
Workload identity pool resources take required project name, rather than optional project ID

Open fiadliel opened this issue 3 years ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.0.11 on darwin_amd64

Affected Resource(s)

  • google_iam_workload_identity_pool
  • google_iam_workload_identity_pool_provider

Terraform Configuration Files

Fails with:

resource "google_iam_workload_identity_pool" "xxx" {
  provider                  = google-beta
  workload_identity_pool_id = "xxx"
}

(requires specified project)

Fails with:

resource "google_iam_workload_identity_pool" "xxx" {
  provider                  = google-beta
  project                   = data.google_project.project.id
  workload_identity_pool_id = "xxx"
}

(duplicate project in API path)

Succeeds with:

resource "google_iam_workload_identity_pool" "xxx" {
  provider                  = google-beta
  project                   = data.google_project.project.name
  workload_identity_pool_id = "xxx"
}

Debug Output

https://gist.github.com/fiadliel/811c54a80ba3af7f18a74f9565d96bfd

Panic Output

No panic

Expected Behavior

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool#argument-reference states that these resources take an optional project ID.

  1. The code should create a workload pool without a specified project (documentation states that the project parameter is optional).
  2. Okay, if the parameter is required, it says it needs the project ID. When passing project.id, the workload pool should be created.

Actual Behavior

Terraform fails at plan time if project is not included.

When the project is specified, due to the duplication of projects/ in the path, the apply fails because the requested path isn't found. The API works when passing in the name of the project instead.

Steps to Reproduce

  1. terraform apply

fiadliel avatar Dec 06 '21 14:12 fiadliel

Hi @fiadliel ! Sorry you're running into this issue. In order for this to be optional, you will need to have the project set on the provider (either using an environment variable GOOGLE_PROJECT or by setting it in the provider block, as described here).

If you choose to define project on the resource, you'll want to use project_id rather than id:

resource "google_iam_workload_identity_pool" "xxx" {
  provider                  = google-beta
  project                   = data.google_project.project.project_id
  workload_identity_pool_id = "xxx"
}

Let me know if you run into issues still with either of those approaches. Thanks!

megan07 avatar Dec 06 '21 21:12 megan07

Hi @megan07 ,

We have also faced the issue described as Expected Behavior / 2.

From our window Expected Behavior / 1 (The code should create a workload pool without a specified project) is not a priority, documentation could just be changed to 'required' instead of 'optional' for project field.

However, we lost some time due to Expected Behavior / 2, the documentation says we have to use the project id for project field, however it fails and it was ok with the project number. Documentation should be updated to mention project number instead of project ID.

This affects google_iam_workload_identity_pool & also google_iam_workload_identity_pool_provider resources.

Could someone please fix Expected Behavior / 2 ?

Regards,

lemoo5sg avatar Jul 26 '22 15:07 lemoo5sg

Hi @lemoo5sg, were you using data.google_project.project.project_id or data.google_project.project.id when you were attempting the project id? I just want to clarify that I think you want to use data.google_project.project.project_id in this case.

megan07 avatar Jul 28 '22 20:07 megan07

Hi @megan07 ,

Thanks for your help on this topic.

Our module does not use any data resource. We are referring to the direct project attribute of the google_iam_workload_identity_pool & google_iam_workload_identity_pool_provider resources.

From our testing, project has to be the project number, the resource fails when passing the project ID. However the documentation refers to project ID:

project: - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Our ask is either to fix the documentation to mention project number instead of id, or to allow using the project id as documentation says in addition to the project number.

# Pool
resource "google_iam_workload_identity_pool" "workload_identity_pool" {
  provider = google-beta
  workload_identity_pool_id = "${var.prefix}-id-pool"
  display_name = "${var.prefix}-id-pool"
  description = var.description
  project = var.project_number
}

# Pool Provider
resource "google_iam_workload_identity_pool_provider" "workload_identity_pool_provider" {
  provider = google-beta
  workload_identity_pool_id = google_iam_workload_identity_pool.workload_identity_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = var.prefix
  display_name = var.prefix
  project  = var.project_number
  ...
}

lemoo5sg avatar Jul 29 '22 08:07 lemoo5sg

At Google, project id is the alphanumeric name of the project. project number is the 'real' number of the project. We can probably make the document better by saying it more clearly.

kentengjin avatar Sep 19 '23 21:09 kentengjin
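As an added illustration of the `.id` versus `.project_id` confusion in this thread (this is not code from the issue or from the provider itself), the Python below models how the provider prepends `projects/` when it builds the IAM resource name, shows why feeding it the `projects/<id>` form of `data.google_project.<name>.id` yields the doubled `projects/projects/` path the API reports as not found, and normalises a project reference so that either the alphanumeric project ID or the numeric project number is accepted and anything else fails before apply. The sample values (`example-prod-123`, `123456789012`) are constructed; the resource-name layout follows the IAM Workload Identity Pools REST API, and the provider-level fallback (provider block or `GOOGLE_PROJECT`) mirrors the precedence megan07 describes.

```python
import os
import re
from typing import Mapping, Optional

# Constructed sample values, modelled on the attributes Terraform's
# google_project data source exposes. The project and its number are invented.
SAMPLE_PROJECT = {
    "project_id": "example-prod-123",    # data.google_project.project.project_id
    "number": "123456789012",           # data.google_project.project.number
    "id": "projects/example-prod-123",  # data.google_project.project.id
}

# Project IDs: 6-30 chars, lowercase letters/digits/hyphens, start with a
# letter, no trailing hyphen. Project numbers: decimal digits only.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")


def pool_resource_name(project: str, pool_id: str,
                       provider_id: Optional[str] = None) -> str:
    """Build the IAM resource name the way the provider does: prefix whatever
    `project` holds with 'projects/'. Deliberately no normalisation here, so
    the failure mode from the issue is reproduced faithfully."""
    name = f"projects/{project}/locations/global/workloadIdentityPools/{pool_id}"
    if provider_id is not None:
        name += f"/providers/{provider_id}"
    return name


def has_duplicate_project_segment(resource_name: str) -> bool:
    """True when a 'projects/<x>' value was pushed through a template that
    already adds 'projects/', i.e. the path the API rejects as not found."""
    return resource_name.startswith("projects/projects/")


def normalize_project(value: str) -> str:
    """Accept a project ID, a project number, or the 'projects/<id>' form of
    data.google_project.<name>.id, and return the bare ID or number.
    Anything else (wrong case, underscores, a doubled prefix) is rejected."""
    bare = value[len("projects/"):] if value.startswith("projects/") else value
    if PROJECT_ID_RE.match(bare) or PROJECT_NUMBER_RE.match(bare):
        return bare
    raise ValueError(
        f"not a project ID, project number or projects/<id> reference: {value!r}")


def is_valid_project_reference(value: str) -> bool:
    """Boolean wrapper around normalize_project for validation in a plan step."""
    try:
        normalize_project(value)
        return True
    except ValueError:
        return False


def resolve_project_argument(resource_project: Optional[str],
                             provider_project: Optional[str] = None,
                             env: Optional[Mapping[str, str]] = None) -> str:
    """Mirror the provider's precedence: the resource-level `project` wins,
    then the provider block, then GOOGLE_PROJECT from the environment.
    With none of them set there is nothing to build the resource name from."""
    env = os.environ if env is None else env
    if resource_project is not None:
        return normalize_project(resource_project)
    if provider_project is None:
        provider_project = env.get("GOOGLE_PROJECT")
    if not provider_project:
        raise ValueError("project is required: set it on the resource, in the "
                         "provider block, or via GOOGLE_PROJECT")
    return normalize_project(provider_project)


if __name__ == "__main__":
    # The failing shape from the issue: passing the `.id` attribute straight through.
    bad = pool_resource_name(SAMPLE_PROJECT["id"], "xxx")
    print(bad, "-> duplicate project segment:", has_duplicate_project_segment(bad))
    # The working shapes: project_id or number, after normalisation.
    for key in ("project_id", "number", "id"):
        project = resolve_project_argument(SAMPLE_PROJECT[key], env={})
        print(key, "->", pool_resource_name(project, "xxx", provider_id="gh-actions"))
```

Running the block prints the doubled `projects/projects/example-prod-123/...` path for the `.id` case and a well-formed pool and provider name for the other two; `is_valid_project_reference` is the check to run over module inputs before apply so a `projects/projects/` or mixed-case value is caught at plan time rather than as a 404 from the API.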