Open obriensystems opened 1 year ago
Remove Access Context Manager Policy
- Display name: tspevsc_tlsacm_vsc
- Resource type: identity.accesscontextmanager.googleapis.com/AccessPolicy
- Name: //accesscontextmanager.googleapis.com/accessPolicies/1021375921638
- Organization: organizations/131880894992
- Parent asset type: cloudresourcemanager.googleapis.com/Organization
- Parent full resource name: //cloudresourcemanager.googleapis.com/organizations/131880894992
Created an ACM at the org level on another org to compare - console does not see the TF created one - but the console created one is there
checking delete API
Actually it is an access policy not an access level
A VPC Service Control - access policy
delete vpc sc
add IAM role https://cloud.google.com/access-context-manager/docs/manage-access-policy#delete
get ID from asset inventory under identity.AccessPolicy
enable role, delete vpc sc
```
root_@cloudshell:~ (lz-tls)$ gcloud access-context-manager policies delete accessPolicies/1021375921638
You are about to delete policy [1021375921638]
Do you want to continue (Y/n)? y
API [accesscontextmanager.googleapis.com] not enabled on project [308673020059]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [accesscontextmanager.googleapis.com] on project [308673020059]...
Operation "operations/acat.p2-308673020059-bb01eee4-4f53-469f-987f-5179f0c8f6c6" finished successfully.
Deleted policy [1021375921638].
```
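The steps in this thread (look the policy up in Cloud Asset Inventory under identity.AccessPolicy, then delete it by ID) can be scripted so the ID is never retyped by hand. The snippet below is an added example, not code from this issue or from the pbmm-on-gcp-onboarding repo: it converts the asset "Name" value into the `accessPolicies/<id>` form that `gcloud access-context-manager policies delete` accepts, builds the command, and only executes it when `ACM_DRY_RUN=0` is set and gcloud is on the PATH. The sample asset name and the `ACM_DRY_RUN` variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue or the pbmm-on-gcp-onboarding repo): derive the
# Access Context Manager policy ID from the full resource name shown in Cloud Asset
# Inventory and build the matching gcloud delete command. Defaults to a dry run so
# it can be exercised offline; set ACM_DRY_RUN=0 to actually run the command.

# Constructed sample: the "Name" field of an identity.AccessPolicy asset.
SAMPLE_ASSET_NAME='//accesscontextmanager.googleapis.com/accessPolicies/1021375921638'

# Strip the service prefix, leaving the "accessPolicies/<id>" form gcloud accepts.
policy_resource_from_asset() {
  name="$1"
  case "$name" in
    //accesscontextmanager.googleapis.com/accessPolicies/*)
      printf '%s\n' "${name#//accesscontextmanager.googleapis.com/}" ;;
    accessPolicies/*)
      printf '%s\n' "$name" ;;
    *)
      printf 'not an AccessPolicy asset name: %s\n' "$name" >&2
      return 1 ;;
  esac
}

# Numeric ID only, for cross-checking against the console or asset inventory.
policy_id_from_asset() {
  res=$(policy_resource_from_asset "$1") || return 1
  printf '%s\n' "${res#accessPolicies/}"
}

# Build the delete command as a string. --quiet skips the interactive confirmation,
# so only emit it once the ID has been verified against the asset inventory.
delete_command() {
  res=$(policy_resource_from_asset "$1") || return 1
  printf 'gcloud access-context-manager policies delete %s --quiet\n' "$res"
}

# Print the command (default) or run it when ACM_DRY_RUN=0.
delete_access_policy() {
  cmd=$(delete_command "$1") || return 1
  if [ "${ACM_DRY_RUN:-1}" != "0" ]; then
    printf 'dry run: %s\n' "$cmd"
    return 0
  fi
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found" >&2; return 1; }
  sh -c "$cmd"
}

delete_access_policy "$SAMPLE_ASSET_NAME"
```

Pass the full asset name as the only argument. Because the delete happens without a confirmation prompt, keep the dry-run default until the printed ID matches the policy you intend to remove; the caller still needs the IAM role linked earlier in this thread, and the API enablement prompt seen above will not appear under `--quiet`, so enable accesscontextmanager.googleapis.com on the project first.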
common ok
rerunning non-prod (2_folders is up now) prod ok
prod - need to rename project - as deleted 30 day project still up after billing quota error earlier
```
Step #4 - "tf apply": │ Error: error creating project tzpe-tlz-tlzprod-host2 (TzPe-tlz-tlzprod-host2): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
Step #4 - "tf apply": │
Step #4 - "tf apply": │ with module.net-host-prj.module.project.google_project.project,
Step #4 - "tf apply": │ on ../../modules/project/main.tf line 19, in resource "google_project" "project":
Step #4 - "tf apply": │ 19: resource "google_project" "project" {
```
fix
```hcl
prod_host_net = {
  user_defined_string            = "tlzprod" # Must be globally unique. Used to create project name
  additional_user_defined_string = "host3"   # "host2"
```
```
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git status
On branch main
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   environments/prod/prod-network.auto.tfvars

no changes added to commit (use "git add" and/or "git commit -a")
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git add environments/
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git commit -m "new proj name for prod"
[main 6da67af] new proj name for prod
 1 file changed, 1 insertion(+), 1 deletion(-)
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git push csr main
```
prod ok
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4
Currently only 1 LZ can be installed per org until we refactor org level collisions
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#security---access-context-manager
Access Context Manager - Access Level and VPC Service Control - Access Policy https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#security---vpc-service-controls
common