Open nstogner opened 5 years ago
Examples of ancestry_path for top-level resources:
organization: organization/{org_id}
folder: organization/{org_id}/folder/{folder}
project: organization/{org_id}/folder/{folder}/project/{project}
Strategy: Move the calculation of ancestry_path upstream into the conversions library. See https://github.com/GoogleCloudPlatform/magic-modules/pull/1620.
PS: Once 1620 (above) gets merged, we should be able to get rid of the internally defined Asset struct and use the one from the conversions library.
Closing - seems to be a duplicate of #5.
@melinath Last I checked, I think we still need a fix for this. In particular, if you are validating a google_folder resource it should return an ancestry_path of organization/{org_id}/folder/{parent_folder}.
Whereas now I assume it includes the project as well? I was thinking of this as being a duplicate of #5 (and by extension of #206) but we could probably resolve it separately in the shorter term.
Right, I think now we use a nonsense project in the ancestry path (folders can't have projects as their parent).
This might be a dupe of #5, but since you closed both I think there was more detail here.
Are the following errors related to this issue? I have an org structure: org/top-folder/child-folder/projects (1-org cloudbuild with https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/1-org)
...
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: I0528 05:00:40.260261 535 convert.go:183] unknown resource: random_id
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: I0528 05:00:40.260272 535 convert.go:183] unknown resource: random_string
Step #1 - "tf plan validate all": Error: converting tfplan to CAI assets: adding resource changes to converter: adding resource create or update augmenting asset: getting resource ancestry: project ######-c-billing-logs-0ccf googleapi: Error 403: The caller does not have permission
Step #1 - "tf plan validate all": Usage:
Step #1 - "tf plan validate all": terraform-validator validate
@suibinz that looks like a separate issue. The key line is:
Error: converting tfplan to CAI assets: adding resource changes to converter: adding resource create or update augmenting asset: getting resource ancestry: project ######-c-billing-logs-0ccf googleapi: Error 403: The caller does not have permission
It sounds like you may not have permissions to call the resource ancestry API. That could mean the API isn't enabled or something about your authentication method isn't working. You could fix the auth issue, or you could work around this by adding the offline and ancestry flags:
terraform-validator validate ./example/terraform.tfplan --offline --project my-project --ancestry organization/my-org/folder/my-folder --policy-path ./path/to/my/policy/library
Please open a new ticket if you have any problems resolving the issue.
I would guess the same on the permission issue. But in this case, the sa iam has enough permissions ("roles/resourcemanager.projectCreator", "roles/resourcemanager.folderAdmin", and "roles/resourcemanager.organizationViewer"). I was running the terraform-example-foundation/1-org.
By cleaning up the resource and re-applying, it can pass the step without the Error. If I have further findings, I will report back.
Currently asset.ancestry_path assumes the resource lives within a project. This does not work for folders, etc.
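The path shapes discussed in this thread, as an added Go example (not terraform-validator's or the conversions library's code): the `Ancestor` type, the `AncestryPath` function and all IDs are hypothetical, and it assumes every chain is rooted at an organization. It rejects a project in the chain of a folder or organization instead of emitting a nonsense path.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Ancestor is one node of the resource hierarchy (hypothetical type, not the project's).
type Ancestor struct {
	Type string // "organization", "folder" or "project"
	ID   string
}

// AncestryPath renders a root-first ancestor chain as an ancestry path.
// Folders and organizations sit above the project level, so their chain
// must not contain a project; any other kind may end in one project.
// Assumption for this example: every chain is rooted at an organization.
func AncestryPath(kind string, chain []Ancestor) (string, error) {
	if len(chain) == 0 || chain[0].Type != "organization" {
		return "", errors.New("chain must start with an organization")
	}
	if kind == "organization" && len(chain) != 1 {
		return "", errors.New("an organization has no ancestors besides itself")
	}
	aboveProject := kind == "organization" || kind == "folder"
	parts := make([]string, 0, len(chain))
	for i, a := range chain {
		last := i == len(chain)-1
		switch {
		case a.ID == "":
			return "", fmt.Errorf("empty id at position %d", i)
		case a.Type == "organization" && i == 0:
		case a.Type == "folder" && i > 0:
		case a.Type == "project" && i > 0 && last && !aboveProject:
		default:
			return "", fmt.Errorf("%s/%s cannot be an ancestor of a %s at position %d", a.Type, a.ID, kind, i)
		}
		parts = append(parts, a.Type+"/"+a.ID)
	}
	return strings.Join(parts, "/"), nil
}

func main() {
	org, parent := Ancestor{"organization", "123"}, Ancestor{"folder", "456"} // constructed IDs
	fmt.Println(AncestryPath("folder", []Ancestor{org, parent}))
	fmt.Println(AncestryPath("folder", []Ancestor{org, parent, {"project", "placeholder"}}))
	fmt.Println(AncestryPath("google_storage_bucket", []Ancestor{org, parent, {"project", "my-project"}}))
}
```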