google_project_service_identity's member attribute is not found

esn89 commented 1 week ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.8.3 on linux amd64

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "6.8.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "6.8.0"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "google-beta" {
  project = var.project
  region  = var.region
}

Affected Resource(s)

data "google_project" "this_project" {
}
# This is related to the storage.googleapis.com, it gives the GCS service agent
# the ability to publish to pub sub topics
resource "google_project_service_identity" "storage_service_agent" {
  provider = google-beta

  project = data.google_project.this_project.project_id
  service = "storage.googleapis.com"
}

resource "google_project_iam_member" "gcs_service_agent_pubsub" {
  provider = google-beta
  project  = data.google_project.this_project.project_id
  role     = "roles/pubsub.publisher"
  member   = google_project_service_identity.storage_service_agent.member
}

The `google_project_iam_member", when planned always show:


╷
│ Error: Missing required argument
│ 
│   with google_project_iam_member.gcs_service_agent_pubsub,
│   on main.tf line 28, in resource "google_project_iam_member" "gcs_service_agent_pubsub":
│   28:   member   = google_project_service_identity.storage_service_agent.member
│ 
│ The argument "member" is required, but no definition was found.
╵

Here is what the plan looks like:

Terraform will perform the following actions:

  # google_project_iam_member.gcs_service_agent_pubsub will be created
  + resource "google_project_iam_member" "gcs_service_agent_pubsub" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = "my-project"
      + role    = "roles/pubsub.publisher"
    }

  # google_project_service_identity.storage_service_agent will be created
  + resource "google_project_service_identity" "storage_service_agent" {
      + email   = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = "my-project"
      + service = "storage.googleapis.com"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_project_service_identity.storage_service_agent: Creating...
google_project_service_identity.storage_service_agent: Creation complete after 0s [id=projects/my-project/services/storage.googleapis.com]
╷
│ Error: Missing required argument
│ 
│   with google_project_iam_member.gcs_service_agent_pubsub,
│   on main.tf line 28, in resource "google_project_iam_member" "gcs_service_agent_pubsub":
│   28:   member   = google_project_service_identity.storage_service_agent.member
│ 
│ The argument "member" is required, but no definition was found.

Terraform Configuration

data "google_project" "this_project" {
}
# This is related to the storage.googleapis.com, it gives the GCS service agent
# the ability to publish to pub sub topics
resource "google_project_service_identity" "storage_service_agent" {
  provider = google-beta

  project = data.google_project.this_project.project_id
  service = "storage.googleapis.com"
}

resource "google_project_iam_member" "gcs_service_agent_pubsub" {
  provider = google-beta
  project  = data.google_project.this_project.project_id
  role     = "roles/pubsub.publisher"
  member   = google_project_service_identity.storage_service_agent.member
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "6.8.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "6.8.0"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "google-beta" {
  project = var.project
  region  = var.region
}

variable "project" {
  type        = string
  description = "The project name"
}

variable "region" {
  type        = string
  description = "The GCP region"
}

Debug Output

No response

Expected Behavior

It should be planned and applied with the member field populated.

Actual Behavior

member is not found.

Steps to reproduce

terraform apply

Important Factoids

No response

References

No response

ggtisc commented 5 days ago

Hi @esn89!

I noticed you are assigning the following value for the google_project_iam_member.member resource:

member = google_project_service_identity.storage_service_agent.member

This is not an expected value for the member argument. According to terraform registry documentation this argument expects a value in any of the following formats:

user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

On the other hand you are trying to assign the value of your google_project_service_identity.storage_service_agent.member being that again according to the terraform registry documentation there is no argument called member for the google_project_service_identity. There is an attribute called member but below I will tell you the difference:

Arguments: Are your inputs to create a resource.
Attributes: Are the outputs or properties of the resource that Terraform manages

I suggest you check this link of terraform registry and read the documentation to understand how these resources work.

esn89 commented 5 days ago

Hi @ggtisc

I am simply following this example: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity#example-usage---service-identity-basic

The project service identity does have an attribute called "member": https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity#member

Which should give: serviceAccount:{email}, correct?

With this, I can then pass it to: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#member/members

ggtisc commented 4 days ago

In summary, you must use one of the formats that I mentioned before with its appropriate prefix depending on what type of member you need. I again invite you to review the documentation for a better understanding of how resources and the API work

hashicorp / terraform-provider-google