terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

Domain restricted sharing configured for incorrect domain #90

Closed cat-weazle closed 1 year ago

cat-weazle commented 1 year ago

TL;DR

When configuring domain restricted sharing for "landing-zone-challenge.nl" a policy is added that restricts sharing to "C02euq0lo".

Expected behavior

I expected that a policy would be added that restricts sharing to "landing-zone-challenge.nl".

Observed behavior

A policy is added that restricts sharing to "C02euq0lo".

Terraform Configuration

module "domain-restricted-sharing" {
  source  = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing"
  version = "5.1"

  domains_to_allow = ["landing-zone-challenge.nl"]
  organization_id  = local.organization_id
  policy_for       = "organization"
}

Terraform Version

1.4.2

Additional information

No response

cat-weazle commented 1 year ago

The terraform plan output looks like this:

Step #3 - "tf plan":   # module.domain-restricted-sharing.module.allowed-policy-member-domains.google_organization_policy.org_policy_list_allow_values[0] will be created
Step #3 - "tf plan":   + resource "google_organization_policy" "org_policy_list_allow_values" {
Step #3 - "tf plan":       + constraint  = "constraints/iam.allowedPolicyMemberDomains"
Step #3 - "tf plan":       + etag        = (known after apply)
Step #3 - "tf plan":       + id          = (known after apply)
Step #3 - "tf plan":       + org_id      = "xxx"
Step #3 - "tf plan":       + update_time = (known after apply)
Step #3 - "tf plan":       + version     = (known after apply)
Step #3 - "tf plan": 
Step #3 - "tf plan":       + list_policy {
Step #3 - "tf plan":           + suggested_value = (known after apply)
Step #3 - "tf plan": 
Step #3 - "tf plan":           + allow {
Step #3 - "tf plan":               + all    = false
Step #3 - "tf plan":               + values = [
Step #3 - "tf plan":                   + "C02euq0lo",
Step #3 - "tf plan":                 ]
Step #3 - "tf plan":             }
Step #3 - "tf plan":         }
Step #3 - "tf plan":     }

g-awmalik commented 1 year ago

As per the documentation for "Policy for Domain restricted sharing", the value expected here is a customer ID and not the actual domain name for the org. Here's a snippet of the description:

"This list constraint defines one or more Cloud Identity or Google Workspace customer IDs whose principals can be added to IAM policies."

The module "modules/domain_restricted_sharing" has logic built into it that maps the domain name to the customer ID so the caller doesn't have to.

Hope this helps. Closing this now but feel free to comment.
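As an added example (not the module's own code and not posted by anyone in this thread), the following Terraform performs the domain-to-customer-ID mapping described above explicitly with the google_organization data source, then applies the same constraint seen in the plan, with a precondition that fails the plan if any resolved value is not a customer ID. The organization ID is a constructed placeholder.

```hcl
# Added example: resolve each allowed domain to its Cloud Identity / Workspace
# customer ID and enforce constraints/iam.allowedPolicyMemberDomains with it.

variable "organization_id" {
  type    = string
  default = "123456789012" # constructed placeholder, use your own numeric org ID
}

variable "domains_to_allow" {
  type    = list(string)
  default = ["landing-zone-challenge.nl"]
}

# One lookup per domain. directory_customer_id is the "C0..." value that
# appears in the plan output instead of the domain name.
data "google_organization" "by_domain" {
  for_each = toset(var.domains_to_allow)
  domain   = each.value
}

locals {
  customer_ids = [for d in data.google_organization.by_domain : d.directory_customer_id]
}

resource "google_organization_policy" "allowed_member_domains" {
  org_id     = var.organization_id
  constraint = "constraints/iam.allowedPolicyMemberDomains"

  list_policy {
    allow {
      values = local.customer_ids
    }
  }

  lifecycle {
    # Refuse to plan a policy whose allow list is not made of customer IDs.
    precondition {
      condition     = alltrue([for id in local.customer_ids : can(regex("^C[0-9a-z]+$", id))])
      error_message = "Each allowed value must be a Cloud Identity customer ID (C0...), not a domain name."
    }
  }
}

# Surface the resolved IDs so they can be compared against the Workspace
# admin console before apply.
output "allowed_customer_ids" {
  value = local.customer_ids
}
```

Comparing the `allowed_customer_ids` output against the customer ID shown in the Google Workspace admin console confirms the policy will admit the intended organization before anything is applied.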

cat-weazle commented 1 year ago

Thanks for clarifying this. The ID that is displayed is indeed the customer ID I see in the Google Workspace admin console. So it works as it should.