Resource is required to link a project to a billing account which isn't a project itself #3792
Comments
@emilymye even though you can do this, we operate a finer-grained permissions model where this would not be acceptable (to have billing manager on someone else's projects is the bit that's not acceptable). Thanks for the suggestion though!
Signed-off-by: Modular Magician <[email protected]>
* upstream/master:
  Add a random string to ad directory so tests can be run in parallel (hashicorp#3802) (hashicorp#6905)
  Set context early on in LoadAndValidate to prevent NPE (hashicorp#3800) (hashicorp#6903)
  Add tests for DICOM store pubsub topic removal. (hashicorp#3442) (hashicorp#6893)
  Bump Bigtable version from 1.1.0 to 1.5.0 (hashicorp#6890)
  Fix colon in doc notes (hashicorp#3796) (hashicorp#6888)
  Fix bug: diff being detected for source_repo_repository even when there are no changes (hashicorp#3786) (hashicorp#6886)
  Use proper prefix inside router_interface test (hashicorp#3795) (hashicorp#6883)
  Update Bigtable Num of Clusters Block Docs (hashicorp#3792) (hashicorp#6881)
Moving to goals - this makes sense to add.
I have a working implementation of this. I'll be sending a PR by EOW.
Here's the PR: GoogleCloudPlatform/magic-modules#8112
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
You can set billing_account_id on the google_project resource, which is fine for normal operations where you don't have multiple service accounts in play, and at least it's optional so you can decide not to include it. However, we need one person (read: terraform) to be creating projects, and another (terraform) to be linking those projects to a billing account using different providers. Why? We are building a multi-tenant system, and because BillingAdmin can only be created on an Org, and not a folder, it is not possible to delegate it down to a tenant via a folder IAM.
Using roles/billing.projectManager is the only approach which is allowed, but it is only allowed on a project, and that project has to exist, thereby creating the chicken-and-egg problem of not having a single resource doing both.
For this reason, a separate resource is required, something like google_project_linked_billing_account, which is able to just deliver the link between the already existing project (from e.g. a data source google_project) and the already existing billing_account (once again via a data source). Such a new resource could then be configured to use a different provider with access to the billing.Admin on the organizational account, or it could be able to use the billing.projectManager role which might have been conferred onto it.
This is a two-step process and another resource for this would be very useful. I have found it not possible to automate this without jumping out to the gcloud SDK otherwise.
PS: it would be able to work with the existing google_project resource via a lifecycle ignore_change of "billing_account_id".
New or Affected Resource(s)
google_billing_account
google_project
google_project_linked_billing_account
Potential Terraform Configuration
References
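The following configuration is an added example of the two-identity pattern the issue describes; it is not part of the issue, the linked PR, or the provider's own documentation. It uses two google provider aliases (one identity that may only create projects under a tenant folder, one that only holds billing permissions) so that Billing Admin on the organization is never delegated to a tenant. The service account emails, project id, folder id and billing account display name are constructed placeholders, and google_project_linked_billing_account is the resource type proposed in the issue, assumed here and not an existing provider resource. Note that the real google_project argument is billing_account (the issue writes billing_account_id), so that is the attribute the lifecycle block ignores.

```hcl
# Added example, not from the issue or the provider. All emails, ids and the
# google_project_linked_billing_account resource type are assumptions.

# Identity A: allowed to create projects under the tenant folder; holds no
# billing role anywhere.
provider "google" {
  alias                       = "project_creator"
  impersonate_service_account = "tenant-a-projects@example-host.iam.gserviceaccount.com" # placeholder
}

# Identity B: holds a billing role on the billing account (or, per the issue,
# roles/billing.projectManager on the individual project) and nothing else.
provider "google" {
  alias                       = "billing_linker"
  impersonate_service_account = "billing-linker@example-host.iam.gserviceaccount.com" # placeholder
}

# Step 1: create the project with identity A and do not set billing on it.
# ignore_changes on billing_account stops identity A's next plan from trying
# to undo the link that identity B adds in step 2.
resource "google_project" "tenant_a" {
  provider   = google.project_creator
  name       = "tenant-a-app"
  project_id = "tenant-a-app-123456" # placeholder, must be globally unique
  folder_id  = "000000000000"        # placeholder tenant folder id

  lifecycle {
    ignore_changes = [billing_account]
  }
}

# The billing account already exists; look it up with a data source (as the
# issue suggests) instead of hard-coding its resource name.
data "google_billing_account" "tenant_a" {
  provider     = google.billing_linker
  display_name = "Tenant A Billing" # placeholder
  open         = true
}

# Step 2: link the existing project to the existing billing account using
# identity B only. This resource type is the one proposed in the issue and is
# hypothetical; its arguments (project, billing_account) are assumed.
resource "google_project_linked_billing_account" "tenant_a" {
  provider        = google.billing_linker
  project         = google_project.tenant_a.project_id
  billing_account = data.google_billing_account.tenant_a.id
}

# Least-privilege variant from the issue: instead of an org-level billing role,
# identity A (which owns the new project) grants identity B only
# roles/billing.projectManager on this one project, which is the narrowest role
# that still allows changing the project's billing link.
resource "google_project_iam_member" "billing_linker_project_manager" {
  provider = google.project_creator
  project  = google_project.tenant_a.project_id
  role     = "roles/billing.projectManager"
  member   = "serviceAccount:billing-linker@example-host.iam.gserviceaccount.com" # placeholder
}
```

The point of the split is auditability as much as permissions: every project creation shows up under identity A and every billing link under identity B in Cloud Audit Logs, so a billing change made by a project-creator identity (or a project created by the billing identity) is an anomaly worth alerting on. The google_project_iam_member grant is only needed if identity B is meant to use roles/billing.projectManager rather than a role on the billing account itself.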