Incompatibility among `1-resman` and `3-project-factory` stages
danijelTxFusion opened this issue · 1 comments
Describe the bug
In the documentation, it's specified that in the 1-resman stage, you can utilize the teams FAST feature, but it is not available in variables.tf. Without that feature, the teams folder could be created using the top_level_folder variable, but that brings several issues that are listed below.
- I still have not found a way to define a hierarchy in
3-project-factorythat would also provision a dedicated folder for each team, since3-project-factoryis defined to work on the environment level (devwith its own hierarchy and the same goes forprod). How can I achieve the following structure using1-resmanand3-project-factory:
teams
- platform
- dev
- telemetry-dev
- prod
- telemetry-prod
- zk
- dev
- zk-validator-dev
- prod
- zk-validator-prod
- Also, I am having trouble provisioning projects for both
devandprodenvironments. The link-stage.sh script generates3-project-factory-dev-providers.tf, which impersonates the service account<prefix>-dev-resman-pf-0@<prefix>-iac-core-0.iam.gserviceaccount.comthat does not have permission to create folders. The error I am receiving is similar to this one. I managed to bypass this by granting additional roles to the project factory service account.
Environment
Terraform v1.8.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v5.35.0
+ provider registry.terraform.io/hashicorp/google-beta v5.35.0
FAST Version commit: 1174604efe2da84432b9516ca80e484258f90770
We recently added a "main" project factory service account, which can be used to provision the hierarchy regardless of environments.
This discussion has an example on how to assign permissions on the top-level folders.
Then in the project factory hierarchy you can set environments using tag bindings on the dev and prod folders.
We need to document the new patterns, have just not got the time to do it yet. I am closing this but feel free to open a discussion if you need more or better examples.