Closed kvudata closed 3 weeks ago
Confirmed issue!
When trying to create the resource google_bigquery_table_iam_member with the shared code, or even with the Terraform registry example, it returns the following message:
Error: Error applying IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": Error setting IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": googleapi: Error 400: IAM setPolicy failed for Table redacted:test.test: Can't set conditional policy on this resource
Confirmed as well. Thanks for reporting the issue, I will forward the internal version of this issue to the Table/IAM API team.
@kvudata and others impacted - I received the following guidance from the BigQuery Security and Governance team:
IAM Conditions are only supported at the project, folder, and organization level.
Please see https://cloud.google.com/bigquery/docs/conditions.
Could you try setting the condition on e.g. google_project_iam_member and setting resource.name and resource.type in expression (see examples) to scope the grant to a specific Table?
In terms of documentation, I double checked that https://cloud.google.com/iam/docs/resource-types-with-conditional-roles doesn't mention BigQuery, but we'll update https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam#google_bigquery_table_iam_member to remove the example config since it's invalid.
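The workaround described above, as an added Terraform example that is not from the issue thread: the condition block that the table-level resource rejects is placed on a project-level binding instead and narrowed with resource.type and resource.name. The project, dataset, table and member values are placeholders; the attribute names and the bigquery.googleapis.com/Table type string follow the BigQuery conditions doc linked above.

```hcl
# Constructed placeholders, not values taken from the issue.
locals {
  project = "my-project"                # placeholder project id
  dataset = "test"                      # placeholder dataset id
  table   = "test"                      # placeholder table id
  member  = "user:analyst@example.com"  # placeholder principal
}

# google_bigquery_table_iam_member cannot carry a condition block
# ("Can't set conditional policy on this resource"), so the grant is made
# at the project level and scoped down to one table with a CEL condition.
# google_project_iam_member is non-authoritative: it only manages this
# single (role, member, condition) binding.
resource "google_project_iam_member" "table_scoped_viewer" {
  project = local.project
  role    = "roles/bigquery.dataViewer"
  member  = local.member

  condition {
    title       = "only-${local.dataset}-${local.table}"
    description = "dataViewer applies to a single table, not the whole project"
    # Both attributes must match: the resource type restricts the binding to
    # Table resources, and the full resource name pins it to one table.
    expression = format(
      "resource.type == \"bigquery.googleapis.com/Table\" && resource.name == \"projects/%s/datasets/%s/tables/%s\"",
      local.project, local.dataset, local.table,
    )
  }
}

# A principal that runs queries also needs bigquery.jobs.create on the
# project. That permission is not tied to a table, so this binding has no
# condition and grants nothing beyond job submission.
resource "google_project_iam_member" "job_user" {
  project = local.project
  role    = "roles/bigquery.jobUser"
  member  = local.member
}
```

Because the binding lives in the project policy, a `terraform plan` shows it under google_project_iam_member, and anyone auditing table access has to read project-level conditions rather than the table's own IAM policy.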
Yes, I've managed to workaround this by using google_project_iam_member.
Thank you for confirming. We'll be removing the misleading example on the Terraform resource documentation about setting IAM conditions on Table and others.
Terraform Version & Provider Version(s)
Terraform v1.6.3 on linux_amd64
Affected Resource(s)
google_bigquery_table_iam_member
Terraform Configuration
(slightly modified)
Debug Output
No response
Expected Behavior
The resource should've been created successfully
Actual Behavior
Fails with an error
Steps to reproduce
terraform apply
Important Factoids
No response
References
Per https://cloud.google.com/iam/docs/resource-types-with-conditional-roles, it looks like BigQuery tables do not support conditions so it seems like a bug for the provider to provide that in the API.
b/351528828