ResMan, top level folders and project factory: IAM denied in PF to create sub-folders under top-level-folder #2386
I'm working with the v32 release of FAST and have successfully - I think - deployed stages 00-02 and am working on the stage 3 project factory. I am not implementing the features of GCVE, GKE, DP in stage 1 resman, but I have implemented Sandbox and I'm attempting to implement "Teams" via a top-level-folder configuration. While I have the default dev/prod configuration in stage 1, what I would ultimately like is something similar to what's in the diagram for the stage 3 project factory. I'm running into permissions errors in stage 3 when I try to create subfolders under my Teams folder:
My stage 3 provider is configured with impersonate_service_account = prefix-resman-pf-0@prefix-prod-iac-core-0.iam.gserviceaccount.com, which does not have access to the "Teams" top-level-folder according to the console. I'm at a loss as to how to create a top-level-folder and then delegate access to the project factory to create subfolders under that top-level folder. Do I need to treat the top-level-folder as a "branch" in stage 1 like branch-networking.tf, branch-project-factory.tf, branch-gcve.tf, branch-gke.tf, etc.?
Replies: 1 comment 3 replies
Jason, can you try something similar to this in your resman stage tfvars? We need to properly document all this stuff but it's taking us longer than anticipated... Remember to adjust project and organization ids.

```hcl
top_level_folders = {
  teams = {
    name = "Teams"
    iam_by_principals = {
      "serviceAccount:[email protected]" = [
        "roles/owner",
        "roles/resourcemanager.folderAdmin",
        "roles/resourcemanager.projectCreator",
        "organizations/366118655033/roles/serviceProjectNetworkAdmin"
      ]
    }
    tag_bindings = {
      environment = "tagValues/1028757044334"
    }
  }
}
```
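As an added check, not from this discussion or from FAST itself: after applying the tfvars above, confirm the project-factory service account from the question actually holds the folder roles unconditionally before running stage 3. The script reads the JSON that `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json` prints; the sample policy, its etag and the group member are constructed, and the custom organization role is left out of the required set because its id is org-specific.

```python
import json
import sys

# Folder-level predefined roles the answer above grants the project-factory SA.
REQUIRED_ROLES = {
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectCreator",
}


def roles_for_principal(policy: dict, principal: str) -> set:
    """Roles bound to `principal` in a Resource Manager IAM policy document.
    Bindings that carry an IAM condition are skipped: a conditional grant may
    not apply to Terraform's folder/project calls, so it must not count."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if principal in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy: dict, principal: str, required=REQUIRED_ROLES) -> list:
    """Required roles the principal does not hold unconditionally, sorted."""
    return sorted(set(required) - roles_for_principal(policy, principal))


# Service account from the question; the policy below is a constructed sample in
# which projectCreator is present only through an (already expired) condition.
PF_SA = "serviceAccount:prefix-resman-pf-0@prefix-prod-iac-core-0.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.folderAdmin", "members": [PF_SA]},
        {"role": "roles/resourcemanager.projectCreator", "members": [PF_SA],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/owner", "members": ["group:gcp-organization-admins@example.com"]},
    ],
    "etag": "BwXconstructed=",  # constructed placeholder
    "version": 3,
}

if __name__ == "__main__":
    # Pipe the real policy in; with no stdin the constructed sample is checked.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    gaps = missing_roles(policy, PF_SA)
    print("missing:", gaps)  # sample prints ['roles/resourcemanager.projectCreator']
    sys.exit(1 if gaps else 0)
```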