
validate step in 0-bootstrap fails when parent_folder is set. #1216

Open

eeaton opened this issue May 3, 2024 · 2 comments

Labels: backlog, bug (Something isn't working)

Comments

@eeaton
Collaborator

eeaton commented May 3, 2024

TL;DR

1. Use the helper script [validate-requirements.sh](../scripts/validate-requirements.sh) to validate your environment:

The validate script checks for pre-req IAM roles, including Organization Policy Admin and Organization Admin. These roles cannot be set at a folder level, so if I have configured the parent_folder variable the validate script fails.

Expected behavior

Validation script should be able to assess if I have the necessary permissions to proceed, regardless of whether I set parent_folder. It could do this in one of a few ways:

  • test for effective IAM roles at the folder, not the explicit IAM policy binding applied to the folder
  • check for some IAM roles at the org node, and some IAM roles at the folder
  • Improve text guidance to explain manual checks a user can make to proceed successfully even when the validation script fails

Observed behavior

Validate script fails without actionable guidance.
Roles like Org Policy Admin can only be set at the organization node, but if I configure parent_folder as the root node the script fails.

Terraform Configuration

n/a

Terraform Version

n/a

Additional information

No response

@eeaton eeaton added the bug Something isn't working label May 3, 2024
@daniel-cit
Contributor

@eeaton what was the failure?

The script is checking if the user is on the organization IAM policy with the required roles, which has this limitation:

**Note:** The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles.

An improvement would be, instead of checking the organization IAM policy, to try to use the testIamPermission method of some of the APIs to check if the user has the permissions required.
This should be able to validate the cases when the user is part of a group with the right roles.

@eeaton eeaton self-assigned this May 23, 2024
@eeaton eeaton added the backlog label May 23, 2024

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label Jul 22, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 30, 2024
@eeaton eeaton reopened this Jul 31, 2024
@github-actions github-actions bot removed the Stale label Jul 31, 2024