
Handle deleted: prefix when deduplicating IAM member map #2819

Merged

Conversation

slevenick
Contributor

@slevenick slevenick commented Dec 11, 2019

I thought this wasn't going to be an issue, but it seems to be. We run all IAM members through this function to deduplicate them case-insensitively, but new deleted IAM principals cause issues with `serviceAccount` members as we split on the `:` character that is prefixed to the deleted principal. This causes us to downcase `serviceAccount`, which is case sensitive, so when we send the IAM policy back to the server it doesn't recognize `serviceaccount` as `serviceAccount` and throws a 400.

This causes issues because even when we specify a single IAM member, we retrieve the IAM policy for the resource and run it through this method. We send back the resulting IAM policy (after our addition) which has been modified via downcasing by this method.

The fix checks for `deleted:` as a prefix and only downcases the principal value, not the type.

Release Note Template for Downstream PRs (will be copied)

`iam`: Fixed a bug that causes badRequest errors on IAM resources due to deleted serviceAccount principals
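The bug and fix described in this PR, as an added example in Go (not the provider's or Magic Modules' own code): `buggyNormalize` reproduces the pre-fix split on the first `:`, `fixedNormalize` checks for the `deleted:` prefix first and downcases only the principal value, and `dedupMembers` is the deduplication step both feed. The function names and the sample members are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// buggyNormalize mirrors the pre-fix behaviour the PR describes: split on the first ':'
// and downcase the rest, which for "deleted:" members mangles the type token.
func buggyNormalize(member string) string {
	pieces := strings.SplitN(member, ":", 2)
	if len(pieces) == 2 {
		pieces[1] = strings.ToLower(pieces[1])
	}
	return strings.Join(pieces, ":")
}

// fixedNormalize handles the "deleted:" prefix and downcases only the principal value.
func fixedNormalize(member string) string {
	n := 2 // "type:value"
	if strings.HasPrefix(member, "deleted:") {
		n = 3 // "deleted:type:value"
	}
	pieces := strings.SplitN(member, ":", n)
	if len(pieces) == n {
		pieces[n-1] = strings.ToLower(pieces[n-1])
	}
	return strings.Join(pieces, ":")
}

// dedupMembers normalizes members and drops case-insensitive duplicates, keeping order.
func dedupMembers(members []string, normalize func(string) string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, m := range members {
		if n := normalize(m); !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	return out
}

func main() {
	members := []string{ // constructed sample binding; the uid is a placeholder
		"user:Alice@Example.com", "user:alice@example.com",
		"deleted:serviceAccount:Build-Bot@my-project.iam.gserviceaccount.com?uid=PLACEHOLDER",
	}
	fmt.Println("buggy:", dedupMembers(members, buggyNormalize))
	fmt.Println("fixed:", dedupMembers(members, fixedNormalize))
}
```

Running it shows the buggy path emitting `deleted:serviceaccount:...`, the exact string the API rejects, while the fixed path keeps `serviceAccount` intact and still collapses the two `user:` spellings into one.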

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, d1ef609.

Pull request statuses

No diff detected in Ansible.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google-beta#1501
depends: GoogleCloudPlatform/terraform-google-conversion#288
depends: hashicorp/terraform-provider-google#5142
depends: modular-magician/inspec-gcp#279

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, a814b6f.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

@slevenick slevenick requested a review from danawillow December 11, 2019 21:46
Contributor

@danawillow danawillow left a comment


LGTM pending clean magician run

@slevenick slevenick force-pushed the iam-serviceaccount-case branch 2 times, most recently from 9f7364e to d4de503 on December 11, 2019 23:03
@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 9f7364e.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

@modular-magician
Collaborator

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, d4de503.

Pull request statuses

terraform-provider-google-beta already has an open PR.
No diff detected in terraform-google-conversion.
terraform-provider-google already has an open PR.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I didn't open any new pull requests because of this PR.

slevenick and others added 2 commits December 11, 2019 23:39
Tracked submodules are build/terraform-beta build/terraform-mapper build/terraform build/ansible build/inspec.