Role roles/iap.tunnelInstances.accessViaIAP is not supported for google_project_iam resource

[serpro69]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.1 on linux_amd64

• provider registry.terraform.io/hashicorp/google v6.5.0
• provider registry.terraform.io/hashicorp/google-beta v6.5.0

Affected Resource(s)

google_project_iam_binding google_project_iam_member

Terraform Configuration

resource "google_project_iam_binding" "iap_tunnel_access" {
  project = var.project_id
  role    = "roles/iap.tunnelInstances.accessViaIAP"
  members = ["user:bar@baz.test"]
}

or

resource "google_project_iam_member" "iap_tunnel_access" {
  project = var.project_id
  role    = "roles/iap.tunnelInstances.accessViaIAP"
  member  = "user:bar@baz.test"
}

Debug Output

No response

Expected Behavior

I can set this fine via UI console, so terraform should be able to do the same via APIs?

Actual Behavior

Tried both iam binding and member resources, and both return the same error:

│ Error: Request `Set IAM Binding for role "roles/iap.tunnelInstances.accessViaIAP" on "project \"foo\""` returned error: Error applying IAM policy for project "foo": googleapi: Error 400: Role roles/iap.tunnelInstances.accessViaIAP is not supported for this resource., badRequest

│ Error: Request `Create IAM Members roles/iap.tunnelInstances.accessViaIAP user:bar@baz.test for project "foo\"" both failed. Final error: Error applying IAM policy for project "foo": googleapi: Error 400: Role roles/iap.tunnelInstances.accessViaIAP is not supported for this resource., badRequest

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

No response

b/372713789

[ggtisc]

Confirmed issue!

After trying to create both resources they returned the described error and there isn't any list specifying if there are roles that aren't supported for these resources in terraform registry:

│ Error: RequestSet IAM Binding for role "roles/iap.tunnelInstances.accessViaIAP" on "project \"foo\""returned error: Error applying IAM policy for project "foo": googleapi: Error 400: Role roles/iap.tunnelInstances.accessViaIAP is not supported for this resource., badRequest