DataDog / terraform-provider-datadog

Terraform Datadog provider
https://www.terraform.io/docs/providers/datadog/
Mozilla Public License 2.0

`delegate_account_email` does not get set on `datadog_integration_gcp_sts` during import #2508

Open dhermes opened 2 months ago

dhermes commented 2 months ago

Datadog Terraform Provider Version

3.39.0

Terraform Version

1.9.0

What resources or data sources are affected?

datadog_integration_gcp_sts

Terraform Configuration Files

terraform {
  required_version = "= 1.9.0"

  required_providers {
    datadog = {
      source  = "DataDog/datadog"
      version = "3.39.0"
    }

    google = {
      source  = "hashicorp/google"
      version = "5.35.0"
    }
  }

  backend "gcs" {
    bucket = "sandbox-terraform-states-..."
    prefix = "workspaces/..."
  }
}

data "google_secret_manager_secret_version" "datadog_api_key" {
  secret = "sandbox-datadog-api-key-terraform"
}

data "google_secret_manager_secret_version" "datadog_app_key" {
  secret = "sandbox-datadog-application-key-terraform"
}

provider "datadog" {
  api_key = data.google_secret_manager_secret_version.datadog_api_key.secret_data
  app_key = data.google_secret_manager_secret_version.datadog_app_key.secret_data
}

provider "google" {
  project = "sandbox-..."
  region  = "us-central1"
}

resource "google_service_account" "datadog_integration" {
  account_id   = "datadog-integration"
  display_name = "Datadog Integration"
}

data "google_iam_policy" "datadog_integration" {
  binding {
    role = "roles/iam.serviceAccountTokenCreator"

    members = [
      "serviceAccount:ddgci-...@datadog-gci-sts-us1-prod.iam.gserviceaccount.com",
    ]
  }
}

resource "google_service_account_iam_policy" "datadog_integration" {
  service_account_id = google_service_account.datadog_integration.name
  policy_data        = data.google_iam_policy.datadog_integration.policy_data
}

resource "datadog_integration_gcp_sts" "sandbox" {
  client_email = google_service_account.datadog_integration.email
}

Relevant debug or panic output

No response

Expected Behavior

$ gcloud storage cat gs://sandbox-terraform-states-.../workspaces/.../default.tfstate \
>   | jq '.resources[] | select( .type == "datadog_integration_gcp_sts" ) | .instances[].attributes.delegate_account_email'
"ddgci-...@datadog-gci-sts-us1-prod.iam.gserviceaccount.com"

Actual Behavior

$ gcloud storage cat gs://sandbox-terraform-states-.../workspaces/.../default.tfstate \
>   | jq '.resources[] | select( .type == "datadog_integration_gcp_sts" ) | .instances[].attributes.delegate_account_email'
null

Steps to Reproduce

terraform import datadog_integration_gcp_sts.sandbox "..."

Important Factoids

No response

References

No response

mliljedahl commented 1 month ago

I can confirm that this is still an issue in provider v3.43.1. Testing the example provided in the Datadog Terraform documentation, it works great when creating new integrations. When importing the resources, all looks fine, but when running terraform plan with the imported resources, the resource google_service_account_iam_member.sa_iam throws the following error:

Error: Error in function call
  on .terraform/modules/datadog_example.tf line 29, in resource "google_service_account_iam_member" "sa_iam":
  29:   member             = format("serviceAccount:%s", datadog_integration_gcp_sts.foo.delegate_account_email)
    ├────────────────
    │ while calling format(format, args...)
    │ datadog_integration_gcp_sts.foo.delegate_account_email is null

With TF_LOG=debug set, as suggested in #2197, I could not see any requests to /api/v2/integration/gcp/sts_delegate.

mliljedahl commented 1 month ago

If it helps someone else, a temporary workaround is to set member = "serviceAccount:the_delegate_account_email" manually in the example when doing the plan and apply of the imported resources.
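A state audit that catches both symptoms reported in this thread, the null delegate_account_email left behind by terraform import and a roles/iam.serviceAccountTokenCreator grant whose member cannot be verified against a delegate recorded in state, as an added example. This is not code from the provider or from either commenter. It parses a hand-constructed version 4 state document that mirrors the resources above; the service-account addresses are placeholders, and the three google_service_account_iam_* attribute shapes it reads (policy_data stored as a JSON string, member, members) are the ones the google provider writes to state.

```python
"""Audit a Terraform state for datadog_integration_gcp_sts delegates.

Added example, not code from the Datadog provider or the issue reporters.
The state below is constructed by hand to mirror the issue's resources.
"""
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Placeholder identities (assumptions, not real accounts).
INTEGRATION_SA = "datadog-integration@sandbox-example.iam.gserviceaccount.com"
DELEGATE_SA = "ddgci-example@datadog-gci-sts-us1-prod.iam.gserviceaccount.com"


def make_state(delegate_email):
    """Constructed state shaped like the issue's resources.

    delegate_email=None mirrors the state after `terraform import`; a string
    mirrors the state after `terraform apply` created the integration.
    """
    return json.dumps({
        "version": 4,
        "resources": [
            {
                "mode": "managed",
                "type": "datadog_integration_gcp_sts",
                "name": "sandbox",
                "instances": [{"attributes": {
                    "client_email": INTEGRATION_SA,
                    "delegate_account_email": delegate_email,
                }}],
            },
            {
                "mode": "managed",
                "type": "google_service_account_iam_policy",
                "name": "datadog_integration",
                "instances": [{"attributes": {
                    "service_account_id": "projects/sandbox-example/serviceAccounts/" + INTEGRATION_SA,
                    # policy_data is kept as a JSON string inside the state
                    "policy_data": json.dumps({"bindings": [
                        {"role": TOKEN_CREATOR, "members": ["serviceAccount:" + DELEGATE_SA]},
                    ]}),
                }}],
            },
        ],
    })


def instances(state, rtype):
    """Yield (address, attributes) for every managed instance of rtype."""
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != rtype:
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            address = f"{prefix}{rtype}.{res['name']}"
            if "index_key" in inst:
                address += f"[{inst['index_key']!r}]"
            yield address, inst.get("attributes", {})


def missing_delegates(state):
    """Addresses of STS integrations whose delegate_account_email is unset."""
    return [addr for addr, attrs in instances(state, "datadog_integration_gcp_sts")
            if not attrs.get("delegate_account_email")]


def known_delegates(state):
    """Delegate e-mails the Datadog API actually reported into state."""
    return {attrs["delegate_account_email"]
            for _, attrs in instances(state, "datadog_integration_gcp_sts")
            if attrs.get("delegate_account_email")}


def token_creator_grants(state):
    """(address, member) for every serviceAccountTokenCreator grant in state,
    across the three google_service_account_iam_* resource shapes."""
    grants = []
    for addr, attrs in instances(state, "google_service_account_iam_member"):
        if attrs.get("role") == TOKEN_CREATOR:
            grants.append((addr, attrs.get("member") or ""))
    for addr, attrs in instances(state, "google_service_account_iam_binding"):
        if attrs.get("role") == TOKEN_CREATOR:
            grants.extend((addr, m) for m in attrs.get("members", []))
    for addr, attrs in instances(state, "google_service_account_iam_policy"):
        policy = json.loads(attrs.get("policy_data") or "{}")
        for binding in policy.get("bindings", []):
            if binding.get("role") == TOKEN_CREATOR:
                grants.extend((addr, m) for m in binding.get("members", []))
    return grants


def audit(state_json):
    """Return the null-delegate resources and the grants nothing in state vouches for."""
    state = json.loads(state_json)
    delegates = known_delegates(state)
    unverified = [(addr, member) for addr, member in token_creator_grants(state)
                  if member.split("serviceAccount:", 1)[-1] not in delegates]
    return {"missing_delegate": missing_delegates(state),
            "unverified_grants": unverified}


if __name__ == "__main__":
    for label, email in (("imported", None), ("created", DELEGATE_SA)):
        print(label, audit(make_state(email)))
```

Run it against a real state with `python3 audit.py < default.tfstate` after swapping make_state for sys.stdin.read(); the value of the second finding is that a token-creator grant lets the member impersonate the integration service account, so a hardcoded member (as in the workaround above) should stay flagged until the state again carries the delegate the Datadog API reported.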