Fix 0-bootstrap iam_by_principals not taking into account all principals #2267
Conversation
Can you provide a repro? And of course this should only consider normal apply once a bootstrap SA has been created.
Feel free to merge, we can discuss later, don't want to block you.
a78cd30 to 71d9858 (compare)
```hcl
groups = {
  gcp-billing-admins      = "group:[email protected]"
  gcp-devops              = "group:[email protected]"
  gcp-network-admins      = "group:[email protected]"
  gcp-organization-admins = "group:[email protected]"
  gcp-security-admins     = "group:[email protected]"
  gcp-support             = "group:[email protected]"
}
iam_by_principals = {
  "group:[email protected]" = ["roles/owner"]
}
```

Works, but this won't work:

```hcl
groups = {
  gcp-billing-admins      = "group:[email protected]"
  gcp-devops              = "group:[email protected]"
  gcp-network-admins      = "group:[email protected]"
  gcp-organization-admins = "group:[email protected]"
  gcp-security-admins     = "group:[email protected]"
  gcp-support             = "group:[email protected]"
}
iam_by_principals = {
  "group:[email protected]" = ["roles/owner"]
}
```

We need to either document this limitation of
Makes sense, good catch.
…als (#2267)

* Fix 0-bootstrap iam_by_principals not taking into account all principals
* Add test-case for iam_by_principals for 0-bootstrap stage

---------

Co-authored-by: Ludovico Magnocavallo <[email protected]>
When I provide `iam_by_principals` to the bootstrap stage, not all entries are taken into account, as only the principals listed in `local.iam_principals` were used. For example, if using this to grant permissions to non-FAST-defined groups, this would not work.

Checklist

If applicable, I acknowledge that I have:

- run `terraform fmt` on all modified files
- `tools/tfdoc.py`
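The failure mode described in this PR, as an added illustration that is not Fabric's own code: a stage that builds its IAM bindings by iterating only over the principals it already knows (here modelled as `local.iam_principals`, derived from `var.groups`) silently drops any `iam_by_principals` entry whose key is not in that set, so the operator believes a role was granted when it was not. The variable and local names, the `[email protected]` principals and the `dropped_principals` output are all constructed for this example; the corrected merge iterates over the union of both key sets instead.

```hcl
# Added illustration, not the FAST 0-bootstrap stage's code. Names and
# principals below are constructed for this example.

variable "groups" {
  type = map(string)
  default = {
    gcp-organization-admins = "group:[email protected]" # constructed
    gcp-security-admins     = "group:[email protected]" # constructed
  }
}

variable "iam_by_principals" {
  type = map(list(string))
  default = {
    "group:[email protected]" = ["roles/owner"]                       # in var.groups
    "group:[email protected]"  = ["roles/resourcemanager.folderViewer"] # NOT in var.groups
  }
}

locals {
  # Principals the stage already knows about (the FAST-defined groups).
  iam_principals = { for k, v in var.groups : v => [] }

  # Buggy merge: the for-expression only visits keys of local.iam_principals,
  # so "group:[email protected]" never receives its roles and no error is raised.
  iam_by_principals_buggy = {
    for p, roles in local.iam_principals :
    p => concat(roles, lookup(var.iam_by_principals, p, []))
  }

  # Fixed merge: iterate over the union of both key sets, so every principal
  # requested in var.iam_by_principals is bound even if it is not a FAST group.
  iam_by_principals_fixed = {
    for p in distinct(concat(keys(local.iam_principals), keys(var.iam_by_principals))) :
    p => concat(lookup(local.iam_principals, p, []), lookup(var.iam_by_principals, p, []))
  }
}

# Regression check: any principal listed here was requested but silently ignored.
# With the buggy merge this contains "group:[email protected]"; with the fix it is empty.
output "dropped_principals" {
  description = "Principals in iam_by_principals that the buggy merge does not bind."
  value       = setsubtract(keys(var.iam_by_principals), keys(local.iam_by_principals_buggy))
}
```

Evaluating `local.iam_by_principals_buggy` and `local.iam_by_principals_fixed` in `terraform console` shows the difference directly, and the `dropped_principals` output is the kind of check worth keeping in a test case, as this PR does for the 0-bootstrap stage: a grant that is dropped rather than rejected is easy to miss in a plan review because nothing fails.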