tmp dev

Reputation: 9219

gcp google_project_iam_member gives invalid argument message on terraform

I'm using terraform to deploy the following

resource "google_project_iam_custom_role" "brw-user-function-item-registered-role" {
  role_id     = "brw_user_function_item_registered_role"
  title       = "brw-user-function-item-registered-role"
  description = "Role used by the brw-user-function item-registered"
  permissions = [
    "storage.objects.create",
    "storage.objects.get",
    "storage.objects.list"
  ]
}

resource "google_service_account" "brw-user-function-item-registered-service-account" {
  account_id   = "brw-user-function-item-reg-svc"
  display_name = "brw-user-function-item-registered-service_account"
}

resource "google_project_iam_member" "brw-user-function-item-registered-service-account-binding" {
  project = local.project
  role    = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"
  member  = "serviceAccount:${google_service_account.brw-user-function-item-registered-service-account.email}"
  depends_on = [
    google_project_iam_custom_role.brw-user-function-item-registered-role,
    google_service_account.brw-user-function-item-registered-service-account
  ]
}

However when I try to deploy this through terraform, I get the following error

Request "Create IAM Members roles/brw_user_function_item_registered_role serviceAccount:brw-user-function-item-reg-svc@brw-user.iam.gserviceaccount.com for \"project \\\"BRW-User\\\"\"" returned error: Error retrieving IAM policy for project "BRW-User": googleapi: Error 400: Request contains an invalid argument., badRequest

I'm not sure what is wrong here; I have added the depends_on as well just to make sure it is created in the correct order. Could the member attribute be wrong? I tried giving account_id as well and I still get the same error.

Upvotes: 0

Views: 1896

Answers (2)

John Hanley

Reputation: 81464

Only predefined roles have the string roles/ in front of the name.

You are using the string:

role = "roles/${google_project_iam_custom_role.brw-user-function-item-registered-role.role_id}"

Change it to:

role = google_project_iam_custom_role.brw-user-function-item-registered-role.name

Note the removal of roles/, changing role_id to name, and removing string interpolation.

Upvotes: 4

CaioT

Reputation: 2211

In the resource google_project_iam_member, if you are passing a custom role it must be of the format:

[projects|organizations]/{parent-name}/roles/{role-name}

Here is an example:

resource "google_project_iam_member" "access" {
  project = var.project_name
  role    = "projects/${var.project_name}/roles/${google_project_iam_custom_role.customer_access.role_id}"
  member  = "serviceAccount:${google_service_account.service_account.email}"
}

Also, as a best practice, avoid using dashes in the resource names (better underscore) and try not to make them too long. I've run into issues with long names.

Upvotes: 2
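Both answers come down to the shape of the role string: predefined roles are `roles/{name}`, custom roles are `projects/{project}/roles/{role_id}` (which is exactly what the custom role's `name` attribute contains). The following is an added plan-time check, not code from either answer, that classifies a role reference and builds the custom-role form; the character-set limits for project IDs and custom role IDs are assumptions taken from GCP's documented naming constraints.

```python
import re

# Added helper, not from either answer. It reproduces the two role string
# shapes google_project_iam_member accepts so a mis-built reference can be
# caught by a local check (e.g. a pre-commit hook over tfvars/plan output)
# instead of surfacing as a 400 "invalid argument" at apply time.

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# must start with a letter and must not end with a hyphen (assumption).
_PROJECT_ID = r"[a-z](?:[-a-z0-9]{4,28}[a-z0-9])"
# Custom role IDs: 3-64 chars of letters, digits, underscores and periods
# (assumption based on the documented custom-role constraints).
_CUSTOM_ROLE_ID = r"[A-Za-z0-9_.]{3,64}"

_SHAPES = {
    # Predefined roles such as roles/storage.objectViewer: no parent,
    # dotted lowerCamelCase identifiers, never an underscore.
    "predefined": re.compile(r"^roles/[a-z][a-zA-Z0-9]*(?:\.[a-zA-Z0-9]+)*$"),
    # Custom roles: [projects|organizations]/{parent}/roles/{role_id}
    "project_custom": re.compile(rf"^projects/{_PROJECT_ID}/roles/{_CUSTOM_ROLE_ID}$"),
    "organization_custom": re.compile(rf"^organizations/\d+/roles/{_CUSTOM_ROLE_ID}$"),
}


def classify_role(role: str) -> str:
    """Return which accepted shape `role` has, or 'invalid'."""
    for shape, pattern in _SHAPES.items():
        if pattern.match(role):
            return shape
    return "invalid"


def custom_role_ref(project_id: str, role_id: str) -> str:
    """Build the value Terraform exposes as google_project_iam_custom_role.<x>.name."""
    if not re.fullmatch(_PROJECT_ID, project_id):
        raise ValueError(f"not a valid project id: {project_id!r}")
    if not re.fullmatch(_CUSTOM_ROLE_ID, role_id):
        raise ValueError(f"not a valid custom role id: {role_id!r}")
    return f"projects/{project_id}/roles/{role_id}"


if __name__ == "__main__":
    # The asker's string: a custom role_id glued onto the predefined prefix.
    bad = "roles/brw_user_function_item_registered_role"
    good = custom_role_ref("brw-user", "brw_user_function_item_registered_role")
    print(bad, "->", classify_role(bad))    # invalid
    print(good, "->", classify_role(good))  # project_custom
```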
