Closed obriensystems closed 4 months ago
before - no access as expected
after
in prod
Step #3 - "tf plan": Terraform will perform the following actions:
Step #3 - "tf plan":
Step #3 - "tf plan": # module.prod-client-prj.google_project_service.project_services["bigquery.googleapis.com"] will be created
Step #3 - "tf plan": + resource "google_project_service" "project_services" {
Step #3 - "tf plan": + disable_dependent_services = true
Step #3 - "tf plan": + disable_on_destroy = true
Step #3 - "tf plan": + id = (known after apply)
Step #3 - "tf plan": + project = "tzpe-tlz-prd-client8"
Step #3 - "tf plan": + service = "bigquery.googleapis.com"
Step #3 - "tf plan": }
Step #3 - "tf plan":
Step #3 - "tf plan": # module.prod-client-prj.google_project_service.project_services["bigquerymigration.googleapis.com"] will be created
Step #3 - "tf plan": + resource "google_project_service" "project_services" {
Step #3 - "tf plan": + disable_dependent_services = true
Step #3 - "tf plan": + disable_on_destroy = true
Step #3 - "tf plan": + id = (known after apply)
Step #3 - "tf plan": + project = "tzpe-tlz-prd-client8"
Step #3 - "tf plan": + service = "bigquerymigration.googleapis.com"
Step #3 - "tf plan": }
Step #3 - "tf plan":
Step #3 - "tf plan": # module.prod-client-prj.google_project_service.project_services["bigquerystorage.googleapis.com"] will be created
Step #3 - "tf plan": + resource "google_project_service" "project_services" {
Step #3 - "tf plan": + disable_dependent_services = true
Step #3 - "tf plan": + disable_on_destroy = true
Step #3 - "tf plan": + id = (known after apply)
Step #3 - "tf plan": + project = "tzpe-tlz-prd-client8"
Step #3 - "tf plan": + service = "bigquerystorage.googleapis.com"
and in common
Step #3 - "tf plan": # module.iam-groups-role_opsadmin.module.organization_iam["group:opsadmin@terraform.landing.systems"].google_organization_iam_member.organization["roles/bigquery.admin"] will be created
Step #3 - "tf plan": + resource "google_organization_iam_member" "organization" {
Step #3 - "tf plan": + etag = (known after apply)
Step #3 - "tf plan": + id = (known after apply)
Step #3 - "tf plan": + member = "group:opsadmin@terraform.landing.systems"
Step #3 - "tf plan": + org_id = "131880894992"
Step #3 - "tf plan": + role = "roles/bigquery.admin"
Step #3 - "tf plan": }
Step #3 - "tf plan":
Step #3 - "tf plan": # module.iam-groups-role_read.module.organization_iam["group:read@terraform.landing.systems"].google_organization_iam_member.organization["roles/bigquery.admin"] will be created
Step #3 - "tf plan": + resource "google_organization_iam_member" "organization" {
Step #3 - "tf plan": + etag = (known after apply)
Step #3 - "tf plan": + id = (known after apply)
Step #3 - "tf plan": + member = "group:read@terraform.landing.systems"
Step #3 - "tf plan": + org_id = "131880894992"
Step #3 - "tf plan": + role = "roles/bigquery.admin"
Step #3 - "tf plan": }
check limited access
getting iam admin via group role
although only the terraform service account can modify group membership
removing opsadmin group role
diff --git a/environments/common/iam-groups.auto.tfvars b/environments/common/iam-groups.auto.tfvars
index 019403f..dd6fdab 100644
--- a/environments/common/iam-groups.auto.tfvars
+++ b/environments/common/iam-groups.auto.tfvars
@@ -32,7 +32,7 @@ iam-group_opsadmin = {
domain = "terraform.landing.systems"
#owners = ["ro..ding.systems"]#, "tfsa..tlz-tlz-de.iam.gserviceaccount.com"] # var.service_accounts
#managers = ["roo..m.landing.systems"]
- members = ["root..stems", "devel...landing.systems"]
+ members = ["roo..landing.systems"]
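Review bot: the hunk removes one entry from `members` of `iam-group_opsadmin` but leaves the commented-out `#owners` and `#managers` lines directly above it; either delete them or say in a comment why they are kept, since stale commented settings next to a live `members` list make later reviews of this group harder. It would also help to state in the change description which member is being dropped and why, because the common plan above still binds this group to `roles/bigquery.admin` at the organization, so anyone left in `members` keeps that access across every project.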
test results in #279
membership renewal in this case can be done without tearing down the group first - additive not authoritative
Step #3 - "tf plan": Terraform will perform the following actions:
Step #3 - "tf plan":
Step #3 - "tf plan": # module.group_opsadmin.google_cloud_identity_group_membership.members["developer@terraform.landing.systems"] will be destroyed
Step #3 - "tf plan": - resource "google_cloud_identity_group_membership" "members" {
Step #3 - "tf plan": - create_time = "2023-08-02T17:07:46.973190Z" -> null
Step #3 - "tf plan": - group = "groups/00gjdgxs0p378zo" -> null
Step #3 - "tf plan": - id = "groups/00gjdgxs0p378zo/memberships/118409452485276160936" -> null
Step #3 - "tf plan": - name = "groups/00gjdgxs0p378zo/memberships/118409452485276160936" -> null
Step #3 - "tf plan": - type = "USER" -> null
Step #3 - "tf plan": - update_time = "2023-08-02T17:07:46.973190Z" -> null
Step #3 - "tf plan":
Step #3 - "tf plan": - member_key {
Step #3 - "tf plan": - id = "developer@terraform.landing.systems" -> null
Step #3 - "tf plan": }
Step #3 - "tf plan":
Step #3 - "tf plan": - preferred_member_key {
Step #3 - "tf plan": - id = "developer@terraform.landing.systems" -> null
Step #3 - "tf plan": }
Step #3 - "tf plan":
Step #3 - "tf plan": - roles {
Step #3 - "tf plan": - name = "MEMBER" -> null
Step #3 - "tf plan": }
Step #3 - "tf plan": }
verified lower iam permissions on dev user
big query ok on the org - reduce to the project; projects are limited
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4
Update: investigate owner role on project or superfolder and folderIAMAdmin
Update: lay out prod/non-prod folder structure
follow document ai canary at https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/canary/solutions/document-processing/gcloud/deployment.sh#L88
https://cloud.google.com/bigquery/docs/access-control#bq-permissions https://cloud.google.com/bigquery/docs/access-control#bigquery
training https://www.cloudskillsboost.google/focuses/1145?parent=catalog
Roles
Services
Big Query is usually enabled by default on a project - but the lz workflow has it unset - fixing
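The two changes discussed in this thread, enabling the BigQuery APIs on the client project and narrowing the opsadmin group's `roles/bigquery.admin` grant from the organization to the project, as one added Terraform example. This is not the repository's own module code; the project id, org id, group and service names are copied from the plan output above, and the variable and resource names (`var.project_id`, `var.opsadmin_group`, `google_project_service.bigquery`, `google_project_iam_member.bq_admin_project`) are assumptions for the example.

```hcl
# Added example, not code from the pbmm-on-gcp-onboarding repository.
# Assumed names: var.project_id, var.opsadmin_group, local.bigquery_services.

variable "project_id" {
  type    = string
  default = "tzpe-tlz-prd-client8" # value taken from the plan output above
}

variable "opsadmin_group" {
  type    = string
  default = "group:opsadmin@terraform.landing.systems" # from the plan output above
}

locals {
  # The three services the prod plan above creates on the client project.
  bigquery_services = [
    "bigquery.googleapis.com",
    "bigquerymigration.googleapis.com",
    "bigquerystorage.googleapis.com",
  ]
}

# Enable the APIs on the project. Mirrors the google_project_service resources
# in the plan. disable_on_destroy = true means a `terraform destroy` (or removing
# the resource) turns the API back off, which is what the plan output shows.
resource "google_project_service" "bigquery" {
  for_each = toset(local.bigquery_services)

  project                    = var.project_id
  service                    = each.value
  disable_dependent_services = true
  disable_on_destroy         = true
}

# Weak setting, shown for comparison only: this is what the "common" plan above
# creates, BigQuery admin on every project under the organization.
#
# resource "google_organization_iam_member" "bq_admin_org" {
#   org_id = "131880894992"   # from the plan output above
#   role   = "roles/bigquery.admin"
#   member = var.opsadmin_group
# }

# Corrected setting: the same role, scoped to the single client project.
# google_project_iam_member is additive (non-authoritative), so other bindings
# already on the project are left untouched, in the same sense as the membership
# note above about additive vs authoritative changes.
resource "google_project_iam_member" "bq_admin_project" {
  project = var.project_id
  role    = "roles/bigquery.admin"
  member  = var.opsadmin_group

  # Enable the APIs before granting the role so the plan applies in one pass.
  depends_on = [google_project_service.bigquery]
}
```

After apply, the scoping can be checked from the project's IAM policy with `gcloud projects get-iam-policy tzpe-tlz-prd-client8 --flatten="bindings[].members" --filter="bindings.role:roles/bigquery.admin"`, which should list the group at the project, while `gcloud organizations get-iam-policy 131880894992` should no longer show it for that role once the organization-level binding is removed.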
add