Open obriensystems opened 2 months ago
checking gcp_bootstrap plan service account
_TF_SA_EMAIL = sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com
Access Context Manager Admin
Artifact Registry Administrator
Browser
Cloud Build Editor
Cloud Build WorkerPool Owner
Cloud Scheduler Admin
Compute Network Admin
DNS Administrator
IAM Workload Identity Pool Admin
Logs Writer
Organization Administrator
Project Deleter
Service Account Admin
Service Usage Consumer
Source Repository Administrator
Storage Admin
Workflows Admin
try roles/identity.platformAdmin, not roles/identity.organizationViewer
see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/sa.tf#L117
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
"roles/cloudbuild.workerPoolOwner",
"roles/artifactregistry.admin",
"roles/source.admin",
"roles/iam.serviceAccountAdmin",
"roles/workflows.admin",
"roles/cloudscheduler.admin",
"roles/resourcemanager.projectDeleter",
"roles/dns.admin",
"roles/iam.workloadIdentityPoolAdmin",
],
}
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index e0ed0da..2c6d293 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -116,6 +116,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
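Review bot: the project-level grant added at the top of the `bootstrap` list, `"roles/identity.platformAdmin"`, should be checked for grantability on a project before it goes into `granular_sa_cicd_project`: the apply output later in this thread rejects exactly this binding on `prj-b-cicd-82vv` with `Error 400: Role roles/identity.platformAdmin is not supported for this resource`. Run `gcloud iam roles describe roles/identity.platformAdmin` to confirm the role id exists and check the predefined-roles reference for the lowest resource level at which it can be granted, and have the commit message name the actual validate error the role is meant to fix rather than just "validate error".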
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git add envs/shared/sa.tf
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git commit -m 'add identity admin for validate error'
[plan 0f76325] add identity admin for validate error
1 file changed, 1 insertion(+)
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git status
On branch plan
Your branch is ahead of 'origin/plan' by 1 commit.
(use "git push" to publish your local commits)
nothing to commit, working tree clean
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 9, done.
Counting objects: 100% (9/9), done.
Delta compression using up to 4 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 450 bytes | 450.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3)
remote: Waiting for private key checker: 1/1 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-bootstrap
e8bdf0f..0f76325 plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.
didn't work - but the 17 roles did not update either - putting it at the org level

granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
"roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
], local.common_roles)),
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index 2c6d293..471dc13 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -33,6 +33,7 @@ locals {
granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
+ "roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
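Review bot: moving `"roles/identity.platformAdmin"` into `granular_sa_org_level_roles` widens the grant from one project to the entire organization for the bootstrap service account, which is a least-privilege regression that needs a justification in the commit. The preceding note says the project-level grant "didn't work" but records no error text; capture the actual validate error before raising the scope, since `distinct(concat(...))` will happily accept any string here and the failure will only surface at apply time against the organization.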
@@ -116,7 +117,6 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
- "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
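Review bot: this removal, taken with the org-level addition in the hunk above, relocates the role rather than duplicating it, which is the right shape for the change, but the commit message `add identity admin for validate error - org` describes only the addition; mention the removal from `granular_sa_cicd_project` so the history shows the grant was moved, not granted at two levels.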
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git add envs/shared/sa.tf
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git commit -m 'add identity admin for validate error - org'
[plan b420e53] add identity admin for validate error - org
1 file changed, 1 insertion(+), 1 deletion(-)
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git push --set-upstream origin plan
before
after
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index 471dc13..2ccccb0 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -33,7 +33,6 @@ locals {
granular_sa_org_level_roles = {
"bootstrap" = distinct(concat([
- "roles/identity.platformAdmin",
"roles/resourcemanager.organizationAdmin",
"roles/accesscontextmanager.policyAdmin",
"roles/serviceusage.serviceUsageConsumer",
@@ -95,6 +94,7 @@ locals {
// Roles required to manage resources in the Seed project
granular_sa_seed_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectDeleter",
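Review bot: `granular_sa_seed_project` now grants `roles/identity.platformAdmin` on the seed project `prj-b-seed-8919`, where the bootstrap SA itself lives, and the next hunk repeats it on the CI/CD project; the plan output further down shows both `google_project_iam_member` bindings being created and the apply rejecting both with the identical `Role roles/identity.platformAdmin is not supported for this resource` error. The same 400 on two different projects means trying yet another project scope will not help; confirm the role id and the resource level it can be bound to before re-adding it anywhere.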
@@ -117,6 +117,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
As a check adding identityAdmin to my sa
of course - I am running plan only - not apply - need to add a named environment branch "production"
or manually via https://github.com/terraform-google-modules/terraform-example-foundation/issues/889 https://github.com/terraform-google-modules/terraform-example-foundation/issues/42
diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf
index e0ed0da..2ccccb0 100644
--- a/0-bootstrap/sa.tf
+++ b/0-bootstrap/sa.tf
@@ -94,6 +94,7 @@ locals {
// Roles required to manage resources in the Seed project
granular_sa_seed_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectDeleter",
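Review bot: the index line `e0ed0da..2ccccb0` matches the blob ids of `envs/shared/sa.tf` in the CI/CD repo, so this hunk against the upstream `0-bootstrap/sa.tf` is the same seed-project grant already shown to fail at apply with `Error 400`; it should not land in the upstream copy until the grant level for `roles/identity.platformAdmin` is confirmed, and the two copies of `sa.tf` should be kept in sync deliberately rather than by hand-applied duplicate edits.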
@@ -116,6 +117,7 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
+ "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
diff --git a/1-org/README.md b/1-org/README.md
I am hoping the state file will not get corrupted if applied locally instead of in cloud build - as long as that user never gets changed again
Terraform will perform the following actions:
# module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"] will be created
+ resource "google_project_iam_member" "project_parent_iam" {
+ etag = (known after apply)
+ id = (known after apply)
+ member = "serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
+ project = "prj-b-cicd-82vv"
+ role = "roles/identity.platformAdmin"
}
# module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"] will be created
+ resource "google_project_iam_member" "project_parent_iam" {
+ etag = (known after apply)
+ id = (known after apply)
+ member = "serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
+ project = "prj-b-seed-8919"
+ role = "roles/identity.platformAdmin"
}
Plan: 2 to add, 0 to change, 0 to destroy.
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"]: Creating...
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"]: Creating...
╷
│ Error: Request `Create IAM Members roles/identity.platformAdmin serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com for project "prj-b-cicd-82vv"` returned error: Error applying IAM policy for project "prj-b-cicd-82vv": Error setting IAM policy for project "prj-b-cicd-82vv": googleapi: Error 400: Role roles/identity.platformAdmin is not supported for this resource., badRequest
│
│ with module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"],
│ on modules/parent-iam-member/main.tf line 39, in resource "google_project_iam_member" "project_parent_iam":
│ 39: resource "google_project_iam_member" "project_parent_iam" {
│
╵
╷
│ Error: Request `Create IAM Members roles/identity.platformAdmin serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com for project "prj-b-seed-8919"` returned error: Error applying IAM policy for project "prj-b-seed-8919": Error setting IAM policy for project "prj-b-seed-8919": googleapi: Error 400: Role roles/identity.platformAdmin is not supported for this resource., badRequest
│
│ with module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/identity.platformAdmin"],
│ on modules/parent-iam-member/main.tf line 39, in resource "google_project_iam_member" "project_parent_iam":
│ 39: resource "google_project_iam_member" "project_parent_iam" {
│
Apply to the SA manually - and don't remove changes to the SA from the cb trigger repo
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git diff
diff --git a/envs/shared/sa.tf b/envs/shared/sa.tf
index 2ccccb0..e0ed0da 100644
--- a/envs/shared/sa.tf
+++ b/envs/shared/sa.tf
@@ -94,7 +94,6 @@ locals {
// Roles required to manage resources in the Seed project
granular_sa_seed_project = {
"bootstrap" = [
- "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectDeleter",
@@ -117,7 +116,6 @@ locals {
// Roles required to manage resources in the CI/CD project
granular_sa_cicd_project = {
"bootstrap" = [
- "roles/identity.platformAdmin",
"roles/storage.admin",
"roles/compute.networkAdmin",
"roles/cloudbuild.builds.editor",
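Review bot: with this hunk the file returns to blob `e0ed0da`, so the `plan` branch now carries four commits that net to no change in `envs/shared/sa.tf`, while the comment above says the role was granted to the SA manually instead. Because this module binds roles with non-authoritative `google_project_iam_member` resources (see `modules/parent-iam-member/main.tf` in the error output), Terraform will neither manage nor remove that manual binding; record the exact role, member and resource of the manual grant in the README so it stays reviewable and can be brought back under code once a supported grant level is known.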
still failing. Adding owner to work backwards from a global perspective.
still failing
see https://github.com/hashicorp/terraform-provider-google/issues/8483
parking for now as 0-bootstrap is deployed properly and we don't need the plan cloud build job; the apply cloud build job for 1-org completed ok - moving on to 2-environments
add to https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/README.md#deploying-with-cloud-build
similar to step 9 of https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/1-org/README.md#deploying-with-cloud-build
Initial run will see 1: tf plan validate all errors like