Adding service account with group membership is bugged #212

Open
csimard01 opened this issue Nov 17, 2021 · 11 comments
Assignees
Labels
bug Something isn't working triaged Acknowledged, we have what we need to work on this waiting-response Waiting for a response

Comments

@csimard01

Hi Google Workspace terraform team,

I love your provider and I'm happy to have it.

I'm using googleworkspace_group_members to add a google Service Account to a group.

  • GOOD : The adding works well. We can find the SA in the group (IAM --> Groups --> group details)
  • BUG : However, the field "type" seems blank in the group description (IAM --> Groups --> group details)
  • BUG : Using the policy troubleshooter (IAM --> Policy troubleshooter) the SA doesn't have the permissions of the group

Expected behavior

  • Adding a Service Account to a group should give it the permissions of the group. Exactly the way it is in the web interface.
@csimard01
Author

Precision:
The SA I'm trying to add is the Google Cloud Build one, in the format <project_number>@cloudbuild.gserviceaccount.com, which is a Google-created service account.

@megan07
Contributor

megan07 commented Nov 23, 2021

Hi @csimard01! Thanks for the positive feedback! That always makes us feel good! I'm sorry you're experiencing this issue! I've tried it out and wasn't able to reproduce the problem. However, I'm not convinced we have this set up the same. Could you include your configuration to make sure what we have matches? For both the group and group_members resources?
Thanks!

@megan07 megan07 added bug Something isn't working triaged Acknowledged, we have what we need to work on this waiting-response Waiting for a response labels Nov 23, 2021
@alvarorm22

alvarorm22 commented Nov 25, 2021

Hi @megan07 , we are also using this provider and I think that we have the same issue. This is our module config:

# Create service account
resource "google_service_account" "onprem" {
  account_id   = "serv-${local.tenant_id}"
  project      = local.project_id
  display_name = "Terraform - Service account for Onpremises ${local.tenant_id}"
}

# Add service account to group
resource "googleworkspace_group_member" "onprem_installations_group" {
  group_id = var.group_for_onprem_sa
  type     = "USER"
  email    = google_service_account.onprem.email
  role     = "MEMBER"
}

# Create a service account key
resource "google_service_account_key" "onprem_sa_key" {
  service_account_id = google_service_account.onprem.name
}

And we initialize the module with following:

  workspace_api_service_account        = google_service_account.onprem.email
  workspace_subscriber_service_account = google_service_account.onprem.email

Our settings:

terraform {
  required_version = ">0.14, <1.1"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 3.80"
    }
    googleworkspace = {
      source  = "hashicorp/googleworkspace"
      version = "~> 0.5.2"
    }
  }
}

The problem is, in some cases, the member is added to the group without any kind of type; we can check this in GCP Console -> IAM -> Groups -> Members.

And the user does not have the permissions associated with that group.

If we look into Google Admin (GSuite) groups, we can find this member inside the group with the User kind, instead of service account.

Now, if we delete this user and recreate it manually, this works well and we can find the correct kind of group member and the permissions applied correctly.
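A post-apply check that is not part of this issue or of the provider: parse a group membership listing (the sample below is constructed, and the field names `preferredMemberKey.id` and `type` are assumed to follow the Cloud Identity membership resource) and flag every gserviceaccount.com member whose recorded type is not SERVICE_ACCOUNT, which is the symptom both reporters describe.

```python
import json
import re

# Constructed sample listing. The layout (preferredMemberKey.id, roles[].name,
# type) is an assumption modelled on the Cloud Identity membership resource.
SAMPLE_MEMBERSHIPS_JSON = """
[
  {"preferredMemberKey": {"id": "alice@example.com"},
   "roles": [{"name": "MEMBER"}], "type": "USER"},
  {"preferredMemberKey": {"id": "serv-tenant1@my-project.iam.gserviceaccount.com"},
   "roles": [{"name": "MEMBER"}], "type": "USER"},
  {"preferredMemberKey": {"id": "123456789012@cloudbuild.gserviceaccount.com"},
   "roles": [{"name": "MEMBER"}], "type": ""},
  {"preferredMemberKey": {"id": "bq-123456789012@bigquery-encryption.iam.gserviceaccount.com"},
   "roles": [{"name": "MEMBER"}], "type": "SERVICE_ACCOUNT"}
]
"""

# Both user-managed (<name>@<project>.iam.gserviceaccount.com) and Google-managed
# (<number>@cloudbuild.gserviceaccount.com) service accounts end in this suffix.
SA_EMAIL_RE = re.compile(r"@[a-z0-9.-]*gserviceaccount\.com$", re.IGNORECASE)


def is_service_account_email(email):
    return bool(SA_EMAIL_RE.search(email))


def find_mistyped_service_accounts(memberships_json):
    """Return (email, recorded_type) for members whose address looks like a
    service account but whose membership type is blank or not SERVICE_ACCOUNT."""
    suspects = []
    for member in json.loads(memberships_json):
        email = member.get("preferredMemberKey", {}).get("id", "")
        mtype = (member.get("type") or "").upper()
        if is_service_account_email(email) and mtype != "SERVICE_ACCOUNT":
            suspects.append((email, mtype or "<blank>"))
    return suspects


if __name__ == "__main__":
    for email, mtype in find_mistyped_service_accounts(SAMPLE_MEMBERSHIPS_JSON):
        print(f"re-check membership of {email}: recorded type is {mtype}")
```

A member reported here is exactly the case the reporters hit: present in the group, but with a type that will not carry the group's IAM grants.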

@csimard01
Author

I confirm alvarorm22's behavior.

Adding it manually works well.

@csimard01
Author

We've tried group and group_members. It didn't work.

Best regards

@csimard01
Author

csimard01 commented Dec 1, 2021

To reproduce the problem here's what you can do.

Google project 1

  • create a bucket
  • create a workspace group with read permission to the bucket

Google project 2

  • Activate a service that requires the service account "cloud build."

Use group or group members to add "cloud build" of project 2 to the group with permission on project 1.

The service account "cloud build" will be added to the group but will not have read permission. However, if you add it manually, it will have permission...

Regards

@megan07 megan07 removed the waiting-response Waiting for a response label Dec 13, 2021
@megan07
Contributor

megan07 commented Dec 13, 2021

@csimard01 @alvarorm22 I'm so sorry, I am still unable to reproduce this, with both suggestions.
This code snippet is what I'm running; my intent is to encapsulate both set-ups that you've suggested. Please let me know if I am missing an important piece.

terraform {
  required_version = ">0.14, <1.1"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 3.80"
    }
    googleworkspace = {
      source  = "hashicorp/googleworkspace"
      version = "~> 0.5.2"
    }
  }
}

resource "googleworkspace_group" "group" {
  email       = "my-group@example.com"
}

# Create service account
resource "google_service_account" "onprem" {
  account_id   = "my-sa"
  display_name = "My SA"
}

# Create a bucket
resource "google_storage_bucket" "default" {
  name          = "my-bucket"
  location      = "us-central1"
  force_destroy = true
}

# Create IAM permissions for the created group
resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.default.name
  role = "roles/storage.objectViewer"
  member = "group:${googleworkspace_group.group.email}"
}

resource "google_project_service" "bq-proj" {
  project = "project-2"
  service = "bigquery.googleapis.com"

  disable_dependent_services = true
}

data "google_bigquery_default_service_account" "bq_sa" {
  project = "project-2"
}

resource "googleworkspace_group_members" "members" {
  group_id = googleworkspace_group.group.id

  members {
    type = "USER"
    email = google_service_account.onprem.email
    role  = "MEMBER"
  }

  members {
    type = "USER"
    email = data.google_bigquery_default_service_account.bq_sa.email
    role = "MEMBER"
  }
}

Then, after apply, I jump to the console and look under Group Details and see both members listed with type Service account, then I go to Policy Analyzer > Custom Query, I run it twice (with "Principal" and each email address) and both show the created bucket and the "Storage Object Viewer" role grant.

Is there something you see that I am missing?
Thank you for your patience in this!

@megan07 megan07 added the waiting-response Waiting for a response label Dec 13, 2021
@megan07 megan07 self-assigned this Dec 13, 2021
@csimard01
Author

csimard01 commented Dec 16, 2021 via email

@csimard01
Author

The name of the service account didn't parse well. Here is the name:

project_number@cloudbuild.gserviceaccount.com

@megan07 megan07 removed the waiting-response Waiting for a response label Dec 16, 2021
@megan07
Contributor

megan07 commented Dec 16, 2021

Hi @csimard01, sorry for the confusion, I should have noted:

data "google_bigquery_default_service_account" "bq_sa" {
  project = "project-2"
}

is the Google-created default service account for BigQuery (bq-<project-number>@bigquery-encryption.iam.gserviceaccount.com).

No worries on the delay, I totally understand! If you see anything else with my set-up that isn't correct, please let me know! I'll keep digging into it as best I can. Thanks!

@megan07
Contributor

megan07 commented Feb 15, 2022

Hi @csimard01 @alvarorm22 , I wanted to follow up to see if you were still encountering this issue.

@megan07 megan07 added the waiting-response Waiting for a response label Feb 16, 2022