Closed klondikedragon closed 1 month ago
Hi @klondikedragon thanks for your report.
The first time 1-org was executed, the configuration of the Organization Policies was executed and the Domain Restrict Sharing one was applied.
This Org Policy prevents users from outside the configured organization from being added to IAM policies.
Your problem is similar to this one in the troubleshooting instructions: BigQuery log sink for a billing account
Could you try to follow these instructions to fix your problem?
@daniel-cit - that was perfect advice thank you! I set the domain sharing restriction policy to allow all, reapplied, and everything went through. It wasn't obvious to me that the log sink for a billing account is considered external. Perhaps a tip about this could be added to the troubleshooting doc? Thanks!
Glad to hear that this could resolve the issue. We have some backlog tasks to improve troubleshooting for all the edge cases where terraform fails during the apply stage and gets stuck in a weird state. We're also trying to escalate the root issue that some GCP services are not compatible with the domain restricted sharing org policy.
I'll close this issue for now but feel free to re-open if needed.
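The workaround described in this thread (temporarily setting the Domain Restricted Sharing policy to allow all, applying, then restoring it), written as an added Terraform example that is not code from the terraform-example-foundation repo; it uses the plain `google_organization_policy` resource rather than the foundation's own org-policy module, and the org ID and customer ID values are placeholders.

```hcl
# Added example: organization-level Domain Restricted Sharing constraint
# with a toggle for the one-off apply that needs external principals
# (such as the billing-account log sink writer identity) to be bindable.

variable "org_id" {
  type = string # placeholder, e.g. "123456789012"
}

# Workspace/Cloud Identity customer IDs normally allowed (placeholder value).
variable "allowed_customer_ids" {
  type    = list(string)
  default = ["C01234567"]
}

# Set to true only for the apply that creates the rejected IAM bindings,
# then set it back to false and apply again so the restriction is
# enforced once more.
variable "allow_all_policy_members" {
  type    = bool
  default = false
}

resource "google_organization_policy" "domain_restricted_sharing" {
  org_id     = var.org_id
  constraint = "constraints/iam.allowedPolicyMemberDomains"

  list_policy {
    allow {
      # `all` and `values` are mutually exclusive; a null value is
      # treated by Terraform as unset, so only one of them is populated.
      all    = var.allow_all_policy_members ? true : null
      values = var.allow_all_policy_members ? null : var.allowed_customer_ids
    }
  }
}
```

Run the apply with `-var allow_all_policy_members=true` for the step that fails with "do not belong to a permitted customer", then a second apply with the default to re-enforce the policy; the bindings already created stay in place.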
TL;DR
I'm following the GitHub CI readme, and working on deploying step 1. Applying step 1 first failed because of project quota errors. I have already requested and received an increased project quota, and cleaned up the terraform state. It's now progressing and creating the projects properly.
However, it's now failing to apply an IAM policy to the itl-c-logging project. It fails with "Error 400: One or more users named in the policy do not belong to a permitted customer."
Expected behavior
terraform apply should be successful.
Observed behavior
Terraform apply is failing with (billing account ID redacted):
Terraform Configuration
Terraform Version
Additional information
This was starting from an empty organization before stage 0-bootstrap was run. Any ideas?