
IAM interface refactor #1595

Merged
merged 86 commits into from
Aug 20, 2023

Conversation

ludoo
Collaborator

@ludoo ludoo commented Aug 16, 2023

No description provided.

@ludoo ludoo changed the title IAM modules refactor proposal IAM interface refactor Aug 19, 2023
@ludoo ludoo enabled auto-merge (squash) August 19, 2023 11:41
@ludoo ludoo merged commit 819894d into master Aug 20, 2023
@ludoo ludoo deleted the ludo/modules-iam-design branch August 20, 2023 07:44
@ludoo ludoo added the incompatible change Pull request that breaks compatibility with previous version label Aug 20, 2023
@ludoo ludoo removed the request for review from wiktorn August 21, 2023 05:22
@gustavovalverde
Contributor

@ludoo Maybe this was expected, based on the incompatible change label. I'd like to keep up with the repo changes, but after re-applying stage0-bootstrap I got this error and I'm not completely sure what's required to migrate to the new approach.

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:[email protected]"],
│ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.


│ Error: Error applying IAM policy for organization "***REDACTED***": Error setting IAM policy for organization "***REDACTED***": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest

│   with module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"],
│   on ../../../modules/organization/iam.tf line 51, in resource "google_organization_iam_binding" "bindings":
│   51: resource "google_organization_iam_binding" "bindings" {

When I retried, I got:

│ Error: Error when reading or editing organizations/***REDACTED***/roles/organizationIamAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/organizationIamAdmin.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "iam.googleapis.com",
│     "metadata": {
│       "permission": "iam.roles.get",
│       "resource": "organizations/***REDACTED***/roles/organizationIamAdmin"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden

│   with module.organization.google_organization_iam_custom_role.roles["organizationIamAdmin"],
│   on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│   35: resource "google_organization_iam_custom_role" "roles" {

│ Error: Error when reading or editing organizations/***REDACTED***/roles/tenantNetworkAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/tenantNetworkAdmin.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "iam.googleapis.com",
│     "metadata": {
│       "permission": "iam.roles.get",
│       "resource": "organizations/***REDACTED***/roles/tenantNetworkAdmin"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
│ 
│   with module.organization.google_organization_iam_custom_role.roles["tenantNetworkAdmin"],
│   on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│   35: resource "google_organization_iam_custom_role" "roles" {
│ Error: Error when reading or editing organizations/***REDACTED***/roles/serviceProjectNetworkAdmin: googleapi: Error 403: You don't have permission to get the role at organizations/***REDACTED***/roles/serviceProjectNetworkAdmin.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "iam.googleapis.com",
│     "metadata": {
│       "permission": "iam.roles.get",
│       "resource": "organizations/***REDACTED***/roles/serviceProjectNetworkAdmin"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden

│   with module.organization.google_organization_iam_custom_role.roles["serviceProjectNetworkAdmin"],
│   on ../../../modules/organization/iam.tf line 35, in resource "google_organization_iam_custom_role" "roles":
│   35: resource "google_organization_iam_custom_role" "roles" {

@juliocc
Collaborator

juliocc commented Aug 24, 2023

@gustavovalverde my guess is that the first error removed some permissions from the gcp-org-admins group. Can you double-check that gcp-network-admins has the right permissions at the org level?

Also double-check that you're a member of that group, but that's not something we change/touch from bootstrap.

@gustavovalverde
Contributor

Thank you @juliocc. I had to add some permissions that were removed, and also had to remove my 0-bootstrap-providers.tf to init the Terraform configuration, and most errors were gone.

But this one still remains:

│ Error: Error applying IAM policy for organization "***REDACTED***": Error setting IAM policy for organization "***REDACTED***": googleapi: Error 400: The role name must be in the form "roles/{role}", "organizations/{organization_id}/roles/{role}", or "projects/{project_id}/roles/{role}"., badRequest
│ 
│   with module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"],
│   on ../../../modules/organization/iam.tf line 51, in resource "google_organization_iam_binding" "bindings":
│   51: resource "google_organization_iam_binding" "bindings" {

@juliocc
Collaborator

juliocc commented Aug 24, 2023

Can you check the value of module.organization.custom_role_id? It looks like the IDs of the custom roles have an unexpected format.

@gustavovalverde
Contributor

This is the output from the apply. The role is being set as sa_resman_delegated_iam:

              + custom_roles = {
                  + organization_iam_admin        = "organizations/***REDACTED***/roles/organizationIamAdmin"
                  + service_project_network_admin = "organizations/***REDACTED***/roles/serviceProjectNetworkAdmin"
                  + tenant_network_admin          = "organizations/***REDACTED***/roles/tenantNetworkAdmin"
                }

...

  # module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"] will be created
  + resource "google_organization_iam_binding" "bindings" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + members = [
          + "serviceAccount:***REDACTED***-prod-resman-0@***REDACTED***-prod-iac-core-0.iam.gserviceaccount.com",
        ]
      + org_id  = "***REDACTED***"
      + role    = "sa_resman_delegated_iam"

      + condition {
          + description = "Automation service account delegated grants."
          + expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/accesscontextmanager.policyAdmin','roles/compute.orgFirewallPolicyAdmin','roles/compute.xpnAdmin','roles/orgpolicy.policyAdmin','roles/resourcemanager.organizationViewer','organizations/***REDACTED***/roles/tenantNetworkAdmin','roles/billing.admin','roles/billing.costsManager','roles/billing.user'])"
          + title       = "automation_sa_delegated_grants"
        }
    }
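A pre-apply check for the symptom in this thread, added here as an example that is not part of the discussion or of the cloud-foundation-fabric repository: it validates every `role` value in a saved `terraform plan` against the three name forms the 400 error lists, so a binding key such as `sa_resman_delegated_iam` leaking into `role` is reported with its resource address before apply. The plan excerpt, org id and group address are constructed placeholders.

```python
import re

# The three role-name shapes the Google IAM API accepts, taken from the provider
# error quoted above. Role ids: 3-64 chars of [A-Za-z0-9_.]; project-id pattern is loose.
ROLE_RE = re.compile(
    r"^(roles/[A-Za-z0-9_.]{3,64}"
    r"|organizations/[0-9]+/roles/[A-Za-z0-9_.]{3,64}"
    r"|projects/[a-z][a-z0-9-]*/roles/[A-Za-z0-9_.]{3,64})$"
)
# Plan lines that open a resource block, and plan lines that set `role`.
ADDR_RE = re.compile(r"^\s*#\s+(\S+)\s+will be (created|updated in-place|replaced)")
ROLE_LINE_RE = re.compile(r'^\s*[+~-]?\s*role\s*=\s*"([^"]*)"')

def is_valid_role_name(role: str) -> bool:
    """True for a predefined, org-level custom, or project-level custom role name."""
    return ROLE_RE.fullmatch(role) is not None

def find_bad_roles(plan_text: str) -> list[tuple[str, str]]:
    """Return (resource address, role) for every role value the API would reject."""
    bad, address = [], "<unknown>"
    for line in plan_text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            address = m.group(1)
            continue
        m = ROLE_LINE_RE.match(line)
        if m and not is_valid_role_name(m.group(1)):
            bad.append((address, m.group(1)))
    return bad

# Constructed plan excerpt modelled on the one above; org id and group are placeholders.
SAMPLE_PLAN = """\
  # module.organization.google_organization_iam_binding.bindings["sa_resman_delegated_iam"] will be created
  + resource "google_organization_iam_binding" "bindings" {
      + org_id  = "123456789012"
      + role    = "sa_resman_delegated_iam"
    }
  # module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-org-admins@example.com"] will be created
  + resource "google_organization_iam_member" "bindings" {
      + role    = "roles/compute.orgFirewallPolicyAdmin"
    }
  # module.organization.google_organization_iam_binding.bindings["tenant_network_admin"] will be created
  + resource "google_organization_iam_binding" "bindings" {
      + role    = "organizations/123456789012/roles/tenantNetworkAdmin"
    }
"""

if __name__ == "__main__":
    for addr, role in find_bad_roles(SAMPLE_PLAN):
        print(f"rejected role {role!r} in {addr}")
```

Feed it the output of `terraform plan -no-color` saved to a file; an empty result means every binding carries a role name the API will accept.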

jayBana pushed a commit to jayBana/cloud-foundation-fabric that referenced this pull request Jul 6, 2024
* IAM modules refactor proposal

* policy

* subheading

* Update 20230816-iam-refactor.md

* log Julio's +1

* data-catalog-policy-tag

* dataproc

* dataproc

* folder

* folder

* folder

* folder

* project

* better filtering in test examples

* project

* folder

* folder

* organization

* fix variable descriptions

* kms

* net-vpc

* dataplex-datascan

* modules/iam-service-account

* modules/source-repository/

* blueprints/cloud-operations/vm-migration/

* blueprints/third-party-solutions/wordpress

* dataplex-datascan

* blueprints/cloud-operations/workload-identity-federation

* blueprints/data-solutions/cloudsql-multiregion/

* blueprints/data-solutions/composer-2

* Update 20230816-iam-refactor.md

* Update 20230816-iam-refactor.md

* capture discussion in architectural doc

* update variable names and refactor proposal

* project

* blueprints first round

* folder

* organization

* data-catalog-policy-tag

* re-enable folder inventory

* project module style fix

* dataproc

* source-repository

* source-repository tests

* dataplex-datascan

* dataplex-datascan tests

* net-vpc

* net-vpc test examples

* iam-service-account

* iam-service-account test examples

* kms

* boilerplate

* tfdoc

* fix module tests

* more blueprint fixes

* fix typo in data blueprints

* incomplete refactor of data platform foundations

* tfdoc

* data platform foundation

* refactor data platform foundation iam locals

* remove redundant example test

* shielded folder fix

* fix typo

* project factory

* project factory outputs

* tfdoc

* test workflow: less verbose tests, fix tf version

* re-enable -vv, shorter traceback, fix action version

* ignore github extension warning, re-enable action version

* fast bootstrap IAM, untested

* bootstrap stage IAM fixes

* stage 0 tests

* fast stage 1

* tenant stage 1

* minor changes to fast stage 0 and 1

* fast security stage

* fast mt stage 0

* fast mt stage 0

* fast pf
Labels
incompatible change Pull request that breaks compatibility with previous version on:blueprints on:documentation on:FAST on:modules on:tools New or changed tool