obriensystems
commented
2 months ago checking gcp_bootstrap plan service account
_TF_SA_EMAIL
sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com
Access Context Manager Admin
Artifact Registry Administrator
Browser
Cloud Build Editor
Cloud Build WorkerPool Owner
Cloud Scheduler Admin
Compute Network Admin
DNS Administrator
IAM Workload Identity Pool Admin
Logs Writer
Organization Administrator
Project Deleter
Service Account Admin
Service Usage Consumer
Source Repository Administrator
Storage Admin
Workflows Admin
try
roles/identity.platformAdmin
not
roles/identity.organizationViewer
see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/sa.tf#L117
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
"roles/cloudbuild.workerPoolOwner",
"roles/artifactregistry.admin",
"roles/source.admin",
"roles/iam.serviceAccountAdmin",
"roles/workflows.admin",
"roles/cloudscheduler.admin",
"roles/resourcemanager.projectDeleter",
"roles/dns.admin",
"roles/iam.workloadIdentityPoolAdmin",
],
}
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index e0ed0da..2c6d293 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -116,6 +116,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git add envs/shared/sa.tf
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git commit -m 'add identity admin for validate error'
[plan 0f76325] add identity admin for validate error
1 file changed, 1 insertion(+)
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git status
On branch plan
Your branch is ahead of 'origin/plan' by 1 commit.
(use "git push" to publish your local commits)
nothing to commit, working tree clean
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 9, done.
Counting objects: 100% (9/9), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 450 bytes | 450.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3)
remote: Waiting for private key checker: 1/1 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-bootstrap
e8bdf0f..0f76325 plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.
didnt work - but 17 roles did not update either - putting at the org level
granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
"roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
], local.common_roles)),
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index 2c6d293..471dc13 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -33,6 +33,7 @@ locals {
granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
+ "roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
@@ -116,7 +117,6 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
- "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git add envs/shared/sa.tf
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git commit -m 'add identity admin for validate error - org'
[plan b420e53] add identity admin for validate error - org
1 file changed, 1 insertion(+), 1 deletion(-)
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git push --set-upstream origin planbefore
after
- failure - waiting on role arrival in iam
wrong context - should be seed SA not cicd SA
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index 471dc13..2ccccb0 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -33,7 +33,6 @@ locals {
granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
- "roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
@@ -95,6 +94,7 @@ locals {
// Roles required to manage resources in the Seed project
granular_sa_seed_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectDeleter",
@@ -117,6 +117,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",As a check adding identityAdmin to my sa
of course - I am running plan only - not apply - need to add a named environment branch "production"
or manually via https://github.com/terraform-google-modules/terraform-example-foundation/issues/889 https://github.com/terraform-google-modules/terraform-example-foundation/issues/42
try bootstrap outside of cloud build first - as plan will not run until the role is added via apply - catch 22
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index e0ed0da..2ccccb0 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
@@ -94,6 +94,7 @@ locals {
// Roles required to manage resources in the Seed project
granular_sa_seed_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectDeleter",
@@ -116,6 +117,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
diff --git a/1-org/README.md b/1-org/README.mdI am hoping the state file will not get corrupted if applied locally instead of in cloud build - as long as that user never gets changed again
Terraform will perform the following actions:
# module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"] will be created
+ resource "google_project_iam_member" "project_parent_iam" {
+ etag = (known after apply)
+ id = (known after apply)
+ member = "serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
+ project = "prj-b-cicd-82vv"
+ role = "roles/identity.platformAdmin"
}
# module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"] will be created
+ resource "google_project_iam_member" "project_parent_iam" {
+ etag = (known after apply)
+ id = (known after apply)
+ member = "serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
+ project = "prj-b-seed-8919"
+ role = "roles/identity.platformAdmin"
}
Plan: 2 to add, 0 to change, 0 to destroy.
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"]: Creating...
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"]: Creating...
╷
│ Error: Request `Create IAM Members roles/identity.platformAdmin serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com for project "prj-b-cicd-82vv"` returned error: Error applying IAM policy for project "prj-b-cicd-82vv": Error setting IAM policy for project "prj-b-cicd-82vv": googleapi: Error 400: Role roles/identity.platformAdmin is not supported for this resource., badRequest
│
│ with module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"],
│ on modules/parent-iam-member/main.tf line 39, in resource "google_project_iam_member" "project_parent_iam":
│ 39: resource "google_project_iam_member" "project_parent_iam" {
│
╵
╷
│ Error: Request `Create IAM Members roles/identity.platformAdmin serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com for project "prj-b-seed-8919"` returned error: Error applying IAM policy for project "prj-b-seed-8919": Error setting IAM policy for project "prj-b-seed-8919": googleapi: Error 400: Role roles/identity.platformAdmin is not supported for this resource., badRequest
│
│ with module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"],
│ on modules/parent-iam-member/main.tf line 39, in resource "google_project_iam_member" "project_parent_iam":
│ 39: resource "google_project_iam_member" "project_parent_iam" {
│
add to https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/README.md#deploying-with-cloud-build
similar to step 9 of https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/1-org/README.md#deploying-with-cloud-build
Initial run will see 1: tf plan validate all errors like