From 13061ce9398d7e9472b2f9a2f1eb4f1e0a3c6783 Mon Sep 17 00:00:00 2001 From: John Skiles Skinner Date: Mon, 15 Apr 2024 17:25:04 -0700 Subject: [PATCH] Update README about the -m flag when creating a SpaceDeployer --- terraform/README.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 1d75967f0..e72ca8a6f 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -89,17 +89,19 @@ These steps assume shared [Terraform state credentials](#terraform-state-credent 1. Run `cf spaces` and, from the output, copy the space name for the environment you are working in, such as `notify-sandbox`. -1. Next you will set up a SpaceDeployer. Prepare to fill in these values: - * `` will be the string you copied from the prior step - * `` can be anything, although we recommend something that communicates the purpose of the deployer. For example: "circleci-deployer" for the credentials CircleCI uses to deploy the application, or "sandbox-" for credentials to run terraform manually. +1. Next you will set up a SpaceDeployer service account instance. This is something like a stub user account, just for deployment. Note these two values which you will use both to create and destroy the account: + 1. `` will be the string you copied from the prior step + 1. `` can be anything, although we recommend something that communicates the purpose of the deployer. For example: "circleci-deployer" for the credentials CircleCI uses to deploy the application, or "sandbox-" for credentials to run terraform manually. - Put those two values into this command: + Put those two values into this command: ```bash - ./create_service_account.sh -s -u > secrets.auto.tfvars + ../create_service_account.sh -s -u > secrets.auto.tfvars ``` The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your ``. The [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/) has more information. + Some resources you might work on require a SpaceDeployer account with higher permissions. Add the `-m` flag to the command to get this. + The command uses the redirection operator (`>`) to write that output to the `secrets.auto.tfvars` file. Terraform will find the username and password there, and use them as input variables. 1. While still in an environment directory, initialize Terraform: 
@@ -137,6 +139,8 @@ These steps assume shared [Terraform state credentials](#terraform-state-credent ./destroy_service_account.sh -s -u ``` + List `cf services` if you are unsure which space deployer service instances still exist + Optionally, you can also `rm secrets.auto.tfvars` ## Structure @@ -195,3 +199,12 @@ You need to re-authenticate with the Cloud Foundry CLI cf login -a api.fr.cloud.gov --sso ``` You may also need to log in again to the Cloud.gov website. + +### CF account not authorized + +``` +Error: You are not authorized to perform the requested action +``` +This error indicates that the Cloud Foundry user account (or service account) needs OrgManager permissions to take the action. +* When you create a SpaceDeployer service account, use the `-m` flag when running the `./create_service_account.sh` script +* Your own CF user may may also require OrgManager permissions to run the script
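Review bot: In the `@@ -89,17 +89,19 @@` hunk, the added `-m` paragraph says only "higher permissions" and "some resources", which gives the reader no basis for deciding whether to use the flag. The troubleshooting section added at the end of this patch ties `-m` to OrgManager, so name that role here as well, and say that the flag should be left off unless a resource actually requires it, since the resulting `cf_user` and `cf_password` are written to `secrets.auto.tfvars`. Separately, this hunk changes the create command to `../create_service_account.sh`, while the destroy step shown as context in the next hunk still reads `./destroy_service_account.sh`. If both scripts sit in the same directory, one of those paths is wrong for someone working in an environment directory.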
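Review bot: In the `@@ -137,6 +139,8 @@` hunk, the added line "List `cf services` if you are unsure which space deployer service instances still exist" comes after the destroy command, but the reader needs that list before running the command in order to choose the instance name to pass. Move it above the `./destroy_service_account.sh` block, reword it as an instruction (for example "Run `cf services` to see which space deployer service instances still exist."), and end it with a period. Since this patch also documents `-m` accounts with elevated permissions, it would help to say here that those instances in particular should be destroyed when they are no longer needed.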
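Review bot: In the `@@ -195,3 +199,12 @@` hunk, the first bullet refers to `./create_service_account.sh`, but the setup step changed earlier in this same patch now invokes `../create_service_account.sh`, so the README ends up with two different paths for one script. Pick one and use it in both places. The second bullet has a doubled word ("may may"), and both bullets lack a closing period. The sentence "This error indicates that the Cloud Foundry user account (or service account) needs OrgManager permissions" states one cause as certain. "can indicate" would be safer, and it would keep readers from reaching for `-m` and an OrgManager-level deployer before checking that they are targeting the right org and space.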