terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

Step 3, impersonate SA issue #1103

Closed. akirichenko1711 closed this issue 3 months ago.

akirichenko1711 commented 6 months ago

TL;DR

Unable to impersonate the SA for the shared networking setup, in step 3.15 (Dual-SVPC).

Run init and plan and review output for environment shared:

./tf-wrapper.sh init shared
./tf-wrapper.sh plan shared

Expected behavior

Successfully completed part 3.15, tf-wrapper.sh plan.

Observed behavior

Failed with 403, access denied on SA getAccessToken (see attached log.txt).

Terraform Configuration

module "seed_bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 6.3"

  org_id                         = var.org_id
  folder_id                      = google_folder.bootstrap.id
  project_id                     = "${var.project_prefix}-b-seed"
  state_bucket_name              = "${var.bucket_prefix}-${var.project_prefix}-b-seed-tfstate"
  force_destroy                  = var.bucket_force_destroy
  billing_account                = var.billing_account
  group_org_admins               = local.group_org_admins
  group_billing_admins           = local.group_billing_admins
  default_region                 = var.default_region
  org_project_creators           = local.org_project_creators
  sa_enable_impersonation        = true   # allow the org admins group to impersonate the Terraform SA
  create_terraform_sa            = false  # this module does not create a Terraform SA of its own
  parent_folder                  = var.parent_folder == "" ? "" : local.parent
  org_admins_org_iam_permissions = local.org_admins_org_iam_permissions
  project_prefix                 = var.project_prefix
  encrypt_gcs_bucket_tfstate     = true        # CMEK on the tfstate bucket
  key_rotation_period            = "7776000s"  # 90 days
  kms_prevent_destroy            = !var.bucket_tfstate_kms_force_destroy

  project_labels = {
    environment       = "bootstrap"
    application_name  = "seed-bootstrap"
    billing_code      = "1234"
    primary_contact   = "example1"
    secondary_contact = "example2"
    business_code     = "abcd"
    env_code          = "b"
  }

  activate_apis = [
    "serviceusage.googleapis.com",
    "servicenetworking.googleapis.com",
    "cloudkms.googleapis.com",
    "compute.googleapis.com",
    "logging.googleapis.com",
    "bigquery.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudbilling.googleapis.com",
    "cloudbuild.googleapis.com",
    "iam.googleapis.com",
    "admin.googleapis.com",
    "appengine.googleapis.com",
    "storage-api.googleapis.com",
    "monitoring.googleapis.com",
    "pubsub.googleapis.com",
    "securitycenter.googleapis.com",
    "accesscontextmanager.googleapis.com",
    "billingbudgets.googleapis.com",
    "essentialcontacts.googleapis.com",
    "assuredworkloads.googleapis.com",
    "cloudasset.googleapis.com"
  ]

  sa_org_iam_permissions = []
}

Terraform Version

v1.6.0

Additional information

We use Terraform Cloud as the state container. The steps were executed under a user that is part of gcp-organization-admins. We also noticed that step 3 is missing information about which GCS bucket to get the state from for local execution before copying it to Terraform Cloud.
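An offline pre-flight check for the failure reported above, added here as example code (not from the reporter, the issue thread, or terraform-example-foundation). A 403 on getAccessToken means the caller lacks iam.serviceAccounts.getAccessToken on the target service account; the role that normally carries it is roles/iam.serviceAccountTokenCreator. The script reads the SA's IAM policy as saved with `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` and reports whether a principal holds that role directly, only through a group (membership is not visible in the SA policy), or only under an IAM condition. The SA email, the group and the policy document are constructed sample data. What the check cannot see: a binding inherited from the project, folder or organization, and whether iamcredentials.googleapis.com is enabled in the SA's project, both of which also produce a 403 on impersonation.

```python
"""Offline pre-flight check for GCP service-account impersonation.

Added example for this issue, not code from the reporter or from
terraform-example-foundation. It inspects the IAM policy of the service
account you are trying to impersonate, as saved with

    gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json > policy.json

and reports whether a principal holds roles/iam.serviceAccountTokenCreator,
the role that carries iam.serviceAccounts.getAccessToken (the call that
returned 403 in the report). SA_EMAIL, the group and the policy below are
constructed sample data, not output from a real project.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample: the shape get-iam-policy returns for a stage SA.
SA_EMAIL = "sa-terraform-net@prj-b-seed-1234.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:gcp-organization-admins@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary-breakglass",
                   "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}}
  ]
}
""")


@dataclass
class ImpersonationCheck:
    sa_email: str
    member: str
    granted: bool                                          # unconditional Token Creator binding for member
    via_groups: List[str] = field(default_factory=list)    # groups holding the role; confirm membership separately
    conditional: List[str] = field(default_factory=list)   # bindings guarded by an IAM condition
    remediation: Optional[str] = None                      # gcloud command that would add the binding


def check_impersonation(policy: dict, sa_email: str, member: str) -> ImpersonationCheck:
    """Evaluate the SA-level policy for `member` (e.g. "user:alice@example.com").

    Limits of a static check, made explicit in the result fields:
      * a role granted on the project, folder or organization is inherited
        by the SA but is absent from the SA's own policy;
      * the policy lists groups, not their members, so a group hit is
        reported separately;
      * conditional bindings are only listed, since the condition depends
        on request-time attributes.
    """
    result = ImpersonationCheck(sa_email=sa_email, member=member, granted=False)
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        if "condition" in binding:
            result.conditional.append(binding["condition"].get("title", "<untitled>"))
            continue
        for m in binding.get("members", []):
            if m == member:
                result.granted = True
            elif m.startswith("group:"):
                result.via_groups.append(m)
    if not result.granted:
        result.remediation = (
            f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--member={member} --role={TOKEN_CREATOR}"
        )
    return result


def token_probe_command(sa_email: str) -> str:
    """The live test to run once the policy looks right. A 403 here means the
    binding, the group membership, or the IAM Credentials API in the SA's
    project is still missing."""
    return f"gcloud auth print-access-token --impersonate-service-account={sa_email}"


if __name__ == "__main__":
    for principal in ("user:alice@example.com", "group:gcp-organization-admins@example.com"):
        r = check_impersonation(SAMPLE_POLICY, SA_EMAIL, principal)
        print(f"{principal}: granted={r.granted} via_groups={r.via_groups} "
              f"conditional={r.conditional}")
        if r.remediation:
            print("  would fix with:", r.remediation)
    print("live probe:", token_probe_command(SA_EMAIL))
```

Run it against a real policy with `python3 check.py` after replacing SAMPLE_POLICY with `json.load(open("policy.json"))`. Where the binding is Terraform-managed, as the bootstrap stage's resources are in the module block above, treat the printed add-iam-policy-binding command as a diagnostic rather than the fix, since the next apply will reconcile the SA's policy back to what the code declares.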

github-actions[bot] commented 4 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.