Fix GCP deployment manager formatting #2529
Conversation
| @@ -35,7 +35,7 @@ fi | |||
|
|
|||
| result="$(gcloud deployment-manager deployments create --automatic-rollback-on-error "${DEPLOYMENT_NAME}" --project "${PROJECT_NAME}" \ | |||
| --template service_account.py \ | |||
| --properties scope:"${SCOPE}",parentId:"${PARENT_ID}",serviceAccountName:"${SERVICE_ACCOUNT_NAME}")" | |||
| --properties "scope:'${SCOPE}',parentId:'${PARENT_ID}',serviceAccountName:'${SERVICE_ACCOUNT_NAME}'")" | |||
There was a problem hiding this comment.
this format is required to ensure the values passed are treated as strings
see https://cloud.google.com/sdk/gcloud/reference/deployment-manager/deployments/create
in this specific case, ORG_ID is actually a number, but we need it as a string
|
This pull request does not have a backport label. Could you fix it @orouz? 🙏
|
| @@ -14,7 +14,7 @@ def generate_config(context): | |||
| "name": sa_name, | |||
| "type": "iam.v1.serviceAccount", | |||
| "properties": { | |||
| "accountId": sa_name, | |||
| "accountId": f"{sa_name}-id", | |||
There was a problem hiding this comment.
i'm not entirely sure why this is needed in addition to dependsOn, but i ran into some flakiness when deploying the service account, this seems to fix it.
|
moved to #2530 |
|
|
Summary of your changes
there were 2 issues preventing GCP CSPM on agentless from successfully deploying a service account for organizations. the first was a slightly off copy-paste command in kibana which ended up not passing
ORG_IDto the deployment script, so the deployment assumed it's for a project. the second issue, after providingORG_ID, the deployment script complained about it being a number and not a string (as per its schema). this is what this PR fixes.after fixing both of these, i've deployed GCP CSPM on agentless and got findings for an organization account:
Screenshot/Data
Related Issues