Move listing cross account keys to teardown playbook (#147)

chusopr · web-flow · commit 275d52dc98b9 · 2023-12-21T11:05:36.000-05:00
* Isolate listing cross-account keys to the teardown phase due to potentially restricted privileges 

Signed-off-by: Jesus Perez Rey &lt;jprey@bluemetrix.com&gt;
diff --git a/roles/platform/tasks/initialize_gcp.yml b/roles/platform/tasks/initialize_gcp.yml
@@ -52,22 +52,3 @@
   loop: "{{ __gcp_subnets_discovered.resources }}"
   loop_control:
     loop_var: __gcp_subnet_item
-
-- name: Discover GCP Cross Account Service Account Keys
-  register: __gcp_xaccount_sa_discovered
-  failed_when:
-    - __gcp_xaccount_sa_discovered.rc == 1
-    - "'NOT_FOUND:' not in __gcp_xaccount_sa_discovered.stderr"
-    - "'Permission iam.serviceAccountKeys.list' not in __gcp_xaccount_sa_discovered.stderr"
-  command: >
-    gcloud iam service-accounts keys list
-    --iam-account "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
-    --format="json"
-
-- name: Set discovered Cross Account Service Account keys if exists
-  when:
-    - __gcp_xaccount_sa_discovered is defined
-    - __gcp_xaccount_sa_discovered.stdout is defined
-    - __gcp_xaccount_sa_discovered.stdout | length > 0
-  ansible.builtin.set_fact:
-    plat__gcp_xaccount_keys: "{{ __gcp_xaccount_sa_discovered.stdout | from_json }}"
diff --git a/roles/platform/tasks/initialize_teardown_gcp.yml b/roles/platform/tasks/initialize_teardown_gcp.yml
@@ -12,4 +12,23 @@
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License.
+
+- name: Discover GCP Cross Account Service Account Keys
+  register: __gcp_xaccount_sa_discovered
+  failed_when:
+    - __gcp_xaccount_sa_discovered.rc == 1
+    - "'NOT_FOUND:' not in __gcp_xaccount_sa_discovered.stderr"
+    - "'Permission iam.serviceAccountKeys.list' not in __gcp_xaccount_sa_discovered.stderr"
+  command: >
+    gcloud iam service-accounts keys list
+    --iam-account "{{ plat__gcp_xaccount_identity_name }}@{{ plat__gcp_project }}.iam.gserviceaccount.com"
+    --format="json"
+
+- name: Set discovered Cross Account Service Account keys if exists
+  when:
+    - __gcp_xaccount_sa_discovered is defined
+    - __gcp_xaccount_sa_discovered.stdout is defined
+    - __gcp_xaccount_sa_discovered.stdout | length > 0
+  ansible.builtin.set_fact:
+    plat__gcp_xaccount_keys: "{{ __gcp_xaccount_sa_discovered.stdout | from_json }}"
