hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Cannot create a google_sql_user of type CLOUD_IAM_SERVICE_ACCOUNT for mysql instances #12793

Open red8888 opened 1 year ago

red8888 commented 1 year ago

Terraform Version

Terraform v0.14.11
+ provider registry.terraform.io/cyrilgdn/postgresql v1.14.0
+ provider registry.terraform.io/hashicorp/aws v3.56.0
+ provider registry.terraform.io/hashicorp/google v3.65.0
+ provider registry.terraform.io/hashicorp/google-beta v3.82.0
+ provider registry.terraform.io/hashicorp/http v2.1.0

Terraform Configuration Files

What is this syntax? https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_user#import

$ terraform import google_sql_user.users my-project/main-instance/my-domain.com/me

What is domain here?

My instance is mysql.
My org is "mycompany.com".
My project is myproject_id.
My connection name is: myproject_id:us-central1:my_instance

The user I'm importing is:
name: myuser
email: myuser@myproject_id.iam.gserviceaccount.com
Authentication: IAM (service account)

TF config

resource "google_sql_user" "myuser" {
  name     = "myuser@myproject_id.iam.gserviceaccount.com"
  instance = "my_instance"
  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
}

Attempts that throw Error: Cannot import non-existent remote object

import google_sql_user.myuser myproject_id/my_instance/myuser
import google_sql_user.myuser myproject_id/my_instance/myuser@myproject_id.iam.gserviceaccount.com
import google_sql_user.myuser myproject_id/my_instance/mycompany.com/myuser
import google_sql_user.myuser myproject_id/my_instance/mycompany.com/myuser@myproject_id.iam.gserviceaccount.com

Debug Output

not relevant

Expected Behavior

Some documentation with real examples

Actual Behavior

I have no idea what the right syntax is

Steps to Reproduce

Not relevant

Additional Context

No response

References

No response

red8888 commented 1 year ago

I finally got this after looking at the debug output; this really needs to be documented:

{
    "kind": "sql#user",
    "etag": "dfsdfsdfsdfsdfsdf",
    "name": "myuser",
    "host": "%",
    "instance": "my_instance",
    "project": "myproject_id",
    "type": "CLOUD_IAM_SERVICE_ACCOUNT"
}

So the import statement is this: import google_sql_user.myuser myproject_id/my_instance/%/myuser

But here is the problem if I create a user with this config I get an error saying the name must be the full email name:

resource "google_sql_user" "myuser" {
  name     = "myuser@myproject_id.iam.gserviceaccount.com"
  instance = "my_instance"
  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
}

Terraform fails but the user is still created and its name is myuser.

So currently the only way to terraform a mysql CLOUD_IAM_SERVICE_ACCOUNT user is to:

  1. Terraform with full email name and get an error
  2. Import the user that was created by terraform when it errored out into the resource definition
  3. Change the resource def to use the short name not the email name (I also had to include host = "%" to avoid a diff)

I haven't tested creating a new user via terraform with the host = "%" field but regardless tf shouldn't error like it did.

philip-harvey commented 1 year ago

This may not be a bug, but there is a serious lack of documentation here. The issue is you have to trim ".gserviceaccount.com" off the end of any SA name.

e.g.

resource "google_sql_user" "iam_user" {
  for_each = local.iam_users_set
  name     = endswith(each.key, ".gserviceaccount.com") ? trimsuffix(each.key, ".gserviceaccount.com") : each.key
  project  = var.project_id
  instance = var.database_instance_name
  type = endswith(each.key, ".gserviceaccount.com") ? (
    "CLOUD_IAM_SERVICE_ACCOUNT"
    ) : (
    "CLOUD_IAM_USER"
  )
}

There is zero documentation or examples on this and it's rather difficult to work out. The best idea would be to simply fix the provider so it handles this. i.e. put the above logic into the provider so it's not needed in every call to the resource.
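Putting the two findings above together (the suffix trimming from this comment and the `%` host plus `project/instance/%/short-name` import ID from the earlier debug output), here is an added example of a complete MySQL IAM user definition. It is not code from the issue reporters or from the provider; it assumes Terraform 1.3 or later (for `endswith()`), a MySQL instance that already has the `cloudsql_iam_authentication` database flag enabled, and the variable, local and principal names shown, which are constructed for illustration.

```terraform
# Added example, not from the issue reporters or the provider docs.
# Assumptions: Terraform >= 1.3 (endswith), a MySQL Cloud SQL instance with
# IAM authentication enabled, and the constructed names below.

variable "project_id" {
  type = string
}

variable "database_instance_name" {
  type = string
}

locals {
  # Constructed sample principals: one service account, one human IAM user.
  iam_principals = toset([
    "myuser@myproject_id.iam.gserviceaccount.com",
    "alice@mycompany.com",
  ])

  sa_suffix = ".gserviceaccount.com"
}

resource "google_sql_user" "iam_user" {
  for_each = local.iam_principals

  project  = var.project_id
  instance = var.database_instance_name

  # Service accounts are named WITHOUT the ".gserviceaccount.com" suffix;
  # sending the full email fails, yet the API still creates the user.
  # Human IAM users keep their full email address.
  name = endswith(each.key, local.sa_suffix) ? trimsuffix(each.key, local.sa_suffix) : each.key

  type = endswith(each.key, local.sa_suffix) ? "CLOUD_IAM_SERVICE_ACCOUNT" : "CLOUD_IAM_USER"

  # MySQL IAM users come back from the API with host "%". Setting it explicitly
  # avoids the perpetual diff the reporter saw after importing. Drop this line
  # for PostgreSQL instances, which have no host component.
  host = "%"
}

# Importing an existing MySQL IAM service-account user created out of band
# (for_each keys must be quoted in the address; the ID uses the SHORT name):
#
#   terraform import \
#     'google_sql_user.iam_user["myuser@myproject_id.iam.gserviceaccount.com"]' \
#     myproject_id/my_instance/%/myuser
```

Because `name` is derived from the principal rather than typed by hand, the same module can be reused for both user types, and a `terraform plan` after import should show no changes as long as `host` matches what the API returns.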

scuba-st3v3 commented 5 months ago

I am hitting a similar error for postgresql instances and importing a google_sql_user of type BUILT_IN.