Fix bug in gsuite_group module that requires organizationViewer role #172

Merged

@sosimon sosimon commented Mar 18, 2019

  • roles/organizationViewer role should not be necessary if domain is specified.
  • Error occurs when project factory is scoped to the folder level (i.e. no org-level permissions, only folder-level permissions)
    data.google_organization.org: Refreshing state...
    Error: Error refreshing state: 1 error(s) occurred:
    * module.project-factory.module.gsuite_group.data.google_organization.org: 1 error(s) occurred:
    * module.project-factory.module.gsuite_group.data.google_organization.org: data.google_organization.org: Error reading Organization Not Found : <org-id-redacted>: googleapi: Error 403: The caller does not have permission, forbidden

The fix disables the data.organization lookup when the variable domain is specified.
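
The pattern described in the comment above, sketched as an added example that is not the code from this pull request or from the module. It assumes Terraform 0.12+ syntax; the variable `org_id` and the local names are hypothetical, while `domain` is the variable named in the description.

```hcl
# Added illustration; not the module's actual source.

variable "domain" {
  description = "G Suite domain. When set, no organization lookup is performed."
  type        = string
  default     = ""
}

variable "org_id" { # hypothetical name
  description = "Organization ID, used only to discover the domain when var.domain is empty."
  type        = string
  default     = ""
}

# The lookup is instantiated only when the caller did not supply a domain.
# With count = 0 the data source is never read, so a service account that
# holds only folder-level permissions is not asked for
# roles/organizationViewer and the 403 shown above does not occur.
data "google_organization" "org" {
  count        = var.domain == "" ? 1 : 0
  organization = var.org_id
}

locals {
  # Splat + join yields "" when the data source has zero instances,
  # which avoids indexing into an empty list.
  looked_up_domain = join("", data.google_organization.org[*].domain)
  domain           = var.domain != "" ? var.domain : local.looked_up_domain
}

output "domain" {
  value = local.domain
}
```

Running `terraform plan` with `domain` set, under credentials that have no org-level roles, exercises the path this pull request fixes.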

@morgante
Contributor

We should also add a test suite to make sure this doesn't regress again.

@sosimon sosimon force-pushed the bugfix/domain_org_id branch from a85fef1 to dadf88c Compare March 22, 2019 21:29
organizationViewer role should not be necessary if domain is specified.
@sosimon sosimon force-pushed the bugfix/domain_org_id branch from dadf88c to 77f9cea Compare March 22, 2019 21:32
@sosimon
Author

sosimon commented Mar 22, 2019

@morgante @aaron-lane
I did some investigation and I don't believe we need an additional test suite. Our existing test suite would have failed (as we would expect) if the CI service account did not have resourcemanager.organizationViewer at the org-level (it has it right now, but it shouldn't; it's not defined in our test_fixtures). I created a separate bug to track the permissions cleanup on our CI service account (b/129068671)

@aaron-lane aaron-lane merged commit fc5118b into terraform-google-modules:master Mar 25, 2019