Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More than one matching organization found #36

Closed
mikemeiercb opened this issue May 13, 2020 · 1 comment
Closed

More than one matching organization found #36

mikemeiercb opened this issue May 13, 2020 · 1 comment

Comments

@mikemeiercb
Copy link

TF v 0.12.24

When using the Domain Restricted Sharing module of the Org Policfy CFT, an error is encountered if the user or service account has view access to more than one organization with similar domain names. This will cause terraform plan to fail.

The module is supposed to make it easy to translate from a domain name in the TF code to a Google Customer ID which is the immutable ID which identifies the Cloud Identity/G Suite tenant that the GCP Organization is linked to. The module calls the terraform "google_organizations" provider module which uses the organizations.search API to do a lookup on the provided domain name to retrieve the customer ID. The problem with this API is that it will only provide a fuzzy lookup based on the domain name. This means for example if you have access to example.com and dev.example.com GCP organizations, the API will return both in the same call and the TF google_organization module doesn't know which to use.

This seems to be an issue in the provider which does not perform additional filtering or matching and depends instead on the API returning exactly what is needed, although the API itself does not do exact lookups.

This results in the error message:

Error: More than one matching organization found

  on .terraform/modules/domain_restricted_sharing/modules/domain_restricted_sharing/main.tf line 17, in data "google_organization" "orgs":
  17: data "google_organization" "orgs" {

Example API return:

{
  "organizations": [
    {
      "displayName": "dev.example.com",
      "owner": {
        "directoryCustomerId": "C01xxxxxx"
      },
      "creationTime": "2020-02-05T01:45:07.948Z",
      "lifecycleState": "ACTIVE",
      "name": "organizations/111111111111"
    },
    {
      "displayName": "example.com",
      "owner": {
        "directoryCustomerId": "C02xxxxxx"
      },
      "creationTime": "2017-01-12T17:24:43.214Z",
      "lifecycleState": "ACTIVE",
      "name": "organizations/222222222222"
    }
  ]
}

Example terraform file:

provider "google" {
  version = ">= 3.18.0"
}

variable "organization_id" {
  description = " This is the organization ID in which projects will be created."
}

variable "domains_allowed_external_sharing" {
  description = "The list of domains allowed to shared externally to"
}

module "domain_restricted_sharing" {
  source           = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing"
  policy_for       = "organization"
  organization_id  = var.organization_id
  domains_to_allow = var.domains_allowed_external_sharing
}

I can provide a trace level TF log if requested.
@morgante
Copy link
Contributor

Thanks for the report, could you open an issue on the provider itself?

@mikemeiercb mikemeiercb mentioned this issue May 13, 2020
Closed
@morgante morgante closed this as completed Jan 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@morgante @mikemeiercb