equinix / terraform-equinix-metal-anthos-on-baremetal

Terraform module for quick deployment of baremetal Anthos on Equinix Metal
https://registry.terraform.io/modules/equinix/anthos-on-baremetal
Apache License 2.0
25 stars 24 forks

GCP permissions for application-default login #48

Open denisj3030 opened 3 years ago

denisj3030 commented 3 years ago

Use case - you don't own the target GCP project for the deployment. Owner of the project provides the service-account keys and you do the rest.

This may be a corner case issue but in the above scenario the keys and permissions generated by the setup_gcp_project.sh script are not enough. You need to give GCP application-default credentials for terraform to use. The instructions in README use gcloud application-default login for this but if you don't have access to the target GCP project, it will error out about 3 minutes into the terraform run.

Prior to changing the super-admin SA to bmctl SA and reducing permissions, you could use the super-admin SA key for the application-default credentials (link). That account had project editor and IAM admin roles.
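One way to supply the application-default credentials Terraform needs when you only hold a service-account key for someone else's project, as an added example that is not part of this thread or of the module's code: validate that the file handed over is actually a service-account key, lock down its permissions, and point the standard ADC environment variable GOOGLE_APPLICATION_CREDENTIALS at it instead of running an interactive gcloud login. The field checks are plain grep rather than a JSON parser, and the sample key written by write_sample_key is a constructed placeholder, not a real credential.

```shell
#!/bin/sh
# Added example (not the module's code): point Application Default
# Credentials at a provided service-account key file so the Terraform
# google provider can authenticate without an interactive gcloud login.
# GOOGLE_APPLICATION_CREDENTIALS is the standard ADC variable; the field
# names checked are those found in Google service-account JSON keys.

# Return 0 if the file looks like a usable service-account key, 1 otherwise.
check_sa_key() {
  key="$1"
  [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 1; }
  grep -q '"type": *"service_account"' "$key" \
    || { echo "not a service_account key: $key" >&2; return 1; }
  for field in project_id client_email private_key; do
    grep -q "\"$field\"" "$key" \
      || { echo "missing field $field in $key" >&2; return 1; }
  done
  return 0
}

# Export ADC for this shell session; returns 1 if the key fails validation.
use_sa_key() {
  check_sa_key "$1" || return 1
  chmod 600 "$1"   # long-lived secret: keep it readable by the owner only
  # Use an absolute path so Terraform finds the key from any working directory.
  GOOGLE_APPLICATION_CREDENTIALS="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
  export GOOGLE_APPLICATION_CREDENTIALS
  echo "ADC set to $GOOGLE_APPLICATION_CREDENTIALS"
}

# Write a constructed sample key (placeholder values, not a real credential).
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "bmctl@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
}
EOF
}

# Usage (run the module from the same shell afterwards):
#   use_sa_key ./keys/bmctl-sa.json && terraform apply
```

Because the key is a long-lived secret standing in for a user login, it is worth confirming with the project owner that the account behind it carries only the roles the deployment actually needs, rather than the project editor and IAM admin roles the older super-admin account had.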

displague commented 3 years ago

Relates to #14 which made setup_gcp_project.sh unnecessary, but still usable.

The keys gcp_keys_path should allow for any custom keys to be used, with setup_gcp_project.sh preparing the keys for the general case.

I see two possible remediations:

We could do both. Would this help in your scenario?