From b2d27b5f12a55e696f955c39530e29f27478bea4 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Thu, 28 Sep 2023 11:41:56 +0200
Subject: [PATCH] Update bootstrap and destroy roles
---
 fast/stages/0-bootstrap/README.md | 5 ++--
 fast/stages/0-bootstrap/organization-iam.tf | 4 ++-
 fast/stages/CLEANUP.md | 28 ++++++++-------------
 3 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 81d9be56b..e9b0982c3 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -156,6 +156,7 @@ The roles that the Organization Admin used in the first `apply` needs to self-gr
 - Organization Administrator (`roles/resourcemanager.organizationAdmin`)
 - Project Creator (`roles/resourcemanager.projectCreator`)
 - Tag Admin (`roles/resourcemanager.tagAdmin`)
+- Owner (`roles/owner`)
 To quickly self-grant the above roles, run the following code snippet as the initial Organization Admin:
@@ -170,8 +171,8 @@ export FAST_ORG_ID=123456
 # set needed roles
 export FAST_ROLES="roles/billing.admin roles/logging.admin \
 roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator \
- roles/resourcemanager.tagAdmin roles/orgpolicy.policyAdmin \
- roles/serviceusage.serviceUsageConsumer roles/resourcemanager.organizationAdmin"
+ roles/resourcemanager.organizationAdmin roles/resourcemanager.tagAdmin \
+ roles/owner"
 for role in $FAST_ROLES; do
 gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
diff --git a/fast/stages/0-bootstrap/organization-iam.tf b/fast/stages/0-bootstrap/organization-iam.tf
index b8abc00f3..9cc996659 100644
--- a/fast/stages/0-bootstrap/organization-iam.tf
+++ b/fast/stages/0-bootstrap/organization-iam.tf
@@ -142,8 +142,10 @@ locals {
 "roles/logging.admin",
 "roles/owner",
 "roles/resourcemanager.organizationAdmin",
- "roles/resourcemanager.projectCreator"
+ "roles/resourcemanager.projectCreator",
+ "roles/resourcemanager.tagAdmin"
 ]
+ # TODO: align additive roles with the README
 additive = (
 local.billing_mode != "org" ? [] : [
 "roles/billing.admin",
diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md
index baee9d79d..83ad251cd 100644
--- a/fast/stages/CLEANUP.md
+++ b/fast/stages/CLEANUP.md
@@ -65,14 +65,11 @@ Just like before, we manually remove several resources (GCS buckets and BQ datas
 ```bash
 cd $FAST_PWD/0-bootstrap/
+export FAST_BU=$(gcloud config list --format 'value(core.account)')
-# remove provider config to execute without SA impersonation
-rm 0-bootstrap-providers.tf
+terraform apply -var bootstrap_user=$FAST_BU
-# migrate to local state
-terraform init -migrate-state
-
-# remove GCS buckets and BQ dataset manually
+# remove GCS buckets and BQ dataset manually. Projects will be destroyed anyway
 for x in $(terraform state list | grep google_storage_bucket.bucket); do
 terraform state rm "$x";
 done
@@ -81,7 +78,13 @@ for x in $(terraform state list | grep google_bigquery_dataset); do
 terraform state rm "$x";
 done
+## remove the providers file and migrate state
+rm 0-bootstrap-providers.tf
+
+# migrate to local state
+terraform init -migrate-state
 terraform destroy
+
 ```
 When the destroy fails, continue with the steps below. Again, make sure your user (the one you are using to execute this step) has the Organization Administrator role, as we will remove the permissions for the organization-admins group
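Review bot: The added `# TODO: align additive roles with the README` records a known mismatch between the IAM grants in this file and the documented self-grant set without an owner, a reference or a tracking id, and the drift is visible in this same commit: the README's FAST_ROLES now includes roles/billing.admin, roles/logging.admin and roles/iam.organizationRoleAdmin, while here roles/billing.admin appears only inside `additive` when local.billing_mode is "org" (the rest of that list is outside the hunk). Because these lists appear to drive organization-level role bindings (the same list already carries roles/owner), I would either resolve the alignment in this commit or make the TODO actionable: `# TODO(<owner>): align additive roles with fast/stages/0-bootstrap/README.md ("set needed roles"), tracked in <issue id>`. The new `"roles/resourcemanager.tagAdmin"` entry would also benefit from a one-line why-comment, since tag admins can change the tag bindings that organization policies and IAM conditions key on, so readers should see why it belongs in this list rather than in `additive`. The enclosing locals block and the name of the list being edited start before the hunk.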
@@ -90,21 +93,12 @@ When the destroy fails, continue with the steps below. Again, make sure your use
 # Add the Organization Admin role to $BU_USER in the GCP Console
 # then execute the command below to grant yourself the permissions needed
 # to finish the destruction
-export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \
- roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \
- roles/resourcemanager.folderAdmin roles/owner roles/resourcemanager.organizationAdmin"
-
-export FAST_BU=$(gcloud config list --format 'value(core.account)')
-
-# find your org id
-gcloud organizations list --filter display_name:[part of your domain]
+export FAST_DESTROY_ROLES="roles/resourcemanager.projectDeleter \
+ roles/owner roles/resourcemanager.organizationAdmin"
 # set your org id
 export FAST_ORG_ID=XXXX
-terraform destroy -var boostrap_user=$FAST_BU
-terraform destroy
-
 for role in $FAST_DESTROY_ROLES; do
 gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
 --member user:$FAST_BU --role $role --condition None