Tips and tricks for using GCP as to host the proxy.
Some orgs have policies that block authentication of the GCloud CLI client, requiring you to contact your IT team and have it added to an approved list. Apart from that, there are several possibilities:
use the GCP Cloud Shell (via GCP web console). gcloud is pre-installed and pre-authorized as your Google user in the Cloud Shell.
use a VM in GCP Compute Engine, with the VM running as a sufficiently privileged service account. In such a scenario, gcloud will be pre-authenticated by GCP on the VM as that service account.
create credentials within the project itself:
enable IAM API and Cloud Resource Manager API within the project
create OAuth credentials for a 'desktop application' within the target GCP project
download the client-secrets.json file to your environment
run gcloud auth application-default login --client-id-file=/path/to/client-secrets.json
Terraform relies on GCP's REST APIs for its operations. If these APIs are disabled either the target project OR the project in which the identity (service account, OAuth client) under which you're running terraform resides, you may get an error.
The solution is to enable APIs via the Cloud Console, specifically:
IAM API
Cloud Resource Manager API
If some resources seem to not be properly provisioned, try terraform taint or terraform state rm, to force re-creation. Use terrafrom state list | grep to search for specific resource ids.
If you receive an error such as:
This may be due to an Organization Policy that restricts the domains that can be used in IAM policies. See https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains
You may need define an exception for the GCP project in which you're deploying the proxy, or add the domain of your Worklytics Tenant SA to the list of allowed domains.