feat: updated the role for CF Gen 2 #88
@amandakarina Can you or your team revisit the roles used in the secure module?
@prabhu34 I tried to use the modifications from your PR locally, but it is generating an error when applying.
module.cloud_functions2.google_cloudfunctions2_function_iam_member.invokers["allUsers"]: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions2 function "projects/xxx/locations/us-east4/functions/function-terragrunt": Error setting IAM policy for cloudfunctions2 function "projects/xxx/locations/us-east4/functions/function-terragrunt": googleapi: Error 400: Invalid argument: 'An invalid argument was specified. Please check the fields and try again.'
│
│ with module.cloud_functions2.google_cloudfunctions2_function_iam_member.invokers["allUsers"],
│ on module/main.tf line 131, in resource "google_cloudfunctions2_function_iam_member" "invokers":
│ 131: resource "google_cloudfunctions2_function_iam_member" "invokers" ***
│
╵
time=2024-01-28T16:25:53Z level=error msg=Module /home/runner/work/terraform-modules/terraform-modules/terraform/cloudfunctions2 has finished with an error: 1 error occurred:
* exit status 1
prefix=[/home/runner/work/terraform-modules/terraform-modules/terraform/cloudfunctions2]
time=2024-01-28T16:25:53Z level=error msg=1 error occurred:
* exit status 1
I found the error. I made a PR similar to this with the necessary changes to not generate the mentioned error.
@prabhu34 Is it still necessary to create the
It would gradually go off in future versions. But for now this is to support the existing usage of the role bindings.
/gcbrun
@bharathkkb - I think this can be approved/merged while the CI is failing and we figure out the root cause.
LGTM, just a question
@@ -153,3 +153,31 @@ resource "google_cloudfunctions2_function_iam_member" "developers" { | |||
google_cloudfunctions2_function.function | |||
] | |||
} | |||
|
|||
// IAM for invoking HTTP functions (roles/run.invoker) | |||
resource "google_cloud_run_service_iam_member" "invokers" { |
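Review bot: the comment above `google_cloud_run_service_iam_member.invokers` names the role (roles/run.invoker) but does not say why this binding is added alongside the existing `google_cloudfunctions2_function_iam_member` bindings that the hunk context shows in the same file. If the function-level bindings are kept only so existing users are not affected, state that in the comment here and mark them as slated for removal, so later readers do not treat both grants as required. The apply log earlier in this thread shows `allUsers` as an invokers key, so it is also worth noting next to this resource that such a member makes the HTTP function publicly invokable.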
Do we need to grant both google_cloudfunctions2_function_iam_member and google_cloud_run_service_iam_member?
@bharathkkb Not necessarily. I thought this could be affecting existing users and left both of them. Previous comment.
@g-awmalik @bharathkkb @apeabody PR chore: add retry to secure cloud function test should make the build process stable enough. A further improvement can be added by increasing the possible values for the access level created in the test in this other fix!: replace random_id with random_string to increase number of possible access levels. It can be used after we get a new release of the This should fix most of the build errors based on the last 50 failing builds (VPC-SC propagation and VPC-SC name collision)
cloudfunctions.invoker to run.invoker and from cloudfunctions.developer to run.developer. #71 #87