Closed tomasgareau closed 2 years ago
If projects are created using the bootstrap process + examples in this repo, the Terraform account should get owner access already.
If you're using some other process to create the projects (it's not entirely clear where your implementation diverged from the example), you should go ahead and grant the Terraform service account editor permission. You can add that to the roles granted in the bootstrap by overriding `sa_org_iam_permissions`.
> (it's not entirely clear where your implementation diverged from the example)
Agreed, haha -- I'm trying to nail down exactly how the `org-terraform` account is granted owner access since this seems to be missing from our implementation.

To clarify, our bootstrap module is loosely based on the jenkins-agent example from this repo. Instead of uncommenting the jenkins-agent lines from the `project_factory` module (similarly to here in the jenkins-agent module) and the `org_admins` group, similarly to here in the jenkins-agent module.

That said, I think I've figured this out.
I suspect that what I'm bumping into is similar to this GitHub issue from the `terraform-google-bootstrap` module. Since I initially ran the Terraform module manually, it was my user account that created the seed & CICD projects, and so my user account was set as the project owner. :chicken: :egg:
The linked issue above suggests that an `iam_binding` resource could be used to move "owner" permissions to the `org-terraform` account. Something like this?
```hcl
# Authoritative for roles/owner on the project: after apply the role is held by
# exactly the members listed here, so any other holder (e.g. the user account
# that ran the first manual apply) is removed.
resource "google_project_iam_binding" "owner" {
  project = module.cicd_project.project_id
  role    = "roles/owner"
  members = [
    "serviceAccount:${module.seed_bootstrap.terraform_sa_email}",
  ]
}
```
Then for future steps (`1-org`, `2-environments`, ...) this shouldn't be a problem since the `org-terraform` account would be the one creating the projects (and hence will automatically be set as the owner).

If this is the case then great, we can close this issue. If you think it would be worth expanding the README documentation in this repo to describe this let me know -- I'd be happy to submit a PR for review.
Yep, `iam_binding` should fix that for you! Since this should be working automatically out of the box if people use this repo directly, we probably don't need additional docs for it quite yet (they can find this issue in search).
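The thread settles on moving `roles/owner` from the user who ran the first manual apply to the Terraform service account with an authoritative binding. The script below is an added example, not code from this issue or from the terraform-example-foundation project: it reads a project IAM policy in the shape `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, reports which members hold owner and whether any of them are human `user:` accounts, and simulates what `google_project_iam_binding` does to the role so its side effect is visible before anything is applied. The policy, project ids, group and e-mail addresses are constructed sample data.

```python
import json

# Constructed sample policy in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Every project id, group and address here is made up for this example.
# It models the state described in the issue: the person who ran the first
# manual apply is owner, the Terraform service account is not.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:alice@example.com",
        "group:gcp-organization-admins@example.com"
      ]
    },
    {
      "role": "roles/editor",
      "members": [
        "serviceAccount:cicd-agent@prj-cicd-example.iam.gserviceaccount.com"
      ]
    }
  ],
  "etag": "BwXexample=",
  "version": 1
}
"""

# Constructed address of the seed project's Terraform service account.
TERRAFORM_SA = "org-terraform@prj-seed-example.iam.gserviceaccount.com"


def load_policy(policy_json):
    """Parse the JSON text of a project IAM policy into a dict."""
    return json.loads(policy_json)


def members_for_role(policy, role):
    """All members bound to `role`. A policy can carry several bindings for
    one role when IAM conditions are in use, so member lists are merged."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            members.update(binding.get("members", []))
    return members


def human_owners(policy):
    """Owner members that are individual user accounts: the chicken-and-egg
    case from the issue, i.e. whoever ran the bootstrap by hand."""
    return {m for m in members_for_role(policy, "roles/owner") if m.startswith("user:")}


def terraform_sa_is_owner(policy, sa_email):
    """True when the Terraform service account holds roles/owner."""
    return "serviceAccount:" + sa_email in members_for_role(policy, "roles/owner")


def apply_authoritative_binding(policy, role, members):
    """Return a copy of `policy` after an authoritative binding for `role`.
    This mirrors google_project_iam_binding: every existing binding for the
    role is replaced by exactly the given member list, so anyone left out
    loses the role. (google_project_iam_member would instead add one member
    and leave the existing holders in place.)"""
    kept = [b for b in policy.get("bindings", []) if b.get("role") != role]
    kept.append({"role": role, "members": sorted(members)})
    return {**policy, "bindings": kept}


def owner_report(policy, sa_email):
    """Summarise the roles/owner state of a policy in one dict for review."""
    return {
        "owners": sorted(members_for_role(policy, "roles/owner")),
        "human_owners": sorted(human_owners(policy)),
        "terraform_sa_is_owner": terraform_sa_is_owner(policy, sa_email),
    }


if __name__ == "__main__":
    before = load_policy(SAMPLE_POLICY_JSON)
    print("before:", json.dumps(owner_report(before, TERRAFORM_SA), indent=2))
    after = apply_authoritative_binding(
        before, "roles/owner", ["serviceAccount:" + TERRAFORM_SA]
    )
    print("after authoritative binding:",
          json.dumps(owner_report(after, TERRAFORM_SA), indent=2))
```

The "after" report is the caveat worth checking before running the binding for real: because `google_project_iam_binding` is authoritative for the role, the admins group in the sample loses owner along with the user account. If a break-glass group should keep owner on the seed and CI/CD projects, list it in `members` as well, or grant the service account with the additive `google_project_iam_member` resource and remove the user's owner role separately.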
The Cloud Security Foundations Guide mentions in section 5.3.6. that
It's not clear to me where (or if) these permissions are configured for the Terraform service account in the `0-bootstrap` module.

In my specific case, I've replaced the Cloudbuild/Jenkins project with a custom CI/CD project that creates:
I then successfully deployed this manually to create the seed & CI/CD projects. Now, I'm trying to plan this while impersonating the Terraform service account from the seed project and I'm getting errors refreshing my state:
Just wondering what the recommended approach is here per the CFT guide & this example repo. Should I:

add `google_*_iam_member` bindings to the Terraform service account for the resources created in all child projects (seems tedious & error-prone)?

Or have I simply goofed the manual bootstrapping steps and this should already be working?