Open eeaton opened 2 months ago
@eeaton what was the failure?
the script is checking if the user is on the organization IAM policy with the required roles, which has this limitation: https://github.com/terraform-google-modules/terraform-example-foundation/blob/dc0eb29e3303bb27cd7ed180d9573a9709981b33/0-bootstrap/README.md?plain=1#L170
An improvement would be, instead of checking the organization IAM policy, to try to use the testIamPermissions method of some of the APIs to check if the user has the permissions required. This should be able to validate the cases when the user is part of a group with the right roles.
TL;DR
https://github.com/terraform-google-modules/terraform-example-foundation/blob/dc0eb29e3303bb27cd7ed180d9573a9709981b33/0-bootstrap/README.md?plain=1#L164
The validate script checks for pre-req IAM roles, including Organization Policy Admin and Organization Admin. These roles cannot be set at a folder level, so if I have configured the parent_folder variable the validate script fails.

Expected behavior
Validation script should be able to assess if I have the necessary permissions to proceed, regardless of whether I set parent_folder. It could do this in one of a few ways:

Observed behavior
Validate script fails without actionable guidance. Roles like Org Policy Admin can only be set at the organization node, but if I configure parent_folder as the root node the script fails.

Terraform Configuration
Terraform Version
Additional information
No response