Gcloud provider plugin allows only one resource in provider config resource list.
Description
Gcloud provider plugin allows only one resource in the provider config resource list, but there can be 2 possible resource types (project and organization) for gcloud.
To Reproduce
Create/update a provider having two resources in the resource list, e.g.:
....
...
"resources": [
  {
    "type": "project",
    "policy": {
      "id": "policy_id",
      "version": 4
    },
    "roles": [
      {
        "id": "Role Owner",
        "name": "Role Owner",
        "permissions": [
          "roles/owner"
        ]
      }
    ]
  },
  {
    "type": "organization",
    "policy": {
      "id": "policy_id",
      "version": 1
    },
    "roles": [
      {
        "id": "Bigquery Data Viewer",
        "name": "Bigquery Data Viewer",
        "permissions": [
          "roles/bigquery.dataViewer"
        ]
      }
    ]
  }
]
Error
{
  "code": 13,
  "message": "failed to update provider: gcloud_iam should have one resource"
}
@rahmatrhd @bsushmith Is this related to bulk approval?
@ravisuhag
Currently, the gcloud_iam provider lets a user configure either project or organization as a resource. But only one per provider.
Code - https://github.com/odpf/guardian/blob/main/plugins/providers/gcloudiam/config.go#L104
The documentation helps to understand this a bit. But coming from other providers - where one can onboard multiple resource types per provider, the limitation on the gcloud_iam provider is not immediately clear. If the doc can be improved to point this out, that would be great.
cc/ @utsav14nov
Understood.