terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Invalid folder name for folder-iam. Module example using a folder name but it should be ID #156

Open snahim-g opened 2 years ago

snahim-g commented 2 years ago

TL;DR

Using a folder name for the folder-iam module errors out as the folder name is invalid.

Expected behavior

Adding iam roles

Observed behavior

│ Error: Error retrieving IAM policy for folder "folders/xxx-shared-iac": googleapi: Error 400: Request contains an invalid argument.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.DebugInfo",
│     "detail": "[ORIGINAL ERROR] generic::invalid_argument: com.google.apps.framework.request.BadRequestException: Invalid folder resource name: folders/xxx
│ ]
│ , badRequest
│
│   with module.iac-folder-iam.google_folder_iam_member.folder_iam_additive["default--roles/resourcemanager.folderEditor--user:xxxxx@xxxx.xxx.net"],
│   on .terraform/modules/iac-folder-iam/modules/folders_iam/main.tf line 49, in resource "google_folder_iam_member" "folder_iam_additive":
│   49: resource "google_folder_iam_member" "folder_iam_additive" {
│
╵

Terraform Configuration

resource "google_folder" "iac_folder" {
  display_name = "${var.shared_folder_name}-iac"
  parent       = google_folder.shared_folder.id
  depends_on   = [google_folder.shared_folder]
}

module "iac-folder-iam" {
  source  = "terraform-google-modules/iam/google//modules/folders_iam"
  folders = ["${var.shared_folder_name}-iac"]

  mode = "additive"

  bindings = var.iac_folder_iam_bindings 

  conditional_bindings = var.iac_folder_conditional_bindings 
  depends_on   = [google_folder.iac_folder]
}

Terraform Version

terraform version
Terraform v1.0.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.18.0
+ provider registry.terraform.io/hashicorp/google-beta v4.18.0
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.1.2
+ provider registry.terraform.io/hashicorp/time v0.7.2

Your version of Terraform is out of date! The latest version
is 1.1.9. You can update by downloading from https://www.terraform.io/downloads.html

Additional information

Honestly not sure why my folder name would be used here? Wouldn't GCP require a folder ID?

bharathkkb commented 2 years ago

@snahim-g Thanks for the report. The folder resource "name" output from the folder resource actually has the id and is of the form folders/{folder_id}. The module should accept both strings that are just ids or google_folder.iac_folder.name. Let me know if this works.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder#name

morgante commented 2 years ago

@bharathkkb We might want to consider changing the variable to folder_ids. Even though name is the technical definition, it's definitely confusing given the presence of display_name as well.

Changing this to FR.