
IaC config for image syncer #11774

Merged (16 commits, Sep 6, 2024)
Conversation

@dekiel (Contributor) commented Sep 4, 2024

Description

Changes proposed in this pull request:

  • Add the attribute_condition optional argument to the wif module. This allows control over which OIDC tokens are allowed to get an identity in GCP.
  • Set the default value of attribute_condition to allow only identities related to the kyma-project github.com organisation.
  • Added a custom attribute to distinguish reusable workflow runs on pull request and push events.
  • Added config to grant artifact registry read and write permissions to the image-syncer reusable workflow identity. The identity is used for push event runs only.

This PR depends on #11772; part of the changes visible here were introduced in #11772, which should be merged first.

Related issue(s)
See #11384
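To make the trust chain described above concrete, the following added example (not the project's Terraform and not GCP's own CEL evaluator) simulates how the workload identity pool provider configured in this PR turns a GitHub Actions OIDC token into a GCP principal, and which principal ends up holding the Artifact Registry grant. The literal values (project number, pool id, owner id, workflow ref, role) are taken from the plan output posted in this PR; the token claim sets are constructed samples, and comparing repository_owner_id as a string is an assumption of the simulation.

```python
"""Simulation of the WIF provider behaviour configured in this PR.

Added illustration only: it mirrors the attribute_condition, the custom
attribute mapping and the single IAM binding from the plan output, so that
the effect of each piece on a token can be inspected offline.
"""

# Literal values taken from the plan output in this PR.
PROJECT_NUMBER = "351981214969"
POOL_ID = "github-com-kyma-project"
KYMA_PROJECT_OWNER_ID = "39153523"
IMAGE_SYNCER_REF = (
    "kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/main"
)
WRITER_ROLE = "roles/artifactregistry.createOnPushWriter"


def attribute_condition(claims: dict) -> bool:
    """Mirror of  attribute_condition = "attribute.repository_owner_id == 39153523".

    Tokens from repositories not owned by the kyma-project organisation are
    rejected by the provider before any IAM binding is consulted. String
    comparison is an assumption of this simulation.
    """
    return str(claims.get("repository_owner_id", "")) == KYMA_PROJECT_OWNER_ID


def map_reusable_workflow_run(claims: dict) -> str:
    """Mirror of the custom attribute mapping added by the PR:
    "event_name:" + assertion.event_name + ":repository_owner_id:" +
    assertion.repository_owner_id + ":reusable_workflow_ref:" + assertion.job_workflow_ref

    job_workflow_ref identifies the reusable workflow file and git ref that is
    actually running, not the caller's workflow, so the caller cannot pick the
    value by naming its own workflow file.
    """
    return (
        f"event_name:{claims['event_name']}"
        f":repository_owner_id:{claims['repository_owner_id']}"
        f":reusable_workflow_ref:{claims['job_workflow_ref']}"
    )


def principal_set(attribute_value: str) -> str:
    """principalSet member string used by GCP IAM for one mapped attribute value."""
    return (
        f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
        f"/locations/global/workloadIdentityPools/{POOL_ID}"
        f"/attribute.reusable_workflow_run/{attribute_value}"
    )


# The single binding created by
# google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer:
# writer role only for push-event runs of the image-syncer reusable workflow
# at refs/heads/main, issued for a kyma-project repository.
GRANTS = {
    principal_set(
        f"event_name:push:repository_owner_id:{KYMA_PROJECT_OWNER_ID}"
        f":reusable_workflow_ref:{IMAGE_SYNCER_REF}"
    ): frozenset({WRITER_ROLE}),
}


def resolve(claims: dict) -> tuple:
    """Return (admitted_by_provider, principal_member, granted_roles)."""
    if not attribute_condition(claims):
        return False, None, frozenset()
    member = principal_set(map_reusable_workflow_run(claims))
    return True, member, GRANTS.get(member, frozenset())


# Constructed sample claim sets (only the claims the condition and mapping use).
PUSH_MAIN = {  # image-syncer reusable workflow at main, run on a push event
    "event_name": "push",
    "repository_owner_id": KYMA_PROJECT_OWNER_ID,
    "job_workflow_ref": IMAGE_SYNCER_REF,
}
PULL_REQUEST = {  # same reusable workflow, but a pull_request run
    "event_name": "pull_request",
    "repository_owner_id": KYMA_PROJECT_OWNER_ID,
    "job_workflow_ref": IMAGE_SYNCER_REF,
}
FEATURE_BRANCH = {  # push that calls a copy of the workflow from another ref
    "event_name": "push",
    "repository_owner_id": KYMA_PROJECT_OWNER_ID,
    "job_workflow_ref": "kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/feature",
}
OTHER_ORG = {  # token issued for a repository outside the kyma-project org
    "event_name": "push",
    "repository_owner_id": "1000000",
    "job_workflow_ref": IMAGE_SYNCER_REF,
}

if __name__ == "__main__":
    samples = [("push/main", PUSH_MAIN), ("pull_request", PULL_REQUEST),
               ("feature branch", FEATURE_BRANCH), ("other org", OTHER_ORG)]
    for name, claims in samples:
        admitted, _member, roles = resolve(claims)
        print(f"{name:15} admitted={admitted} roles={sorted(roles)}")
```

Only the push/main sample receives the writer role; the pull_request and feature-branch runs are admitted by the provider but hold no binding, and the token from another organisation is rejected by the attribute condition before IAM is consulted.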

…rraform planner. The config will be more consistent and easier to maintain.

Made sa-mapping an optional argument of a module. This allows defining the mapping in config files related to the mapped service accounts.
@kyma-bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress) Sep 4, 2024

@kyma-bot (Contributor) commented Sep 4, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot added the cla: yes (Indicates the PR's author has signed the CLA) and size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) labels Sep 4, 2024

@kyma-bot (Contributor) commented Sep 4, 2024

Plan Result

CI link

Plan: 1 to import, 1 to add, 4 to change, 0 to destroy.
  • Create
    • google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer
  • Update
    • google_artifact_registry_repository.prod_docker_repository
    • google_service_account.sa_gke_kyma_integration
    • module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main
    • module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner
Change Result
  # google_artifact_registry_repository.prod_docker_repository will be updated in-place
  # (imported from "projects/kyma-project/locations/europe/repositories/prod")
  ~ resource "google_artifact_registry_repository" "prod_docker_repository" {
        cleanup_policy_dry_run = true
        create_time            = "2022-10-11T11:18:44.273370Z"
      - description            = "Production registry for kyma-project" -> null
        effective_labels       = {
            "type" = "production"
        }
        format                 = "DOCKER"
        id                     = "projects/kyma-project/locations/europe/repositories/prod"
      ~ labels                 = {
          + "type" = "production"
        }
        location               = "europe"
        mode                   = "STANDARD_REPOSITORY"
        name                   = "prod"
        project                = "kyma-project"
        repository_id          = "prod"
      ~ terraform_labels       = {
          + "type" = "production"
        }
        update_time            = "2024-09-06T11:55:05.960791Z"

      + docker_config {
          + immutable_tags = false
        }
    }

  # google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer will be created
  + resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + location   = "europe"
      + member     = "principalSet://iam.googleapis.com/projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/attribute.reusable_workflow_run/event_name:push:repository_owner_id:39153523:reusable_workflow_ref:kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/main"
      + project    = (known after apply)
      + repository = "prod"
      + role       = "roles/artifactregistry.createOnPushWriter"
    }

  # google_service_account.sa_gke_kyma_integration will be updated in-place
  ~ resource "google_service_account" "sa_gke_kyma_integration" {
      ~ description  = "Service account is used by Prow to integrate with GKE. Will be removed with Prow" -> "Service account is used by Prow to integrate with GKE."
        id           = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
        name         = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
        # (7 unchanged attributes hidden)
    }

  # module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main will be updated in-place
  ~ resource "google_iam_workload_identity_pool_provider" "main" {
      + attribute_condition                = "attribute.repository_owner_id == 39153523"
      ~ attribute_mapping                  = {
          + "attribute.reusable_workflow_run" = "\"event_name:\" + assertion.event_name + \":repository_owner_id:\" + assertion.repository_owner_id + \":reusable_workflow_ref:\" + assertion.job_workflow_ref"
            # (10 unchanged elements hidden)
        }
        id                                 = "projects/sap-kyma-prow/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project"
        name                               = "projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project"
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner will be updated in-place
  ~ resource "google_cloud_scheduler_job" "service_account_keys_cleaner" {
        id               = "projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner"
        name             = "service-account-keys-cleaner"
        # (8 unchanged attributes hidden)

      ~ http_target {
          ~ uri         = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app/?project=sap-kyma-prow&age=24" -> "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app?project=sap-kyma-prow&age=24"
            # (2 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }
    }

Plan: 1 to import, 1 to add, 4 to change, 0 to destroy.

Changes to Outputs:
  ~ terraform_executor_gcp_workload_identity            = {
      ~ etag               = "BwYSslcC1II=" -> "BwYhcY+T+/A="
        id                 = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
        # (4 unchanged attributes hidden)
    }
ℹ️ Objects have changed outside of Terraform

This feature was introduced from Terraform v0.15.4.

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # google_service_account_iam_binding.terraform_workload_identity has changed
  ~ resource "google_service_account_iam_binding" "terraform_workload_identity" {
      ~ etag               = "BwYSslcC1II=" -> "BwYhcY+T+/A="
        id                 = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
        # (3 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the

@dekiel dekiel self-assigned this Sep 4, 2024
Rename file to better describe its content.
# Conflicts:
#	configs/terraform/environments/prod/gcp-workfload-identity-federation.tf
@dekiel dekiel marked this pull request as ready for review September 5, 2024 11:37
@dekiel dekiel requested review from neighbors-dev-bot and a team as code owners September 5, 2024 11:37
@kyma-bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress) Sep 5, 2024
@dekiel changed the title from "Tf for image syncer" to "IaC config for image syncer" Sep 5, 2024

@Sawthis (Contributor) left a comment

Please resolve the conflicts.

…-image-syncer

# Conflicts:
#	configs/terraform/environments/prod/provider.tf
#	configs/terraform/modules/gcp-workload-identity-federation/main.tf
#	configs/terraform/modules/gcp-workload-identity-federation/variables.tf
@dekiel dekiel requested a review from Sawthis September 6, 2024 11:38
@dekiel dekiel requested a review from Sawthis September 6, 2024 11:53
@kyma-bot kyma-bot added the lgtm Looks good to me! label Sep 6, 2024
@kyma-bot kyma-bot merged commit fb6c7ba into kyma-project:main Sep 6, 2024
5 checks passed
@kyma-bot (Contributor) commented Sep 6, 2024

❌ Apply Result

CI link

Error: Error retrieving IAM policy for artifactregistry repository "projects/sap-kyma-prow/locations/europe/repositories/prod": googleapi: Error 403: The caller does not have permission

  with google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer,
  on image-syncer.tf line 1, in resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer":
   1: resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer" {
module.secrets_leaks_log_scanner.google_service_account.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_service_account.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.data.google_project.project: Reading...
module.secrets_leaks_log_scanner.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Reading...
module.secrets_leaks_log_scanner.google_service_account.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_service_account.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/secrets-leak-log-scanner@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.data.google_storage_bucket.kyma_prow_logs: Reading...
module.secrets_leaks_log_scanner.google_service_account.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/serviceAccounts/gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket.kyma_prow_logs_secured: Refreshing state... [id=kyma-prow-logs-secured]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.github_issue_creator: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/4186084580898851199]
module.secrets_leaks_log_scanner.data.google_secret_manager_secret.gh_tools_kyma_bot_token: Read complete after 0s [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.secrets_leak_log_scanner: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/4186084580898851963]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.gcs_bucket_mover: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/14829426496191956253]
module.secrets_leaks_log_scanner.google_monitoring_alert_policy.github_issue_finder: Refreshing state... [id=projects/sap-kyma-prow/alertPolicies/7170185124964513561]
module.secrets_leaks_log_scanner.data.google_iam_policy.run_invoker: Reading...
module.secrets_leaks_log_scanner.data.google_iam_policy.run_invoker: Read complete after 0s [id=735823064]
module.secrets_leaks_log_scanner.google_secret_manager_secret_iam_member.gh_issue_creator_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-creator@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_secret_manager_secret_iam_member.gh_issue_finder_gh_tools_kyma_bot_token_accessor: Refreshing state... [id=projects/sap-kyma-prow/secrets/trusted_default_kyma-bot-github-sap-token/roles/secretmanager.secretAccessor/serviceAccount:github-issue-finder@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service.secrets_leak_log_scanner: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/secrets-leak-log-scanner]
module.secrets_leaks_log_scanner.data.google_storage_bucket.kyma_prow_logs: Read complete after 0s [id=kyma-prow-logs]
module.secrets_leaks_log_scanner.data.google_project.project: Read complete after 0s [id=projects/sap-kyma-prow]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.secrets_leak_detector: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_viewer: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectViewer/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_object_admin: Refreshing state... [id=b/kyma-prow-logs/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_project_iam_member.project_workflows_invoker: Refreshing state... [id=projects/sap-kyma-prow/roles/workflows.invoker/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_project_iam_member.project_log_writer: Refreshing state... [id=projects/sap-kyma-prow/roles/logging.logWriter/serviceAccount:secrets-leak-detector@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_storage_bucket_iam_member.kyma_prow_logs_secured_object_admin: Refreshing state... [id=b/kyma-prow-logs-secured/roles/storage.objectAdmin/serviceAccount:gcs-bucket-mover@sap-kyma-prow.iam.gserviceaccount.com]
module.secrets_leaks_log_scanner.google_cloud_run_service.gcs_bucket_mover: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_creator: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-creator]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.secrets_leak_log_scanner: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/secrets-leak-log-scanner]
module.secrets_leaks_log_scanner.google_cloud_run_service.github_issue_finder: Refreshing state... [id=locations/europe-west3/namespaces/sap-kyma-prow/services/github-issue-finder]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.github_issue_creator: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-creator]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.github_issue_finder: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/github-issue-finder]
module.secrets_leaks_log_scanner.google_cloud_run_service_iam_policy.gcs_bucket_mover: Refreshing state... [id=v1/projects/sap-kyma-prow/locations/europe-west3/services/gcs-bucket-mover]
module.secrets_leaks_log_scanner.google_workflows_workflow.secrets_leak_detector: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/workflows/secrets-leak-detector]
module.secrets_leaks_log_scanner.google_eventarc_trigger.secrets_leak_detector_workflow: Refreshing state... [id=projects/sap-kyma-prow/locations/europe-west3/triggers/secrets-leak-detector]

Note: Objects have changed outside of OpenTofu

OpenTofu detected the following changes made outside of OpenTofu since the
last "tofu apply" which may have affected this plan:

  # google_service_account_iam_binding.terraform_workload_identity has changed
  ~ resource "google_service_account_iam_binding" "terraform_workload_identity" {
      ~ etag               = "BwYSslcC1II=" -> "BwYhcY+T+/A="
        id                 = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
        # (3 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

OpenTofu will perform the following actions:

  # google_artifact_registry_repository.prod_docker_repository will be updated in-place
  # (imported from "projects/kyma-project/locations/europe/repositories/prod")
  ~ resource "google_artifact_registry_repository" "prod_docker_repository" {
        cleanup_policy_dry_run = true
        create_time            = "2022-10-11T11:18:44.273370Z"
      - description            = "Production registry for kyma-project" -> null
        effective_labels       = {
            "type" = "production"
        }
        format                 = "DOCKER"
        id                     = "projects/kyma-project/locations/europe/repositories/prod"
      ~ labels                 = {
          + "type" = "production"
        }
        location               = "europe"
        mode                   = "STANDARD_REPOSITORY"
        name                   = "prod"
        project                = "kyma-project"
        repository_id          = "prod"
      ~ terraform_labels       = {
          + "type" = "production"
        }
        update_time            = "2024-09-06T11:55:05.960791Z"

      + docker_config {
          + immutable_tags = false
        }
    }

  # google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer will be created
  + resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer" {
      + etag       = (known after apply)
      + id         = (known after apply)
      + location   = "europe"
      + member     = "principalSet://iam.googleapis.com/projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/attribute.reusable_workflow_run/event_name:push:repository_owner_id:39153523:reusable_workflow_ref:kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/main"
      + project    = (known after apply)
      + repository = "prod"
      + role       = "roles/artifactregistry.createOnPushWriter"
    }

  # google_service_account.sa_gke_kyma_integration will be updated in-place
  ~ resource "google_service_account" "sa_gke_kyma_integration" {
      ~ description  = "Service account is used by Prow to integrate with GKE. Will be removed with Prow" -> "Service account is used by Prow to integrate with GKE."
        id           = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
        name         = "projects/sap-kyma-prow/serviceAccounts/[email protected]"
        # (7 unchanged attributes hidden)
    }

  # module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main will be updated in-place
  ~ resource "google_iam_workload_identity_pool_provider" "main" {
      + attribute_condition                = "attribute.repository_owner_id == 39153523"
      ~ attribute_mapping                  = {
          + "attribute.reusable_workflow_run" = "\"event_name:\" + assertion.event_name + \":repository_owner_id:\" + assertion.repository_owner_id + \":reusable_workflow_ref:\" + assertion.job_workflow_ref"
            # (10 unchanged elements hidden)
        }
        id                                 = "projects/sap-kyma-prow/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project"
        name                               = "projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project"
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner will be updated in-place
  ~ resource "google_cloud_scheduler_job" "service_account_keys_cleaner" {
        id               = "projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner"
        name             = "service-account-keys-cleaner"
        # (8 unchanged attributes hidden)

      ~ http_target {
          ~ uri         = "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app/?project=sap-kyma-prow&age=24" -> "https://service-account-keys-cleaner-q25ja7ch3q-ez.a.run.app?project=sap-kyma-prow&age=24"
            # (2 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }
    }

Plan: 1 to import, 1 to add, 4 to change, 0 to destroy.

Changes to Outputs:
  ~ terraform_executor_gcp_workload_identity            = {
      ~ etag               = "BwYSslcC1II=" -> "BwYhcY+T+/A="
        id                 = "projects/sap-kyma-prow/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser"
        # (4 unchanged attributes hidden)
    }
google_artifact_registry_repository.prod_docker_repository: Importing... [id=projects/kyma-project/locations/europe/repositories/prod]
google_artifact_registry_repository.prod_docker_repository: Import complete [id=projects/kyma-project/locations/europe/repositories/prod]
google_service_account.sa_gke_kyma_integration: Modifying... [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner: Modifying... [id=projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner]
module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main: Modifying... [id=projects/sap-kyma-prow/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project]
google_artifact_registry_repository.prod_docker_repository: Modifying... [id=projects/kyma-project/locations/europe/repositories/prod]
google_artifact_registry_repository.prod_docker_repository: Modifications complete after 2s [id=projects/kyma-project/locations/europe/repositories/prod]
google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer: Creating...
module.service_account_keys_cleaner.google_cloud_scheduler_job.service_account_keys_cleaner: Modifications complete after 3s [id=projects/sap-kyma-prow/locations/europe-west3/jobs/service-account-keys-cleaner]
google_service_account.sa_gke_kyma_integration: Modifications complete after 6s [id=projects/sap-kyma-prow/serviceAccounts/sa-gke-kyma-integration@sap-kyma-prow.iam.gserviceaccount.com]
module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main: Still modifying... [id=projects/sap-kyma-prow/locations/global...ject/providers/github-com-kyma-project, 10s elapsed]
module.gh_com_kyma_project_workload_identity_federation.google_iam_workload_identity_pool_provider.main: Modifications complete after 11s [id=projects/sap-kyma-prow/locations/global/workloadIdentityPools/github-com-kyma-project/providers/github-com-kyma-project]

Error: Error retrieving IAM policy for artifactregistry repository "projects/sap-kyma-prow/locations/europe/repositories/prod": googleapi: Error 403: The caller does not have permission

  with google_artifact_registry_repository_iam_member.image_syncer_prod_repo_writer,
  on image-syncer.tf line 1, in resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer":
   1: resource "google_artifact_registry_repository_iam_member" "image_syncer_prod_repo_writer" {

`
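Added example (not part of the PR or the project's code): it replays the `attribute_mapping` and `attribute_condition` from the plan above against constructed GitHub OIDC claims and shows which token would match the `image_syncer_prod_repo_writer` binding. It assumes `attribute.repository_owner_id` is mapped from `assertion.repository_owner_id`, which is among the hidden unchanged mapping elements.

```python
# Added example, not the project's code. Replays the WIF provider mapping and
# condition from the OpenTofu plan against constructed GitHub OIDC claims.
# Assumption: attribute.repository_owner_id maps from assertion.repository_owner_id.

POOL = "projects/351981214969/locations/global/workloadIdentityPools/github-com-kyma-project"
KYMA_PROJECT_OWNER_ID = "39153523"  # value used in attribute_condition in the plan
IMAGE_SYNCER_MEMBER = (
    f"principalSet://iam.googleapis.com/{POOL}/attribute.reusable_workflow_run/"
    "event_name:push:repository_owner_id:39153523:reusable_workflow_ref:"
    "kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/main"
)


def map_reusable_workflow_run(claims: dict) -> str:
    """Python equivalent of the CEL mapping for attribute.reusable_workflow_run."""
    return (
        "event_name:" + claims["event_name"]
        + ":repository_owner_id:" + claims["repository_owner_id"]
        + ":reusable_workflow_ref:" + claims["job_workflow_ref"]
    )


def passes_attribute_condition(claims: dict) -> bool:
    """attribute_condition = "attribute.repository_owner_id == 39153523".
    A token failing this is refused at the token exchange, before any IAM lookup."""
    return claims["repository_owner_id"] == KYMA_PROJECT_OWNER_ID


def principal_set(claims: dict) -> str:
    """principalSet identifier GCP derives for this token's mapped attribute."""
    return (f"principalSet://iam.googleapis.com/{POOL}/attribute.reusable_workflow_run/"
            + map_reusable_workflow_run(claims))


def prod_repo_access(claims: dict) -> str:
    """Outcome against the prod Artifact Registry binding created in the plan."""
    if not passes_attribute_condition(claims):
        return "rejected_by_attribute_condition"
    if principal_set(claims) == IMAGE_SYNCER_MEMBER:
        return "roles/artifactregistry.createOnPushWriter"
    return "no_binding"


# Constructed sample claims (subset of a GitHub Actions OIDC token).
PUSH_MAIN = {"event_name": "push", "repository_owner_id": "39153523",
             "job_workflow_ref": "kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/main"}
PULL_REQUEST = {**PUSH_MAIN, "event_name": "pull_request"}  # PR runs get no write binding
FEATURE_BRANCH = {**PUSH_MAIN,  # same workflow from a non-main ref: not bound either
                  "job_workflow_ref": "kyma-project/test-infra/.github/workflows/image-syncer.yml@refs/heads/feature"}
FOREIGN_ORG = {**PUSH_MAIN, "repository_owner_id": "1"}  # constructed id, another org

if __name__ == "__main__":
    for name, c in [("push main", PUSH_MAIN), ("pull_request", PULL_REQUEST),
                    ("feature branch", FEATURE_BRANCH), ("foreign org", FOREIGN_ORG)]:
        print(f"{name:15} -> {prod_repo_access(c)}")
```

The 403 in the apply log is a separate issue from the member string: the error names `projects/sap-kyma-prow/.../repositories/prod` while the imported repository lives in `kyma-project`, which suggests the binding's `project = (known after apply)` resolved to the provider default rather than the repository's project.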

@Sawthis Sawthis assigned dekiel and unassigned Sawthis Sep 9, 2024
@dekiel dekiel deleted the tf-for-image-syncer branch October 18, 2024 20:06
Labels
add-or-update cla: yes Indicates the PR's author has signed the CLA. lgtm Looks good to me! size/L Denotes a PR that changes 100-499 lines, ignoring generated files.