From 4ab0838ba244a6a39f38d4078a829083961175ae Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr
Date: Tue, 21 Apr 2026 20:32:50 +0200
Subject: [PATCH] fix(bootstrap): grant monitoring.editor + enable monitoring API v1.3.0 added google_monitoring_uptime_check_config + alert policies to the module, but bootstrap-gcp.sh was not updated. Fresh customers (and the first apply after upgrading existing customers) hit 403 on monitoring.uptimeCheckConfigs.create. Fix: enable monitoring.googleapis.com + grant roles/monitoring.editor to the deploy SA. Idempotent (safe to re-run on existing projects).
---
 scripts/bootstrap-gcp.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/bootstrap-gcp.sh b/scripts/bootstrap-gcp.sh
index d29967e..a7c294b 100755
--- a/scripts/bootstrap-gcp.sh
+++ b/scripts/bootstrap-gcp.sh
@@ -26,6 +26,7 @@ gcloud services enable \
 secretmanager.googleapis.com \
 cloudresourcemanager.googleapis.com \
 storage.googleapis.com \
+ monitoring.googleapis.com \
 --project="${PROJECT_ID}"

 echo "=== Create deploy service account (if not exists) ==="
@@ -46,7 +47,8 @@ for role in \
 iam.serviceAccountAdmin \
 secretmanager.admin \
 storage.admin \
- resourcemanager.projectIamAdmin; do
+ resourcemanager.projectIamAdmin \
+ monitoring.editor; do
 gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
 --member="serviceAccount:${SA_EMAIL}" \
 --role="roles/${role}" \
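Review bot: `monitoring.editor` in the role list of the second hunk is wider than the failure the commit message describes: the message names only uptime checks and alert policies, while roles/monitoring.editor gives the deploy SA read-write access to Monitoring configuration and data across the project. The predefined per-resource roles should cover the stated need, i.e. `resourcemanager.projectIamAdmin \` followed by `monitoring.uptimeCheckConfigEditor \` and `monitoring.alertPolicyEditor; do` (plus `monitoring.notificationChannelEditor` if the module also manages notification channels, which is not visible here). The same list already grants resourcemanager.projectIamAdmin, so the practical reduction is limited until that binding is narrowed, but keeping each added grant scoped to what the module creates makes the list easier to audit. The `for` loop's body continues past the end of the hunk.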