terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0
1.21k stars 708 forks

1-org - ACM policy API failure - step 5 requires "Access Context Manager Admin" or lower on the super admin account #1146

Closed obriensystems closed 5 months ago

obriensystems commented 6 months ago

TL;DR

Same as #1145

step 5 https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#deploying-with-cloud-build

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
ERROR: (gcloud.access-context-manager.policies.list) PERMISSION_DENIED: The caller does not have permission
access_context_manager_policy_id = 

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

shell

Terraform Version

1.7.4

Additional information

No response

obriensystems commented 6 months ago

1-org step 5 continued

step 5 of https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#deploying-with-cloud-build

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
ERROR: (gcloud.access-context-manager.policies.list) PERMISSION_DENIED: The caller does not have permission

fix: add "Access Context Manager Admin" to the super admin

[Screenshot 2024-03-12 at 10:48:13]

no ACM policies yet

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
access_context_manager_policy_id = 

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ gcloud access-context-manager policies list --organization ${ORGANIZATION_ID}
Listed 0 items.
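The two failure modes above share one pitfall: `export ACCESS_CONTEXT_MANAGER_ID=$(gcloud ...)` succeeds as a shell statement whether gcloud was denied or simply found no policy, so an empty id is written into terraform.tfvars without anyone noticing. The following is an added example, not code from this issue or from terraform-example-foundation: a fail-closed wrapper around the step 5 lookup that distinguishes "permission denied" (the role fix described in this thread) from "no policy exists yet" and refuses to return an empty value. The function name `acm_policy_id`, the `GCLOUD` override variable (used here so the gcloud call can be stubbed offline) and the sample policy id are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of terraform-example-foundation).
# Wraps the 1-org step 5 lookup so that an empty or denied result aborts the
# step instead of silently producing access_context_manager_policy_id = "".

# acm_policy_id ORGANIZATION_ID
#   stdout: the ACM policy name, only when exactly one was returned
#   return 0  success
#   return 2  gcloud reported PERMISSION_DENIED (caller lacks the
#             "Access Context Manager Admin" role, per this issue)
#   return 3  call succeeded but the organization has no ACM policy yet
#   return 1  any other gcloud failure
acm_policy_id() {
  org_id="$1"
  gcloud_cmd="${GCLOUD:-gcloud}"   # GCLOUD is an assumed test hook, not a gcloud option
  err_file=$(mktemp)
  rc=0
  # Capture stdout and stderr separately: gcloud prints the error text on stderr,
  # and warnings on stderr must not pollute the value we hand to Terraform.
  out=$("$gcloud_cmd" access-context-manager policies list \
          --organization "$org_id" --format="value(name)" 2>"$err_file") || rc=$?
  err=$(cat "$err_file")
  rm -f "$err_file"

  if [ "$rc" -ne 0 ]; then
    case "$err" in
      *PERMISSION_DENIED*)
        echo "acm_policy_id: PERMISSION_DENIED listing ACM policies for org $org_id;" \
             "grant the caller 'Access Context Manager Admin' and retry" >&2
        return 2 ;;
      *)
        echo "acm_policy_id: gcloud failed (rc=$rc): $err" >&2
        return 1 ;;
    esac
  fi

  if [ -z "$out" ]; then
    echo "acm_policy_id: org $org_id has no Access Context Manager policy yet;" \
         "create one before running 1-org step 5" >&2
    return 3
  fi

  printf '%s\n' "$out"
  return 0
}

# Fail-closed usage (abort on any non-zero return instead of exporting ""):
#   ACCESS_CONTEXT_MANAGER_ID=$(acm_policy_id "$ORGANIZATION_ID") || exit $?
#   echo "access_context_manager_policy_id = \"${ACCESS_CONTEXT_MANAGER_ID}\""
```

The distinction between return codes 2 and 3 is the one that matters operationally: code 2 is the least-privilege gap this issue is about and is fixed by an IAM grant, while code 3 means the grant worked and the next step is creating the policy, so the two should never be collapsed into one "empty variable" symptom.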

daniel-cit commented 5 months ago

See https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md?plain=1#L199C1-L204C4

fmichaelobrien commented 5 months ago

A 2nd org deployment with the workaround role added to the super admin is working - I'll add a PR for the README.

stale bot timer restart - https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/.github/workflows/stale.yml#L21