Comments (22)
Hi Davide,
I'm not sure what you mean in step 2. Could you include an example config for the IAM policies you're trying to change?
Our general recommendation is to use the project creation template to create the project and any service accounts. Then you should use a different deployment in the created project to manage IAM permissions and resources in that project.
from deploymentmanager-samples.
Hi,
Like in your "project_creation" example (in this repo), this deployment also manages the IAM policy on the new project. I can use another deployment on the new project to manage IAM policies, but the problem of having to manage the Google default service account permissions remains. And on top of that I think the two deployments can overwrite each other's IAM settings.
The example config you asked for may evolve from this (on project creation):
```yaml
imports:
- path: project.py
resources:
# The "name" property below will be the name of the new project
- name: <my-project>
  type: project.py
  properties:
    ...
    iam-policy:
      bindings:
      - role: roles/iam.securityReviewer
        members:
        - group:[email protected]
```
to this (on project update):
```yaml
imports:
- path: project.py
resources:
# The "name" property below will be the name of the new project
- name: <my-project>
  type: project.py
  properties:
    ...
    iam-policy:
      bindings:
      - role: roles/iam.securityReviewer
        members:
        - group:[email protected]
        - group:[email protected]
```
With the update action the Google default service accounts' permissions vanish, because I don't explicitly configure the IAM policies for them.
What I would like is to not have to handle the Google default service account permissions on the project, i.e. the project-level permissions of these accounts:
- <project_number>[email protected]
- service-<project_number>@container-engine-robot.iam.gserviceaccount.com
- service-<project_number>@containerregistry.iam.gserviceaccount.com
- ...
Thank you
Ah that is clear now. Thanks for providing a config example.
The iam-policy sections define the entirety of the policy. Unfortunately, we aren't able to support partial updates to this property. We're working on a better story around this, but don't have anything to report yet.
I'm going to change the title of this issue so other users can find it, and we'll update back here once we have something more concrete.
Ok,
thank you for the fast reply!
I hope to hear from you soon
Added support for adding to, rather than overriding, IAM policies; please check #47 for a sample of making one service account owner.
Hi @aljim ,
for me this code returns:
```text
message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"409","ResourceErrorMessage":{"code":409,"message":"There
were concurrent policy changes. Please retry the whole read-modify-write with
exponential backoff.","status":"ABORTED","statusMessage":"Conflict","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/xxx:setIamPolicy","httpMethod":"POST"}}'
```
What can it be? And how do I solve this problem?
Thanks
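The two failure modes in this thread, the whole-policy replace that silently drops the default service accounts and the 409 "retry the whole read-modify-write with exponential backoff", as an added example that is not code from the thread or from the deploymentmanager-samples repo. It simulates getIamPolicy/setIamPolicy with an in-memory policy and etag (constructed sample values; `Conflict`, `merge_bindings`, `members_of` and `add_bindings` are hypothetical helper names):

```python
import copy
import time

class Conflict(Exception):
    """Stand-in for the HTTP 409 / ABORTED that setIamPolicy returns on a stale etag."""

# Constructed sample policy in the shape getIamPolicy returns; the member strings
# are made-up placeholders, not real identities.
DEFAULT_POLICY = {
    "etag": "v1",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": ["serviceAccount:000000@cloudservices.gserviceaccount.com"]},
    ],
}

def get_iam_policy(store):
    """Simulated getIamPolicy: a copy of the current policy, etag included."""
    return copy.deepcopy(store)

def set_iam_policy(store, policy):
    """Simulated setIamPolicy: whole-policy replace, rejected if the etag is stale."""
    if policy.get("etag") != store["etag"]:
        raise Conflict("There were concurrent policy changes")
    store["bindings"] = copy.deepcopy(policy["bindings"])
    store["etag"] += "+"  # every successful write yields a new etag
    return copy.deepcopy(store)

def merge_bindings(policy, extra):
    """Add members per role without dropping bindings already in the policy."""
    by_role = {b["role"]: b for b in policy["bindings"]}
    for role, members in extra.items():
        if role not in by_role:
            by_role[role] = {"role": role, "members": []}
            policy["bindings"].append(by_role[role])
        for member in members:
            if member not in by_role[role]["members"]:
                by_role[role]["members"].append(member)
    return policy

def members_of(policy):
    """(role, member) pairs; before minus after shows what a replace silently drops."""
    return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}

def add_bindings(extra, get_fn, set_fn, attempts=5, base=0.05, sleep=time.sleep):
    """Read-modify-write with exponential backoff; each retry re-reads for a fresh etag."""
    for attempt in range(attempts):
        try:
            return set_fn(merge_bindings(get_fn(), extra))
        except Conflict:
            sleep(base * 2 ** attempt)
    raise RuntimeError("setIamPolicy kept conflicting after %d attempts" % attempts)
```

Diffing `members_of` before and after a deployment is a cheap way to catch a template that reverted to the replace-everything behaviour.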
I also see the same issue. Seems it's a bug?
Reopening so our on-call can take a look. Sorry nobody saw this sooner Davide, we've been changing a lot about how we monitor this repo and it looks like your comment was before those changes.
I found the work-around for this issue. I'll send a PR soon.
#71 is out for review
Hi @krwenholz @mihnjong ,
I've tried the fix but I get the following error:
```text
$ gcloud deployment-manager deployments update "$DMPROJECT" --config project.yaml
The fingerprint of the deployment is Cd7LCauKuMOv3hC-xk_cEg==
Waiting for update [operation-1512987810798-5600ded0319b0-980c8251-2af424f3]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1512987810798-5600ded0319b0-980c8251-2af424f3]: errors:
- code: CYCLIC_REFERENCES
  message: |
    A cycle was found during reference analysis:
    Cycles detected:
      deploymentmanager.googleapis.com <- get-iam-policy-1512987812 <- patch-iam-policy <- get-iam-policy-1512987537
```
I've tried also to delete, recreate and update the deployment. But the update step fails always with a CYCLIC_REFERENCES error.
Thanks
@davidebelloni
The error indicates there is a cycle between the resources mentioned in the error message.
It seems you have resource dependencies like deploymentmanager.googleapis.com <- get-iam-policy- <- patch-iam-policy
After you create the deployment and try to do the update, can you try updating the config file to remove the dependency between deploymentmanager.googleapis.com and get-iam-policy-? Does this work for the update?
```python
# Fragment of the sample's project.py: get_iam_policy_name, project_id and
# ApiResourceName come from the surrounding template code.
resources.extend([{
    'name': get_iam_policy_name,
    'action': 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy',
    'properties': {
        'resource': project_id,
    },
    # remove below:
    # 'metadata': {
    #     'dependsOn': [ApiResourceName(project_id, 'deploymentmanager.googleapis.com')]
    # }
}])
```
Hi @likeulb ,
after removing "deploymentmanager.googleapis.com" the update task works.
This dependency is also in your code; why was it necessary to remove it? I can't see the cyclic reference between the resources pointed out, and I think the dependency between deploymentmanager.googleapis.com and get-iam-policy is correct.
Can you explain it to me?
Thanks
DM enforces the dependencies between resources to ensure the order when creating/updating/deleting them, based on the "ref" or "dependsOn" specified in the config file. The cycle error is due to the current processing logic of DM. But we have to admit this is one of some rare cases that DM cannot handle perfectly. We will investigate this further.
On the other side, we have a fix coming so that you will not need to attach a "timestamp" to force a new "get-iam-policy" action. This will address most of the problems discussed here. And we will update the project creation sample accordingly.
Thanks
Ok,
I think the problem now is on deployment/project creation, which returns:
```text
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1513351309840-560628f3e4e81-5a62a677-4ed1f747]: errors:
- code: RESOURCE_ERROR
  location: /deployments/dtdd-appb2c-customers-test/resources/get-iam-policy-1513351314
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/dtdd-appb2c-customers-test:getIamPolicy","httpMethod":"POST"}}'
```
Hi @davidebelloni
Does this happen when you remove the dependency?
You may need the "dependsOn" to make sure the Deployment Manager API has been activated before doing getIamPolicy. You may remove it as a temporary fix if you need to update the deployment.
Also, can you double check that the service account [project_number]@cloudservices.gserviceaccount.com has the "project owner" role?
Hi @likeulb ,
yes, the problem derives from the removed dependency.
I think that manually removing the dependency for the update task is not suitable for an enterprise service, in particular for code shared via a template (project.py) between different projects.
Is there a forecast for a complete fix that solves these problems with GCP project management?
Thanks
Hi, @davidebelloni
We will probably do some testing later this week, and will update the GitHub sample accordingly. Thanks.
Hi @likeulb ,
I've solved the issue with the code `'runtimePolicy': ['UPDATE_ALWAYS']` (see #52).
I hope to see these features better documented in the near future.
Thanks for the help
Hi @davidebelloni
Thanks for the update! There will be updated documentation about Actions in January.
Thanks.
#74 is updating the sample.
The sample has been updated. Closing the issue now.