Closed ideasculptor closed 4 years ago
Hi @ideasculptor,
Thanks for the report. As discussed in #20, our goal actually is that org viewer should be optional.
If you manually pass in the org_id, everything should work properly without org_viewer. Have you tested this and seen errors? If this isn't working, we can and will fix it.
I believe I have, but I need to recreate the circumstance and confirm. I was working from an account that was Folder Admin for a folder, and no privileges in the organization, and I could grant the service account I was using everything I needed except Org Viewer and I couldn't get it to work, and I did provide org_id.
I'm in the midst of publishing something on github, so I'll be back with a link to an example or to confirm that I was wrong.
Confirmed - If I don't have Organization Viewer or Organization Administrator, it complains about being unable to read the {org_id}. Granting the service account Organization Viewer fixed the problem. And I was definitely passing a valid value for org_id.
I just confirmed it using the gsuite_enabled module, but I had the same difficulty using the fabric_project module.
```hcl
# A folder to serve as the root of the infrastructure
module "root-folder" {
  source  = "terraform-google-modules/folders/google"
  version = "2.0.0"

  parent = var.root_node
  names  = [var.root_folder_name]
}

# The root project for infrastructure
module "root-project" {
  source  = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
  version = "3.3.1"

  folder_id               = module.root-folder.id
  billing_account         = var.billing_account_id
  create_group            = var.create_group
  group_name              = var.group_name
  group_role              = var.group_role
  project_id              = var.root_project_id_prefix
  random_project_id       = var.random_project_id
  name                    = var.root_project_name
  org_id                  = var.org_id
  sa_group                = var.sa_group
  default_service_account = "delete"
  lien                    = "true"
  activate_apis           = var.project_services
  bucket_name             = var.bucket_name
  bucket_project          = var.root_project_id_prefix
  bucket_location         = var.bucket_location
  credentials_path        = "path/to/file.json"
}
```
My variables.tf file has only 3 values that don't use the defaults:
```hcl
variable "root_node" {
  description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
  type        = string
}

variable "billing_account_id" {
  type = string
}

variable "org_id" {
  type = string
}

variable "root_folder_name" {
  description = "Name of the root folder to create"
  default     = "Reference Infrastructure"
}

variable "create_group" {
  default = "true"
}

variable "group_name" {
  default = "group-name"
}

variable "group_role" {
  default = "roles/editor"
}

variable "root_project_id_prefix" {
  default = "my-project-id"
}

variable "random_project_id" {
  default = "true"
}

variable "root_project_name" {
  default = "Reference Architecture Root"
}

variable "sa_group" {
  default = "group@domain.com"
}

variable "project_services" {
  description = "Service APIs enabled by default in new projects."
  default = [
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "compute.googleapis.com",
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "logging.googleapis.com",
    "serviceusage.googleapis.com",
    "storage-api.googleapis.com",
  ]
}

variable "bucket_name" {
  default = "my_root_tf_state"
}

variable "bucket_location" {
  default = "us-west1"
}
```
@ideasculptor Can you share the exact error/log output?
I'm having trouble reproducing and this is particularly surprising because our test harness specifically does not include the org viewer role.
I'm sure I'll end up bootstrapping a new development environment eventually, but until i do, it is a headache to verify this issue, so I'm closing it. I'll re-open if it shows up again.
The org viewer requirement seems totally unnecessary, yet it is impossible to run this module without that permission. I see other (closed) issues making the same point, with no explanation for the closure. Meanwhile, even a user with full Folder Administrator privileges cannot bring up a project in that folder with this module. They will require permission sufficient to grant Organization Viewer to themselves, and they won't have that if they are restricted to administrative access of a single folder. They will need to modify their own permissions at the organization level.
I was under the impression that one of the purposes of the folder hierarchy is to allow administrative privileges to be delegated for subtrees. This module prevents that model from working, but it seems to do that for largely optional reasons - a user must be modified at the organization level to be granted Organization Viewer. I can certainly do all of the things that this module seems to need to do in order to end up where it ends up - I can manually manage resources in the console to look just like the resources created by the module - without being Organization Viewer. But I'm not using gsuite integration ATM.
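The thread turns on a least-privilege point: a principal delegated Folder Administrator can grant roles on the folder, but a role such as Organization Viewer lives in the organization's IAM policy, which that principal cannot edit. The script below, an added example that is not part of this issue or of the terraform-google-modules project, audits a service account's effective roles on a folder by splitting them into folder-scoped bindings and bindings inherited from the organization. The two policy documents are constructed for illustration; they follow the JSON shape that `gcloud organizations get-iam-policy` and `gcloud resource-manager folders get-iam-policy` emit with `--format=json`, and the member names are invented.

```python
"""Audit which roles a principal holds on a GCP folder, separating the
bindings a folder admin controls from those inherited from the organization.

Added example; the policies below are constructed, not pulled from a real
organization. Real input comes from:
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json
"""
import json

# Constructed organization-level policy (same shape as gcloud's JSON output).
ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:org-admin@example.com"]},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["serviceAccount:tf-factory@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed folder-level policy for the folder the projects are created in.
FOLDER_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["user:folder-admin@example.com"]},
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["serviceAccount:tf-factory@example-project.iam.gserviceaccount.com",
                 "user:folder-admin@example.com"]}
  ]
}
""")

# Roles that only exist on the organization resource; a folder admin cannot
# grant or revoke these for anyone, including themselves.
ORG_ONLY_ROLES = {
    "roles/resourcemanager.organizationViewer",
    "roles/resourcemanager.organizationAdmin",
}


def roles_for(policy: dict, member: str) -> set:
    """Roles bound directly to `member` in a single IAM policy document."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit(member: str, org_policy: dict, folder_policy: dict) -> dict:
    """Effective roles on the folder. IAM policies are additive down the
    resource hierarchy, so org bindings apply to the folder as well; the
    split shows which grants a delegated folder admin could manage alone."""
    org_roles = roles_for(org_policy, member)
    folder_roles = roles_for(folder_policy, member)
    return {
        "folder_scoped": sorted(folder_roles),
        "inherited_from_org": sorted(org_roles),
        "needs_org_admin_to_change": sorted(org_roles & ORG_ONLY_ROLES),
    }


if __name__ == "__main__":
    sa = "serviceAccount:tf-factory@example-project.iam.gserviceaccount.com"
    for principal in (sa, "user:folder-admin@example.com"):
        print(principal)
        for key, roles in audit(principal, ORG_POLICY, FOLDER_POLICY).items():
            print(f"  {key}: {roles}")
```

Run against real policy exports, a non-empty `needs_org_admin_to_change` list for the Terraform service account is exactly the dependency the issue describes: the grant cannot be made or revoked by anyone whose administrative scope stops at the folder.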