terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

unable to create policy at project level root #101

Closed yb-jmogavero closed 8 months ago

yb-jmogavero commented 10 months ago

TL;DR

When deploying an org policy constraint with a project-level root, a permission error is received.

The service account used by Terraform has the role orgpolicy.policyAdmin at the organization level (this role cannot be assigned at any level below the organization).

Expected behavior

I expect it to apply the constraint, as written in the Terraform policy, at the project level of the hierarchy.

Observed behavior

When trying to create a new policy constraint at the project level, per these lines from the sample code:

policy_root      = "organization"    # either of organization, folder or project
policy_root_id   = "123456789"       # either of org id, folder id or project id

a 403 permission error is received.

Error: Error creating Policy: googleapi: Error 403: Permission 'orgpolicy.policies.create' denied on resource '//cloudresourcemanager.googleapis.com/projects/<project-name-redacted>' (or it may not exist).

Terraform Configuration

module "VMVMPublicAllowList" {
  # For projects using this policy, allow VMs to have public IPs if the owner tag exists.
  # Any VMs that can't or won't get an owner tag can still be allowed via the list if listed.
  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version = "5.2.2"

  policy_root    = "project"
  policy_root_id = "redacted-project-name"
  constraint     = "constraints/compute.vmExternalIpAccess"
  policy_type    = "list"

  rules = [
    {
      enforcement = false
      allow       = []
      deny        = []
      conditions = [{
        description = "allow VMs with owner tag to get a public IP"
        # hasTagKey() takes the tag key path as a string literal, so it is quoted here
        expression  = "resource.hasTagKey('${data.google_organization.yugabyte.org_id}/owner')"
        title       = "allow owners public IPs"
        location    = "pubip.log"
      }]
    }
  ]
}

Terraform Version

Terraform v1.4.5
on darwin_arm64

+ provider registry.terraform.io/hashicorp/google v4.72.1

Additional information

No response
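A small triage script, added here as an example and not part of the module or of the reporter's configuration: it parses the 403 text quoted above and asks the Cloud Resource Manager v3 testIamPermissions API whether the Terraform identity actually holds that permission on the named project, which separates "permission missing" from "project id wrong or not visible to this identity" (the "or it may not exist" half of the message). Assumed: an OAuth2 access token for the Terraform identity in GOOGLE_OAUTH_ACCESS_TOKEN, and that testIamPermissions reports org-policy permissions for the resource.

```python
import json
import re
import urllib.error
import urllib.request

# Shape of the 403 text Terraform surfaces from googleapi (as quoted in this issue).
_DENIED_RE = re.compile(r"Permission '(?P<perm>[^']+)' denied on resource "
                        r"'//cloudresourcemanager\.googleapis\.com/(?P<res>[^']+)'")

def parse_denied(message):
    """Return (permission, resource) from a googleapi 403 message, or None."""
    m = _DENIED_RE.search(message)
    return (m.group("perm"), m.group("res")) if m else None

def _post_json(url, body, token):
    # Standard library only; token is an OAuth2 access token for the Terraform identity.
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def triage(message, token, post=_post_json):
    """Classify a 403 as 'permission-missing' vs 'resource-not-visible'.

    `post` is injectable so the logic runs without network access in tests. Assumes
    Resource Manager v3 testIamPermissions reports org-policy permissions on the resource.
    """
    parsed = parse_denied(message)
    if parsed is None:
        return {"kind": "not-a-resourcemanager-403"}
    perm, resource = parsed
    url = f"https://cloudresourcemanager.googleapis.com/v3/{resource}:testIamPermissions"
    try:
        granted = set(post(url, {"permissions": [perm]}, token).get("permissions", []))
    except urllib.error.HTTPError as e:
        # 403/404 here means the caller cannot even see the resource: wrong id, or no
        # binding at all for this identity (the "or it may not exist" half of the message).
        return {"kind": "resource-not-visible", "http_status": e.code, "resource": resource}
    kind = "permission-granted" if perm in granted else "permission-missing"
    return {"kind": kind, "permission": perm, "resource": resource}

if __name__ == "__main__":
    import os, sys
    # python triage403.py "<error text>" with GOOGLE_OAUTH_ACCESS_TOKEN exported, e.g.
    # from `gcloud auth print-access-token` while authenticated as the Terraform identity.
    print(triage(sys.argv[1], os.environ["GOOGLE_OAUTH_ACCESS_TOKEN"]))
```

If the result is "permission-granted" the 403 came from something other than the IAM binding, and the constraint path or policy_root_id is the next thing to check.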

github-actions[bot] commented 8 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.