Closed soudaburger closed 3 years ago
What version are you using?
I am not explicitly setting one, so I assume latest. Is there a way for me to find out which specific version is installed via the module? Do I need to be setting an explicit version? I installed it today, so whatever today's code has is what it pulled.
We recommend pinning a version:
module "custom-roles" {
  source  = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version = "~> 6.4"
  ...
}
Pinning the version didn't resolve anything. Same error.
Odd, we are verifying permissions are supported here: https://github.com/terraform-google-modules/terraform-google-iam/blob/master/modules/custom_role_iam/main.tf#L35
It looks like there's an upstream issue: https://github.com/hashicorp/terraform-provider-google/issues/7758
As a workaround, you can explicitly exclude the permission:
module "custom-roles" {
  source               = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version              = "~> 6.4"
  excluded_permissions = ["cloudonefs.isiloncloud.com/clusters.list"]
  ...
}
Right, my concern is that I'm importing nearly 2000+ permissions. I've already come across several that need to be excluded, but I'm not sure how far down the rabbit hole I need to go. I really don't want to manually run terraform apply 100+ times every time it catches a new permission. That was the beauty of this module instead of just writing this myself, which I did originally. Any help would be appreciated! Thanks!
Yes, we actually do automatically exclude permissions. It just looks like some permissions aren't excluding properly: https://github.com/hashicorp/terraform-provider-google/issues/7758
data "google_iam_testable_permissions" "perms" {
  full_resource_name   = "//cloudresourcemanager.googleapis.com/organizations/${var.org_id}"
  stages               = ["GA", "ALPHA", "BETA"]
  custom_support_level = "NOT_SUPPORTED"
}

module "custom-roles" {
  source               = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version              = "~> 6.4"
  target_level         = "org"
  target_id            = var.org_id
  role_id              = "MyRole"
  title                = "MyRole"
  description          = "Custom Role Description"
  base_roles           = ["roles/compute.viewer", "roles/container.admin", "roles/viewer", "roles/iam.serviceAccountUser"]
  permissions          = []
  excluded_permissions = distinct(flatten([data.google_iam_testable_permissions.perms.permissions.*.name]))
  members              = ["serviceAccount:serviceaccount@example.iam"]
}
For anyone else out there, you need to fetch the NOT_SUPPORTED permissions yourself and intentionally exclude them. Thanks for the assist in getting this to work!
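The exclusion logic the maintainer's snippet and the summary above rely on (expand the base roles, add explicit permissions, subtract everything the testable-permissions API marks NOT_SUPPORTED, and only then send the role to the API) modelled as an added Python example. This is not code from the terraform-google-iam module, the Google provider, or any participant in the thread; the permission list and the base-role contents are constructed stand-ins shaped like the data source's fields (`name`, `custom_support_level`, `stage`), and `unsupported_permissions` can also drop TESTING-level permissions, which goes a step beyond the thread's NOT_SUPPORTED-only filter.

```python
"""Offline model of building a custom role and checking it against
IAM testable-permissions data before an apply is attempted."""

# Constructed sample: mirrors the fields exposed by the
# google_iam_testable_permissions data source. Values are made up except the
# permission name quoted in the thread's error message.
TESTABLE_PERMISSIONS = [
    {"name": "compute.instances.list", "custom_support_level": "SUPPORTED", "stage": "GA"},
    {"name": "compute.instances.get", "custom_support_level": "SUPPORTED", "stage": "GA"},
    {"name": "container.clusters.list", "custom_support_level": "SUPPORTED", "stage": "GA"},
    {"name": "example.widgets.preview", "custom_support_level": "TESTING", "stage": "BETA"},
    {"name": "cloudonefs.isiloncloud.com/clusters.list", "custom_support_level": "NOT_SUPPORTED", "stage": "GA"},
]

# Constructed sample: a stand-in for what each base role expands to. Real
# predefined roles contain far more permissions; this is only for illustration.
BASE_ROLE_PERMISSIONS = {
    "roles/viewer": {
        "compute.instances.list",
        "compute.instances.get",
        "cloudonefs.isiloncloud.com/clusters.list",
    },
    "roles/container.admin": {"container.clusters.list", "example.widgets.preview"},
}


def unsupported_permissions(testable, levels=("NOT_SUPPORTED",)):
    """Distinct permission names whose support level is in `levels`.

    With the default this is the Python equivalent of the thread's
    distinct(flatten([...perms.permissions.*.name])) over a NOT_SUPPORTED query.
    Pass ("NOT_SUPPORTED", "TESTING") to also drop permissions still in testing.
    """
    return {p["name"] for p in testable if p["custom_support_level"] in levels}


def assemble_role(base_roles, permissions, excluded):
    """Union of every base role's permissions plus explicit ones, minus exclusions."""
    perms = set(permissions)
    for role in base_roles:
        perms |= BASE_ROLE_PERMISSIONS[role]
    return sorted(perms - set(excluded))


def check_role(role_perms, testable):
    """Permissions in the role that the API marks NOT_SUPPORTED.

    A non-empty result is exactly the situation that produces the
    'is not supported in custom roles' 400 error in the thread.
    """
    bad = unsupported_permissions(testable)
    return sorted(p for p in role_perms if p in bad)


if __name__ == "__main__":
    base_roles = ["roles/viewer", "roles/container.admin"]

    # Naive build: base roles only, nothing excluded -> would be rejected.
    naive = assemble_role(base_roles, [], [])
    print("rejected permissions:", check_role(naive, TESTABLE_PERMISSIONS))

    # Build with the NOT_SUPPORTED set excluded, as the thread recommends.
    excluded = unsupported_permissions(TESTABLE_PERMISSIONS)
    safe = assemble_role(base_roles, [], excluded)
    print("role permissions:", safe)
    print("rejected permissions:", check_role(safe, TESTABLE_PERMISSIONS))
```

Running `check_role` locally on the assembled list is the pre-flight that the module itself cannot give you when an upstream filter misses a permission: if it returns anything, that name belongs in `excluded_permissions` before the next apply.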
With the above base roles needed for a Rancher deployment documented here, I am still seeing
Error: Error creating the custom organization role Rancher Cluster Automation: googleapi: Error 400: Permission cloudonefs.isiloncloud.com/clusters.list is not supported in custom roles., badRequest
and other similar permissions that are supposed to be unsupported, thus intentionally excluded.