-
Notifications
You must be signed in to change notification settings - Fork 725
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: grant membership to bootstrap terraform SA to access required groups #1301
Conversation
/gcbrun |
@daniel-cit looks like all the CI tests are failing again, due to a breaking issue in the upstream provider. I found another repo that identified the perma-diff introduced by Cloud Functions API changing it's behavior to add LOG_EXECUTION_ID to the env variables if not explicitly specified. I expect the same fix should work for us. Incidentally, this issue might be avoided by the PR #1304 that is hiding this module behind an enablement flag, so will avoid deploying the Function, but we should still find a way to address it for those who explicitly enable the module. I'll do a quick PR to add the explicit LOG_EXECUTION_ID and see if that helps. |
I think that the flag option is a good one as a temporary fix. there are two sets of environment variables in the cloud function, build time and run time. For the run time we already have code that sets the the strange thing is that the error is on the runtime part that has the configuration just presented, like if something was messing up with the env vars:
|
The unrelated issues from Functions provider in the last few comments have been addressed by #1311 , I'll resume running tests on this PR. |
CI tests are green, but I don't think our tests were accurately checking for the scenario of creating groups through terraform config because the automation never encountered the reported issues. I'll try to reproduce locally to verify the changes. |
# works only with google-beta | ||
provider = google-beta | ||
depends_on = [module.seed_bootstrap, google_service_account.terraform-env-sa, module.required_group] | ||
for_each = local.required_groups_to_create |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran through this in my local setup, seems to address the permission problem identified in 1206, because we explicitly add the bootstrap SA as group owner.
However, this code is just addressing the required groups block, can you extend the logic to also address the optional groups block?
Getting that error when running
Where can I find this |
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days |
No description provided.