terraform-provider-google: Error with service account id on google_service_account_iam_member

Terraform Version

v0.10.8

Affected Resource(s)

  • google_service_account_iam_member

Terraform Configuration Files

# Only create bindings when the additive-IAM flag is set; count is 0 otherwise.
resource "google_service_account_iam_member" "service_account_iam_additive" {
  count = "${local.service_account_additive_iam ? length(local.additive_bindings_array) : 0}"
  service_account_id = "${var.service_account}"
  # Each entry of additive_bindings_array is "role,member".
  member             = "${element(split(",", local.additive_bindings_array[count.index]), 1)}"
  role               = "${element(split(",", local.additive_bindings_array[count.index]), 0)}"
}

Hello, something weird is happening with the resource above. In this case var.service_account = "" and

local.service_account_additive_iam = false

and

length(local.additive_bindings_array) = 5

So the resource shouldn't be created, but with the terraform plan command, this happens:

Error: module.iam_binding.google_service_account_iam_member.service_account_iam_additive: "service_account_id" ("") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))/serviceAccounts/[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$"

But if I put a valid service account string in service_account_id like this:

resource "google_service_account_iam_member" "service_account_iam_additive" {
  count = "${local.service_account_additive_iam ? length(local.additive_bindings_array) : 0}"
  service_account_id = "projects/foo-project/serviceAccounts/terraform@foo-project.iam.gserviceaccount.com"
  member             = "${element(split(",", local.additive_bindings_array[count.index]), 1)}"
  role               = "${element(split(",", local.additive_bindings_array[count.index]), 0)}"
}

The resource is NOT created and the error disappears when I run terraform plan:

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

One important thing is that this error doesn't happen with the google_service_account_iam_binding resource. I have the same logic for count there, and the service_account_id value is also "", and there's no error.

Thanks!

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

Right. What I think is happening is that this resource validates its fields before it sends requests. It validates them even if the count is 0, which you might be able to argue is a bug, but it'd be a Terraform bug, not a provider bug, and you could ask for that to be changed on the main Terraform repo. Other resources might not do that validation. As a hacky solution, you might try

service_account_id = "${local.service_account_additive_iam ? var.service_account : "projects/fake-project/serviceAccounts/terraform@fake-project.iam.gserviceaccount.com"}"

That will pass local regex validation, but since the count is 0, it will never be tried, so it doesn’t matter that the string is fake. Does that work?

If not, please post the debug logs - the output you get by running TF_LOG=debug terraform apply.
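To make the behaviour discussed in this thread concrete, here is an added example (not code from the issue author or from the provider). It copies the validation regex out of the error message quoted above, reproduces the failure mode the reporter hit (the ID is validated even when count resolves to 0), and shows that the placeholder ID from the suggested workaround passes that local check. The `plan_member_bindings` function and the sample bindings are constructed for illustration; the only thing taken from the page is the regex itself and the "role,member" layout of the bindings array.

```python
import re

# Regex copied from the provider's validation error quoted in the issue, with the
# Go string escapes (\\.) reduced to plain regex escapes (\.). As written it has no
# leading anchor, so re.search is used to mirror an unanchored MatchString.
SERVICE_ACCOUNT_ID_RE = re.compile(
    r"projects/(?:(?:[-a-z0-9]{1,63}\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?"
    r"(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))"
    r"/serviceAccounts/[a-z](?:[-a-z0-9]{4,28}[a-z0-9])"
    r"@[-a-z0-9\.]{1,63}\.iam\.gserviceaccount\.com$"
)

# Placeholder from the maintainer's workaround: it must satisfy the regex, but it
# is only ever used when count is 0, so no API request carries it.
PLACEHOLDER_ID = (
    "projects/fake-project/serviceAccounts/"
    "terraform@fake-project.iam.gserviceaccount.com"
)


def is_valid_service_account_id(value: str) -> bool:
    """True if the provider's local regex check would accept this string."""
    return SERVICE_ACCOUNT_ID_RE.search(value) is not None


def workaround_service_account_id(enabled: bool, real_id: str) -> str:
    """Python form of the conditional suggested in the thread."""
    return real_id if enabled else PLACEHOLDER_ID


def plan_member_bindings(enabled: bool, service_account_id: str, additive_bindings: list[str]) -> list[tuple[str, str]]:
    """Model (constructed for this example) of the behaviour the issue describes:
    the field is validated before count is consulted, so an empty or malformed ID
    fails the plan even when nothing would be created. Returns the (role, member)
    pairs the plan would create; raises ValueError like the provider's validation."""
    if not is_valid_service_account_id(service_account_id):
        raise ValueError(
            f'"service_account_id" ({service_account_id!r}) does not match the expected format'
        )
    count = len(additive_bindings) if enabled else 0
    planned = []
    for entry in additive_bindings[:count]:
        # Mirrors element(split(",", entry), 0) for the role and ..., 1) for the member.
        role, member = entry.split(",", 1)
        planned.append((role.strip(), member.strip()))
    return planned


if __name__ == "__main__":
    # Constructed sample bindings in the "role,member" layout used by the module.
    bindings = [
        "roles/iam.serviceAccountUser,user:alice@example.com",
        "roles/iam.serviceAccountTokenCreator,serviceAccount:ci@foo-project.iam.gserviceaccount.com",
    ]
    real_id = "projects/foo-project/serviceAccounts/terraform@foo-project.iam.gserviceaccount.com"

    # The reporter's situation: flag off, ID empty. Validation still runs and fails.
    try:
        plan_member_bindings(False, "", bindings)
    except ValueError as exc:
        print("plan failed as in the issue:", exc)

    # With the workaround the placeholder passes validation and count is 0.
    print(plan_member_bindings(False, workaround_service_account_id(False, ""), bindings))

    # Flag on: the real ID is used and every binding is planned.
    print(plan_member_bindings(True, workaround_service_account_id(True, real_id), bindings))
```

Two details worth noticing when reading the regex: the account part requires `[a-z]` plus 4 to 28 more characters plus a final alphanumeric, so a bare e-mail address or a resource path with a five-character account name is rejected by the local check before any API call, and the project part accepts either a numeric project number or a project ID. If the flag is ever flipped on while `var.service_account` is still empty, the workaround would try to bind against the nonexistent placeholder account, which fails at apply time rather than silently granting anything, but it is still worth asserting on the real variable in that case.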