
Fix read-only CI/CD SAs #2018


Closed
juliocc opened this issue Jan 30, 2024 Discussed in #2017 · 0 comments · Fixed by #2019

Comments

juliocc (Collaborator) commented Jan 30, 2024

  • Update sourcerepo templates to use plan service accounts
  • Fix concat() calls

Discussed in #2017

Originally posted by fbadso January 30, 2024
Is Terraform > 1.4.4 supported for release 29.0.0?
Using Terraform 1.7.1 or higher, in 0-bootstrap everything worked fine until I enabled CICD with Cloudbuild.

As soon as I add CICD with Cloudbuild I get:

Error: Invalid function argument
│
│   on cicd.tf line 85, in module "automation-tf-cicd-repo":
│   83:     "roles/source.reader" = concat(
│   84:       [module.automation-tf-cicd-sa[each.key].iam_email],
│   85:       each.key == "bootstrap"
│   86:       ? module.automation-tf-bootstrap-r-sa.iam_email
│   87:       : module.automation-tf-resman-r-sa.iam_email
│   88:     )
│     ├────────────────
│     │ while calling concat(seqs...)
│     │ each.key is "bootstrap"
│     │ module.automation-tf-bootstrap-r-sa.iam_email is "serviceAccount:someprefix-prod-bootstrap-0r@someprefix-prod-iac-core-0.iam.gserviceaccount.com"
│     │ module.automation-tf-resman-r-sa.iam_email is "serviceAccount:someprefix-prod-resman-0r@someprefix-prod-iac-core-0.iam.gserviceaccount.com"
│
│ Invalid value for "seqs" parameter: all arguments must be lists or tuples; got string.
╵
╷
│ Error: Invalid function argument
│
│   on outputs.tf line 22, in locals:
│   21:     for k, v in local.cicd_repositories : k => templatefile(
│   22:       "${path.module}/templates/workflow-${v.type}.yaml", {
│   23:         # If users give a list of custom audiences we set by default the first element.
│   24:         # If no audiences are given, we set https://iam.googleapis.com/{PROVIDER_NAME}
│   25:         audiences = try(
│   26:           local.cicd_providers[v["identity_provider"]].audiences, ""
│   27:         )
│   28:         identity_provider = try(
│   29:           local.cicd_providers[v["identity_provider"]].name, ""
│   30:         )
│   31:         outputs_bucket = module.automation-tf-output-gcs.name
│   32:         service_accounts = {
│   33:           apply = try(module.automation-tf-cicd-sa[k].email, "")
│   34:           plan  = try(module.automation-tf-cicd-r-sa[k].email, "")
│   35:         }
│   36:         stage_name = k
│   37:         tf_providers_files = {
│   38:           apply = local.cicd_workflow_providers[k]
│   39:           plan  = local.cicd_workflow_providers["${k}_r"]
│   40:         }
│   41:         tf_var_files = local.cicd_workflow_var_files[k]
│   42:       }
│   43:     )
│     ├────────────────
│     │ local.cicd_providers is object with no attributes
│     │ local.cicd_workflow_providers is object with 4 attributes
│     │ local.cicd_workflow_var_files is object with 2 attributes
│     │ module.automation-tf-cicd-r-sa is object with 1 attribute "bootstrap"
│     │ module.automation-tf-cicd-sa is object with 1 attribute "bootstrap"
│     │ module.automation-tf-output-gcs.name is "someprefix-prod-iac-core-outputs-0"
│     │ v["identity_provider"] is "google-beta"
│
│ Invalid value for "vars" parameter: vars map does not contain key "tf_providers_file", referenced at ./templates/workflow-sourcerepo.yaml:96,25-42.

terraform.tfvars:

billing_account = {
  id = "somebillingid"
}
 
# locations for GCS, BigQuery, and logging buckets created here
locations = {
  bq      = "EU"
  gcs     = "EU"
  logging = "eu"
  #pubsub = [ ]
  pubsub  = [ "europe-west3", "europe-west10" ]
}
 
# use `gcloud organizations list`
organization = {
  domain      = "somedomain"
  id          = someid
  customer_id = "somecustomerid"
}
 
outputs_location = "~/fast-config"
 
# use something unique and no longer than 9 characters (real prefix is just 2 chars long)
prefix = "someprefix"
 
fast_features = {
  data_platform   = false
  gke             = true
  project_factory = true
  sandbox         = true
  teams           = true
}
 
cicd_repositories = {
  bootstrap = {
    branch            = "master"
    name              = "fast-bootstrap"
    identity_provider = "google-beta"
    type              = "sourcerepo"
  }
  # resman = {
  #   branch            = "master"
  #   name              = "fast-resman"
  #   identity_provider = "google-beta"
  #   type              = "sourcerepo"
  # }
}
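The first error in the report is a type problem: concat() only accepts lists or tuples, and the conditional expression passed as its second argument evaluates to a bare string (the read-only service account's iam_email). The HCL below is an added illustration, not code from this repository or from the referenced commits; it uses local stand-ins for the module outputs shown in the error output (the service account strings are the constructed placeholder values from the report) and applies the generic Terraform remedy of wrapping the conditional's result in a one-element list. Whether the upstream fix took exactly this shape is an assumption; the point from an access-control view is that the binding must evaluate cleanly so that the stage's plan (read-only) service account actually receives roles/source.reader and the apply service account is not left as the only principal able to read the repository.

```hcl
# Added example, not the project's own code. Locals stand in for the
# module outputs referenced in the reported error.
locals {
  stage = "bootstrap"

  # Hypothetical stand-ins for module.automation-tf-cicd-sa[...].iam_email
  # and the two read-only (plan) service accounts from the error output.
  cicd_apply_sa_email = "serviceAccount:someprefix-prod-bootstrap-0@someprefix-prod-iac-core-0.iam.gserviceaccount.com"
  bootstrap_plan_sa   = "serviceAccount:someprefix-prod-bootstrap-0r@someprefix-prod-iac-core-0.iam.gserviceaccount.com"
  resman_plan_sa      = "serviceAccount:someprefix-prod-resman-0r@someprefix-prod-iac-core-0.iam.gserviceaccount.com"

  # Broken shape (kept as a comment so this file still plans): the
  # conditional yields a string, so Terraform reports
  # 'all arguments must be lists or tuples; got string'.
  #
  # source_reader_members = concat(
  #   [local.cicd_apply_sa_email],
  #   local.stage == "bootstrap" ? local.bootstrap_plan_sa : local.resman_plan_sa
  # )

  # Fixed shape: every concat() argument is a list, so the apply SA and
  # the stage's read-only SA both end up in the roles/source.reader binding.
  source_reader_members = concat(
    [local.cicd_apply_sa_email],
    [local.stage == "bootstrap" ? local.bootstrap_plan_sa : local.resman_plan_sa]
  )

  # Same idea expressed as an IAM map keyed by role, matching the
  # "roles/source.reader" = concat(...) layout in the error output.
  repo_iam = {
    "roles/source.reader" = local.source_reader_members
  }
}

output "source_reader_members" {
  value = local.source_reader_members
}
```

Running terraform plan against this file yields a two-element list for source_reader_members. The second error in the report is independent of concat(): the sourcerepo workflow template references a variable named tf_providers_file while the vars map passed to templatefile() only defines tf_providers_files, so the template and the call site must agree on the key name for the plan and apply provider files.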
juliocc added a commit that referenced this issue Jan 30, 2024
* Fix sourcerepo templates and concat call

Fixes #2018

* Fix iam

* Fix another sourcerepo template