Enhance the IAM role binding process #4511
Conversation
| "You can either re-run `firebase deploy` as a project owner or manually run the following set of `gcloud` commands:", | ||
| "warn" | ||
| ); | ||
| for (const binding of requiredBindings) { |
src/deploy/functions/checkIam.ts
Outdated
| requiredBindingsPromises.push(service.requiredProjectBindings!(projectNumber)); | ||
| } | ||
| const nestedRequiredBindings = await Promise.all(requiredBindingsPromises); | ||
| const requiredBindings = nestedRequiredBindings.reduce((requiredBindings, binding) => { |
There was a problem hiding this comment.
Is this not just const requiredBindings = functional.flattenArray(nestedRequiredBindings)?
There was a problem hiding this comment.
🤯 🤯 🤯 just realizing that we have this module!
src/deploy/functions/checkIam.ts
Outdated
| throw new FirebaseError( | ||
| "We failed to modify the IAM policy for the project. The functions " + | ||
| "deployment requires specific roles to be granted to service agents," + | ||
| " otherwise the deployment will fail.", | ||
| { original: err } | ||
| ); | ||
| } | ||
|
|
||
| if (!skipSleep) { |
There was a problem hiding this comment.
- What happens if we don't sleep? Do deploys fail or do requests fail?
- Is there really nothing we can query to see if this has gone into effect?
- Can we get a comment explaining concern 1 & 2?
There was a problem hiding this comment.
I added this in for unit testing.
After playing around with personal accounts, I opted to remove this sleep since we aren't guaranteed to have everything setup in this timeframe. Looking deeper, there are some corner cases where we must trigger eventarc through a create operation before everything is generated correctly. So I enhanced our error message when we run into this case (it will only be on the first deploy) to have the user re-run the deploy in a few minutes (this is also what Eventarc does)
…loy, and replacing reduce with our functional module
…iam-permission-bindings
ensureServiceAgentRoles