Project custom role invalid permission `resourcemanager.projects.list`
jwtracy opened this issue · 2 comments
jwtracy commented
TL;DR
A project-level custom role cannot be created because of the `resourcemanager.projects.list` permission. Something doesn't seem to be working regarding the supported and unsupported permission handling here.
Expected behavior
`resourcemanager.projects.list` and other permissions gathered from `base_roles` that cannot be set at the project level or lower are automatically excluded from the final custom role's permissions. `resourcemanager.projects.list` may not be the only permission in question here.
Observed behavior
`resourcemanager.projects.list` is supplied to the project-level role, resulting in a 400 error:

```text
│ Error: Error creating the custom project role projects/plato-admin-765675/roles/devtools_plato_devs: googleapi: Error 400: Permission resourcemanager.projects.list is not valid., badRequest
│
│   with module.platform_eng_environments.module.plato_admin_instance.module.custom_roles.module.developer_project_roles["plato-devs"].google_project_iam_custom_role.project-custom-role[0],
│   on .terraform/modules/platform_eng_environments.plato_admin_instance.custom_roles.developer_project_roles/modules/custom_role_iam/main.tf line 69, in resource "google_project_iam_custom_role" "project-custom-role":
│   69: resource "google_project_iam_custom_role" "project-custom-role" {
```
Terraform Configuration
```hcl
locals {
  developer_project_custom_roles_map = {
    "plato-devs" = {
      base_roles = [
        "roles/container.viewer",
      ]
      permissions          = []
      excluded_permissions = []
    },
    "plato-devs-bg" = {
      base_roles = [
        "roles/container.admin",
        "roles/compute.osLogin",
        "roles/iap.admin",
        "roles/pubsub.admin",
        "roles/resourcemanager.projectIamAdmin",
      ]
      permissions          = []
      excluded_permissions = []
    },
  }
}

module "developer_project_roles" {
  source  = "terraform-google-modules/iam/google//modules/custom_role_iam"
  version = "7.4.1"

  for_each = {
    for key, data in local.developer_project_custom_roles_map :
    key => data
    if length(concat(
      data.base_roles,
      data.permissions,
    )) > 0
  }

  target_level         = "project"
  target_id            = var.project_id
  role_id              = replace(format("%sdevtools-%s", var.name_prefix, each.key), "-", "_")
  title                = format("%s Control Plane", each.key)
  description          = format("Supplied to Plato admin project for %s developers", each.key)
  base_roles           = each.value.base_roles
  permissions          = each.value.permissions
  excluded_permissions = each.value.excluded_permissions
  members              = []
}
```
Terraform Version
```text
> terraform version
Terraform v1.1.2
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.2.2. You can update by downloading from https://www.terraform.io/downloads.html
```
Additional information
_No response_
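The check the reporter expects the module to perform can be run as a pre-flight step before `terraform apply`. The following is an added example and not code from `terraform-google-modules/iam`: it takes the permissions of the requested `base_roles`, keeps only those the target project itself reports as testable (org-only permissions such as `resourcemanager.projects.list` do not appear there), drops anything whose `customRolesSupportLevel` is `NOT_SUPPORTED`, and then applies `excluded_permissions`. The two permission lists are constructed, trimmed fixtures standing in for the output of `gcloud iam roles describe ROLE --format=json` and `gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID --format=json`, so the script runs offline; the function names are my own.

```python
"""Pre-flight filter for a project-level GCP custom role (added example).

Reproduces the filtering a practitioner wants before creating a
google_project_iam_custom_role: permissions that are not testable on the
project, or are NOT_SUPPORTED in custom roles, must not reach the API or
it answers "Permission ... is not valid" (HTTP 400).
"""
from __future__ import annotations

# Constructed fixture: trimmed stand-in for `gcloud iam roles describe`.
# Real permission names, but not the complete role.
BASE_ROLE_PERMISSIONS = {
    "roles/container.viewer": [
        "container.clusters.get",
        "container.clusters.list",
        "container.pods.get",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
}

# Constructed fixture: trimmed stand-in for `gcloud iam
# list-testable-permissions` against the project. Org-only permissions such
# as resourcemanager.projects.list are absent; the API omits
# customRolesSupportLevel when it is the default SUPPORTED.
PROJECT_TESTABLE = [
    {"name": "container.clusters.get"},
    {"name": "container.clusters.list", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "container.pods.get", "customRolesSupportLevel": "TESTING"},
    {"name": "resourcemanager.projects.get", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "container.hostServiceAgent.use", "customRolesSupportLevel": "NOT_SUPPORTED"},
]

NOT_TESTABLE = "not testable on the target project"
NOT_SUPPORTED = "customRolesSupportLevel is NOT_SUPPORTED"
EXCLUDED = "listed in excluded_permissions"


def collect_base_permissions(base_roles, role_permissions=BASE_ROLE_PERMISSIONS):
    """Union of the permissions of every requested base role."""
    perms: set[str] = set()
    for role in base_roles:
        if role not in role_permissions:
            raise ValueError(f"no permission data for base role {role}")
        perms.update(role_permissions[role])
    return perms


def project_custom_role_permissions(base_roles, permissions=(), excluded_permissions=(),
                                    testable=PROJECT_TESTABLE,
                                    role_permissions=BASE_ROLE_PERMISSIONS):
    """Return (included, dropped): the safe permission list for the project-level
    role, and a dict mapping every removed permission to the reason."""
    requested = collect_base_permissions(base_roles, role_permissions) | set(permissions)
    support = {p["name"]: p.get("customRolesSupportLevel", "SUPPORTED") for p in testable}
    excluded = set(excluded_permissions)

    included: list[str] = []
    dropped: dict[str, str] = {}
    for perm in sorted(requested):
        if perm in excluded:
            dropped[perm] = EXCLUDED
        elif perm not in support:
            dropped[perm] = NOT_TESTABLE
        elif support[perm] == "NOT_SUPPORTED":
            dropped[perm] = NOT_SUPPORTED
        else:
            included.append(perm)
    return included, dropped


if __name__ == "__main__":
    # Same inputs as the reporter's "plato-devs" role.
    keep, gone = project_custom_role_permissions(["roles/container.viewer"])
    print("included:", keep)
    for perm, why in gone.items():
        print(f"dropped {perm}: {why}")
```

Failing the plan when `dropped` contains anything other than entries the operator deliberately put in `excluded_permissions` turns the runtime 400 into a reviewable diff, and it also catches the second case the reporter suspects: permissions that are testable but flagged `NOT_SUPPORTED` for custom roles.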
github-actions commented
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.