Shared VPC granting is broken #97
Comments
|
I have verified on our end that the fix listed does correct the condition of not adding the group_name to the project level if condition 3 is met. However group_name does not get cleaned up from the shared subnet on project destroy. |
glarizza
added a commit
to glarizza/terraform-google-project-factory
that referenced
this issue
Mar 7, 2019
This commit addresses issue terraform-google-modules#97 (terraform-google-modules#97) and updates the logic around IAM bindings with regard to shared VPC subnets. The logic is as follows: 1. If `var.shared_vpc` and `var.shared_vpc_subnets` are empty no bindings are mad 2. If `var.shared_vpc` is set but no subnets are provided with `var.shared_vpc_subnets` then the IAM bindings are set at the Host Project 3. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains subnets then the IAM bindings are granted on the subnetworks themselve This commit updates the logic used to calculate the Host Project bindings based on scenario 3 above. The tests have also been modified to ensure that those bindings AREN'T set.
glarizza
added a commit
to glarizza/terraform-google-project-factory
that referenced
this issue
Mar 7, 2019
This commit addresses issue terraform-google-modules#97 (terraform-google-modules#97) and updates the logic around IAM bindings with regard to shared VPC subnets. The logic is as follows: 1. If `var.shared_vpc` and `var.shared_vpc_subnets` are empty no bindings are mad 2. If `var.shared_vpc` is set but no subnets are provided with `var.shared_vpc_subnets` then the IAM bindings are set at the Host Project 3. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains subnets then the IAM bindings are granted on the subnetworks themselve This commit updates the logic used to calculate the Host Project bindings based on scenario 3 above. The tests have also been modified to ensure that those bindings AREN'T set.
glarizza
added a commit
to glarizza/terraform-google-project-factory
that referenced
this issue
Mar 8, 2019
This commit addresses issue terraform-google-modules#97 (terraform-google-modules#97) and updates the logic around IAM bindings with regard to shared VPC subnets. The logic is as follows: 1. If `var.shared_vpc` and `var.shared_vpc_subnets` are empty no bindings are mad 2. If `var.shared_vpc` is set but no subnets are provided with `var.shared_vpc_subnets` then the IAM bindings are set at the Host Project 3. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains subnets then the IAM bindings are granted on the subnetworks themselve This commit updates the logic used to calculate the Host Project bindings based on scenario 3 above. The tests have also been modified to ensure that those bindings AREN'T set.
|
Fixed by #164. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #72, we messed up the logic for granting networkUser permission.
There are meant to be 3 different conditions.
shared_vpcand no subnets => no grantsshared_vpcand no subnets => grant to the project (all networks/subnets)shared_vpcand subnets => grant to the subnets (and not to the project)The text was updated successfully, but these errors were encountered: