Open thanos-kataras opened 3 weeks ago
### TL;DR

Error 400 when trying to create a `constraints/iam.serviceAccountKeyExposureResponse` list constraint during apply.

### Expected behavior

The policy to be created

### Observed behavior

Error 400:

```
Error: googleapi: Error 400: The policy contains invalid list value(s): [<deny all> is set]. Please fix the values in the policy and try again: StoragePolicy***resource=null, constraint=constraints/iam.serviceAccountKeyExposureResponse, etag=<ByteString@cc0c7a6 size=0 contents="">, updateTime=Optional.empty, policy=ListPolicy***inheritFromParent=false, unconditionalFragment=Optional[UnconditionalFragment***allValues=DENY, allowedValues=[], deniedValues=[], suggestedValue=Optional[]***], conditionalFragments=[]*** Details: [ *** "@type": "type.googleapis.com/google.rpc.BadRequest", "fieldViolations": [ *** "description": "Invalid value: [\u003cdeny all\u003e is set].", "field": "policy.list_policy.denied_all" *** ] *** ] , badRequest
```

### Terraform Configuration

```terraform
module "org_service_account_key_exposure_response" {
  for_each = { for index, folder_id in local.dev_folder_ids : index => folder_id }

  source  = "terraform-google-modules/org-policy/google"
  version = "~> 3.0"

  enforce         = null
  folder_id       = each.value
  policy_for      = "folder"
  organization_id = local.organization_id
  policy_type     = "list"
  constraint      = "constraints/iam.serviceAccountKeyExposureResponse"
  allow           = ["DISABLE_KEY"]
}
```

### Terraform Version

```sh
0.14
```

### Additional information

Whether enforce is null, false or true, the actual policy is applied but the deny all or allow all part is not created.
Hey, you need to specify the `allow_list_length = 1` variable as per:
https://github.com/terraform-google-modules/terraform-google-org-policy/#:~:text=List%20policies%20with,deny_list_length
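
The module call from the issue with the list length set as the reply suggests, shown as an added example that is not part of the original thread or the module's own documentation. The local `key_exposure_allow` is a hypothetical name introduced here; `local.dev_folder_ids` and `local.organization_id` are the reporter's own locals and are assumed to be defined elsewhere.

```terraform
locals {
  # Hypothetical local (not in the issue): keeping the allowed values in one
  # place lets the declared length be derived from the list itself.
  key_exposure_allow = ["DISABLE_KEY"]
}

module "org_service_account_key_exposure_response" {
  for_each = { for index, folder_id in local.dev_folder_ids : index => folder_id }

  source  = "terraform-google-modules/org-policy/google"
  version = "~> 3.0"

  folder_id       = each.value
  policy_for      = "folder"
  organization_id = local.organization_id
  policy_type     = "list"
  constraint      = "constraints/iam.serviceAccountKeyExposureResponse"

  # Left null, as in the issue's configuration.
  enforce = null

  # The values plus their count; the reply's fix is the second argument.
  # A deny list would use deny and deny_list_length instead.
  allow             = local.key_exposure_allow
  allow_list_length = length(local.key_exposure_allow) # evaluates to 1
}
```

After applying, check the folder's effective policy for this constraint to confirm that `DISABLE_KEY` is listed as an allowed value rather than a deny-all or allow-all rule.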