terraform-google-org-policy
Module does not support constraints/iam.serviceAccountKeyExposureResponse
### TL;DR
Error 400 when trying to create a constraints/iam.serviceAccountKeyExposureResponse list constraint during apply.
### Expected behavior
The policy to be created
### Observed behavior
Error 400:
```
Error: googleapi: Error 400: The policy contains invalid list value(s): [<deny all> is set]. Please fix the values in the policy and try again:
StoragePolicy***resource=null, constraint=constraints/iam.serviceAccountKeyExposureResponse, etag=<ByteString@cc0c7a6 size=0 contents="">, updateTime=Optional.empty, policy=ListPolicy***inheritFromParent=false, unconditionalFragment=Optional[UnconditionalFragment***allValues=DENY, allowedValues=[], deniedValues=[], suggestedValue=Optional[]***], conditionalFragments=[]***
Details:
[
***
"@type": "type.googleapis.com/google.rpc.BadRequest",
"fieldViolations": [
***
"description": "Invalid value: [\u003cdeny all\u003e is set].",
"field": "policy.list_policy.denied_all"
***
]
***
]
, badRequest
```
### Terraform Configuration
```terraform
module "org_service_account_key_exposure_response" {
  for_each = { for index, folder_id in local.dev_folder_ids : index => folder_id }
  source = "terraform-google-modules/org-policy/google"
  version = "~> 3.0"
  enforce = null
  folder_id = each.value
  policy_for = "folder"
  organization_id = local.organization_id
  policy_type = "list"
  constraint = "constraints/iam.serviceAccountKeyExposureResponse"
  allow = ["DISABLE_KEY"]
}
```
### Terraform Version
```sh
0.14
```
### Additional information
Whether enforce is null, false or true, the actual policy is applied but the deny all or allow all part is not created.
Hey,
You need to specify allow_list_length = 1 variable as per:
- List policies with allow or deny values require the length to be set (a workaround for https://github.com/hashicorp/terraform/issues/10857)
- allow_list_length
- deny_list_length
https://github.com/terraform-google-modules/terraform-google-org-policy/#:~:text=List%20policies%20with,deny_list_length
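The fix from the reply above applied to the configuration in the issue, as an added example that is not part of the original thread or the module's own documentation. The folder and organization IDs in `locals` are constructed placeholders.

```terraform
# Added example: the IDs below are constructed placeholders, not values from the issue.
locals {
  organization_id = "123456789012"
  dev_folder_ids  = ["111111111111", "222222222222"]
}

module "org_service_account_key_exposure_response" {
  for_each = { for index, folder_id in local.dev_folder_ids : index => folder_id }

  source  = "terraform-google-modules/org-policy/google"
  version = "~> 3.0"

  policy_for      = "folder"
  folder_id       = each.value
  organization_id = local.organization_id

  policy_type = "list"
  constraint  = "constraints/iam.serviceAccountKeyExposureResponse"

  # Allowed value for the list constraint, unchanged from the issue.
  allow = ["DISABLE_KEY"]

  # The setting missing from the issue's configuration. The module README
  # requires the length to be set for list policies with allow or deny
  # values; keep it equal to the number of entries in `allow`.
  # Without it, the apply in the issue failed with the
  # "[<deny all> is set]" Error 400.
  allow_list_length = 1

  enforce = null
}
```

If more values are added to `allow` later, `allow_list_length` has to be updated in the same change.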
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days