GoogleCloudPlatform / solutions-modern-cicd-anthos

An end-to-end operating model for onboarding and continually deploying services with Anthos.
Apache License 2.0

Deletion and recreation causes stale service account permissions #23

Open viglesiasce opened 4 years ago

viglesiasce commented 4 years ago

Due to the following caveat in IAM: https://cloud.google.com/iam/docs/understanding-service-accounts#deleting_and_recreating_service_accounts

We should instead create a unique name for the service accounts used in the solution.

bgood commented 4 years ago

I think the service accounts that are going stale are getting missed by the destroy script. From what I have seen so far the service accounts in question are:

gitlab-gcs
tf-sa-dev-us-central1
tf-sa-staging-us-central1
tf-sa-prod-us-central1
tf-sa-prod-us-east1

As a workaround, remove all the permissions from the service account and re-add the permissions.

bgood commented 4 years ago

Slight clarification.

The service accounts get deleted as desired, however, the IAM permissions are not removed by the destroy script.
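The check a practitioner would want here is a way to see which IAM bindings are still pointing at the deleted accounts before recreating them. IAM renders such members as `deleted:serviceAccount:NAME@PROJECT.iam.gserviceaccount.com?uid=UID`, so they can be found by prefix. The following is an added example, not code from the repository: it takes a policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, lists the stale bindings, and returns a cleaned copy of the policy with them removed. The sample policy, project id and uids are constructed placeholders.

```python
"""Audit and strip IAM bindings that still refer to deleted service accounts.

Added example, not part of solutions-modern-cicd-anthos.  Operates on a
policy document in the shape `gcloud projects get-iam-policy --format=json`
produces; nothing here calls the IAM API.
"""
import copy
import json
from typing import List, Tuple

# Prefix IAM uses for members whose service account has been deleted.
DELETED_PREFIX = "deleted:serviceAccount:"

# Constructed sample policy (project id and uids are placeholders).
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": [
                "deleted:serviceAccount:gitlab-gcs@example-project.iam.gserviceaccount.com?uid=123456789012345678901",
                "user:alice@example.com",
            ],
        },
        {
            "role": "roles/container.developer",
            "members": [
                "serviceAccount:tf-sa-dev-us-central1@example-project.iam.gserviceaccount.com",
                "deleted:serviceAccount:tf-sa-prod-us-east1@example-project.iam.gserviceaccount.com?uid=210987654321098765432",
            ],
        },
        {
            "role": "roles/viewer",
            "members": [
                "deleted:serviceAccount:tf-sa-staging-us-central1@example-project.iam.gserviceaccount.com?uid=111111111111111111111",
            ],
        },
    ],
    "etag": "BwXample==",
    "version": 1,
}


def stale_members(policy: dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs for every member that refers to a deleted service account."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(DELETED_PREFIX):
                found.append((binding["role"], member))
    return found


def recreated_email(member: str) -> str:
    """Map a deleted-SA member back to the plain email a recreated account with the same name uses.

    'deleted:serviceAccount:NAME@PROJECT.iam.gserviceaccount.com?uid=...'
        -> 'NAME@PROJECT.iam.gserviceaccount.com'
    The recreated account gets a new uid, so the old binding never applies to it.
    """
    if not member.startswith(DELETED_PREFIX):
        raise ValueError(f"not a deleted service account member: {member}")
    return member[len(DELETED_PREFIX):].split("?uid=", 1)[0]


def strip_deleted_members(policy: dict) -> dict:
    """Return a deep copy of the policy with deleted-SA members removed.

    Bindings left with no members are dropped.  The etag is kept unchanged so
    that a subsequent set-iam-policy is rejected if the policy changed meanwhile.
    """
    cleaned = copy.deepcopy(policy)
    kept = []
    for binding in cleaned.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if not m.startswith(DELETED_PREFIX)]
        if binding["members"]:
            kept.append(binding)
    cleaned["bindings"] = kept
    return cleaned


if __name__ == "__main__":
    # Report which roles the recreated accounts would be missing, then emit the cleaned policy.
    for role, member in stale_members(SAMPLE_POLICY):
        print(f"stale binding: {role} -> {recreated_email(member)}")
    print(json.dumps(strip_deleted_members(SAMPLE_POLICY), indent=2))
```

Feed it the output of `gcloud projects get-iam-policy PROJECT --format=json`, review the report, and apply the cleaned document with `gcloud projects set-iam-policy PROJECT cleaned.json`; the roles listed in the report are the ones that then have to be granted again to the recreated accounts, which is the re-add step of the workaround above.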

mike-ensor commented 4 years ago

@henrybell can you take a look at this while you finish up the "delete" app features?

henrybell commented 4 years ago

👍 Will pick this up once the PR for Cloud Endpoints DNS is in -- my day job has been keeping me busy recently!