terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Project custom role invalid permission `resourcemanager.projects.list` #158

Closed jwtracy closed 2 years ago

jwtracy commented 2 years ago

TL;DR

A project level custom role cannot be created due to resourcemanager.projects.list permission. Something doesn't seem to be working regarding the supported and unsupported permission handling here.

Expected behavior

resourcemanager.projects.list and other permissions gathered from base_roles that cannot be set at the project level or lower are automatically excluded from the final custom role's permissions. resourcemanager.projects.list may not be the only permission in question here.

Observed behavior

resourcemanager.projects.list is supplied to the project level role resulting in a 400 error,

│ Error: Error creating the custom project role projects/plato-admin-765675/roles/devtools_plato_devs: googleapi: Error 400: Permission resourcemanager.projects.list is not valid., badRequest
│ 
│   with module.platform_eng_environments.module.plato_admin_instance.module.custom_roles.module.developer_project_roles["plato-devs"].google_project_iam_custom_role.project-custom-role[0],
│   on .terraform/modules/platform_eng_environments.plato_admin_instance.custom_roles.developer_project_roles/modules/custom_role_iam/main.tf line 69, in resource "google_project_iam_custom_role" "project-custom-role":
│   69: resource "google_project_iam_custom_role" "project-custom-role" {

Terraform Configuration

locals {
  developer_project_custom_roles_map = {
    "plato-devs" = {
      base_roles = [
        "roles/container.viewer",
      ]
      permissions          = []
      excluded_permissions = []
    },
    "plato-devs-bg" = {
      base_roles = [
        "roles/container.admin",
        "roles/compute.osLogin",
        "roles/iap.admin",
        "roles/pubsub.admin",
        "roles/resourcemanager.projectIamAdmin",
      ]
      permissions          = []
      excluded_permissions = []
    },
  }
}

module "developer_project_roles" {
  source  = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version = "7.4.1"

  for_each = {
    for key, data in local.developer_project_custom_roles_map :
    key => data
    if length(concat(
      data.base_roles,
      data.permissions,
    )) > 0
  }

  target_level         = "project"
  target_id            = var.project_id
  role_id              = replace(format("%sdevtools-%s", var.name_prefix, each.key), "-", "_")
  title                = format("%s Control Plane", each.key)
  description          = format("Supplied to Plato admin project for %s developers", each.key)
  base_roles           = each.value.base_roles
  permissions          = each.value.permissions
  excluded_permissions = each.value.excluded_permissions
  members              = []
}

Terraform Version

> terraform version
Terraform v1.1.2
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.2.2. You can update by downloading from https://www.terraform.io/downloads.html


Additional information

_No response_

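
The expected behavior described above (permissions gathered from `base_roles` that cannot be granted at project level or below are dropped before the custom role is created) and the manual workaround the module's `excluded_permissions` input allows can both be illustrated with a small filter. The following Python is an added example and is not the module's own code: the role-to-permission expansion is a constructed sample, not the real `roles/container.viewer` definition, and the set of permissions unsupported below organization level contains only the one permission the issue reports; the authoritative list comes from the IAM API's testable-permissions query. The `rejected_permission` helper parses a googleapi 400 message of the shape quoted in the issue so the rejected permission can be fed back into `excluded_permissions` until the module handles it automatically.

```python
import re

# The one permission the issue reports as rejected at project level.
# Any fuller list of organization-only permissions is an assumption and
# should be sourced from the IAM API's testable-permissions query.
UNSUPPORTED_BELOW_ORG = {
    "resourcemanager.projects.list",
}

# Constructed sample expansion of a base role; not the real role definition.
SAMPLE_BASE_ROLE_PERMISSIONS = {
    "roles/container.viewer": [
        "container.clusters.get",
        "container.clusters.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}

# Matches the message format in the 400 error quoted in the issue:
# "Permission resourcemanager.projects.list is not valid."
ERROR_RE = re.compile(r"Permission (?P<perm>[\w.]+) is not valid\.")


def resolve_permissions(base_roles, permissions, excluded_permissions,
                        role_permissions=SAMPLE_BASE_ROLE_PERMISSIONS,
                        unsupported=UNSUPPORTED_BELOW_ORG):
    """Expand base roles, add explicit permissions, then drop anything that is
    either explicitly excluded or not grantable at the target level.

    Returns (kept, dropped), both sorted, so a caller can log what was removed."""
    gathered = set(permissions)
    for role in base_roles:
        gathered.update(role_permissions.get(role, []))
    excluded = set(excluded_permissions)
    dropped = sorted(p for p in gathered if p in unsupported or p in excluded)
    kept = sorted(gathered - set(dropped))
    return kept, dropped


def rejected_permission(error_text):
    """Return the permission named in a googleapi 'is not valid' error, or None."""
    match = ERROR_RE.search(error_text)
    return match.group("perm") if match else None


if __name__ == "__main__":
    # Same inputs as the "plato-devs" entry in the issue's configuration.
    kept, dropped = resolve_permissions(["roles/container.viewer"], [], [])
    print("kept:", kept)
    print("dropped (unsupported at project level):", dropped)

    # Feeding the rejected permission back through excluded_permissions is the
    # manual workaround the module's input already permits.
    error = ("googleapi: Error 400: Permission resourcemanager.projects.list "
             "is not valid., badRequest")
    print("rejected by API:", rejected_permission(error))
```

Running the script with the issue's `plato-devs` inputs shows `resourcemanager.projects.list` in the dropped list and absent from the permissions that would go into `google_project_iam_custom_role`; the same result is obtained by listing it under `excluded_permissions` in the module call while the automatic filtering is not working.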
github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

dirsigler commented 1 month ago

Bug still exists.