1-org: Apply fails for scc resources with API version error. #1189
Comments
I have seen a similar SCC API error in a 1st run through the TEF; a fix and a 2nd run were OK. Try adding directly to the TF service account as a temporary workaround until a check on the roles added during SA creation is tested. Account sa-terraform-bootstrap@seed... is used for steps 1+.
On a 2nd run, after enabling roles/securitycenterAdmin on the super admin running the deployment, although this SA is only used for 0-bootstrap, as sa-terraform-bootstrap@seed... is used for steps 1+.
Hi @zexoor, the scc_notification_config entry in the registry has a note regarding enrolling in SCC. Maybe you need to follow that enrollment procedure for your organization.
Hi @daniel-cit @zexoor, I am also running through the fundamentals setup (using Terraform Cloud) and I am experiencing the same issues. I am enrolled in SCC Premium, but still get the error mentioned above:
I also tried what @fmichaelobrien suggested, but it did not solve the issue for me.
I was able to run the code for the creation of the notification config in my organization, but it already had Security Command Center enabled for a long time. Could you do a test to check if the problem is specific to Terraform or if it is a general one? Could you please try to use gcloud to create the SCC notification on the same organization using the resources created in the deploy of the foundation?
If it fails, could you add
Hi @daniel-cit, thank you for your help! I tried the manual steps, but ran into the same error. In the logs, I see the following:
The output of gcloud --version:
Based on
Hey folks, at which level did you enable the SCC API? Organization, folder or project?
Hi @amandakarina, I see the SCC API enabled at the project level (I can confirm it's at least enabled in prj-c-scc & prj-b-seed). I didn't do this manually, but I did just go to SCC via the UI and went through the wizard before applying my gcp-org with Terraform. I enabled SCC Premium (not the API specifically) at the organization level. However, I'm not able to enable APIs at the organization or folder level. Should I?
I'm encountering the same issue in a demo org that has not enabled SCC before. When deploying with the helpers/foundation_deployer script, step gcp-org will consistently fail at this point. Running once and re-applying, or manually enabling the SCC subscription (securitycenter.googleapis.com enabled at the project level, SCC Standard activated at the organization level, the SCC service account given the service agent role at the org) does not fix the issue.
I found I can also reliably trigger this issue from the -validate step of the foundation_deploy script, before any resources are created.
I think I've identified the root cause. The helper script has a line that calls
It seems that API v2 must specify a location, gcloud has some logic to differentiate versions based on the format of the notification name and/or flags, and v1 of the API has recently been deprecated. You can demonstrate this with some simple commands on gcloud:
And I can reliably recreate this when trying to use the Terraform SCC resources. Running TF apply with the following will reliably produce the same error about API v2. (Make sure you've authenticated with a service account, not a user identity; otherwise there's a different WAI error about user credentials.)
To fix this across the repo, there are a few changes required:
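The name-format distinction described in the root-cause comment above, as an added example that is not code from this thread or from the foundation repository. It does two things offline: classify an SCC notification config resource name as v1-shaped (no location) or v2-shaped (with a location) and rewrite the former, and list the Terraform resource blocks of the two types the later workaround comment suggests removing. The v1/v2 resource-name shapes, the sample .tf content and the function names are assumptions; nothing here calls gcloud or the API.

```shell
#!/bin/sh
# Added example; not code from the foundation repository or from this thread.
# Resource-name shapes below are an assumption taken from the Security Command
# Center API documentation, not from the thread:
#   v1: organizations/ORG_ID/notificationConfigs/CONFIG_ID
#   v2: organizations/ORG_ID/locations/LOCATION/notificationConfigs/CONFIG_ID

# Print "v1", "v2" or "unknown" for a notification config resource name.
# The v2 pattern is tested first: "*" also matches "/" in a case pattern,
# so the v1 pattern would otherwise swallow v2 names as well.
scc_api_version() {
  case "$1" in
    organizations/*/locations/*/notificationConfigs/*) echo v2 ;;
    organizations/*/notificationConfigs/*)             echo v1 ;;
    *)                                                 echo unknown ;;
  esac
}

# Rewrite a v1-shaped name into the v2 shape, inserting a location
# (default "global"). v2 names pass through unchanged; anything else fails.
scc_v1_to_v2() {
  name=$1
  location=${2:-global}
  case "$(scc_api_version "$name")" in
    v2) printf '%s\n' "$name" ;;
    v1)
      org=${name#organizations/}; org=${org%%/*}
      cfg=${name##*/notificationConfigs/}
      printf 'organizations/%s/locations/%s/notificationConfigs/%s\n' \
        "$org" "$location" "$cfg"
      ;;
    *)
      printf 'not an SCC notification config name: %s\n' "$name" >&2
      return 1
      ;;
  esac
}

# Print the addresses (type.name) of google_scc_source and
# google_scc_notification_config resources in a .tf file, i.e. the blocks the
# thread suggests removing until the v2 API and provider are fixed.
scc_workaround_resources() {
  grep -E '^resource "google_scc_(source|notification_config)" ' "$1" \
    | sed -E 's/^resource "([^"]+)" "([^"]+)".*/\1.\2/'
}

# Constructed sample config (not the foundation's real files): two SCC blocks
# and one unrelated resource that must not be reported.
SAMPLE_TF=$(mktemp)
cat > "$SAMPLE_TF" <<'EOF'
resource "google_scc_source" "cai_monitoring" {
  display_name = "CAI Monitoring"
}
resource "google_pubsub_topic" "scc_notification_topic" {
  name = "top-scc-notification"
}
resource "google_scc_notification_config" "scc_notification_config" {
  config_id = "scc-notify-all"
}
EOF

# Demo run over a v1 name, a v2 name and a non-SCC name.
for n in organizations/123456789012/notificationConfigs/scc-notify-all \
         organizations/123456789012/locations/global/notificationConfigs/scc-notify-all \
         projects/my-project/topics/top-scc-notification; do
  printf '%s -> %s\n' "$n" "$(scc_api_version "$n")"
  scc_v1_to_v2 "$n" || true
done
scc_workaround_resources "$SAMPLE_TF"
```

Feed `scc_workaround_resources` the real `main.tf` and `scc_notification.tf` to get the exact addresses to drop from the config (or `terraform state rm`) while the v2 fix is pending; the name rewrite is only a diagnostic for which shape a given config name has, it does not make a v1-only client talk to v2.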
Updates:
Unfortunately there isn't a good workaround until the product team fixes the v2 API and provider (targeting end of Q2). In the meantime, the best I can recommend is to remove the offending resources from your Terraform config:

```hcl
# gcp-org/modules/cai-monitoring/main.tf L136
resource "google_scc_source" "cai_monitoring" {
  # ...
}

# gcp-org/envs/shared/scc_notification.tf L32
resource "google_scc_notification_config" "scc_notification_config" {
  # ...
}
```
TL;DR
When running an initial deployment for Cloud Build, Terraform fails during the deployment of SCC resources for CAI monitoring.
Expected behavior
Expected behaviour is for the resources to be created as intended.
Observed behavior
Resource creation failed due to the API not being supported.
Terraform Configuration
Terraform Version
Additional information
I have deployed Standard tier SCC in the organization as per https://github.com/umbrl-limited/umbrl-infra/blob/main/1-org/README.md#prerequisites