Skip to content

feat(gcp): warn on project-scope installs missing organization_id#49

Closed
tim-thacker-nullify wants to merge 1 commit into
mainfrom
fix/gcp-warn-project-scope-missing-org-data
Closed

feat(gcp): warn on project-scope installs missing organization_id#49
tim-thacker-nullify wants to merge 1 commit into
mainfrom
fix/gcp-warn-project-scope-missing-org-data

Conversation

@tim-thacker-nullify
Copy link
Copy Markdown
Member

@tim-thacker-nullify tim-thacker-nullify commented Apr 30, 2026

Claude

Summary

  • Follow-up to fix(gcp): split custom-role permissions by scope #47. When a customer installs the GCP cloud connector with scope = \"projects\" and no organization_id, the apply succeeds and they get a green console verify, but VPC Service Controls perimeters / access policies and organization policies silently never appear in their Nullify inventory — those resources live at the organisation level and the corresponding GCP APIs return empty results when queried at project scope.
  • Adds a Terraform check block in modules/nullify-gcp-integration/main.tf that emits a warning in this exact configuration explaining what's not visible and how to enable it (set organization_id, or switch to scope = \"organization\" / \"folder\").
  • check blocks (Terraform 1.5+, already required by the module) emit warnings without failing the plan, so legitimate single-project POC installs are unaffected — they just get a heads-up in the plan output.

Why a check block, not a precondition

The existing terraform_data.input_validation uses preconditions, which fail the plan. That's correct for the cases it covers (e.g. scope = \"folder\" without folder_id cannot work). But here the install genuinely works — single-project is a documented POC mode (examples/single-project/) — we just want the user to know about the gap. A precondition would force every single-project user to either set organization_id or pass a --var override, which is the wrong UX.

Test plan

  • terraform validate passes for examples/single-project, examples/folder, and examples/organization against the modified module
  • terraform fmt -check -recursive clean
  • CI (terraform-validate.yml) green across the matrix
  • Manual: re-run plan against the single-project install we hit in fix(gcp): split custom-role permissions by scope #47 and confirm the warning surfaces in the plan output (no creds needed in CI for this — assertion only references vars, so it evaluates pre-refresh)

Notes

  • Org-scoped and folder-scoped installs are unaffected (the check condition is only false when scope == \"projects\" && organization_id == \"\").
  • No new variables. No breaking changes. Bumps no behavior — only adds a diagnostic.

@tim-thacker-nullify @claude
feat(gcp): warn on project-scope installs missing organization_id
1224311 
Adds a `check` block that emits a Terraform warning at plan/apply when
`scope = "projects"` is used without `organization_id`. The install still
succeeds — single-project is a valid POC mode — but the user is informed
up-front that VPC Service Controls perimeters / access policies and
organization policies will not appear in the inventory at this scope
(those resources live at organisation scope; the corresponding GCP APIs
return empty results when queried at project scope).

`check` blocks (Terraform 1.5+) emit warnings without failing the plan,
which is what we want here: the existing single-project example must
continue to apply cleanly with no organization_id, just with a heads-up
in the plan output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tim-thacker-nullify tim-thacker-nullify added the patch Patch version updates (fixes) label Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

patch Patch version updates (fixes)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tim-thacker-nullify