Question
What custom token scopes do I need to set a loadbalancer forwarding_rule via terraform?
- Posted on May 10, 2024
- SecurityTerraformLoad Balancing
Asked by Rumyana Rumenova
I’m trying to set up a new scoped token to replace a full-access token I previously used for deployment.
I get the following error on terraform plan:
Error building Load Balancer forwarding rules - error:
&godo.ErrorResponse{Response:(*http.Response)(0xc0005e0f30),
Message:"You are not authorized to perform this operation", RequestID:"...", Attempts:0}
My token has all scopes enabled for the load_balancer (delete, update, read, create).
My Terraform looks like this:
resource "digitalocean_loadbalancer" "loadbalancer" {
name = "${var.project_name}-loadbalancer"
region = "${var.region}"
forwarding_rule {
entry_port = 80
entry_protocol = "http"
target_port = 80
target_protocol = "http"
}
forwarding_rule {
entry_port = 443
entry_protocol = "https"
target_port = 80
target_protocol = "http"
}
P.S I’m very happy that DO now has scoped tokens, this was my biggest problem with the platform until now.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Featured on Community
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
Hi there,
Indeed, if you are creating a 443 forwarding rule, the certificate is a required option.
This is nicely visible in the UI but might be a bit abstracted in the Terraform docs:
I tried creating a Load balancer without the 443 forwarding rule and it works out of the box with only the load balancer token privileges:
Hope that this helps!
Best,
Bobby
I played with setting wider scopes to see what Terraform is trying to do - an additional read scope on “certificate” got me to the next step.
I’m not sure why certificates are changing in my plan. I will update this answer once I understand it.
Edit: I needed
readoncertificateas well as theload_balancerrules for the scoped token when deploying a Load Balancer with SSL termination. This is also true if there are no changes to be made.Debugging step that helped - using a wider-access token first to see what Terraform was actually doing.
certificate_namewas missing from my Terraform but was set in my deployed infrastructure because I’d set it up and attached it outside Terraform.certificate_nameseems to be an optional attribute in that it is possible to deploy a forwarding_rule without it, but a forwarding_rule that tries to do SSL termination will not work when deployed with no certificate_name.