New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhance the IAM role binding process #4511
Conversation
"You can either re-run `firebase deploy` as a project owner or manually run the following set of `gcloud` commands:", | ||
"warn" | ||
); | ||
for (const binding of requiredBindings) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤯 dedication to DevX!
src/deploy/functions/checkIam.ts
Outdated
requiredBindingsPromises.push(service.requiredProjectBindings!(projectNumber)); | ||
} | ||
const nestedRequiredBindings = await Promise.all(requiredBindingsPromises); | ||
const requiredBindings = nestedRequiredBindings.reduce((requiredBindings, binding) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this not just const requiredBindings = functional.flattenArray(nestedRequiredBindings)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤯 🤯 🤯 just realizing that we have this module!
src/deploy/functions/checkIam.ts
Outdated
throw new FirebaseError( | ||
"We failed to modify the IAM policy for the project. The functions " + | ||
"deployment requires specific roles to be granted to service agents," + | ||
" otherwise the deployment will fail.", | ||
{ original: err } | ||
); | ||
} | ||
|
||
if (!skipSleep) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- What happens if we don't sleep? Do deploys fail or do requests fail?
- Is there really nothing we can query to see if this has gone into effect?
- Can we get a comment explaining concern 1 & 2?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added this in for unit testing.
After playing around with personal accounts, I opted to remove this sleep since we aren't guaranteed to have everything setup in this timeframe. Looking deeper, there are some corner cases where we must trigger eventarc through a create
operation before everything is generated correctly. So I enhanced our error message when we run into this case (it will only be on the first deploy) to have the user re-run the deploy
in a few minutes (this is also what Eventarc does)
…loy, and replacing reduce with our functional module
…iam-permission-bindings
ensureServiceAgentRoles