terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

Organization viewer is required #283

Closed ideasculptor closed 4 years ago

ideasculptor commented 4 years ago

The org viewer requirement seems totally unnecessary, yet it is impossible to run this module without that permission. I see other (closed) issues making the same point, with no explanation for the closure. Meanwhile, even a user with full Folder Administrator privileges cannot bring up a project in that folder with this module. They will require permission sufficient to grant Organization Viewer to themselves, and they won't have that if they are restricted to administrative access of a single folder. They will need to modify their own permissions at the organization level.

I was under the impression that one of the purposes of the folder hierarchy is to allow administrative privileges to be delegated for subtrees. This module prevents that model from working, but it seems to do that for largely optional reasons - a user must be modified at the organization level to be granted Organization Viewer. I can certainly do all of the things that this module seems to need to do in order to end up where it ends up - I can manually manage resources in the console to look just like the resources created by the module - without being Organization Viewer. But I'm not using gsuite integration ATM.

morgante commented 4 years ago

Hi @ideasculptor,

Thanks for the report. As discussed in #20, our goal actually is that org viewer should be optional.

If you manually pass in the org_id, everything should work properly without org_viewer. Have you tested this and seen errors? If this isn't working, we can and will fix it.

ideasculptor commented 4 years ago

I believe I have, but I need to recreate the circumstance and confirm. I was working from an account that was Folder Admin for a folder and had no privileges in the organization, and I could grant the service account I was using everything I needed except Org Viewer and I couldn't get it to work, and I did provide org_id.

I'm in the midst of publishing something on github, so I'll be back with a link to an example or to confirm that I was wrong.

ideasculptor commented 4 years ago

Confirmed - If I don't have Organization Viewer or Organization Administrator, it complains about being unable to read the {org_id} - Granting the service account Organization Viewer fixed the problem. And I was definitely passing a valid value for org_id.

I just confirmed it using the gsuite_enabled module, but I had the same difficulty using the fabric_project module.

```hcl
# A folder to serve as the root of the infrastructure
module "root-folder" {
  source            = "terraform-google-modules/folders/google"
  version           = "2.0.0"
  parent            = var.root_node
  names             = [var.root_folder_name]
}

# The root project for infrastructure
module "root-project" {
  source                  = "terraform-google-modules/project-factory/google//modules/gsuite_enabled"
  version                 = "3.3.1"

  folder_id               = module.root-folder.id
  billing_account         = var.billing_account_id
  create_group            = var.create_group
  group_name              = var.group_name
  group_role              = var.group_role
  project_id              = var.root_project_id_prefix
  random_project_id       = var.random_project_id
  name                    = var.root_project_name
  org_id                  = var.org_id
  sa_group                = var.sa_group
  default_service_account = "delete"
  lien                    = "true"

  activate_apis           = var.project_services

  bucket_name             = var.bucket_name
  bucket_project          = var.root_project_id_prefix
  bucket_location         = var.bucket_location

  credentials_path        = "path/to/file.json"
}
```

My variables.tf file has only 3 values that don't use the defaults:

```hcl
variable "root_node" {
  description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
  type        = string
}

variable "billing_account_id" {
  type = string
}

variable "org_id" {
  type = string
}

variable "root_folder_name" {
  description = "Name of the root folder to create"
  default     = "Reference Infrastructure"
}

variable "create_group" {
  default = "true"
}

variable "group_name" {
  default = "group-name"
}

variable "group_role" {
  default = "roles/editor"
}

variable "root_project_id_prefix" {
  default = "my-project-id"
}

variable "random_project_id" {
  default = "true"
}

variable "root_project_name" {
  default = "Reference Architecture Root"
}

variable "sa_group" {
  default = "group@domain.com"
}

variable "project_services" {
  description = "Service APIs enabled by default in new projects."
  default = [
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "compute.googleapis.com",
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "logging.googleapis.com",
    "serviceusage.googleapis.com",
    "storage-api.googleapis.com",
  ]
}

variable "bucket_name" {
  default = "my_root_tf_state"
}

variable "bucket_location" {
  default = "us-west1"
}
```

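The failure above ("unable to read the org_id") and the earlier claim that passing `org_id` should make Organization Viewer optional both come down to one question: does the identity running Terraform hold the permission to read that organization? The following preflight check is an added example, not code from this issue or from terraform-google-project-factory. It calls the Cloud Resource Manager v1 `organizations.testIamPermissions` REST method, which reports which of the requested permissions the caller actually holds. It assumes (1) that the permission behind reading an org_id is `resourcemanager.organizations.get`, the permission granted by `roles/resourcemanager.organizationViewer`, and (2) that the caller supplies an OAuth2 access token, for example from `gcloud auth print-access-token`. The `canned_opener` helper and the placeholder org id and token are constructed so the logic runs offline.

```python
"""Preflight: can this identity read the organization referenced by org_id?

Added example, not part of the issue thread or of the project-factory module.
Uses the Cloud Resource Manager v1 organizations.testIamPermissions method.
"""
import io
import json
import urllib.request

CRM_ENDPOINT = "https://cloudresourcemanager.googleapis.com/v1"
# Assumption: this is the permission behind the "unable to read the org"
# error; it is granted by roles/resourcemanager.organizationViewer.
ORG_READ_PERMISSION = "resourcemanager.organizations.get"


def build_request(org_id, token, permissions=(ORG_READ_PERMISSION,)):
    """Build the POST to organizations/{org_id}:testIamPermissions."""
    url = f"{CRM_ENDPOINT}/organizations/{org_id}:testIamPermissions"
    body = json.dumps({"permissions": list(permissions)}).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def missing_permissions(requested, response_body):
    """Return the requested permissions that the API did not echo back.

    testIamPermissions returns only the permissions the caller holds; an
    identity holding none of them gets an empty object, hence the default.
    """
    granted = set(response_body.get("permissions", []))
    return [p for p in requested if p not in granted]


def check_org_readable(org_id, token, opener=urllib.request.urlopen):
    """Return the missing permissions; an empty list means the org is readable.

    `opener` is injectable so the decision logic can be exercised offline.
    """
    req = build_request(org_id, token)
    with opener(req) as resp:
        body = json.load(resp)
    return missing_permissions([ORG_READ_PERMISSION], body)


def canned_opener(response_body):
    """Constructed stand-in for urlopen that returns a fixed JSON body."""
    def _open(_req):
        return io.BytesIO(json.dumps(response_body).encode("utf-8"))
    return _open


if __name__ == "__main__":
    # Offline demonstration with constructed responses. Drop the opener
    # argument and pass a real token to check a real organization.
    scenarios = (
        ("identity without Organization Viewer", {}),
        ("identity with Organization Viewer", {"permissions": [ORG_READ_PERMISSION]}),
    )
    for label, canned in scenarios:
        missing = check_org_readable("ORG_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                                     opener=canned_opener(canned))
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Running this before `terraform plan` with the same service account credentials that the module will use separates "the role really is required" from "org_id was wrong or the token belonged to a different identity": an empty result means the org is readable and any remaining failure lies elsewhere; a non-empty result names the permission that the folder-scoped identity lacks.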
morgante commented 4 years ago

@ideasculptor Can you share the exact error/log output?

I'm having trouble reproducing and this is particularly surprising because our test harness specifically does not include the org viewer role.

ideasculptor commented 4 years ago

I'm sure I'll end up bootstrapping a new development environment eventually, but until I do, it is a headache to verify this issue, so I'm closing it. I'll re-open if it shows up again.