Remove gcloud dependency

[morgante]

We would like to remove all null_resources from this module and not require gcloud in the execution environment.

This will require:

• Removing the need for the precheck script: Remove preconditions script #407
• Adding native Terraform support to handle deleting/disabling the default service account

[bharathkkb]

Adding native Terraform support to handle deleting/disabling the default service account

@morgante this would be in the provider right?

[morgante]

@morgante this would be in the provider right?

Correct

[umairidris]

Does the org policy constraints/iam.automaticIamGrantsForDefaultServiceAccounts remove the need for step 2?

[morgante]

Unfortunately that doesn't support cases where you don't manage the org policies for the organization or folder. (Even google.com is an example.)

[leone145]

I would like to see this. If the module.gcloud_deprivilege.null_resource.run_command[0] becomes tainted and editor was previously removed, it will not apply without manual intervention.

[djbingham]

I would also love to see this. I've abandoned plans to use Terraform Cloud because I couldn't get this module to work properly (Terraform Cloud doesn't have gcloud in its execution environment).

Would a reasonable alternative (or temporary) solution be to depend on the gcloud Terraform module, rather than requiring gcloud to be pre-installed in the execution environment? Other modules do that and seem to work ok.

[morgante]

@djbingham Yes that would be a reasonable workaround to get this working on Terraform Cloud. I haven't had cycles to work on it, but I'd be happy to review a PR.

[thiagonache]

@morgante can you mark task number one as done and update the second task with currently issue on the provider repo, please? I'll try to get this done.

[thiagonache]

@morgante we have the new resource on the master of terraform provider.
I've been thinking about how to remove gcloud. Maybe we can add the new resource and remove the gcloud local exec but keep the variables to avoid a breaking change, but we'll need to remove these variables at some point. Or let's just assume it is a breaking change?

[morgante]

@thiagonache Which variables are you referring to?

[thiagonache]

Download gcloud ie

…

On 2 Nov 2020, at 23:15, Morgante Pell ***@***.***> wrote:  @thiagonache Which variables are you referring to? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[thiagonache]

variable "use_tf_google_credentials_env_var" {
  description = "Use GOOGLE_CREDENTIALS environment variable to run gcloud auth activate-service-account with."
  type        = bool
  default     = false
}

variable "skip_gcloud_download" {
  description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
  type        = bool
  default     = false
}

My understanding is that we don't need these two variables anymore.

Also,

variable "default_service_account" {
  description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
  default     = "disable"
  type        = string
}

This should be upper case, which is simple to fix but we should change it to the upper case at some point.

[thiagonache]

I've drafted a PR it is working on my machine, but we'll have to wait until the next release of terraform google provider.
#491

[bharathkkb]

fixed by #491