dev-desh
commented
2 years ago I was able to overcome this issue by using the policy module however the option Merge with parent which states that Rules are combined at all levels regardless of hierarchy. "Deny" overrides "allow" is not present.
module "org-policy" {
source = "terraform-google-modules/org-policy/google"
version = "~> 3.0.2"
constraint = "constraints/iam.allowedPolicyMemberDomains"
policy_type = "list"
policy_for = "project"
project_id = var.project_id
allow_list_length = "1"
allow = ["is:EXTERNALCUSTOMERID"]
}With this I'll have to duplicate the Organization policy which allowes my Customer ID on all the projects/folders where I want to override it.
github-actions[bot]
TL;DR
By default you can grant any Cloud Identity IAM bindings to your GCP instance. Domain Restricted Sharing is a GCP feature that allows to restrict the principals which can have IAM bindings. However the current configuration does not allow for external (to the organization) domains which is possible by using the GCP Console.
Expected behavior
Terraform should allow for external domains to be added
Observed behavior
Terraform looks up the domain on the organization data but it cannot find them when the domain is not part of the organization. This defeats the purpose of "Domain Restricted Sharing"
Following error happens in terraform cloud while applying the mentioned code
Terraform Configuration
Terraform Version
Additional information
It looks like the problem is that we are trying to get the organization details from the organization data source but these don't exist in my organization so it errors with domain not found. https://github.com/terraform-google-modules/terraform-google-org-policy/blob/master/modules/domain_restricted_sharing/main.tf#L30
Instead we should just accept the Customer ID as opposed to the domain.
I have tried the same setup directly in the GCP console and it works fine