1. Use the helper script [validate-requirements.sh](../scripts/validate-requirements.sh) to validate your environment:
The validate script checks for pre-req IAM roles, including Organization Policy Admin and Organization Admin. These roles cannot be set at a folder level, so if I have configured the `parent_folder` variable the validate script fails.
Expected behavior
Validation script should be able to assess if I have the necessary permissions to proceed, regardless of whether I set `parent_folder`. It could do this in one of a few ways:
- test for effective IAM roles at the folder, not the explicit IAM policy binding applied to the folder
- check for some IAM roles at the org node, and some IAM roles at the folder
- Improve text guidance to explain manual checks a user can make to proceed successfully even when the validation script fails
Observed behavior
Validate script fails without actionable guidance.
Roles like Org Policy Admin can only be set at the organization node, but if I configure `parent_folder` as the root node the script fails.
Terraform Configuration
n/a
Terraform Version
n/a
Additional information
No response
**Note:** The script is not able to validate if the user is in a Cloud Identity or Google Workspace group with the required roles.
An improvement would be, instead of checking the organization IAM Policy, to try to use the testIamPermission method of some of the APIs to check if the user has the permissions required.
This should be able to validate the cases when the user is part of a group with the right roles.
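One way to implement the check proposed in the issue and in the comment above, as an added example that is not the project's own code: it asks the Resource Manager v3 `testIamPermissions` method which permissions the caller effectively holds, on the organization and on the folder separately, so access granted through a group or inherited from a parent is counted. The resource IDs and the permission lists are assumptions chosen for illustration.

```python
import json
import urllib.request

API = "https://cloudresourcemanager.googleapis.com/v3"
ORG = "organizations/111111111111"   # placeholder ID
FOLDER = "folders/222222222222"      # placeholder ID (parent_folder)
# Assumed, illustrative permission sets; not taken from the project.
REQUIRED = {
    ORG: ["orgpolicy.policy.set", "resourcemanager.organizations.setIamPolicy"],
    FOLDER: ["resourcemanager.folders.create", "resourcemanager.projects.create"],
}


def fetch_granted(resource, permissions, token):
    """POST <resource>:testIamPermissions; token is an OAuth access token."""
    req = urllib.request.Request(
        f"{API}/{resource}:testIamPermissions",
        data=json.dumps({"permissions": permissions}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def missing_permissions(required, reply):
    """Permissions the caller lacks; the reply omits the key when none are held."""
    granted = set(reply.get("permissions", []))
    return [p for p in required if p not in granted]


def validate(required_by_resource, call):
    """Map each resource to the permissions still missing on it."""
    report = {}
    for resource, required in required_by_resource.items():
        missing = missing_permissions(required, call(resource, required))
        if missing:
            report[resource] = missing
    return report


if __name__ == "__main__":
    # Constructed replies: org permissions all held, folder reply empty.
    replies = {ORG: {"permissions": REQUIRED[ORG]}, FOLDER: {}}
    print(validate(REQUIRED, lambda r, p: replies[r]))
    # Live check: validate(REQUIRED, lambda r, p: fetch_granted(r, p, token))
```

An empty report means every listed permission is held; a non-empty one names the resource and the exact permissions to request, which gives the actionable output the issue asks for.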
TL;DR
terraform-example-foundation/0-bootstrap/README.md
Line 164 in dc0eb29