
1-org - ACM policy API failure - step 5 requires "Access Context Manager Admin" or lower on the super admin account

Open obriensystems opened this issue 1 year ago • 1 comments

TL;DR

Same as #1145

step 5 https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#deploying-with-cloud-build

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
ERROR: (gcloud.access-context-manager.policies.list) PERMISSION_DENIED: The caller does not have permission
access_context_manager_policy_id = 

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

shell

Terraform Version

1.7.4

Additional information

No response

obriensystems, Mar 07 '24 18:03

1-org step 5 continued

step 5 of https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md#deploying-with-cloud-build

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
ERROR: (gcloud.access-context-manager.policies.list) PERMISSION_DENIED: The caller does not have permission

fix add to super admin - "Access Context Manager Admin"


no ACM policies yet

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
access_context_manager_policy_id = 

michael@cloudshell:~/tef-olapp/github/gcp-org (tef-olapp)$ gcloud access-context-manager policies list --organization ${ORGANIZATION_ID}
Listed 0 items.


obriensystems, Mar 12 '24 14:03
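
Added example, not part of the thread or the repository's code: in both sessions above `ACCESS_CONTEXT_MANAGER_ID` ends up empty, once because the call was denied and once because the organization has no policy yet, and `export VAR=$(...)` hides the difference because `export` itself returns 0. The sketch below wraps the same `gcloud` command from step 5 and separates the two cases by exit code; the function name `acm_policy_id` and the exit codes are assumptions made for this example.

```shell
# Added example. acm_policy_id is a hypothetical helper, not from the README.
# Exit codes (chosen for this example):
#   0  = policy ID printed on stdout
#   1  = gcloud call failed (for example PERMISSION_DENIED)
#   2  = call succeeded but the organization has no ACM policy
#   64 = missing argument
acm_policy_id() {
  _org="$1"
  if [ -z "$_org" ]; then
    echo "usage: acm_policy_id ORGANIZATION_ID" >&2
    return 64
  fi
  _err=$(mktemp) || return 1
  _rc=0
  # Same command as step 5; stderr is kept so the error can be classified.
  _id=$(gcloud access-context-manager policies list \
          --organization "$_org" --format="value(name)" 2>"$_err") || _rc=$?
  if [ "$_rc" -ne 0 ]; then
    echo "policy list failed (gcloud exit $_rc):" >&2
    cat "$_err" >&2
    if grep -q PERMISSION_DENIED "$_err"; then
      echo "hint: caller cannot list ACM policies on organization $_org" >&2
    fi
    rm -f "$_err"
    return 1
  fi
  rm -f "$_err"
  if [ -z "$_id" ]; then
    echo "no Access Context Manager policy exists for organization $_org" >&2
    return 2
  fi
  printf '%s\n' "$_id"
}

# Usage: assign first, export afterwards, so the exit status is not masked.
#   ACCESS_CONTEXT_MANAGER_ID=$(acm_policy_id "${ORGANIZATION_ID}") || echo "rc=$?"
#   export ACCESS_CONTEXT_MANAGER_ID
```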

See https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/1-org/README.md?plain=1#L199C1-L204C4

daniel-cit, Mar 27 '24 13:03

A 2nd org deployment with the workaround role added to the super admin is working - I'll add a PR for the readme

stale bot timer restart - https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/.github/workflows/stale.yml#L21

fmichaelobrien, Apr 11 '24 15:04