Reputation: 353
I'm trying to create a Cloud Build trigger for my GitHub repo using Terraform. My Terraform configuration for the google_cloudbuild_trigger resource is as follows:
resource "google_cloudbuild_trigger" "apply_trigger" {
  project         = var.project_id
  name            = "${var.env_code}-${var.repository}-apply-trigger"
  description     = "Deploys ${var.repository} to ${var.environment}"
  location        = var.region
  github {
    owner = "lgrsys"
    name  = var.repository
    push {
      branch = "^${var.environment}$"
    }
  }
  filename        = var.filename
  substitutions   = var.substitutions
  service_account = var.service_account_email
}
When running terraform plan, the evaluation seems correct:
  # module.env.module.data_model_trigger.google_cloudbuild_trigger.apply_trigger will be created
  + resource "google_cloudbuild_trigger" "apply_trigger" {
      + create_time     = (known after apply)
      + description     = "Deploys lgr-data-model to development"
      + filename        = "cloudbuild.yaml"
      + id              = (known after apply)
      + location        = "europe-west1"
      + name            = "d-lgr-data-model-apply-trigger"
      + project         = "prj-ib97"
      + service_account = "[email protected]"
      + substitutions   = {
          + "_SA_EMAIL"           = "[email protected]"
          + "_SECRETS_PROJECT_ID" = "prj-d-pe4c"
        }
      + trigger_id      = (known after apply)
      + github {
          + name  = "lgr-data-model"
          + owner = "lgrsys"
          + push {
              + branch = "^development$"
            }
        }
    }
However, when I try to apply the changes, I'm receiving the following error:
Error: Error creating Trigger: googleapi: Error 400: Request contains an invalid argument.

  with module.env.module.data_model_trigger.google_cloudbuild_trigger.apply_trigger,
  on ../../modules/cloudbuild/main.tf line 1, in resource "google_cloudbuild_trigger" "apply_trigger":
   1: resource "google_cloudbuild_trigger" "apply_trigger" {
I've verified the validity of my arguments, the permissions of the service account, and the GitHub repository connection configuration, which already exists in the target region as a 1st gen repo. What am I missing?
Upvotes: 4
Views: 7706
Reputation: 96
Noticed the same issue but unsure of the root cause; did, however, manage to find a way around the error by providing the service account in the following format:
projects/{project_id}/serviceAccounts/{your_service_account}@{your_project}.iam.gserviceaccount.com
Set the default value of your service_account_email variable to "projects/-/serviceAccounts/[email protected]".
Upvotes: 8
Reputation: 1499
For me, it was the missing service account that caused this exact error. It looks like Google just made a service account required when creating a trigger.
The fix looks something like this; note that in your case a custom service account may require more permissions.
resource "google_service_account" "cloudbuild_service_account" {
  account_id   = "cloudbuild-sa"
  display_name = "cloudbuild-sa"
  description  = "Cloud build service account"
}

resource "google_project_iam_member" "act_as" {
  project = var.project_id
  role    = "roles/iam.serviceAccountUser"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}

resource "google_project_iam_member" "logs_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}

resource "google_cloudbuild_trigger" "push_to_branch_build" {
  ...
  service_account = google_service_account.cloudbuild_service_account.id
  ...
}
Upvotes: 2