Bug Description
In gemini-enterprise/deploy.sh, the Identity & Access step runs gcloud identity groups describe to validate the admin/user groups (~Lines 1706–1722), and the end-of-config --- Manual Steps --- gate then asks the operator to confirm the same groups were created — a second time. The two checks are redundant, and they can disagree: the Identity-step describe warns "Cannot access or find" whenever cloudidentity is not enabled, while the Manual-Steps gate is a blind self-attestation, so an operator can pass the gate while the programmatic check "failed."
Environment and Deployment Context
- Stellar Engine Version/Commit:
main @ 3728fc98
- Deployment Type:
- Affected Component:
blueprints/fedramp-high/gemini-enterprise/deploy.sh — Identity-step group validation (~Lines 1706–1722) and the --- Manual Steps --- "User Role Groups: Created…" confirm at Step-1 end
Steps to Reproduce
- Run
./deploy.sh (Brownfield, Step 1).
- Observe the Identity step run
gcloud identity groups describe on both groups.
- At the end-of-config Manual Steps gate, observe a second prompt asking you to confirm the same groups exist.
Expected Behavior
Consolidate to a single authoritative check: make the Identity-step validation authoritative (after cloudidentity is enabled), or drop the group item from the Manual-Steps gate (keeping only the OAuth-consent-screen item there).
Actual Behavior
The same groups are validated twice per run; because the programmatic check is unreliable without cloudidentity, the two can disagree, and the Manual-Steps self-attestation can mask a real failure.
Relevant Logs and Errors
[Identity step] gcloud identity groups describe <admin-group>@... (WARNING: Cannot access or find ... if cloudidentity off)
...
--- Manual Steps ---
User Role Groups: Created? [y/N]
Bug Description
In
gemini-enterprise/deploy.sh, the Identity & Access step runsgcloud identity groups describeto validate the admin/user groups (~Lines 1706–1722), and the end-of-config--- Manual Steps ---gate then asks the operator to confirm the same groups were created — a second time. The two checks are redundant, and they can disagree: the Identity-stepdescribewarns "Cannot access or find" whenevercloudidentityis not enabled, while the Manual-Steps gate is a blind self-attestation, so an operator can pass the gate while the programmatic check "failed."Environment and Deployment Context
main@3728fc98blueprints/fedramp-high/gemini-enterprise/deploy.sh— Identity-step group validation (~Lines 1706–1722) and the--- Manual Steps ---"User Role Groups: Created…" confirm at Step-1 endSteps to Reproduce
./deploy.sh(Brownfield, Step 1).gcloud identity groups describeon both groups.Expected Behavior
Consolidate to a single authoritative check: make the Identity-step validation authoritative (after
cloudidentityis enabled), or drop the group item from the Manual-Steps gate (keeping only the OAuth-consent-screen item there).Actual Behavior
The same groups are validated twice per run; because the programmatic check is unreliable without
cloudidentity, the two can disagree, and the Manual-Steps self-attestation can mask a real failure.Relevant Logs and Errors