cloudera-labs / cloudera.exe

cloudera.exe -- an Ansible collection enabling runlevel management of CDP Public Cloud deployments as well as numerous utilities for deployments.


CDP on GCP: Error during teardown of Operational GCP Service Accounts Policies

jimright opened this issue · comments

Details

During teardown of a CDP environment on GCP, I get an error at the "Tear down Operational GCP Service Accounts Policies" task in the platform role.

Failing Ansible Task: cloudera.exe.platform : Tear down Operational GCP Service Accounts Policies. Code link below:

- name: Tear down Operational GCP Service Accounts Policies

Error message (snippet):

{
    "changed": true,
    "stdout": "",
    "stderr": "ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!",
    "rc": 1,
    "cmd": [
        "gcloud",
        "projects",
        "remove-iam-policy-binding",
        "<GCP_PROJECT>",
        "--member=serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com",
        "--role=projects/<GCP_PROJECT>/roles/jegcpt_logs_role",
        "--all"
    ],
    "start": "2022-02-24 16:50:01.181110",
    "end": "2022-02-24 16:50:03.351317",
    "delta": "0:00:02.170207",
    "msg": "non-zero return code",
    "invocation": {
        "module_args": {
            "_raw_params": "gcloud projects remove-iam-policy-binding <GCP_PROJECT> --member=serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com --role=projects/<GCP_PROJECT>/roles/jegcpt_logs_role --all\n",
            "warn": true,
            "_uses_shell": false,
            "stdin_add_newline": true,
            "strip_empty_ends": true,
            "argv": null,
            "chdir": null,
            "executable": null,
            "creates": null,
            "removes": null,
            "stdin": null
        }
    },
    "stdout_lines": [],
    "stderr_lines": [
        "ERROR: (gcloud.projects.remove-iam-policy-binding) Policy bindings with the specified principal and role not found!"
    ],
    "_ansible_no_log": false,
    "failed_when_result": true,
    "__gcp_binding_item": {
        "member": "serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com",
        "role": "projects/<GCP_PROJECT>/roles/jegcpt_logs_role"
    },
    "ansible_loop_var": "__gcp_binding_item",
    "_ansible_item_label": "__gcp_binding_item.member"
}

Reason for error

This task attempts to remove the GCP IAM role and policy bindings from their associated service accounts. However, these service accounts have already been removed in a previous task (L54-L66, Tear down Operational GCP Service Accounts).

Possible Solution

I believe this is just an ordering problem: IAM policy bindings should be removed before the service accounts are deleted, so that they can still be referenced in the gcloud projects remove-iam-policy-binding command.
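The reordering proposed above, written out as a pair of Ansible tasks. This is an added example and not code from the cloudera.exe collection; the variable names gcp_project and gcp_policy_bindings (a list of member/role pairs shaped like the __gcp_binding_item in the error output) are assumptions, and the binding removal is additionally made tolerant of a binding that is already gone so that a partially torn-down environment can be re-run.

```yaml
# Added example, not cloudera.exe code. Assumed variables:
#   gcp_project:          the GCP project id
#   gcp_policy_bindings:  list of {member, role}, e.g.
#     - member: serviceAccount:jegcpt-logs-identity@<GCP_PROJECT>.iam.gserviceaccount.com
#       role: projects/<GCP_PROJECT>/roles/jegcpt_logs_role

# 1. Remove the IAM policy bindings while the service accounts still exist,
#    so the member string in the binding still resolves.
- name: Tear down Operational GCP Service Accounts Policies
  ansible.builtin.command:
    argv:
      - gcloud
      - projects
      - remove-iam-policy-binding
      - "{{ gcp_project }}"
      - "--member={{ item.member }}"
      - "--role={{ item.role }}"
      - --all
  loop: "{{ gcp_policy_bindings }}"
  loop_control:
    label: "{{ item.member }}"
  register: __gcp_binding_removal
  # A binding that is already absent is a no-op for a teardown, not a failure;
  # any other non-zero exit (auth, permissions, wrong project) still fails the play.
  changed_when: __gcp_binding_removal.rc == 0
  failed_when: >-
    __gcp_binding_removal.rc != 0 and
    'Policy bindings with the specified principal and role not found'
    not in __gcp_binding_removal.stderr

# 2. Only now delete the service accounts themselves. The account email is the
#    member string with its "serviceAccount:" prefix stripped, de-duplicated
#    because one account usually carries several bindings.
- name: Tear down Operational GCP Service Accounts
  ansible.builtin.command:
    argv:
      - gcloud
      - iam
      - service-accounts
      - delete
      - "{{ item }}"
      - "--project={{ gcp_project }}"
      - --quiet
  loop: >-
    {{ gcp_policy_bindings
       | map(attribute='member')
       | map('regex_replace', '^serviceAccount:', '')
       | unique
       | list }}
```

The order matters for a reason beyond the CLI error: once a service account is deleted, GCP rewrites any bindings that still reference it to a deleted:serviceAccount:...?uid=... principal, so the original member string no longer matches and the stale bindings linger in the project policy. Removing the bindings first leaves no such residue, and the failed_when guard above keeps a re-run of the teardown idempotent without hiding genuine gcloud failures.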