yandex-cloud / terraform-provider-yandex

Terraform Yandex provider
https://www.terraform.io/docs/providers/yandex/
Mozilla Public License 2.0

"Service account is not available" when using `service_account_id` inside yandex_function resource #134

Closed vitkhab closed 3 years ago

vitkhab commented 3 years ago

    resource "yandex_function" "yc_function" {
      name               = var.function_name
      description        = var.function_desc
      user_hash          = data.archive_file.zipfile.output_md5
      runtime            = var.function_runtime
      entrypoint         = var.function_entrypoint
      memory             = var.function_memory
      execution_timeout  = var.function_execution_timeout
      service_account_id = "ajefmbbids7ivhmgrfmu"
      package {
        bucket_name = yandex_storage_bucket.yc_bucket.bucket
        object_name = yandex_storage_object.yc_artifact.key
      }
    }

This configuration produces an error:

    Error: Error while requesting API to create version for Yandex Cloud Function: server-request-id = 7129e336-5017-b8fc-9212-18097d2a7a54 server-trace-id = 39b259dc0eaaaa61:d3b3a75d770fca61:39b259dc0eaaaa61:1 client-request-id = 0abca85f-b6c9-4804-8618-e7ae5fbc7462 client-trace-id = 5ef7e217-3584-42ed-903b-dadf376a690f rpc error: code = InvalidArgument desc = Service account ajefmbbids7ivhmgrfmu is not available

I can assign the service account manually through the console. Then, after using `terraform refresh`, it gets the same service_account_id into tfstate. If there is no change, terraform does nothing, saying it's all up to date. And if there is a change, terraform produces the same error.

    {
      "module": "module.yc_functions_python",
      "mode": "managed",
      "type": "yandex_function",
      "name": "yc_function",
      "provider": "module.yc_functions_python.provider[\"registry.terraform.io/yandex-cloud/yandex\"]",
      "instances": [
        {
          "attributes": {
            ...
            "service_account_id": "ajefmbbids7ivhmgrfmu",
            ...
          },
        }
      ]
    },

I would expect the configuration above to work. I'm using version 0.49.0 of the yandex-cloud/yandex provider.

P.S. I didn't change the service_account_id in the log and configuration, but I've already deleted it in Yandex Cloud.

vitkhab commented 3 years ago

Solved by adding the iam.serviceAccounts.user role to the service account used by terraform.
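
The fix described in this thread, written as Terraform (an added example, not code from the issue or from the provider's documentation). It assumes the grant is applied from a separate bootstrap configuration by an identity allowed to manage access on the function's service account, and that the role is bound on that one service account rather than folder-wide; the variable and resource names are hypothetical.

```hcl
# Added example. All variable and resource names below are hypothetical.

variable "terraform_sa_id" {
  type        = string
  description = "ID of the service account Terraform authenticates as"
}

variable "function_sa_id" {
  type        = string
  description = "ID of the service account set in yandex_function.service_account_id"
}

variable "folder_id" {
  type        = string
  description = "Folder that holds the function (used only by the broad variant)"
}

# Scoped grant: the Terraform identity may attach this one service account
# to resources it creates, and no other service account in the folder.
resource "yandex_iam_service_account_iam_member" "tf_uses_function_sa" {
  service_account_id = var.function_sa_id
  role               = "iam.serviceAccounts.user"
  member             = "serviceAccount:${var.terraform_sa_id}"
}

# Broad variant, shown for comparison and left disabled: the same role on the
# whole folder lets the Terraform identity attach ANY service account in that
# folder, including ones with more privileges than the function needs.
#
# resource "yandex_resourcemanager_folder_iam_member" "tf_uses_any_sa" {
#   folder_id = var.folder_id
#   role      = "iam.serviceAccounts.user"
#   member    = "serviceAccount:${var.terraform_sa_id}"
# }

output "granted_on" {
  description = "Service account the Terraform identity is now allowed to use"
  value       = yandex_iam_service_account_iam_member.tf_uses_function_sa.service_account_id
}
```

Apply this before the configuration that creates the `yandex_function` version, so the role is already in place when the function's `service_account_id` is set.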