fix: add get project perm to destroy inception

GaloyMoney · Nov 9, 2023 · 287ed66 · 287ed66
1 parent 9288e54
commit 287ed66
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/ci/tasks/gcp/teardown.sh b/ci/tasks/gcp/teardown.sh
@@ -29,11 +29,15 @@ gcloud compute ssh --ssh-key-file=${CI_ROOT}/login.ssh ${bastion_name} --zone=${
 echo yes | make destroy-platform
 
 # Sometimes a resource deletion fails if a dependent resource is still being deleted
+success=0
 for i in {1..5}; do
-  echo yes | GOOGLE_CREDENTIALS=$(cat inception-sa-creds.json) make destroy-inception && break
-  echo "Attempt $i failed. Retrying..."
+  echo "Attempt $i to destroy inception"
+  echo yes | GOOGLE_CREDENTIALS=$(cat inception-sa-creds.json) make destroy-inception && success=1 && break
   sleep 10
 done
 
-echo yes | TF_VAR_tf_state_bucket_force_destroy=true make destroy-bootstrap
-
+if [ $success -eq 0 ]; then
+  exit 1
+else
+  echo yes | TF_VAR_tf_state_bucket_force_destroy=true make destroy-bootstrap
+fi
diff --git a/modules/inception/gcp/inception-roles.tf b/modules/inception/gcp/inception-roles.tf
@@ -64,6 +64,7 @@ resource "google_project_iam_custom_role" "inception_destroy" {
     "iam.serviceAccounts.delete",
     "iam.roles.delete",
     "storage.buckets.delete",
+    "resourcemanager.projects.get",
     "servicenetworking.services.get",
     "servicenetworking.services.deleteConnection",
     "serviceusage.operations.get"