google_compute_instance not respecting shared-VPC granular subnetwork-permissions

hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform

Mozilla Public License 2.0

2.29k stars 1.72k forks source link

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

0.15.5

Affected Resource(s)

google_compute_instance
google_compute_network
google_compute_subnetwork

Terraform Configuration Files

resource "google_compute_instance" "instance" {
  name     = local.hostname
  machine_type = var.machine_type
  zone         = var.gcp_zone
  boot_disk {
    source = google_compute_disk.rootvol.name
  }
  network_interface {
    subnetwork         = var.subnetwork
    subnetwork_project = var.subnetwork_project
  }
}

Expected Behavior

Instance should be able to be created

Actual Behavior

Error: Error updating network interface: googleapi: Error 403: Required 'compute.networks.use' permission for 'projects/HOST/global/networks/X', forbidden

Steps to Reproduce

Create a shared network X in Project HOST
Attach a project SERVICE
Create a service account CHILD in project SERVICE
Create subnetwork Y in network X in HOST
Share subnetwork Y with user CHILD from project HOST with IAM subnet-policy and role "roles/compute.networkUser"
Create an instance in project SERVICE using service account CHILD in shared subnetwork Y

Important Factoids

When granting the global permission "roles/compute.networkUser" via IAM in project HOST to service account CHILD, the setup works, but this on the other hand gives direct permissions to use all subnetworks.

b/308756106

resource "google_project_iam_custom_role" "custom_role_child" { role_id = "test" title = "test-child" permissions = [ "compute.instances.create", "compute.disks.create", "compute.subnetworks.use", ] project = var.project_child } resource "google_project_iam_member" "service_account_role_host" { for_each = toset(["roles/compute.networkUser", "roles/viewer"]) project = var.project_host role = each.key member = "serviceAccount:${google_service_account.service_account.email}" } resource "google_project_iam_member" "service_account_role_child" { for_each = toset(["${google_project_iam_custom_role.custom_role_child.id}", "roles/viewer"]) project = var.project_child role = each.key member = "serviceAccount:${google_service_account.service_account.email}" }

resource "google_project_iam_custom_role" "custom_role_host" { role_id = "test" title = "test-host" permissions = [ "compute.networks.use", "compute.subnetworks.use", ] project = var.project_host } resource "google_project_iam_custom_role" "custom_role_child" { role_id = "test" title = "test-child" permissions = [ "compute.instances.create", "compute.disks.create", "compute.subnetworks.use", ] project = var.project_child } resource "google_project_iam_member" "service_account_role_host" { for_each = toset(["${google_project_iam_custom_role.custom_role_host.id}", "roles/viewer"]) project = var.project_host role = each.key member = "serviceAccount:${google_service_account.service_account.email}" } resource "google_project_iam_member" "service_account_role_child" { for_each = toset(["${google_project_iam_custom_role.custom_role_child.id}", "roles/viewer"]) project = var.project_child role = each.key member = "serviceAccount:${google_service_account.service_account.email}" }

hashicorp / terraform-provider-google