terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

An attempt to configure Firestore audit logs returns BadRequest HTTP 400 #161

Closed firestore-auditor closed 2 years ago

firestore-auditor commented 2 years ago

TL;DR

An attempt to apply audit config for firestore results in a bad request.

Service firestore.googleapis.com does not exist or does not support service level configuration of Google Cloud audit logging.

Expected behavior

Config applied.

Observed behavior

googleapi: Error 400: Service firestore.googleapis.com does not exist or does not support service level configuration of Google Cloud audit logging., badRequest

Terraform Configuration

module "firestore_audit_logs" {
  source  = "terraform-google-modules/iam/google//modules/audit_config"

  project = var.my_project_id
  audit_log_config = [
    {
      service          = "firestore.googleapis.com"
      log_type         = "DATA_WRITE"
      exempted_members = []
    },
  ]
}

Terraform Version

Terraform v1.2.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.26.0
+ provider registry.terraform.io/hashicorp/google-beta v4.26.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

Additional information

Changing values via UI works.

firestore-auditor commented 2 years ago

I have tried to use different service names, and it works with: service = datastore.googleapis.com

This aspect may be evident for long-term GCP users now using Firestore in Datastore mode. It isn't apparent to new platform users. I can see two solutions:

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
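
The workaround reported in the second comment, written out as an added example (not part of the original issue and not the module's own code): the same `audit_config` call with `datastore.googleapis.com`, plus a variable validation that rejects `firestore.googleapis.com` at plan time instead of failing at apply with HTTP 400. The wrapper variable `audit_log_config` and its validation rule are assumptions for illustration; the module source, `project` and `audit_log_config` inputs are taken from the issue.

```hcl
# Added example; variable names other than the module inputs are hypothetical.
variable "my_project_id" {
  type = string
}

variable "audit_log_config" {
  description = "Audit log settings passed to the audit_config submodule."
  type = list(object({
    service          = string
    log_type         = string
    exempted_members = list(string)
  }))

  # Per the issue thread, Firestore audit logging is accepted under the
  # Datastore service name.
  default = [
    {
      service          = "datastore.googleapis.com"
      log_type         = "DATA_WRITE"
      exempted_members = []
    },
  ]

  # Catch the service name from the issue before any API call is made.
  validation {
    condition = alltrue([
      for c in var.audit_log_config : c.service != "firestore.googleapis.com"
    ])
    error_message = "Use datastore.googleapis.com: the audit config API rejects firestore.googleapis.com with HTTP 400."
  }
}

module "firestore_audit_logs" {
  source = "terraform-google-modules/iam/google//modules/audit_config"

  project          = var.my_project_id
  audit_log_config = var.audit_log_config
}
```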