raystack / guardian

Guardian is a universal data access management tool with automated access workflows and security controls across data stores, analytical systems, and cloud products.
https://guardian.vercel.app/
Apache License 2.0

Gcloud provider plugin allows only one resource in provider config resource list. #282

Open utsav14nov opened 2 years ago

utsav14nov commented 2 years ago

Description

The Gcloud provider plugin allows only one resource in the provider config resource list, but there can be 2 possible resource types (project and organization) for gcloud.

To Reproduce

Create/update a provider having two resources in the resource list, e.g.:

....
...
  "resources": [
    {
      "type": "project",
      "policy": {
        "id": "policy_id",
        "version": 4
      },
      "roles": [
        {
          "id": "Role Owner",
          "name": "Role Owner",
          "permissions": [
            "roles/owner"
          ]
        }
      ]
    },
    {
      "type": "organization",
      "policy": {
        "id": "policy_id",
        "version": 1
      },
      "roles": [
        {
          "id": "Bigquery Data Viewer",
          "name": "Bigquery Data Viewer",
          "permissions": [
            "roles/bigquery.dataViewer"
          ]
        }
      ]
    }
  ] 

Error

{
    "code": 13,
    "message": "failed to update provider: gcloud_iam should have one resource"
}

ravisuhag commented 2 years ago

@rahmatrhd @bsushmith Is this related to bulk approval?

bsushmith commented 2 years ago

@ravisuhag Currently, the gcloud_iam provider lets a user configure either project or organization as a resource. But only one per provider.

Code - https://github.com/odpf/guardian/blob/main/plugins/providers/gcloudiam/config.go#L104

The documentation helps to understand this a bit. But coming from other providers - where one can onboard multiple resource types per provider, the limitation on the gcloud_iam provider is not immediately clear. If the doc can be improved to point this out, that would be great.

cc/ @utsav14nov
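
The "only one per provider" limit described in the comment above, handled on the client side by splitting a multi-resource config into one config per resource before submitting. This is an added example, not Guardian's code or part of the thread; `SplitGcloudResources` is a hypothetical helper, and the top-level `"type"` key in the constructed sample is an assumption because the issue elides that part of the config.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource types the thread names as valid for gcloud_iam.
var gcloudTypes = map[string]bool{"project": true, "organization": true}

// SplitGcloudResources is a hypothetical client-side helper, not Guardian code.
// It returns one provider config per "resources" entry so each meets the one-resource
// limit. Other top-level keys are copied unchanged; making provider-identifying
// fields distinct is left to the operator (assumption).
func SplitGcloudResources(raw []byte) ([][]byte, error) {
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("invalid provider config: %w", err)
	}
	var resources []json.RawMessage
	if err := json.Unmarshal(cfg["resources"], &resources); err != nil || len(resources) == 0 {
		return nil, fmt.Errorf("resources must be a non-empty list (err: %v)", err)
	}
	out := make([][]byte, 0, len(resources))
	for i, r := range resources {
		var head struct{ Type string `json:"type"` }
		if err := json.Unmarshal(r, &head); err != nil || !gcloudTypes[head.Type] {
			return nil, fmt.Errorf("resource %d: type %q is not project or organization", i, head.Type)
		}
		one := map[string]json.RawMessage{}
		for k, v := range cfg {
			one[k] = v
		}
		one["resources"] = json.RawMessage("[" + string(r) + "]") // exactly one entry
		b, err := json.Marshal(one)
		if err != nil {
			return nil, err
		}
		out = append(out, b)
	}
	return out, nil
}

// Constructed sample; the top-level "type" key is assumed, the issue elides it.
const sample = `{"type":"gcloud_iam","resources":[{"type":"project"},{"type":"organization"}]}`

func main() {
	configs, err := SplitGcloudResources([]byte(sample))
	fmt.Println(len(configs), err)
}
```

Unknown resource types and a missing or empty `resources` list are rejected locally, before the config is submitted.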

ravisuhag commented 2 years ago

Understood.