What custom token scopes do I need to set a loadbalancer forwarding_rule via terraform?

Posted on May 10, 2024

I’m trying to set up a new scoped token to replace a full-access token I previously used for deployment.

I get the following error on terraform plan:

```
Error building Load Balancer forwarding rules - error: 
&godo.ErrorResponse{Response:(*http.Response)(0xc0005e0f30), 
Message:"You are not authorized to perform this operation", RequestID:"...", Attempts:0}
```

My token has all scopes enabled for the load_balancer (delete, update, read, create).

My Terraform looks like this:

```hcl
resource "digitalocean_loadbalancer" "loadbalancer" {
  name = "${var.project_name}-loadbalancer"
  region = "${var.region}"

  forwarding_rule {
    entry_port = 80
    entry_protocol = "http"

    target_port = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port = 443
    entry_protocol = "https"

    target_port = 80
    target_protocol = "http"
  }
}
```

P.S. I’m very happy that DO now has scoped tokens; this was my biggest problem with the platform until now.




Hi there,

Indeed, if you are creating a 443 forwarding rule, the certificate is a required option.

This is nicely visible in the UI but might be a bit abstracted in the Terraform docs:

I tried creating a Load balancer without the 443 forwarding rule and it works out of the box with only the load balancer token privileges:

```hcl
resource "digitalocean_loadbalancer" "loadbalancer" {
  name = "test-loadbalancer"
  region = "nyc3"

  forwarding_rule {
    entry_port = 80
    entry_protocol = "http"

    target_port = 80
    target_protocol = "http"
  }

}
```

Hope that this helps!

Best,

Bobby

I played with setting wider scopes to see what Terraform is trying to do - an additional read scope on “certificate” got me to the next step.

I’m not sure why certificates are changing in my plan. I will update this answer once I understand it.

Edit: I needed read on certificate as well as the load_balancer rules for the scoped token when deploying a Load Balancer with SSL termination. This is also true if there are no changes to be made.

Debugging step that helped - using a wider-access token first to see what Terraform was actually doing.

certificate_name was missing from my Terraform but was set in my deployed infrastructure because I’d set it up and attached it outside Terraform.

certificate_name seems to be an optional attribute in that it is possible to deploy a forwarding_rule without it, but a forwarding_rule that tries to do SSL termination will not work when deployed with no certificate_name.
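
The configuration this thread converges on, as an added example that is not code from either poster: the 443 rule declares its certificate explicitly, and the scoped token is assumed to carry read on certificate in addition to the load_balancer scopes. `var.certificate_name` and the data source label `lb` are assumptions; the certificate is assumed to already exist in the account.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "project_name" { type = string }
variable "region" { type = string }
variable "certificate_name" { type = string } # assumed: name of an existing certificate

# Look up the certificate that was created and attached outside Terraform.
# This is a certificate read, which the scoped token must be allowed to do.
data "digitalocean_certificate" "lb" {
  name = var.certificate_name
}

resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "${var.project_name}-loadbalancer"
  region = var.region

  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 80
    target_protocol = "http"

    # SSL termination: declare the certificate so the configuration matches
    # the certificate already attached to the deployed rule.
    certificate_name = data.digitalocean_certificate.lb.name
  }
}
```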
