GoogleCloudPlatform/cloud-foundation-fabric

Missing Groups in Fabric FAST

chpetit-capgemini opened this issue · 2 comments

Describe the bug
Required/used Fabric FAST groups are no longer aligned with the Google Cloud setup checklist (https://cloud.google.com/docs/enterprise/setup-checklist).
The following roles are missing:
gcp-logging-admins
gcp-logging-viewers
gcp-monitoring-admins
gcp-developers

I'm fairly new to Fabric FAST. I don't know if it's okay or not. If this is normal, it should probably be mentioned in the bootstrap documentation (at least to avoid issue ticket creation).

Environment
Documentation

To Reproduce
Read https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/blob/master/fast/stages/0-bootstrap/README.md#customizations

Result
Documentation and source code should be aligned with the official recommendations (https://cloud.google.com/docs/enterprise/setup-checklist).

Yes, we don't use all the roles defined in the checklist.

As an example, in our experience there's no centralized logging or monitoring function, but those are managed for specific contexts (network team has their own dashboards on their part of the org, etc.). The checklist uses a different approach, where segmentation of IAM contexts via folders is not used but functions are centralized and assigned organization-level roles.

Having those groups created is fine, and they can already be used like any other principal via the iam_ variables exposed in several stages. But since we only define groups in variables when they are actually used by the IAM bindings we have in code, adding the extra groups to our variables would just force more information or edits on users with little actual benefit.

Mentioning this in the README as you suggest, on the other hand, is useful and would prevent users puzzling over the differences. :) Would you care to send a PR to the stage 0 README to mention this? Or we can do it of course if you're short on time. Thanks for raising this!

Thank you for the update!