
Merge BucketPolicyMembership into BucketPolicy? #368

Open
negz opened this issue Sep 15, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@negz
Member

negz commented Sep 15, 2021

What happened?

It seems like BucketPolicy and BucketPolicyMembership actually both manipulate the same underlying API object, per https://cloud.google.com/storage/docs/json_api/v1/buckets/setIamPolicy. This doesn't seem idiomatic - I would expect there to be a single BucketPolicy type that could be updated to add and remove members.

How can we reproduce it?

What environment did it happen in?

Crossplane version:

@negz negz added the bug Something isn't working label Sep 15, 2021
@negz
Member Author

negz commented Sep 15, 2021

@turkenh I forget whether this was discussed when you implemented #291. Was there a reason to split this into two different managed resources?

@turkenh
Contributor

turkenh commented Sep 15, 2021

TL;DR: It was because the BucketPolicy resource could remove Google-managed policies, breaking basic access to the bucket from the console or CLI.

@negz I don't remember any public discussion that I could refer to. However, I remember the reason why I ended up doing so. My primary use case for the resources introduced with #291 was to provision required infrastructure to run a production-grade Vault on GKE with proper configuration.

After creating a bucket and a service account for Vault storage, I need to add two members to the policy of the bucket which corresponds to the following commands:

```shell
# Grant the Vault service account object admin on the storage bucket
gsutil iam ch \
  ${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com:objectAdmin \
  gs://${GCS_BUCKET_NAME}

# Grant the same service account legacyBucketReader (needed to list the bucket)
gsutil iam ch \
  ${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com:legacyBucketReader \
  gs://${GCS_BUCKET_NAME}
```

My first attempt was to achieve this with a single BucketPolicy object; however, when I created a managed resource with the above two members, I could no longer access the bucket from the GKE web console, since it overrides some existing Google-managed policies which were allowing me to do so. I believe it was the same as in this Stack Overflow post. Later I noticed that Terraform also has separate resources for policy and member, and followed the same approach.

@negz
Member Author

negz commented Sep 15, 2021

Yeah, I started using BucketPolicyMember in earnest last night after raising this issue and I can see why we've modelled it this way. I feel a little uncomfortable about potentially having N managed resources all managing the state of one API endpoint, but it does lead to a much better UX. 😬
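Added example (Python, not code from this issue or from the provider) modelling the two write styles discussed above against a constructed bucket IAM policy: a whole-policy write in the style of BucketPolicy drops the Google-managed legacy bindings, a per-member read-modify-write in the style of BucketPolicyMember keeps them, and the etag check shows one way several writers sharing the setIamPolicy endpoint can detect each other. Policy contents, the service account name and the etag values are constructed, and set_iam_policy only imitates the server's etag behaviour.

```python
import copy

# Constructed example of a new bucket's IAM policy: only the Google-managed legacy
# bindings that let project owners/editors/viewers reach the bucket from the console.
INITIAL_POLICY = {
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:my-project", "projectOwner:my-project"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:my-project"]},
    ],
    "etag": "CAE=",
}
SA = "serviceAccount:vault@my-project.iam.gserviceaccount.com"  # constructed

class EtagConflict(Exception):
    """The policy changed between getIamPolicy and setIamPolicy."""

def set_iam_policy(stored, proposed):
    """Imitation of the server side of setIamPolicy: an etag in the request must
    match the stored one (stale writers are rejected); no etag means an
    unconditional write. The new etag value is constructed, not the real format."""
    if proposed.get("etag") and proposed["etag"] != stored["etag"]:
        raise EtagConflict("policy changed since it was read; re-read and retry")
    return {"bindings": copy.deepcopy(proposed["bindings"]), "etag": stored["etag"] + "x"}

def replace_policy(desired_bindings):
    """BucketPolicy-style request: exactly these bindings, nothing else survives."""
    return {"bindings": copy.deepcopy(desired_bindings), "etag": None}

def add_member(current, role, member):
    """BucketPolicyMember-style request: read-modify-write of one member in one
    role, carrying the etag from the read so a concurrent change is detected.
    Adding an already-present member changes nothing."""
    proposed = copy.deepcopy(current)
    for b in proposed["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            break
    else:
        proposed["bindings"].append({"role": role, "members": [member]})
    return proposed

def members(policy):
    """Flatten a policy into the set of (role, member) grants it contains."""
    return {(b["role"], m) for b in policy["bindings"] for m in b["members"]}

def lost_access(before, after):
    """(role, member) grants present before a write and gone after it."""
    return sorted(members(before) - members(after))
```

Running lost_access over a whole-policy replace with only the two Vault bindings reports all three legacy grants as removed, which is the console lockout described in the thread; the per-member path reports none.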
