Running make docker_test_prepare fails at some point when applying configuration from test/setup/iam.tf. Specifically google_organization_iam_member.org_admins_group:
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
Expected behavior
No errors
Observed behavior
Exhaustive list of errors when running make docker_test_prepare:
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/billing.user"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/viewer"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/compute.orgSecurityPolicyAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/compute.orgSecurityResourceAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/compute.xpnAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationViewer"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/accesscontextmanager.policyAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/iam.serviceAccountTokenCreator"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/orgpolicy.policyAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/securitycenter.admin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/logging.admin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/resourcemanager.folderAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/resourcemanager.projectCreator"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│
│ with google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"],
│ on iam.tf line 39, in resource "google_organization_iam_member" "org_admins_group":
│ 39: resource "google_organization_iam_member" "org_admins_group" {
│
╵
make: *** [Makefile:66: docker_test_prepare] Error 1
Terraform Configuration
Nothing specific.
Terraform Version
Not sure. Whatever is installed on cft/developer-tools version 1.21, in gcr.io/cloud-foundation-cicd. Thought: it would be great if that image were to output the Terraform version at the beginning of any .sh script.
Additional information
I ended up adding the Security Admin role to the SA mentioned in CONTRIBUTING, but maybe there's a better (less permissive) role?
I'm submitting a PR to update CONTRIBUTING.
I ran docker_test_prepare after adding -e TF_LOG_PROVIDER=DEBUG, but I didn't get any insightful errors (I was expecting to see the actual permission being denied). The Terraform documentation on google_organization_iam (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam#google_organization_iam_member) also doesn't provide any information on the roles required to apply such a resource.
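Added triage example, not part of the issue or of the module under test: a small Python parser for the ╷…╵ diagnostics quoted above that collapses the per-role repeats into one finding per root cause. The message-to-permission mapping is my own reading of the provider (the issue states no such mapping), and the sample log is constructed from two of the blocks above.

```python
import re

# Constructed sample: two of the diagnostic blocks from the report above
# (organization id redacted exactly as in the issue) plus the make failure.
SAMPLE_LOG = """\
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│ with google_organization_iam_member.org_admins_group["roles/billing.user"],
╵
╷
│ Error: Error retrieving IAM policy for organization "00000000000": googleapi: Error 403: The caller does not have permission, forbidden
│ with google_organization_iam_member.org_admins_group["roles/viewer"],
╵
make: *** [Makefile:66: docker_test_prepare] Error 1
"""

# The provider reads the org policy before it can add a member, so this message
# means the caller lacks getIamPolicy on the organization. (Assumed mapping, not
# stated in the issue; apply additionally needs resourcemanager.organizations.setIamPolicy.)
PERMISSION_HINTS = {
    "Error retrieving IAM policy": "resourcemanager.organizations.getIamPolicy",
}

ERR_RE = re.compile(r'Error: (?P<msg>.+?) for organization "(?P<org>[^"]+)": '
                    r"googleapi: Error (?P<code>\d+): (?P<reason>.+)")
WITH_RE = re.compile(r'with (?P<addr>[\w.]+)\["(?P<key>[^"]+)"\]')

def parse_diagnostics(text):
    """One dict per ╷...╵ block that is a googleapi organization IAM error."""
    diags = []
    for block in text.split("╷")[1:]:
        body = block.split("╵")[0]
        err, res = ERR_RE.search(body), WITH_RE.search(body)
        if not (err and res):
            continue  # some other diagnostic; not the failure examined here
        diags.append({"addr": res["addr"], "key": res["key"], "org": err["org"],
                      "code": int(err["code"]), "msg": err["msg"],
                      "reason": err["reason"].strip()})
    return diags

def summarize(diags):
    """Collapse the per-for_each-key repeats into one finding per root cause."""
    findings = {}
    for d in diags:
        f = findings.setdefault((d["addr"], d["msg"], d["code"]), {
            "org": d["org"], "reason": d["reason"], "keys": [],
            "missing_permission": PERMISSION_HINTS.get(d["msg"])})
        f["keys"].append(d["key"])
    return findings
```

Run over the full fifteen-block list above, summarize() yields a single finding with fifteen keys, which is the evidence that one missing organization permission, not fifteen separate role problems, is behind the failure.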