terraform-google-iam
Error using on the bucket that does not exist yet.
resource "google_storage_bucket" "logsinc_bucket_tools" {
  name    = "${var.environment_name}-log-sink"
  project = data.google_project.tools_project.project_id
}
module "logsinc_bucket_iam_bindings" {
  source          = "terraform-google-modules/iam/google//modules/storage_buckets_iam"
  version         = "~> 3.0"
  storage_buckets = [google_storage_bucket.logsinc_bucket_tools.id]
  mode            = "additive"
  bindings = {
    "roles/storage.objectCreator" = [
      "group:[email protected]",
    ]
    "roles/storage.objectViewer" = [
      "group:[email protected]",
    ]
  }
}
Causes an error:
Error: Invalid count argument
on .terraform/modules/hsq-uat.logsinc_bucket_iam_bindings/terraform-google-modules-terraform-google-iam-ace2efe/modules/storage_buckets_iam/main.tf line 45, in resource "google_storage_bucket_iam_member" "storage_bucket_iam_additive":
45: count = var.bindings_num > 0 ? var.bindings_num * local.additive * local.storage_bucket_count : length(local.bindings_formatted) * local.additive
Any progress on that? It prevents us from using the module when the bucket is first created.
This is unfortunately a bit of a bug in Terraform.
However, I believe we can make this work for the singular case where only a single bucket is being managed (using the same approach as projects).
@cray0000 please take this on.
Sure, @morgante
I think this should already be working without additional work though. Even though there is a separate option to specify one project, it's not being used to make the configuration behave in a static way.
One can already specify only a single element to the array of entities and in this case it will ignore it when doing the for_each (which is replacing the old count we used for iam in version 3.0 which @mikhail-khodorovskiy is getting an error about).
At least it behaves this way in the static-and-dynamic unit tests, which are testing these same dynamically created resources for projects.
@mikhail-khodorovskiy I'm going to add a similar test for the dynamically created bucket to confirm whether it's working or not and will let you know. In case it doesn't, I'll try to find a workaround.
Good point. @mikhail-khodorovskiy It's probably also worth upgrading to version 5.0 and seeing if that fixes your problems.
I tried, it did not.
Actually I have a different error:
Terraform v0.12.8
+ provider.external v1.2.0
+ provider.google v2.13.0
+ provider.google-beta v2.13.0
+ provider.null v2.1.2
+ provider.random v2.1.2
Error: Invalid for_each argument
The "for_each" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the for_each depends on.
Even for the existing bucket when I migrate 2.20.0 google provider to 3.5.0 google provider I get the same error even on existing buckets in both adaptive and authoritative modes.
Were you not getting this error before?
Same issue here with a configuration declaring a custom role and using the module (version 5.1.0) to create IAM bindings to it:
Error: Invalid for_each argument
on .terraform\modules\project-iam-bindings\terraform-google-modules-terraform-google-iam-01965a1\modules\projects_iam\main.tf line 44, in resource "google_project_iam_member" "project_iam_additive":
44: for_each = module.helper.set_additive
The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.
I filed a different issue regarding this since this seems unrelated: https://github.com/terraform-google-modules/terraform-google-iam/issues/92.
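The "Invalid for_each argument" error quoted in this thread is raised when the for_each value depends on attributes that are unknown at plan time. As an added example (not the module's own code and not posted by any participant), the same additive grants can be written with the provider's google_storage_bucket_iam_member resource so that the keys are built only from literal role and member strings; the variable names, location and group addresses are placeholders.

```hcl
# Added example. Variable names, location and group addresses are placeholders.
variable "environment_name" {
  type = string
}

variable "project_id" {
  type = string
}

locals {
  # Known at plan time: role => members, written as literals.
  log_sink_bindings = {
    "roles/storage.objectCreator" = ["group:log-writers@example.com"]
    "roles/storage.objectViewer"  = ["group:log-readers@example.com"]
  }

  # One entry per (role, member). The map keys come only from the
  # literals above, never from attributes of the bucket resource.
  log_sink_members = {
    for pair in flatten([
      for role, members in local.log_sink_bindings : [
        for member in members : { role = role, member = member }
      ]
    ]) : "${pair.role} ${pair.member}" => pair
  }
}

resource "google_storage_bucket" "log_sink" {
  name     = "${var.environment_name}-log-sink"
  project  = var.project_id
  location = "US" # placeholder; newer provider versions require a location
}

# Additive (non-authoritative) grants: each instance adds one member to
# one role and leaves other bindings on the bucket untouched.
resource "google_storage_bucket_iam_member" "log_sink" {
  for_each = local.log_sink_members

  # A reference to the bucket is safe here even if the attribute is not
  # known until apply: it is an argument value, not part of the key set,
  # and it still orders the grant after bucket creation.
  bucket = google_storage_bucket.log_sink.name
  role   = each.value.role
  member = each.value.member
}
```

With this layout `terraform plan` can count the IAM member instances before the bucket exists, so the bucket and its grants are created in a single apply.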