Is it still a requirement to use the allUsers member on google_cloudfunctions_function_iam_member?
mrdevnull opened this issue · 2 comments
Hey all, firstly thanks for this terraform code.
Can someone explain further on the comment on google_cloudfunctions_function_iam_member?
# use AllUsers since config-url does not support IAM.
Is this still a requirement, and are there alternatives, as allUsers is never recommended?
I currently get this (expected) error:
```text
google_cloudfunctions_function_iam_member.invoker: Creating...
Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/XXX/locations/australia-southeast1/functions/fortigateautoscale-tttcs": Error setting IAM policy for cloudfunctions cloudfunction "projects/XXX/locations/australia-southeast1/functions/fortigateautoscale-tttcs": googleapi: Error 400: One or more users named in the policy do not belong to a permitted customer.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
    "violations": [
      {
        "description": "User allUsers is not in permitted organization.",
        "subject": "orgpolicy:XXX/australia-southeast1/fortigateautoscale-tttcs?configvalue=allUsers",
        "type": "constraints/iam.allowedPolicyMemberDomains"
      }
    ]
  }
]

  on main.tf line 284, in resource "google_cloudfunctions_function_iam_member" "invoker":
 284: resource "google_cloudfunctions_function_iam_member" "invoker" {
```
Obviously I have to do what it says to make this work, but I'd rather not if possible, hence my interest in the reason.
I've tried configuring a service account replacement, which applies fine, but on execution in fortigate just results in 403 errors.
Thanks!
Yes, unfortunately this is still necessary. The config-url is used to bootstrap the device and doesn't relay any token for authentication. So the function is internal only, but accessible to any internal user to call.
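To make the trade-off in the reply above concrete, here is an added Terraform example (not the project's own main.tf, and not code from either participant) showing the binding the error message is complaining about next to the service-account-scoped alternative the issue author tried. The resource names, the service account id `fortigate-invoker`, and the assumption that the function is deployed with `ingress_settings = "ALLOW_INTERNAL_ONLY"` are all mine; the project's actual function definition is not shown on this page.

```hcl
# Added example, not the project's code. Assumes a function resource named
# google_cloudfunctions_function.bootstrap exists; "internal only" from the
# reply above is expressed here as ingress_settings (an assumption about how
# the project deploys it).
resource "google_cloudfunctions_function" "bootstrap" {
  name        = "fortigateautoscale-tttcs"
  region      = "australia-southeast1"
  runtime     = "nodejs16"            # placeholder runtime, assumed
  entry_point = "main"                # placeholder entry point, assumed
  trigger_http = true

  # Only callers on the VPC / VPC Service Controls perimeter can reach the
  # function. This is what keeps "allUsers" from meaning the public internet.
  ingress_settings = "ALLOW_INTERNAL_ONLY"
}

# The binding the error in this issue is about. allUsers is required because
# the FortiGate config-url bootstrap request carries no identity token, so
# IAM cannot authenticate the caller. Blocked by
# constraints/iam.allowedPolicyMemberDomains unless that org policy is
# relaxed for this project.
resource "google_cloudfunctions_function_iam_member" "invoker" {
  project        = google_cloudfunctions_function.bootstrap.project
  region         = google_cloudfunctions_function.bootstrap.region
  cloud_function = google_cloudfunctions_function.bootstrap.name
  role           = "roles/cloudfunctions.invoker"
  member         = "allUsers"
}

# The scoped alternative the issue author tried. It applies cleanly and keeps
# the org policy happy, but every request must then present an identity token
# for this service account in "Authorization: Bearer <token>". A caller that
# does not (the FortiGate bootstrap, per the reply above) gets the 403 the
# author observed.
resource "google_service_account" "invoker" {
  account_id   = "fortigate-invoker"   # assumed name
  display_name = "FortiGate autoscale invoker"
}

resource "google_cloudfunctions_function_iam_member" "invoker_sa" {
  project        = google_cloudfunctions_function.bootstrap.project
  region         = google_cloudfunctions_function.bootstrap.region
  cloud_function = google_cloudfunctions_function.bootstrap.name
  role           = "roles/cloudfunctions.invoker"
  member         = "serviceAccount:${google_service_account.invoker.email}"
}
```

A quick way to tell which case you are in: from a VM on the same VPC, call the function URL once with no headers and once with `-H "Authorization: Bearer $(gcloud auth print-identity-token)"` while authenticated as the service account. If only the second call succeeds, the scoped binding works and the problem is solely that the device never sends the token, which is exactly the situation the reply describes.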
Thanks @Joel-Cripps.
Sorta ironic that adding a security device is making things less secure. But at least it is confined to internal use. Thanks for confirming.