
Move org policies to their own directory #103

Closed
wants to merge 1 commit into from

Conversation

markmandel
Member

This means we don't have the extra API requirement (which take a long time to propagate?), and can mark it as an optional step on our README, which can be skipped over for most (?) of our end users.

@markmandel markmandel requested review from bbhuston and abmarcum March 3, 2023 23:16
@markmandel
Member Author

@bbhuston please confirm my additions to the README make sense / are correct.

@abmarcum please take a look - I'm fairly sure this is the approach we had discussed the other day.

@bbhuston
Collaborator

bbhuston commented Mar 4, 2023

@markmandel I just tested this branch and it does not work for me. (Example error below.)

What's missing still is the user_project_override = true attribute in the google provider. Without this, terraform will throw 403s for all org-level resource creation attempts.

provider "google" {
  project = var.project
  user_project_override = true
}

ERROR for PR

│ Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the orgpolicy.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/618104708054",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
│ 
│   with module.gcp_org_policy_v2_vmExternalIpAccess.google_org_policy_policy.project_policy[0],
│   on .terraform/modules/gcp_org_policy_v2_vmExternalIpAccess/modules/org_policy_v2/list_constraints.tf line 92, in resource "google_org_policy_policy" "project_policy":
│   92: resource "google_org_policy_policy" "project_policy" {

Let me do some more testing on your branch using brand new GCP projects to get everything sorted out. Also, I'd like to move the org policies directory inside of the infra directory. (Logically, this keeps all the terraform in the same top-level folder, which I think is cleaner.) Thoughts on that approach?

@bbhuston
Collaborator

bbhuston commented Mar 4, 2023

One more catch. I think that you copied a stale version of the org-policies.tf file into your PR. This has some misconfigurations in it that we need to tweak.

@markmandel
Member Author

> Let me do some more testing on your branch using brand new GCP projects to get everything sorted out. Also, I'd like to move the org policies directory inside of the infra directory. (Logically, this keeps all the terraform in the same top-level folder, which I think is cleaner.) Thoughts on that approach?

Thanks for doing all the testing!

It pulls in a lot of dependencies (and extra commands, like gcloud auth application-default set-quota-project ${PROJECT_ID} (I still don't remember why we need this?)), and also I am concerned this (a) won't apply to many people, and (b) a lot of people won't be able to apply it if they don't have permission to do so, and the repercussions therein? But it's possible that's just FUD on my end.

That being said, the alternate approach may be to use the approach in terraform-google-modules/terraform-google-project-factory#564

And use that to fix all the API enablement race conditions. If you have a play and see that that does fix things, maybe that's the better approach.
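Putting bbhuston's user_project_override note and the API-enablement race discussed in this comment together, as an added example that is not the repository's own code: a minimal standalone org-policy module for the same compute.vmExternalIpAccess constraint the error above came from. The variable name, the 60 s wait, and the choice of the target project as its own quota project are assumptions.

```hcl
# Added example, not the repository's own code. Assumes var.project is the
# project that receives the policy and that pays for the orgpolicy API calls.
variable "project" {
  type = string
}

# user_project_override sends the X-Goog-User-Project header so org-policy
# calls are quota-checked against billing_project instead of being rejected
# with 403 when end-user (gcloud) credentials are in use.
provider "google" {
  project               = var.project
  user_project_override = true
  billing_project       = var.project
}

# orgpolicy.googleapis.com must be enabled on the quota project, or the call
# fails with reason SERVICE_DISABLED (the error quoted in the thread).
resource "google_project_service" "orgpolicy" {
  project            = var.project
  service            = "orgpolicy.googleapis.com"
  disable_on_destroy = false
}

# Enablement propagates asynchronously; wait before the first orgpolicy call
# instead of racing it (the "takes a long time to propagate" concern above).
resource "time_sleep" "orgpolicy_ready" {
  depends_on      = [google_project_service.orgpolicy]
  create_duration = "60s"
}

# Deny external IPs on every VM in the project (orgpolicy v2 resource).
resource "google_org_policy_policy" "vm_external_ip" {
  name   = "projects/${var.project}/policies/compute.vmExternalIpAccess"
  parent = "projects/${var.project}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }

  depends_on = [time_sleep.orgpolicy_ready]
}
```

Because the policy is declared at project scope, a user who can administer the project can apply it without organization-level IAM; an org-scoped parent would need the org-level permissions the thread refers to.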

@markmandel
Member Author

@bbhuston we can close this PR now, yeah?

@bbhuston
Collaborator

bbhuston commented Mar 6, 2023 via email

@markmandel
Member Author

That's right, that's right - you were going to work on this branch to get it all working. Got it, got it!

Thanks for the reminder.

@markmandel
Member Author

Should we close this PR for now, just to keep things clean, and file an issue on it to track the upcoming work?

This branch is just falling farther and farther behind at this point.

@bbhuston
Collaborator

bbhuston commented Mar 16, 2023

> Should we close this PR for now, just to keep things clean, and file an issue on it to track the upcoming work?
>
> This branch is just falling farther and farther behind at this point.

@markmandel

Apologies for the delay on this. Been slammed recently but now have bandwidth to push things over the finish line. Here's my plan to minimize clunky git history baggage as I do this.

  • Close this PR
  • Split new branch of main and cherry-pick from locally stashed commits there
  • Update issue tracker to include additional need for standalone README on org policies, pre-req org IAM permissions etc from both Platform Admin and Platform User perspective. (i.e., something that a user can show to an admin to get Org settings configured correctly.)
  • Update issue tracker to use the terraform gcp module that ensures orgpolicy APIs are fully active prior to provisioning other assets. etc
  • Put all content (docs and TF assets) into separate standalone org-policy top-level directory.
  • Structure terraform manifests to work as a completely independent (and optional) module

TL/DR would like to use this PR and issue to explicitly document/address the "how should your GCP organization be confirmed for this demo to work" question

@markmandel
Member Author

That sounds fantastic! And no worries on the delay - happens to all of us.

Shall I move the above comment into an issue for tracking? (happy to do it for you) or did you want to?

@bbhuston bbhuston closed this Mar 19, 2023
@bbhuston
Collaborator

> That sounds fantastic! And no worries on the delay - happens to all of us.
>
> Shall I move the above comment into an issue for tracking? (happy to do it for you) or did you want to?

@markmandel Just wrote this up in #158

@bbhuston bbhuston deleted the cleanup/move-org-policies branch April 11, 2023 14:22