terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Invalid KeyRing id format #127

Open zxpower opened 3 years ago

zxpower commented 3 years ago

Overview

When creating a KMS keyring binding, I got the following error message:

Invalid KeyRing id format, expecting `{projectId}/{locationId}/{keyRingName}` or `{locationId}/{keyRingName}.`

The code I used when I got the error is below:

module "gha_service_account" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "3.0.1"

  project_id = var.project
  prefix     = "gha"
  names      = ["master-sa"]

  project_roles = [
  ]

  display_name  = "Github Actions SA"
  description   = "Service Account used for Github Actions"
  generate_keys = true
}

module "kms_key_ring-iam-bindings" {
  source  = "terraform-google-modules/iam/google//modules/kms_key_rings_iam"
  version = "6.4.1"
  kms_key_rings = [
    "master-keyring",
  ]

  mode = "authoritative"

  bindings = {
    "roles/cloudkms.cryptoKeyDecrypter" = [
      "serviceAccount:${module.gha_service_account.email}",
    ]
  }
}

Solved this by just adding global/ before master-keyring, as it was created as a global resource.

morgante commented 3 years ago

Since this is solved, I'm not sure we need to do anything to fix in this module.

zxpower commented 3 years ago

I suggest at least updating the README for the module, because by default you don't set the zone for keyrings because they're mostly global, but there could be times when you create a region-specific keyring.

morgante commented 3 years ago

Got it, yes we could update the README. I'm happy to review a PR.
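
Added example, not part of the thread or the module's own documentation: the binding from the issue with the key ring given in the `{locationId}/{keyRingName}` form from the error message, plus a plan-time check that rejects bare names. The variable `key_ring_ids`, the `europe-west1/regional-keyring` entry and the simplified project-ID pattern are assumptions made for illustration; `module.gha_service_account` is the service-account module shown in the issue.

```hcl
# Hypothetical variable (not an input of the IAM module): key ring IDs written
# in the form the provider's error message asks for.
variable "key_ring_ids" {
  type = list(string)
  default = [
    "global/master-keyring",         # key ring created in the global location
    "europe-west1/regional-keyring", # constructed region-specific example
  ]

  validation {
    # Accept {locationId}/{keyRingName} or {projectId}/{locationId}/{keyRingName}.
    # A bare name such as "master-keyring" fails here, at plan time.
    # The project-ID part is a simplified pattern (assumption): 6-30 lowercase
    # letters, digits or hyphens.
    condition = alltrue([
      for id in var.key_ring_ids :
      can(regex("^([a-z][a-z0-9-]{4,28}[a-z0-9]/)?[a-z0-9-]+/[a-zA-Z0-9_-]{1,63}$", id))
    ])
    error_message = "Each key ring must be given as {locationId}/{keyRingName} or {projectId}/{locationId}/{keyRingName}."
  }
}

module "kms_key_ring-iam-bindings" {
  source  = "terraform-google-modules/iam/google//modules/kms_key_rings_iam"
  version = "6.4.1"

  kms_key_rings = var.key_ring_ids

  # authoritative: the listed members replace any existing members of each
  # listed role on these key rings.
  mode = "authoritative"

  bindings = {
    "roles/cloudkms.cryptoKeyDecrypter" = [
      "serviceAccount:${module.gha_service_account.email}",
    ]
  }
}
```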