Closed eeaton closed 3 months ago
Maybe a new service account created in the SCC project would provide a better separation of concerns. The org step service account has some org-level roles that would not be needed for the Cloud Build process of the CAI function.
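The separation-of-concerns suggestion above, sketched as an added Terraform example (this is illustration written here, not code from terraform-example-foundation or from the PR): a dedicated build service account created in the SCC project, granted only project-level roles, and wired into the function's `build_config` so the org-step service account is never used for the build. The variable names, project id, function name, runtime, source bucket and object are assumptions; the three roles are the ones Cloud Functions (2nd gen) documents as the minimum for a user-specified build service account.

```hcl
# Added illustration, not the project's own module code. Assumed inputs:
# var.scc_project_id, var.roles_to_monitor, and an existing source archive
# (google_storage_bucket.source / google_storage_bucket_object.source).

variable "scc_project_id" {
  type = string
}

variable "roles_to_monitor" {
  type = list(string)
}

# Dedicated build identity, created in the SCC project rather than reusing the
# org-step service account that carries organization-level roles.
resource "google_service_account" "cai_function_build" {
  project      = var.scc_project_id
  account_id   = "cai-monitoring-build"
  display_name = "Build service account for the CAI monitoring Cloud Function"
}

# Minimum roles documented for a user-specified Cloud Functions build SA:
# write build logs, push the container image, read the source archive.
# All grants are project-level in the SCC project; nothing at the org.
resource "google_project_iam_member" "cai_function_build" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/artifactregistry.writer",
    "roles/storage.objectViewer",
  ])

  project = var.scc_project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.cai_function_build.email}"
}

resource "google_cloudfunctions2_function" "cai_monitoring" {
  project  = var.scc_project_id
  name     = "cai-monitoring"   # assumed name
  location = "us-central1"      # assumed region

  build_config {
    runtime     = "nodejs20"    # assumed runtime
    entry_point = "caiMonitoring"
    # Use the dedicated build SA instead of the project/default build identity.
    # build_config.service_account expects projects/{project}/serviceAccounts/{email},
    # which is exactly what google_service_account.*.id yields.
    service_account = google_service_account.cai_function_build.id

    source {
      storage_source {
        bucket = google_storage_bucket.source.name
        object = google_storage_bucket_object.source.name
      }
    }
  }

  service_config {
    environment_variables = {
      ROLES            = join(",", var.roles_to_monitor)
      SOURCE_ID        = google_scc_source.cai_monitoring.id
      # Set explicitly so the value the platform injects does not show as drift.
      LOG_EXECUTION_ID = "true"
    }
  }

  # Make sure the role bindings exist before the first build runs.
  depends_on = [google_project_iam_member.cai_function_build]
}
```

The point of the `depends_on` is that the first deployment otherwise races the IAM propagation and fails with a permissions error on the build step; on a re-apply it would succeed and hide the ordering problem.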
@eeaton A quick fix for the build failure would be changing

from

```hcl
runtime_env_variables = {
  ROLES     = join(",", var.roles_to_monitor)
  SOURCE_ID = google_scc_source.cai_monitoring.id
}
```

to

```hcl
runtime_env_variables = {
  ROLES            = join(",", var.roles_to_monitor)
  SOURCE_ID        = google_scc_source.cai_monitoring.id
  LOG_EXECUTION_ID = "true"
}
```

Change tested locally. It does not list changes in the plan after this fix.
The failing CI related to LOG_EXECUTION_ID will be fixed in #1210. Once PR 1210 is merged, I expect the tests here will pass.
@eeaton @apeabody The build is green 💚
to address https://github.com/terraform-google-modules/terraform-example-foundation/issues/1269.
I haven't been able to test it because our CI test org was not impacted by the default changes to cloud build SA, and has not encountered the permissions error.