feat: add a lien for the seed project

[cagataygurturk]

Fixes #135

[comment-bot-dev]

Thanks for the PR! 🚀
✅ Lint checks have passed.

[bharathkkb]

Thanks for the PR @cagataygurturk
This makes sense to me. Let's expose this as a variable so users have control. In the next breaking release we can flip this variable to a default of true. /cc @rjerrems

[morgante]

@bharathkkb I'm not sure we need to make this a variable, since Terraform will handle tearing down the lien properly. It also doesn't need to be a breaking release since AFAIK it won't break anything.

[cagataygurturk]

I have considered making this a variable but I then thought there is not a situation where a user wouldn't want a lien. After all this module is encouraging a secure design based on IaC and a lien makes 100% sure that the very important seed project can't be shut down easily out of IaC.
I am happy to add a variable if you think differently.

[bharathkkb]

@cagataygurturk makes sense, for some reason I thought TF deleting the lien was a no-op. But @morgante is right, we can keep as is.

[bharathkkb]

/gcbrun

[bdubaut]

Hi! There seems to be a permission that my service account does not have, which makes my pipelines fail as I get the following error message: Error: Error creating Lien: googleapi: Error 403: The caller does not have permission

Error: Error creating Lien: googleapi: Error 403: The caller does not have permission
[172](https://github.com/getjellydog/0_bootstrap/runs/5174524454?check_suite_focus=true#step:9:172)
│ 
[173](https://github.com/getjellydog/0_bootstrap/runs/5174524454?check_suite_focus=true#step:9:173)
│   with module.seed_bootstrap.module.seed_project.module.project-factory.google_resource_manager_lien.lien[0],
[174](https://github.com/getjellydog/0_bootstrap/runs/5174524454?check_suite_focus=true#step:9:174)
│   on .terraform/modules/seed_bootstrap.seed_project/modules/core_project_factory/main.tf line 79, in resource "google_resource_manager_lien" "lien":
[175](https://github.com/getjellydog/0_bootstrap/runs/5174524454?check_suite_focus=true#step:9:175)
│   79: resource "google_resource_manager_lien" "lien" ***

In my main.tf using the bootstrap module, I have the following permissions set:

module "seed_bootstrap" {
  source                         = "terraform-google-modules/bootstrap/google"
  version                        = "5.0.0"

  sa_org_iam_permissions = [
    "roles/accesscontextmanager.policyAdmin",
    "roles/billing.user",
    "roles/compute.networkAdmin",
    "roles/compute.xpnAdmin",
    "roles/compute.xpnAdmin",
    "roles/iam.securityAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/logging.configWriter",
    "roles/orgpolicy.policyAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.organizationViewer",
    "roles/resourcemanager.projectCreator",
    "roles/securitycenter.notificationConfigEditor",
    "roles/storage.admin",
    "roles/storage.objectAdmin"
  ]

What am I missing ?

[cagataygurturk]

@bdubaut please try with roles/resourcemanager.lienModifier

[bdubaut]

@bdubaut please try with roles/resourcemanager.lienModifier

Thanks! I just tried and unfortunately I get the same error:

│ Error: Error creating Lien: googleapi: Error 403: The caller does not have permission
│ 
[246](https://github.com/getjellydog/0_bootstrap/runs/5265805948?check_suite_focus=true#step:9:246)
│   with module.seed_bootstrap.module.seed_project.module.project-factory.google_resource_manager_lien.lien[0],
[247](https://github.com/getjellydog/0_bootstrap/runs/5265805948?check_suite_focus=true#step:9:247)
│   on .terraform/modules/seed_bootstrap.seed_project/modules/core_project_factory/main.tf line 79, in resource "google_resource_manager_lien" "lien":
[248](https://github.com/getjellydog/0_bootstrap/runs/5265805948?check_suite_focus=true#step:9:248)
│   79: resource "google_resource_manager_lien" "lien" ***