GoogleCloudPlatform / deploymentmanager-samples

Deployment Manager samples and templates.
Apache License 2.0

How to create project using Jinja & Yaml file #529

Open SprintCT opened 4 years ago

SprintCT commented 4 years ago

Hi,

As per the document below, I have created Jinja and YAML files. My account has been given the role roles/resourcemanager.folderCreator. I also created a SA and added an IAM binding for this role to my SA. When I tried to execute the template below in Deployment Manager, it failed with the following error:

Reference URL for Jinja and Yaml file:

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/e22fd9592e5c3db15918e4ca0d10baa820851d5b/google/resource-snippets/cloudresourcemanager-v1/project.yaml

My code:

Folder.jinja resources:

Error:

message: '{"ResourceType":"gcp-types/cloudresourcemanager-v2:folders","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v2/folders","httpMethod":"POST"}}'

Note: However, the same SA is working in Terraform code to create a project/folder. It is not working in Deployment Manager.

Kindly advise me how to use the project creation Jinja/YAML file in GCP Deployment Manager.

ocsig commented 4 years ago

Hi,

I would like to highlight the Cloud Foundation Toolkit Project Factory template for project automation. It is well documented and tested, and contains many features you will likely want for project automation.

Furthermore, if you look at its code (schema and examples), you may find many of the implementation tricks you are looking for.

If you check the link, the README has detailed prerequisites which may also help you.

To actually answer your question, can you please confirm which SA you set the roles/resourcemanager.folderCreator role on? My intuition says you did not set the IAM role for the DM SA at the Organization level, so it cannot create a folder under the organization.

  1. Find the Cloud Services service account associated with the DM Creation Project.

    It is formatted as <project_number>@cloudservices.gserviceaccount.com, and is listed under IAM & Admin in Google Cloud Console. This account is henceforth referred to as the DM Service Account. See https://cloud.google.com/resource-manager/docs/access-control-proj.

SprintCT commented 4 years ago

Thank you, it is well documented. Now I can do folder creation and project creation. However, I'm facing an issue with folder and project creation in a single file using Jinja, not Python.

Please see the issue:

Hi Team,

I'm doing project factory automation in a Jinja file. However, I faced an issue while splitting the folder name and folder ID from the folder API. Please find the steps below for more details.

Step 1: I have created a folder using the code below and it was successfully created.

resources:

Step 2: once created, I need the folder ID to pass the value into parent->id of the project.

I'm getting an error that the above split command is not working. Kindly assist me with how to split the above value.

Example: the output of the inline reference value for the newly created folder name is core/123456789. I want to split it so that the folder name is core and the folder ID is 123456789, with the above Jinja file.

ocsig commented 4 years ago

TL;DR: You can't do string manipulation on references.

Unfortunately, it is a known limitation of how Deployment Manager works. The short advice is to manage folders and projects from separate deployments. There is a detailed thread with answers here: #353.

SprintCT commented 4 years ago

Hi, thank you. I have created a project based on the Python above. However, I am unable to link billing to the new projects in Deployment Manager.

Step1 :

The DM service account (@cloudservices.gserviceaccount.com) has the roles below:

"Project Billing Manager, Billing Account User, Project Creator".

My Deployment Manager account (<personalname>@<domain.com>) also has the same privileges.

Outside of Deployment Manager it works fine with my personal account, as mentioned below: when I use the gcloud command I can link the billing account to the new project, I can link it manually, and I also tried an API call via the Google API URL and it works fine.

However, when I use the same in Deployment Manager via a YAML file, it fails due to a permission issue. Since the DM service account (@cloudservices.gserviceaccount.com) and my personal account (<personalname>@<domain.com>) have the same roles, may I know why it is failing due to permissions?

The only difference is that my personal account (<personalname>@<domain.com>) is mapped into the billing admin group in G Suite. However, the DM service account (@cloudservices.gserviceaccount.com) is not in the G Suite group, so do we need to add this DM service account (@cloudservices.gserviceaccount.com) to the billing admin G Suite group?

ocsig commented 4 years ago

"Since the DM service account (@cloudservices.gserviceaccount.com) and my personal account (<personalname>@<domain.com>) have the same roles, may I know why it is failing due to permissions?"

I believe that is a misunderstanding of how DM/IAM works. The Deployment Manager SA does not get any IAM permissions from you, or from whoever triggers the deployment.

The DM SA is by default Project Editor within the project where the deployment is created. Beyond that, IAM permissions have to be added to that particular SA to perform actions. So if you want the DM SA to manage something outside the project, like a billing account, you need to set the permission either directly or indirectly.

(Other note: G Suite groups/Cloud Identity groups are inherited in GCP, so you can set IAM permissions for users or SAs via group membership as well.)

Let me know if this cleared up your situation.

SprintCT commented 4 years ago

Apologies, I am unable to get it; I need more details.

1) I have created a demo org (for testing the automation).
2) I have created the sample project in the demo org (the initial project for the DM service account).
3) I have linked the billing account of the sample project in the demo org.
4) My billing account is in the billing org.
5) My personal ID has access to the billing account and to both orgs (demo and billing) with admin privileges.
6) I have created a new project using the Python code above. However, it is failing while linking the billing account to my new project in the demo org.
7) When I try to link billing to the new project in the demo org using my personal account, it works.
8) When I use the Google API URL https://cloud.google.com/billing/reference/rest/v1/projects/updateBillingInfo with my personal account, it works.
9) However, when I try with Python and YAML, the deployment is failing due to

My question is: since my personal account and the DM service account have the same permissions in IAM and the project, may I know why it is failing in Deployment Manager? Is there any role I need to set up in IAM, or do I need to add the billing admin privilege to my DM service account on the billing account and the respective billing org? Or kindly advise me how to sort out this issue.

Error: ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation : errors:

ocsig commented 4 years ago

"Since my personal account and the DM service account have the same permissions in IAM"

Can you please confirm to me whether the service account that DM is using for your deployment (<project_number>@cloudservices.gserviceaccount.com) has Billing Account User (or Admin) rights ON the billing account you are trying to attach?

You can check it here: gcloud beta billing accounts get-iam-policy 012345-678901-012345

CFT Project Factory Readme

7 Create/find the Billing Account associated with the Organization. See: https://cloud.google.com/support/billing/. Take note of the Billing Account's ID, which is formatted as follows:00E12A-0AB8B2-078CE8.

8 Give the DM Service Account the following permissions on the Billing Account: roles/billing.user. This is visible in Cloud Console's IAM permissions in Billing -> Billing Account User.
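The check in this reply (does the DM Service Account hold roles/billing.user on the billing account?) and the one in the earlier reply (does it hold roles/resourcemanager.folderCreator at the organization level?) are the same kind of IAM policy inspection. The script below is an added example for this thread, not code from deploymentmanager-samples or the CFT Project Factory. It reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud beta billing accounts get-iam-policy BILLING_ID --format=json` produce, reports which required roles the DM Service Account lacks as a direct binding, flags roles that are held only through a group (the situation in this thread, which only a group membership lookup can settle), and emits the `add-iam-policy-binding` commands to fix the gaps. The project number, organization ID, billing account ID and both policies are constructed sample values, not data from this issue.

```python
"""Audit an IAM policy for the Deployment Manager service account's bindings.

Added example for this thread, not code from deploymentmanager-samples or the
CFT Project Factory. The policies, IDs and project number below are constructed.
"""
import json

DM_SA_DOMAIN = "cloudservices.gserviceaccount.com"

# Constructed: the number of the project that hosts the deployment.
DM_PROJECT_NUMBER = "123456789012"


def dm_service_account(project_number):
    """IAM member string of the DM Service Account (<project_number>@cloudservices...)."""
    return f"serviceAccount:{project_number}@{DM_SA_DOMAIN}"


def load_policy(text):
    """Parse the output of `gcloud ... get-iam-policy --format=json`."""
    return json.loads(text)


def role_bindings(policy, role, member):
    """Return (bound_directly, groups) for one role.

    bound_directly: member appears in an unconditional binding for role.
    groups: every group bound to role; the SA may hold the role through one of
    them, which an offline policy read cannot resolve, so the caller is told
    to check membership instead of assuming the role is missing.
    """
    direct = False
    groups = []
    for binding in policy.get("bindings", []):
        # Skip other roles and conditional bindings (a condition may not apply).
        if binding.get("role") != role or binding.get("condition"):
            continue
        members = binding.get("members", [])
        if member in members:
            direct = True
        groups.extend(m for m in members if m.startswith("group:"))
    return direct, groups


def missing_roles(policy, member, roles):
    """Roles not directly granted to member, each paired with the groups that hold it."""
    missing = []
    for role in roles:
        direct, groups = role_bindings(policy, role, member)
        if not direct:
            missing.append((role, groups))
    return missing


def grant_commands(resource, resource_id, member, roles):
    """gcloud commands that add the bindings on an organization or billing account."""
    base = {
        "organization": f"gcloud organizations add-iam-policy-binding {resource_id}",
        "billing-account": f"gcloud beta billing accounts add-iam-policy-binding {resource_id}",
    }[resource]
    return [f"{base} --member={member} --role={role}" for role in roles]


def audit(project_number, org_id, org_policy_json, billing_id, billing_policy_json):
    """Return the fix commands plus the roles that are only reachable via a group."""
    sa = dm_service_account(project_number)
    org_missing = missing_roles(load_policy(org_policy_json), sa,
                                ["roles/resourcemanager.folderCreator"])
    billing_missing = missing_roles(load_policy(billing_policy_json), sa,
                                    ["roles/billing.user"])
    commands = grant_commands("organization", org_id, sa, [r for r, _ in org_missing])
    commands += grant_commands("billing-account", billing_id, sa, [r for r, _ in billing_missing])
    check_groups = [(r, g) for r, g in org_missing + billing_missing if g]
    return {"commands": commands, "check_groups": check_groups}


# Constructed sample: only a human holds folderCreator at the organization.
ORG_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.folderCreator",
     "members": ["user:admin@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:admin@example.com",
                 "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
"""

# Constructed sample: billing.user is granted only to a G Suite group.
BILLING_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/billing.admin", "members": ["user:admin@example.com"]},
    {"role": "roles/billing.user",
     "members": ["user:admin@example.com", "group:billing-admins@example.com"]}
  ],
  "etag": "BwAbc456",
  "version": 1
}
"""

if __name__ == "__main__":
    result = audit(DM_PROJECT_NUMBER, "111111111111", ORG_POLICY_JSON,
                   "012345-678901-012345", BILLING_POLICY_JSON)
    for role, groups in result["check_groups"]:
        print(f"# {role} is held by {groups}; confirm the DM SA is a member before binding directly")
    for cmd in result["commands"]:
        print(cmd)
```

Conditional bindings are treated as not granting the role, which is the conservative reading for a service account that runs unattended. Adding a direct binding for a role the SA already receives through a group is harmless, but the group note lets you choose the group route instead, which is what the thread ends up doing.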

SprintCT commented 4 years ago

Hi,

Thank you. Once I added the DM service account to the billing account via G Suite, it is working fine. However, now I am facing an issue adding assets in Security Command Center for the respective org. This means, as per the project factory, I have to add this new project to the assets of Security Command Center to enable vulnerability scanning. Since there is no gcp-type for SCC, I am unable to add it. Is there any gcp-type for SCC, or should I execute the gcloud command from a DM template?