1.5 KiB
Remove initial gcloud commands needed to bootstrap
authors: Ludo
date: July 13, 2023
Status
Rejected.
Context
The initial gcloud commands that grant IAM roles to the user running apply for the first time, are sometimes seen as an extra hurdle and an unnecessary complication.
These are the roles in question
roles/logging.adminroles/ownerroles/resourcemanager.organizationAdminroles/resourcemanager.projectCreator
One proposal we investigated was internalizing those IAM bindings in the actual Terraform code, either via bare resources or an additional organization module invocation, and depending subsequent resources on it.
On further investigation, this poses a few challenges
- the roles in question are managed authoritatively, and it would be best they remained so (e.g. to clear the Project Creator role, or ensure Organization Administrators match what is in the code)
- project creation depends on those roles, but this creates a cycle dependency as the service accounts created are also assigned those roles, and they cannot implicitly depend (via the project) on the same roles
Working around this issue would require a substantial amount of hoops and a lot of development effort. It would also result in potentially less safe and more fragile code.
Decision
What we decided is to leave those external commands in place, as the hurdle is minimal and not worth the expense and risks of removing it.
Consequences
Nothing changes due to this decision.