terraform-google-modules / terraform-google-iam

Manages multiple IAM roles for resources on Google Cloud
https://registry.terraform.io/modules/terraform-google-modules/iam/google
Apache License 2.0

Error 400: Requested policy version (1) cannot be less than the existing policy version (3) #86

Closed Lirt closed 4 years ago

Lirt commented 4 years ago

Hi,

I have the following simple IAM config, which worked fine:

```hcl
module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 5.0"

  project = "XXX"
  # additive mode only adds the listed members and leaves other bindings alone
  mode    = "additive"

  bindings = {
    "roles/errorreporting.user" = [
      "group:XXX@YYY",
    ]
  }
}
```

But now, for the second time and totally randomly, it shows this error:

Error: Error reading Resource "project \"XXX\"" with IAM Member: Role "roles/errorreporting.writer" Member "serviceAccount:XXX@XXX.iam.gserviceaccount.com": Error retrieving IAM policy for project "XXX": googleapi: Error 400: Requested policy version (1) cannot be less than the existing policy version (3). For more information, please refer to https://cloud.google.com/iam/docs/policies#versions., badRequest

Since I didn't manually alter any IAM setting I think that there is a different issue. It may be connected with the new condition feature, which uses IAM policy version 3. So if Google changes the policy version, the module still wants to use version 1.

What do you think about that? I don't know how to prove this, but I hope someone here can help me.

morgante commented 4 years ago

I don't think this is an issue with our module, please file an issue on the provider: https://github.com/terraform-providers/terraform-provider-google/issues

Lirt commented 4 years ago

If it is relevant for somebody, here is the issue in `terraform-provider-google`: https://github.com/terraform-providers/terraform-provider-google/issues/5218
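An added example, not part of the thread or of the module's code: a way to check the hypothesis above by inspecting a project policy exported as JSON for conditional bindings, which the IAM policy-versions documentation linked in the error says require version 3. The sample policy, the condition and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# All identifiers are placeholders; the condition is an assumption for illustration.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "etag": "constructed",
  "bindings": [
    {"role": "roles/errorreporting.user", "members": ["group:XXX@YYY"]},
    {"role": "roles/errorreporting.writer",
     "members": ["serviceAccount:XXX@XXX.iam.gserviceaccount.com"],
     "condition": {"title": "constructed-example",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")

VALID_VERSIONS = (0, 1, 3)  # the only policy versions IAM defines


def conditional_bindings(policy):
    """Return (role, member) pairs for every binding that carries a condition."""
    return [(b["role"], m)
            for b in policy.get("bindings", []) if b.get("condition")
            for m in b.get("members", [])]


def check_requested_version(policy, requested):
    """Compare the version a client requests with what the policy needs."""
    if requested not in VALID_VERSIONS:
        raise ValueError(f"{requested} is not a valid IAM policy version")
    conds = conditional_bindings(policy)
    # Conditional bindings need version 3; without them any valid version works.
    needed = 3 if conds else 0
    return {"stored": policy.get("version", 0), "needed": needed,
            "compatible": requested >= needed, "conditional": conds}


if __name__ == "__main__":
    report = check_requested_version(SAMPLE_POLICY, 1)
    print(f"stored version {report['stored']}, needs {report['needed']}, "
          f"client requesting 1 compatible: {report['compatible']}")
    for role, member in report["conditional"]:
        print(f"conditional binding: {role} -> {member}")
```

If the exported policy lists a conditional binding that nobody on the team created, that is worth reviewing on its own, since a condition changes when the role actually applies.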