terraform-google-modules/terraform-google-iam

Project custom role invalid permission `resourcemanager.projects.list`

jwtracy opened this issue · 2 comments

### TL;DR

A project level custom role cannot be created due to resourcemanager.projects.list permission. Something doesn't seem to be working regarding the supported and unsupported permission handling here.

### Expected behavior

resourcemanager.projects.list and other permissions gathered from base_roles that cannot be set at the project level or lower are automatically excluded from the final custom role's permissions. resourcemanager.projects.list may not be the only permission in question here.

### Observed behavior

resourcemanager.projects.list is supplied to the project-level role, resulting in a 400 error:

│ Error: Error creating the custom project role projects/plato-admin-765675/roles/devtools_plato_devs: googleapi: Error 400: Permission resourcemanager.projects.list is not valid., badRequest
│ 
│   with module.platform_eng_environments.module.plato_admin_instance.module.custom_roles.module.developer_project_roles["plato-devs"].google_project_iam_custom_role.project-custom-role[0],
│   on .terraform/modules/platform_eng_environments.plato_admin_instance.custom_roles.developer_project_roles/modules/custom_role_iam/main.tf line 69, in resource "google_project_iam_custom_role" "project-custom-role":
│   69: resource "google_project_iam_custom_role" "project-custom-role" {

### Terraform Configuration

locals {
  developer_project_custom_roles_map = {
    "plato-devs" = {
      base_roles = [
        "roles/container.viewer",
      ]
      permissions          = []
      excluded_permissions = []
    },
    "plato-devs-bg" = {
      base_roles = [
        "roles/container.admin",
        "roles/compute.osLogin",
        "roles/iap.admin",
        "roles/pubsub.admin",
        "roles/resourcemanager.projectIamAdmin",
      ]
      permissions          = []
      excluded_permissions = []
    },
  }
}

module "developer_project_roles" {
  source  = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version = "7.4.1"

  for_each = {
    for key, data in local.developer_project_custom_roles_map :
    key => data
    if length(concat(
      data.base_roles,
      data.permissions,
    )) > 0
  }

  target_level         = "project"
  target_id            = var.project_id
  role_id              = replace(format("%sdevtools-%s", var.name_prefix, each.key), "-", "_")
  title                = format("%s Control Plane", each.key)
  description          = format("Supplied to Plato admin project for %s developers", each.key)
  base_roles           = each.value.base_roles
  permissions          = each.value.permissions
  excluded_permissions = each.value.excluded_permissions
  members              = []
}

### Terraform Version

> terraform version
Terraform v1.1.2
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.2.2. You can update by downloading from https://www.terraform.io/downloads.html

### Additional information

_No response_

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.