
Module does not support constraints/iam.serviceAccountKeyExposureResponse #137

Open
thanos-kataras opened this issue Jun 10, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@thanos-kataras

TL;DR

Error 400 when trying to create a constraints/iam.serviceAccountKeyExposureResponse list constraint during apply.

Expected behavior

The policy to be created

Observed behavior

Error 400:

```text
Error: googleapi: Error 400: The policy contains invalid list value(s): [<deny all> is set]. Please fix the values in the policy and try again:
StoragePolicy{resource=null, constraint=constraints/iam.serviceAccountKeyExposureResponse, etag=<ByteString@cc0c7a6 size=0 contents="">, updateTime=Optional.empty, policy=ListPolicy{inheritFromParent=false, unconditionalFragment=Optional[UnconditionalFragment{allValues=DENY, allowedValues=[], deniedValues=[], suggestedValue=Optional[]}], conditionalFragments=[]}}
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Invalid value: [\u003cdeny all\u003e is set].",
        "field": "policy.list_policy.denied_all"
      }
    ]
  }
]
, badRequest
```

Terraform Configuration

```terraform
module "org_service_account_key_exposure_response" {
  for_each        = { for index, folder_id in local.dev_folder_ids : index => folder_id }
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 3.0"
  enforce         = null
  folder_id       = each.value
  policy_for      = "folder"
  organization_id = local.organization_id
  policy_type     = "list"
  constraint      = "constraints/iam.serviceAccountKeyExposureResponse"
  allow           = ["DISABLE_KEY"]
}
```

Terraform Version

```sh
0.14
```

Additional information

Whether enforce is null, false or true, the actual policy is applied but the deny all or allow all part is not created.

@thanos-kataras thanos-kataras added the bug Something isn't working label Jun 10, 2024

tyymoo commented Jun 19, 2024

Hey,
You need to specify allow_list_length = 1 variable as per:

https://github.com/terraform-google-modules/terraform-google-org-policy/#:~:text=List%20policies%20with,deny_list_length

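For reference, the reporter's configuration with the setting from the reply applied. This is an added example, not code from the issue or from the module's own documentation; the `locals` block and the folder and organization IDs are placeholders, and the comments describe how the original report and the reply fit together. The point is that the error dump above shows `allValues=DENY, allowedValues=[]`: the module produced a list policy with an empty allow list and the "deny all" fragment set, and the Org Policy API rejected it. Setting `allow_list_length` tells the module how many allowed values to emit, so `DISABLE_KEY` actually lands in `allowedValues` and exposed service account keys are disabled automatically rather than left active.

```terraform
# Added example, not from the issue or the module. Placeholder IDs below.
locals {
  organization_id = "ORG_ID_PLACEHOLDER"                    # replace with your org ID
  dev_folder_ids  = ["FOLDER_ID_PLACEHOLDER_1", "FOLDER_ID_PLACEHOLDER_2"]
}

module "org_service_account_key_exposure_response" {
  for_each = { for index, folder_id in local.dev_folder_ids : index => folder_id }
  source   = "terraform-google-modules/org-policy/google"
  version  = "~> 3.0"

  policy_for      = "folder"
  folder_id       = each.value
  organization_id = local.organization_id

  policy_type = "list"
  constraint  = "constraints/iam.serviceAccountKeyExposureResponse"

  # Only DISABLE_KEY is permitted, so a key detected as exposed is disabled
  # rather than left usable until abuse is observed.
  allow = ["DISABLE_KEY"]

  # The setting the original configuration was missing (see the reply above).
  # The module needs the allow list length known at plan time; with the
  # default of 0 it emitted an empty allowedValues list, which the API
  # rejected with "<deny all> is set".
  allow_list_length = 1

  # Left as in the original report.
  enforce = null
}
```

After `terraform apply`, the effective policy on one of the folders can be checked with `gcloud resource-manager org-policies describe constraints/iam.serviceAccountKeyExposureResponse --folder=FOLDER_ID`; the `listPolicy.allowedValues` field should now list `DISABLE_KEY` instead of the policy carrying only a deny-all setting.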