I’m trying to set up a new scoped token to replace a full-access token I previously used for deployment.
I get the following error on terraform plan:
```
Error building Load Balancer forwarding rules - error:
&godo.ErrorResponse{Response:(*http.Response)(0xc0005e0f30),
Message:"You are not authorized to perform this operation", RequestID:"...", Attempts:0}
```
My token has all scopes enabled for the load_balancer (delete, update, read, create).
My Terraform looks like this:
```hcl
resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "${var.project_name}-loadbalancer"
  region = "${var.region}"

  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port      = 443
    entry_protocol  = "https"
    target_port     = 80
    target_protocol = "http"
  }
}
```
P.S. I’m very happy that DO now has scoped tokens, this was my biggest problem with the platform until now.
Hi there,
Indeed, if you are creating a 443 forwarding rule, the certificate is a required option.
This is nicely visible in the UI but might be a bit abstracted in the Terraform docs:
I tried creating a Load balancer without the 443 forwarding rule and it works out of the box with only the load balancer token privileges:
Hope that this helps!
Best,
Bobby
I played with setting wider scopes to see what Terraform is trying to do - an additional read scope on “certificate” got me to the next step.
I’m not sure why certificates are changing in my plan. I will update this answer once I understand it.
Edit: I needed `read` on `certificate` as well as the `load_balancer` rules for the scoped token when deploying a Load Balancer with SSL termination. This is also true if there are no changes to be made.
Debugging step that helped - using a wider-access token first to see what Terraform was actually doing.
`certificate_name` was missing from my Terraform but was set in my deployed infrastructure because I’d set it up and attached it outside Terraform.
`certificate_name` seems to be an optional attribute in that it is possible to deploy a forwarding_rule without it, but a forwarding_rule that tries to do SSL termination will not work when deployed with no certificate_name.
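The finding from this thread as a pre-flight check, added here as an example and not taken from the posts above or from DigitalOcean's tooling: it reads `terraform show -json` plan output, lists the scopes the load balancer needs, and flags an https rule that has no `certificate_name`. The `resource:action` scope strings, the function names and the sample plan are assumptions of this example.

```python
import json

# Constructed sample: trimmed `terraform show -json plan.out` output for a load
# balancer whose 443 rule had its certificate attached outside Terraform.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "digitalocean_loadbalancer.loadbalancer",
  "type": "digitalocean_loadbalancer",
  "change": {
    "actions": ["update"],
    "before": {"forwarding_rule": [
      {"entry_port": 80, "entry_protocol": "http", "certificate_name": ""},
      {"entry_port": 443, "entry_protocol": "https", "certificate_name": "example-cert"}]},
    "after": {"forwarding_rule": [
      {"entry_port": 80, "entry_protocol": "http", "certificate_name": ""},
      {"entry_port": 443, "entry_protocol": "https", "certificate_name": ""}]}
  }}]}
""")


def terminates_tls(rule):
    # An https entry rule terminates TLS on the load balancer unless it is passthrough.
    return rule.get("entry_protocol") == "https" and not rule.get("tls_passthrough")


def audit_plan(plan):
    """Return (scopes, warnings) for the load balancers in a plan JSON document."""
    scopes, warnings = set(), []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "digitalocean_loadbalancer":
            continue
        change = rc["change"]
        scopes.add("load_balancer:read")  # the provider reads the resource during plan
        scopes.update(f"load_balancer:{a}" for a in change["actions"]
                      if a in ("create", "update", "delete"))
        before = (change.get("before") or {}).get("forwarding_rule") or []
        after = (change.get("after") or {}).get("forwarding_rule") or []
        # Per the answer above: SSL termination, in the config or on the deployed
        # resource, needs read on certificate even when nothing changes.
        if any(terminates_tls(r) for r in before + after):
            scopes.add("certificate:read")
        for r in after:
            if terminates_tls(r) and not r.get("certificate_name"):
                warnings.append(f"{rc['address']}: port {r['entry_port']} https rule has no certificate_name")
    return sorted(scopes), warnings


if __name__ == "__main__":
    scopes, warnings = audit_plan(SAMPLE_PLAN)
    print("scopes to grant:", ", ".join(scopes))
    print("\n".join(warnings))
```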