validate step in 0-bootstrap fails when parent_folder is set.

[eeaton]

TL;DR

https://github.com/terraform-google-modules/terraform-example-foundation/blob/dc0eb29e3303bb27cd7ed180d9573a9709981b33/0-bootstrap/README.md?plain=1#L164

The validate script checks for pre-req I AM roles include Organization Policy Admin and Organization Admin. These roles cannot be set at a folder level, so if I have configured the parent_folder variable the validate script fails.

Expected behavior

Validation script should be able to assess if I have the necessary permissions to proceed, regardless of whether I set parent_folder. It could do this in one of a few ways:

• test for effective IAM roles at the folder, not the explicit IAM policy binding applied to the folder
• check for some IAM roles at the org node, and some IAM roles at the folder
• Improve text guidance to explain manual checks a user can make to proceed successfully even when the validation script fails

Observed behavior

Validate script fails without actionable guidance. Roles like Org Policy Admin can only be set at the organization node, but if I configure parent_folder as the root node the script fails.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

No response

[daniel-cit]

@eeaton what was the failure?

the script is checking if the user is on the organization IAM policy with the required roles, which has this limitation https://github.com/terraform-google-modules/terraform-example-foundation/blob/dc0eb29e3303bb27cd7ed180d9573a9709981b33/0-bootstrap/README.md?plain=1#L170

An improvement would be to instead of checking the organization IAM Policy to try use the testIamPermission method of some of the APIs to check if the user has the permissions required. This should be able to validate the cases when the user is part of a group with the right roles