terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

project needs to be a required variable in service_accounts_iam #205

Closed sjahl closed 7 months ago

sjahl commented 10 months ago

TL;DR

The readme for the service_accounts_iam module indicates that project is not a required variable, and defaults it to an empty string. However, when you try to apply this module with an empty string as the project, it uses an invalid service account ID when creating the bindings (e.g. projects//serviceAccounts/my-service-account@project.iam.gserviceaccount.com)

Expected behavior

I expect the module to generate an error if the project isn't specified.

Observed behavior

```text
│ Error: "service_account_id" ("projects//serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$)"
│
│   with module.app_service_accounts_iam_binding.google_service_account_iam_member.service_account_iam_additive["default--roles/iam.workloadIdentityUser--serviceAccount:REDACTED.svc.id.goog[default/REDACTED]"],
│   on .terraform/modules/hail_search_service_accounts_iam_binding/modules/service_accounts_iam/main.tf line 51, in resource "google_service_account_iam_member" "service_account_iam_additive":
│   51:   service_account_id = "projects/${var.project}/serviceAccounts/${module.helper.bindings_additive[each.key].name}"
```

Terraform Configuration

```hcl
module "app_service_accounts_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "7.7.1"
  service_accounts = [google_service_account.app.email]
  mode = "additive"

  bindings = {
    "roles/iam.workloadIdentityUser" = [
      "serviceAccount:${data.google_project.project.project_id}.svc.id.goog[default/REDACTED]"
    ]
  }
}
```

Terraform Version

```sh
➜ terraform version
Terraform v1.5.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.52.0
+ provider registry.terraform.io/hashicorp/google-beta v4.69.1
```

Additional information

No response
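One way to make a missing `project` fail at plan time instead of surfacing as the `projects//serviceAccounts/...` error at apply, shown as an added example that is not the module's own code: the variable block below is an assumed rewrite of the module's `project` input (no default, plus a validation rule), and the module call is the configuration from this issue with `project` passed explicitly.

```hcl
# Module side (assumed rewrite, not the module's actual variables.tf):
# dropping the empty-string default makes Terraform refuse a plan that
# omits the variable, and the validation rejects values that could never
# form a valid "projects/<project>/serviceAccounts/<email>" resource name.
variable "project" {
  description = "Project that owns the service accounts being bound. Required."
  type        = string

  validation {
    # Accept a project ID (6-30 chars of lowercase letters, digits and
    # hyphens, starting with a letter, not ending in a hyphen) or a
    # numeric project number. An empty string matches neither.
    condition     = can(regex("^([a-z][a-z0-9-]{4,28}[a-z0-9]|[0-9]{1,19})$", var.project))
    error_message = "project must be a Google Cloud project ID or project number; an empty string is not accepted."
  }
}

# Caller side: the configuration from this issue, with project set
# explicitly so the binding resolves to projects/<id>/serviceAccounts/<email>.
module "app_service_accounts_iam_binding" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "7.7.1"

  project          = data.google_project.project.project_id
  service_accounts = [google_service_account.app.email]
  mode             = "additive"

  bindings = {
    "roles/iam.workloadIdentityUser" = [
      "serviceAccount:${data.google_project.project.project_id}.svc.id.goog[default/REDACTED]"
    ]
  }
}
```

With the validation in place, `terraform plan` reports the error message above for `project = ""` before any API call is made.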

github-actions[bot] commented 8 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days