IAM interface refactor #1595
Conversation
@ludoo Maybe this was expected, based on the

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:[email protected]"],
│ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Error applying IAM policy for organization "***REDACTED***": Error setting IAM policy for organization "***REDACTED***": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest
│
│ with module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"],
│ on ../../../modules/organization/iam.tf line 51, in resource "google_organization_iam_binding" "bindings":
│ 51: resource "google_organization_iam_binding" "bindings" {

When I retried, then I got:

│ Error: Error when reading or editing organizations/***REDACTED***/roles/organizationIamAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/organizationIamAdmin.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "iam.googleapis.com",
│ "metadata": {
│ "permission": "iam.roles.get",
│ "resource": "organizations/***REDACTED***/roles/organizationIamAdmin"
│ },
│ "reason": "IAM_PERMISSION_DENIED"
│ }
│ ]
│ , forbidden
│
│ with module.organization.google_organization_iam_custom_role.roles["organizationIamAdmin"],
│ on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│ 35: resource "google_organization_iam_custom_role" "roles" {
│
╵
╷
│ Error: Error when reading or editing organizations/***REDACTED***/roles/tenantNetworkAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/tenantNetworkAdmin.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "iam.googleapis.com",
│ "metadata": {
│ "permission": "iam.roles.get",
│ "resource": "organizations/***REDACTED***/roles/tenantNetworkAdmin"
│ },
│ "reason": "IAM_PERMISSION_DENIED"
│ }
│ ]
│ , forbidden
│
│ with module.organization.google_organization_iam_custom_role.roles["tenantNetworkAdmin"],
│ on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│ 35: resource "google_organization_iam_custom_role" "roles" {
│
╵
╷
│ Error: Error when reading or editing organizations/***REDACTED***/roles/serviceProjectNetworkAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/serviceProjectNetworkAdmin.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "iam.googleapis.com",
│ "metadata": {
│ "permission": "iam.roles.get",
│ "resource": "organizations/***REDACTED***/roles/serviceProjectNetworkAdmin"
│ },
│ "reason": "IAM_PERMISSION_DENIED"
│ }
│ ]
│ , forbidden
│
│ with module.organization.google_organization_iam_custom_role.roles["serviceProjectNetworkAdmin"],
│ on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│ 35: resource "google_organization_iam_custom_role" "roles" {
│
╵
@gustavovalverde my guess is that the first error removed some permissions from the gcp-org-admins group. Can you double check gcp-network-admins has the right permissions at the org level? Also double check that you're a member of that group, but that's not something we change/touch from bootstrap.
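A pre-apply check, added here as an example and not code from this project's modules or from this PR: it validates binding keys against the three role-name forms quoted in the googleapi 400 error above and, mirroring the authoritative per-role semantics of google_organization_iam_binding, lists which existing members an apply would strip from a role, the kind of removal the reply above suspects. The org id, groups and members are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Role-name forms accepted by the IAM API, as listed in the googleapi 400 error quoted above.
ROLE_RE = re.compile(
    r"^(?:roles/[A-Za-z0-9_.]+"
    r"|organizations/\d+/roles/[A-Za-z0-9_.]+"
    r"|projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/roles/[A-Za-z0-9_.]+)$"
)
Policy = Dict[str, Set[str]]  # role name -> set of members


def invalid_role_names(bindings: Policy) -> List[str]:
    """Keys of `bindings` that are not well-formed role names; the API rejects these with 400."""
    return sorted(role for role in bindings if not ROLE_RE.match(role))


def members_removed_by_authoritative_apply(current: Policy, desired: Policy) -> Policy:
    """Live members that an authoritative binding for the same role would drop on apply.

    google_*_iam_binding owns the whole member list of its role, so any existing member the
    binding omits is removed; a half-applied run can leave an admin group without roles it had.
    """
    removed: Policy = {}
    for role, members in desired.items():
        dropped = current.get(role, set()) - members
        if dropped:
            removed[role] = dropped
    return removed


def preflight(current: Policy, desired: Policy) -> Dict[str, object]:
    """Run both checks before terraform apply; any non-empty value is a reason to stop."""
    return {
        "invalid_roles": invalid_role_names(desired),
        "members_removed": members_removed_by_authoritative_apply(current, desired),
    }


# Constructed sample data (placeholder org id, invented groups and members), not from any real org.
ORG_ID = "123456789012"
CURRENT_POLICY: Policy = {
    "roles/resourcemanager.organizationAdmin": {"group:[email protected]", "user:[email protected]"},
    f"organizations/{ORG_ID}/roles/organizationIamAdmin": {"group:[email protected]"},
}
DESIRED_BINDINGS: Policy = {
    "roles/resourcemanager.organizationAdmin": {"group:[email protected]"},  # user omitted: stripped
    "organizationIamAdmin": {"serviceAccount:[email protected]"},  # bare custom role id: 400 bad request
}
print(preflight(CURRENT_POLICY, DESIRED_BINDINGS))
```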
Thank you @juliocc, I had to add some permissions that were removed, also had to remove my But this one still remains:
Can you check the value of
This is the output from the apply. The
...
* IAM modules refactor proposal
* policy
* subheading
* Update 20230816-iam-refactor.md
* log Julio's +1
* data-catalog-policy-tag
* dataproc
* dataproc
* folder
* folder
* folder
* folder
* project
* better filtering in test examples
* project
* folder
* folder
* organization
* fix variable descriptions
* kms
* net-vpc
* dataplex-datascan
* modules/iam-service-account
* modules/source-repository/
* blueprints/cloud-operations/vm-migration/
* blueprints/third-party-solutions/wordpress
* dataplex-datascan
* blueprints/cloud-operations/workload-identity-federation
* blueprints/data-solutions/cloudsql-multiregion/
* blueprints/data-solutions/composer-2
* Update 20230816-iam-refactor.md
* Update 20230816-iam-refactor.md
* capture discussion in architectural doc
* update variable names and refactor proposal
* project
* blueprints first round
* folder
* organization
* data-catalog-policy-tag
* re-enable folder inventory
* project module style fix
* dataproc
* source-repository
* source-repository tests
* dataplex-datascan
* dataplex-datascan tests
* net-vpc
* net-vpc test examples
* iam-service-account
* iam-service-account test examples
* kms
* boilerplate
* tfdoc
* fix module tests
* more blueprint fixes
* fix typo in data blueprints
* incomplete refactor of data platform foundations
* tfdoc
* data platform foundation
* refactor data platform foundation iam locals
* remove redundant example test
* shielded folder fix
* fix typo
* project factory
* project factory outputs
* tfdoc
* test workflow: less verbose tests, fix tf version
* re-enable -vv, shorter traceback, fix action version
* ignore github extension warning, re-enable action version
* fast bootstrap IAM, untested
* bootstrap stage IAM fixes
* stage 0 tests
* fast stage 1
* tenant stage 1
* minor changes to fast stage 0 and 1
* fast security stage
* fast mt stage 0
* fast mt stage 0
* fast pf