Giters

cloudera-labs / cloudera.exe

cloudera.exe -- an Ansible collection enabling runlevel management of CDP Public Cloud deployments as well as numerous utilities for deployments.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Task to delete GCP Service Accounts Policies fails when SA doesn't exist

jimright opened this issue · comments

commented

Details

The task which removes GCP Service Account policies task which uses a gcloud command now fails when the Service Account does not exist. There is a failed_when condition on this task which should prevent this happending:

cloudera.exe/roles/platform/tasks/teardown_gcp_authz.yml

Lines 54 to 62 in c211d37

- name: Tear down Operational GCP Service Accounts Policies
when: plat__teardown_deletes_policies
register: __gcp_service_account_teardown
loop_control:
loop_var: __gcp_binding_item
label: __gcp_binding_item.member
failed_when:
- __gcp_service_account_teardown.rc == 1
- "'Policy bindings with the specified member and role not found!' not in __gcp_service_account_teardown.stderr"

This task uses the gcloud projects remove-iam-policy-binding command and it seems the the error message for a non-existent SA has changed slightly:

cldr full-v1.5.4 #> gcloud projects remove-iam-policy-binding <GCP_ACCOUNT> --member=serviceAccount:jenright-audit-identity@<GCP_ACCOUNT>.iam.gserviceaccount.com --role=roles/storage.objectAdmin --all
ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!

Possible Solution

Change the failed_when condition on the Tear down Operational GCP Service Accounts Policies to catch the new error message.