osinfra-io / terraform-google-kubernetes-engine

Terraform example module for Google Cloud Platform Kubernetes Engine cluster.
https://www.osinfra.io
GNU General Public License v2.0

Can't set IAM member until a Kubernetes project workload identity pool is created #61

Open brettcurtis opened 7 months ago

brettcurtis commented 7 months ago

Error: Request Create IAM Members roles/compute.networkViewer serviceAccount:plt-k8s-tf39-sb.svc.id.goog[gke-mcs/gke-mcs-importer] for project "plt-k8s-tf39-sb" returned error: Error applying IAM policy for project "plt-k8s-tf39-sb": Error setting IAM policy for project "plt-k8s-tf39-sb": googleapi: Error 400: Identity Pool does not exist (plt-k8s-tf39-sb.svc.id.goog). Please check that you specified a valid resource name as returned in the name attribute in the configuration API.

Fails for the following resources:

  # module.kubernetes_engine_global.google_service_account_iam_member.workload_identity["backstage"] will be created
  + resource "google_service_account_iam_member" "workload_identity" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + member             = "serviceAccount:plt-k8s-tf39-sb.svc.id.goog[backstage/workload-identity]"
      + role               = "roles/iam.workloadIdentityUser"
      + service_account_id = "projects/plt-k8s-tf39-sb/serviceAccounts/gke-tfcac569-workload-identity@plt-k8s-tf39-sb.iam.gserviceaccount.com"
    }

  # module.kubernetes_engine_global.google_service_account_iam_member.workload_identity["istio-ingress"] will be created
  + resource "google_service_account_iam_member" "workload_identity" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + member             = "serviceAccount:plt-k8s-tf39-sb.svc.id.goog[istio-ingress/workload-identity]"
      + role               = "roles/iam.workloadIdentityUser"
      + service_account_id = "projects/plt-k8s-tf39-sb/serviceAccounts/gke-tf1bf05e-workload-identity@plt-k8s-tf39-sb.iam.gserviceaccount.com"
    }

  # module.kubernetes_engine_global.google_service_account_iam_member.workload_identity["istio-system"] will be created
  + resource "google_service_account_iam_member" "workload_identity" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + member             = "serviceAccount:plt-k8s-tf39-sb.svc.id.goog[istio-system/workload-identity]"
      + role               = "roles/iam.workloadIdentityUser"
      + service_account_id = "projects/plt-k8s-tf39-sb/serviceAccounts/gke-tf20227d-workload-identity@plt-k8s-tf39-sb.iam.gserviceaccount.com"
    }
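The ordering problem behind this report is that a project's Workload Identity pool (`PROJECT_ID.svc.id.goog`) only exists once a cluster in that project has enabled Workload Identity, so bindings whose `member` references the pool fail with the 400 above when Terraform creates them before or alongside the cluster. As an added example (not the module's own code, with placeholder project, cluster and account names), a minimal configuration that makes both the service-account and project-level bindings wait on the cluster through `depends_on`:

```hcl
# Added example, not the module's own code: resource and argument names are real
# google provider attributes; project, cluster and account names are placeholders.
variable "project_id" {
  type    = string
  default = "example-project" # placeholder
}

# Google creates the project's Workload Identity pool (<project>.svc.id.goog)
# when the first cluster in the project enables Workload Identity.
resource "google_container_cluster" "primary" {
  name     = "example-cluster" # placeholder
  location = "us-central1"     # placeholder
  project  = var.project_id

  remove_default_node_pool = true
  initial_node_count       = 1

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

resource "google_service_account" "workload_identity" {
  for_each     = toset(["backstage", "istio-ingress", "istio-system"])
  project      = var.project_id
  account_id   = "${each.key}-wi" # placeholder naming
  display_name = "Workload Identity SA for ${each.key}"
}

# Nothing in these arguments references the cluster, so Terraform would
# otherwise create the bindings in parallel with it and hit the 400
# "Identity Pool does not exist" error. depends_on delays them until the pool exists.
resource "google_service_account_iam_member" "workload_identity" {
  for_each           = google_service_account.workload_identity
  service_account_id = each.value.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${each.key}/workload-identity]"

  depends_on = [google_container_cluster.primary]
}

# Same ordering for the project-level binding from the error message.
resource "google_project_iam_member" "mcs_importer" {
  project = var.project_id
  role    = "roles/compute.networkViewer"
  member  = "serviceAccount:${var.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"

  depends_on = [google_container_cluster.primary]
}
```

Once the cluster exists, a later `terraform plan` shows the bindings creating cleanly; if the cluster lives in a separate root module, the same effect needs an input that is only known after the cluster apply (for example its `id`) instead of an in-module `depends_on`.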