Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix 0-bootstrap iam_by_principals not taking into account all principals #2267

Merged
merged 3 commits into from
May 12, 2024
Merged

Fix 0-bootstrap iam_by_principals not taking into account all principals #2267

merged 3 commits into from
May 12, 2024

Conversation

wiktorn
Copy link
Collaborator

@wiktorn wiktorn commented May 12, 2024

When I provide iam_by_principals to bootstrap stage, not all entries are taken into account, as only principals listed local.iam_principals were used. For example, if using this to grant permissions to non-FAST defined groups, this would not work.

Checklist

I applicable, I acknowledge that I have:

  • Read the contributing guide
  • Ran terraform fmt on all modified files
  • Regenerated the relevant README.md files using tools/tfdoc.py
  • Made sure all relevant tests pass

@ludoo
Copy link
Collaborator

ludoo commented May 12, 2024

Can you provide repro, and of course this should only consider normal apply once a bootstrap SA has been created.

ludoo
ludoo approved these changes May 12, 2024
View reviewed changes
Copy link
Collaborator

@ludoo ludoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel free to merge we can discuss later, don't want ro block you.

@wiktorn wiktorn force-pushed the wiktorn/fast_bootstrap_iam_by_principal_fix branch from a78cd30 to 71d9858 Compare May 12, 2024 09:35
@wiktorn
Copy link
Collaborator Author

wiktorn commented May 12, 2024
edited

local.iam_principals contains principals defined in var.groups as keys. Hence the code is it is now, works only for those principals, i.e.:

groups = {
  gcp-billing-admins      = "group:ba@example.com"
  gcp-devops              = "group:do@example.com"
  gcp-network-admins      = "group:na@example.com"
  gcp-organization-admins = "group:oa@example.com"
  gcp-security-admins     = "group:sa@example.com"
  gcp-support             = "group:su@example.com"
}
iam_by_principals = {
  "group:su@example.com" = [ "roles/owner" ]
}

Works, but this won't work:

groups = {
  gcp-billing-admins      = "group:ba@example.com"
  gcp-devops              = "group:do@example.com"
  gcp-network-admins      = "group:na@example.com"
  gcp-organization-admins = "group:oa@example.com"
  gcp-security-admins     = "group:sa@example.com"
  gcp-support             = "group:su@example.com"
}
iam_by_principals = {
  "group:another@example.com" = [ "roles/owner" ]
}

We need to either document this limitation of iam_by_principals or fix this.

@ludoo
Copy link
Collaborator

ludoo commented May 12, 2024

local.iam_principals contains principals defined in var.groups as keys. Hence the code is it is now, works only for those principals, i.e.:

groups = {
  gcp-billing-admins      = "group:ba@example.com"
  gcp-devops              = "group:do@example.com"
  gcp-network-admins      = "group:na@example.com"
  gcp-organization-admins = "group:oa@example.com"
  gcp-security-admins     = "group:sa@example.com"
  gcp-support             = "group:su@example.com"
}
iam_by_principals = {
  "group:su@example.com" = [ "roles/owner" ]
}

Works, but this won't work:

groups = {
  gcp-billing-admins      = "group:ba@example.com"
  gcp-devops              = "group:do@example.com"
  gcp-network-admins      = "group:na@example.com"
  gcp-organization-admins = "group:oa@example.com"
  gcp-security-admins     = "group:sa@example.com"
  gcp-support             = "group:su@example.com"
}
iam_by_principals = {
  "group:another@example.com" = [ "roles/owner" ]
}

We need to either document this limitation of iam_by_principals or fix this.

Makes sense, good catch.

@wiktorn wiktorn merged commit af253c9 into master May 12, 2024
13 checks passed
@wiktorn wiktorn deleted the wiktorn/fast_bootstrap_iam_by_principal_fix branch May 12, 2024 19:02
sruffilli pushed a commit that referenced this pull request May 15, 2024
@wiktorn @ludoo @sruffilli
Fix 0-bootstrap iam_by_principals not taking into account all princip…
d4a4535 
…als (#2267)

* Fix 0-bootstrap iam_by_principals not taking into account all principals
* Add test-case for iam_by_principals for 0-bootstrap stage

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ludoo ludoo ludoo approved these changes

Assignees
No one assigned
Labels
on:FAST
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@wiktorn @ludoo