GoogleCloudPlatform/terraform-google-secured-data-warehouse

Bug: Org Policy should allow service account creation

Closed this issue · 1 comment

mlutx commented

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave +1 or me too comments; they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If the issue is assigned to a user, that user is claiming responsibility for the issue.

Secured Data Warehouse Specifications

  • Version: v0.2.0
  • Platform:

Terraform execution logs


Expected Behavior

We used this blueprint as a foundation and added additional notebooks to the projects, expecting that each new notebook would be created with its service account.

Actual Behavior

However, we are not able to create a new service account: the org policy set on every project not only disables service account key creation but also disables service account creation.

Steps to Reproduce

Important Factoids

Looking at the code history, the original requirement was to disable service account key creation (see modules/org-policies/iam.tf), but the constraint used is iam.disableServiceAccountCreation. Later, iam.disableServiceAccountKeyCreation was added.

We fully understand that service account keys should be disabled, but disabling service accounts for all projects (including non-confidential ones, etc.) is too extreme and makes the blueprint not adaptable at all.

We recommend removing the iam.disableServiceAccountCreation org policy from modules/org-policies/iam.tf. If needed, it can be applied to the data ingestion and data governance projects (see policy-library/policies/constraints/deny_service_account_creation_data_ingestion_data_governance.yaml).

References

  • #0000
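The distinction the issue draws between the two constraints, as an added Terraform example (this is not the blueprint's modules/org-policies/iam.tf, nor code from the reporter): `iam.disableServiceAccountKeyCreation` is enforced once at folder scope so that no project under the blueprint can mint long-lived keys, while `iam.disableServiceAccountCreation` is enforced only on the two projects the issue names. The folder ID and project IDs are placeholders, and the resources used are the google provider's `google_folder_organization_policy` and `google_project_organization_policy`.

```hcl
# Added example, not the blueprint's own org-policies module.
# Assumes one folder holding every blueprint project plus the two project IDs
# below; all identifiers are placeholders to be replaced.

locals {
  blueprint_folder = "folders/123456789012"

  # Only these projects should be frozen against new service accounts.
  sa_creation_locked_projects = {
    data_ingestion  = "example-data-ingestion-prj"
    data_governance = "example-data-governance-prj"
  }
}

# Service account keys are the credential that leaks and cannot be
# short-lived, so block key creation for every project under the folder.
resource "google_folder_organization_policy" "no_sa_keys" {
  folder     = local.blueprint_folder
  constraint = "iam.disableServiceAccountKeyCreation"

  boolean_policy {
    enforced = true
  }
}

# Blocking account creation is a separate constraint with a much wider blast
# radius: notebooks, Cloud Functions, Dataflow jobs and similar workloads all
# need their own service accounts. Scope it to the projects that must stay
# frozen instead of the whole folder.
resource "google_project_organization_policy" "no_sa_creation" {
  for_each   = local.sa_creation_locked_projects
  project    = each.value
  constraint = "iam.disableServiceAccountCreation"

  boolean_policy {
    enforced = true
  }
}
```

To confirm which constraint is actually biting in a given project after `terraform apply`, read the effective policy rather than the one declared at a single level, since a folder- or organization-level policy will still win over a project where nothing is set: `gcloud resource-manager org-policies describe iam.disableServiceAccountCreation --project=PROJECT_ID --effective`. If that reports `enforced: true` on a notebook project that is not in the locked list, the constraint is being inherited from above and needs to be moved down or removed there, which is the change the issue asks for.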

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days