
More than one matching organization found #6366

Closed
mikemeiercb opened this issue May 13, 2020 · 6 comments · Fixed by GoogleCloudPlatform/magic-modules#3534, #6420 or hashicorp/terraform-provider-google-beta#2085

@mikemeiercb

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.24
+ provider.google v3.20.0
+ provider.null v2.1.2

Affected Resource(s)

  • google_organization

Terraform Configuration Files

variable "organization_id" {
  description = "The organization id for putting the policy"
  type        = string
  default     = null
}

variable "domains_to_allow" {
  description = "The list of domain names to allow users from"
  type        = list(string)
}

data "google_organization" "orgs" {
  for_each = toset(var.domains_to_allow)
  domain   = each.value
}

module "allowed-policy-member-domains" {
  source            = "terraform-google-modules/org-policy/google"
  policy_for        = "organization"
  organization_id   = var.organization_id
  constraint        = "constraints/iam.allowedPolicyMemberDomains"
  policy_type       = "list"
  allow             = [for org in data.google_organization.orgs : org["directory_customer_id"]]
  allow_list_length = length(var.domains_to_allow)
}

Debug Output

Redacted personally identifying information:

https://gist.github.com/mikemeiercb/f659b6cc410aa3c7dfda977aae342465

Panic Output

none

Expected Behavior

Terraform should have used the list of human-readable domains to retrieve the Google Customer ID using the google_organization module, and used that Customer ID key to apply the organization policy constraints/iam.allowedPolicyMemberDomains.

This code was taken from the Cloud Foundation Toolkit here: https://github.com/terraform-google-modules/terraform-google-org-policy/tree/master/modules/domain_restricted_sharing

Actual Behavior

The google_organization module uses the organizations.search API to look up the provided domain name and returns the matching information about that domain name, including the organization ID and the Customer ID. The org policy uses the Customer ID to set a constraint on users that are allowed to be added to IAM bindings.

When the user or service account has access to more than one GCP organization with similar names, such as dev.example.com and example.com, the organizations.search performs only a fuzzy lookup and can potentially return more than one organization in the response body. This results in the google_organization module throwing an error which can be found here: https://github.com/terraform-providers/terraform-provider-google/blob/master/google/data_source_google_organization.go#L73

Ideally, the provider module would perform an exact match lookup on the returned response body and explicitly match to the provided domain name, and maybe provide a warning that other similar domains were found but an exact match was used.

Steps to Reproduce

  1. terraform init
  2. terraform plan

Results in

Error: More than one matching organization found

  on org_policy.tf line 12, in data "google_organization" "orgs":
  12: data "google_organization" "orgs" {

Important Factoids

Authenticating as a user account that has Organization Viewer role for an organization at a root domain and an organization for a subdomain of the root domain.

References

@ghost ghost added bug labels May 13, 2020
@edwardmedia edwardmedia self-assigned this May 14, 2020
@edwardmedia
Contributor

edwardmedia commented May 14, 2020

@mikemeiercb Using exact match lookup? Should we consider other use cases when users do not need exact match?

@mikemeiercb
Author

@edwardmedia The way I interpret the documentation for how the module is used is that the given domain name in the domain attribute should match exactly to a domain to retrieve information from that domain. https://www.terraform.io/docs/providers/google/d/google_organization.html

I can also understand a scenario where a user may want to see information on all similar domains as the API returns them. Maybe a flag for exact_match = true/false would be a useful feature, and instead of a single organization it would return an array of orgs as the API by default returns them. I think the module should default to an exact match, and the exact_match = false flag would be used to get the full list available to allow the user's code to sort through in a further step.

@c2thorn
Collaborator

c2thorn commented May 14, 2020

@mikemeiercb Returning all of the fuzzy matches of the API wouldn't be a bad idea, but would require a new "array" resource such as google_organizations. We wouldn't be able to modify google_organization to fit that. However, that isn't something you actually want right?

If I am understanding correctly, all you need is for the provider to use the organization that exactly matches the given domain in the case that the API returns multiple organizations. Since that is just a bit of logic bound to an already failing use case, it shouldn't affect any other use cases. Does this sound right to you?

@mikemeiercb
Author

Yes, I think that is the ideal fix for the current scenario: when the API returns multiple results, perform some further logic to find the result that matches the domain name provided in the original domain parameter of the module.

Since the API request body doesn't seem to allow for strict filtering from what I can find, I think the google_organization should apply that strict filtering in the edge case that the API returns more than one result. This keeps it consistent where providing a domain name to the module that matches an organization results in the information of only that organization being returned to terraform.
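The selection logic agreed on in the two comments above (accept a single fuzzy result as before; when organizations.search returns several, keep only the one whose domain exactly matches the requested domain), written out as an added Go example. This is not the provider's code or the merged fix; it assumes a constructed Organization struct standing in for the cloudresourcemanager.Organization fields the data source reads (Name, DisplayName, and the directory customer id), and the constructed search response mirrors the root-domain plus subdomain scenario from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Organization is a constructed stand-in for the fields of a
// cloudresourcemanager.Organization that the data source reads.
type Organization struct {
	Name                string // e.g. "organizations/123456789"
	DisplayName         string // the organization's primary domain, e.g. "example.com"
	DirectoryCustomerID string // the customer id the org policy constraint uses
}

var (
	ErrNoMatch   = errors.New("no organization matched the requested domain")
	ErrAmbiguous = errors.New("more than one matching organization found")
)

// selectOrganization picks the organization to use from a (possibly fuzzy)
// organizations.search result set. A single result is accepted as-is, which
// preserves the existing behaviour. With several results only the one whose
// DisplayName equals the requested domain is accepted; domain names are
// compared case-insensitively because DNS names are.
func selectOrganization(results []Organization, domain string) (Organization, error) {
	switch len(results) {
	case 0:
		return Organization{}, ErrNoMatch
	case 1:
		return results[0], nil
	}

	want := strings.ToLower(strings.TrimSpace(domain))
	var exact []Organization
	for _, org := range results {
		if strings.ToLower(org.DisplayName) == want {
			exact = append(exact, org)
		}
	}

	switch len(exact) {
	case 1:
		return exact[0], nil
	case 0:
		// Several fuzzy hits but none is the domain the caller asked for:
		// still ambiguous, so keep failing rather than guessing.
		return Organization{}, fmt.Errorf("%w: %d fuzzy matches for %q, none exact", ErrAmbiguous, len(results), domain)
	default:
		return Organization{}, fmt.Errorf("%w: %d exact matches for %q", ErrAmbiguous, len(exact), domain)
	}
}

func main() {
	// Constructed search response for the scenario in the issue: the caller
	// can see both a root-domain organization and a subdomain organization.
	results := []Organization{
		{Name: "organizations/111111111111", DisplayName: "dev.example.com", DirectoryCustomerID: "C0aaaaaaa"},
		{Name: "organizations/222222222222", DisplayName: "example.com", DirectoryCustomerID: "C0bbbbbbb"},
	}
	org, err := selectOrganization(results, "example.com")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("using %s (customer %s)\n", org.Name, org.DirectoryCustomerID)
}
```

The point of keeping the "none exact" branch an error is that the ambiguity the original check guarded against is still real when no result equals the requested domain; only the case where exactly one result does is safe to resolve automatically.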

@c2thorn
Collaborator

c2thorn commented May 19, 2020

Hi @mikemeiercb,
I have a pull request ready, but it's proven difficult for me to set up a real testing scenario with multiple closely matching organizations. It's a straightforward solution that should work... but if you were able to pull/build the generated provider commit and test it in your environment, it has the potential to save a round of releasing/adjusting.

If that's not possible, no worries!

@ghost

ghost commented Jun 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 19, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudresourcemanager-crm labels Jan 14, 2025