diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md index ce12c6c8..9290b343 100644 --- a/fast/stages/00-bootstrap/README.md +++ b/fast/stages/00-bootstrap/README.md @@ -118,6 +118,8 @@ for role in $FAST_ROLES; do done ``` +Then make sure the same user is also part of the `gcp-organization-admins` group so that impersonating the automation service account later on will be possible. + #### Billing account in a different organization If you are using a billing account belonging to a different organization (e.g. in multiple organization setups), some initial configurations are needed to ensure the identities running this stage can assign billing-related roles. @@ -233,7 +235,7 @@ terraform apply \ -var bootstrap_user=$(gcloud config list --format 'value(core.account)') ``` -Once the initial `apply` completes successfully, configure a remote backend using the new GCS bucket, and impersonation on the automation service account for this stage. To do this, you can use the generated `providers.tf` file if you have configured output files as described above, or extract its contents from Terraform's output, then migrate state with `terraform init`: +Once the initial `apply` completes successfully, configure a remote backend using the new GCS bucket, and impersonation on the automation service account for this stage. To do this you can use the generated `providers.tf` file if you have configured output files as described above, or extract its contents from Terraform's output, then migrate state with `terraform init`: ```bash # if using output files via the outputs_location and set to `../../config` 
@@ -247,6 +249,8 @@ terraform init -migrate-state terraform apply ``` +Make sure the user you're logged in with is a member of the `gcp-organization-admins` group or impersonation will not be possible. + ## Customizations Most variables (e.g. `billing_account` and `organization`) are only used to input actual values and should be self-explanatory. The only meaningful customizations that apply here are groups, and IAM roles.
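Review bot: The sentence added in the first hunk (@@ -118,6 +118,8 @@) names the group literally as `gcp-organization-admins`, while the Customizations section of this same README lists groups among the things that can be customized, so the instruction is wrong for any setup that uses a different group name. Suggest wording it so the name is clearly the one expected when groups are left uncustomized, and adding a short pointer to how the reader can confirm membership at this point, since a missing membership only surfaces later at the impersonation step.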
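Review bot: The only change in the second hunk (@@ -233,7 +235,7 @@) is dropping the comma after "To do this", which is unrelated to the group-membership notes this patch adds and makes the sentence slightly harder to parse. Suggest restoring "To do this, you can use the generated `providers.tf` file" or leaving this line out of the patch so the diff stays focused.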
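Review bot: The prerequisite added in the last hunk (@@ -247,6 +249,8 @@) sits after the code block that ends with `terraform init -migrate-state` and `terraform apply`, so a reader following the steps in order runs the commands that depend on impersonation before reading the requirement. Move it into the paragraph that introduces impersonation ("Once the initial `apply` completes successfully, ...") ahead of the commands. Since it restates the note added in the first hunk, it could also refer back to that step instead of repeating the group name a second time.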