NSEC and GCVE Service Account names are too long in tenant #2597

Closed
dobikrisz opened this issue Sep 30, 2024 · 2 comments

@dobikrisz

Describe the bug
When enabling the fast features 'nsec' and 'gcve' on a fast-enabled tenant using the resman stage, I am running into a naming error when trying to generate the read service accounts for the stages, even though every user-defined name (e.g. prefixes) is within the documentation-defined limits.

To Reproduce

  1. Execute Bootstrap stage on a fresh organization and give a prefix that is 7 characters long (officially 9 is the max) - in my case this is "found01"
  2. Run the tenant factory stage and create a tenant with a prefix which is the maximum 3 characters long - in my example it is "f01"
  3. Run the Resman stage on the tenant with fast-features nsec and gcve enabled

Expected behavior
The stage to perform the action

Result

│ Error: "account_id" ("found01-f01-prod-resman-gcve-0r") doesn't match regexp "^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$"
│ 
│   with module.branch-gcve-prod-r-sa[0].google_service_account.service_account[0],
│   on .terraform/modules/branch-gcve-prod-r-sa/iam-service-account/main.tf line 74, in resource "google_service_account" "service_account":
│   74:   account_id   = "${local.prefix}${local.name}"
│ 
╵
╷
│ Error: "account_id" ("found01-f01-prod-resman-nsec-0r") doesn't match regexp "^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$"
│ 
│   with module.branch-nsec-r-sa[0].google_service_account.service_account[0],
│   on .terraform/modules/branch-nsec-r-sa/iam-service-account/main.tf line 74, in resource "google_service_account" "service_account":
│   74:   account_id   = "${local.prefix}${local.name}"
│ 
╵

Here, the tenant prefix is exactly 11 characters long (with the "-" included), which is the maximum length allowed in the documentation. However, the SA names are still too long.

Additional context
I don't think this issue can be "fixed" so the documentation should be updated to only allow 10 character long prefixes for tenants.
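
The length arithmetic behind the two errors above, as an added pre-flight check (not code from the issue or from the project). It uses the `account_id` pattern quoted in the Terraform output and the two name suffixes visible in the failing IDs; the function names and the assumption that prefix and name are joined with a single `-` are hypothetical.

```python
import re

# Pattern quoted in the Terraform error output (6 to 30 characters in total).
ACCOUNT_ID_RE = re.compile(r"^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$")
MAX_LEN = 30  # 1 leading + up to 28 middle + 1 trailing character

# Name suffixes taken from the two failing account_id values in the issue.
SA_NAMES = ["prod-resman-gcve-0r", "prod-resman-nsec-0r"]


def check_account_id(prefix, name):
    """Compose '<prefix>-<name>' (assumed join) and validate it."""
    account_id = f"{prefix}-{name}"
    if ACCOUNT_ID_RE.fullmatch(account_id):
        return account_id, None
    overflow = len(account_id) - MAX_LEN
    if overflow > 0:
        return account_id, f"{overflow} character(s) over the {MAX_LEN}-character limit"
    return account_id, "shorter than 6 characters or contains disallowed characters"


def max_prefix_len(names):
    """Longest combined prefix that keeps every '<prefix>-<name>' within MAX_LEN."""
    return MAX_LEN - 1 - max(len(n) for n in names)


def preflight(prefix, names=SA_NAMES):
    """Return (account_id, reason) for every name the provider would reject."""
    failures = []
    for name in names:
        account_id, reason = check_account_id(prefix, name)
        if reason:
            failures.append((account_id, reason))
    return failures


if __name__ == "__main__":
    # "found01-f01" is the combined prefix from the issue; "found01-f1" is a
    # constructed shorter prefix for comparison.
    for prefix in ("found01-f01", "found01-f1"):
        print(prefix, len(prefix), preflight(prefix) or "ok")
    print("max combined prefix length:", max_prefix_len(SA_NAMES))
```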

@juliocc
Collaborator

juliocc commented Oct 1, 2024

Thanks for catching this @dobikrisz. Would you mind sending a PR to update the docs?

@ludoo
Collaborator

ludoo commented Dec 17, 2024

Closing this as service account names are now configurable since #2769 was merged, and can be tweaked to work around length issues.

@ludoo ludoo closed this as completed Dec 17, 2024