
google_project_service_identity's member attribute is not found #19970

Open

esn89 opened this issue Oct 22, 2024 · 8 comments


esn89 commented Oct 22, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.8.3
on linux amd64

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "6.8.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "6.8.0"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "google-beta" {
  project = var.project
  region  = var.region
}

Affected Resource(s)

data "google_project" "this_project" {
}
# This is related to the storage.googleapis.com, it gives the GCS service agent
# the ability to publish to pub sub topics
resource "google_project_service_identity" "storage_service_agent" {
  provider = google-beta

  project = data.google_project.this_project.project_id
  service = "storage.googleapis.com"
}

resource "google_project_iam_member" "gcs_service_agent_pubsub" {
  provider = google-beta
  project  = data.google_project.this_project.project_id
  role     = "roles/pubsub.publisher"
  member   = google_project_service_identity.storage_service_agent.member
}

The `google_project_iam_member`, when planned, always shows:


╷
│ Error: Missing required argument
│ 
│   with google_project_iam_member.gcs_service_agent_pubsub,
│   on main.tf line 28, in resource "google_project_iam_member" "gcs_service_agent_pubsub":
│   28:   member   = google_project_service_identity.storage_service_agent.member
│ 
│ The argument "member" is required, but no definition was found.
╵

Here is what the plan looks like:

Terraform will perform the following actions:

  # google_project_iam_member.gcs_service_agent_pubsub will be created
  + resource "google_project_iam_member" "gcs_service_agent_pubsub" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = "my-project"
      + role    = "roles/pubsub.publisher"
    }

  # google_project_service_identity.storage_service_agent will be created
  + resource "google_project_service_identity" "storage_service_agent" {
      + email   = (known after apply)
      + id      = (known after apply)
      + member  = (known after apply)
      + project = "my-project"
      + service = "storage.googleapis.com"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_project_service_identity.storage_service_agent: Creating...
google_project_service_identity.storage_service_agent: Creation complete after 0s [id=projects/my-project/services/storage.googleapis.com]
╷
│ Error: Missing required argument
│ 
│   with google_project_iam_member.gcs_service_agent_pubsub,
│   on main.tf line 28, in resource "google_project_iam_member" "gcs_service_agent_pubsub":
│   28:   member   = google_project_service_identity.storage_service_agent.member
│ 
│ The argument "member" is required, but no definition was found.

Terraform Configuration

data "google_project" "this_project" {
}
# This is related to the storage.googleapis.com, it gives the GCS service agent
# the ability to publish to pub sub topics
resource "google_project_service_identity" "storage_service_agent" {
  provider = google-beta

  project = data.google_project.this_project.project_id
  service = "storage.googleapis.com"
}

resource "google_project_iam_member" "gcs_service_agent_pubsub" {
  provider = google-beta
  project  = data.google_project.this_project.project_id
  role     = "roles/pubsub.publisher"
  member   = google_project_service_identity.storage_service_agent.member
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "6.8.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "6.8.0"
    }
  }
}

provider "google" {
  project = var.project
  region  = var.region
}

provider "google-beta" {
  project = var.project
  region  = var.region
}

variable "project" {
  type        = string
  description = "The project name"
}

variable "region" {
  type        = string
  description = "The GCP region"
}

Debug Output

No response

Expected Behavior

It should be planned and applied with the member field populated.

Actual Behavior

member is not found.

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

@esn89 esn89 added the bug label Oct 22, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudresourcemanager-crm labels Oct 22, 2024
@ggtisc ggtisc self-assigned this Oct 30, 2024
ggtisc (Collaborator) commented Oct 30, 2024

Hi @esn89!

I noticed you are assigning the following value for the google_project_iam_member.member argument:

member = google_project_service_identity.storage_service_agent.member

This is not an expected value for the member argument. According to the Terraform registry documentation, this argument expects a value in any of the following formats:

  • user:{emailid}: An email address that represents a specific Google account. For example, [email protected] or [email protected].

  • serviceAccount:{emailid}: An email address that represents a service account. For example, [email protected].

  • group:{emailid}: An email address that represents a Google group. For example, [email protected].

  • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

On the other hand, you are trying to assign the value of google_project_service_identity.storage_service_agent.member; again, according to the Terraform registry documentation, there is no argument called member for google_project_service_identity. There is an attribute called member, but below I will tell you the difference:

  • Arguments: are your inputs to create a resource.

  • Attributes: are the outputs or properties of the resource that Terraform manages.

I suggest you check this link to the Terraform registry and read the documentation to understand how these resources work.

esn89 (Author) commented Oct 30, 2024

ggtisc (Collaborator) commented Oct 30, 2024

In summary, you must use one of the formats that I mentioned before, with the appropriate prefix depending on what type of member you need. I again invite you to review the documentation for a better understanding of how the resources and the API work.

esn89 (Author) commented Nov 13, 2024

I did have a read over that, and I'd assume that "attributes" are things that I can see after apply, correct?

Would it be fair to say, then, that this would yield some outputs after apply?

output "storage_service_email" {
  value = google_project_service_identity.storage_service_agent.email
}

output "storage_service_member" {
  value = google_project_service_identity.storage_service_agent.member
}

Furthermore, I dug around for examples, and I have even tried using email like the one shown in this example, but that doesn't seem to work either.

ggtisc (Collaborator) commented Nov 14, 2024

Could you share your updated code to confirm that it has the valid format explained in the official documentation?

esn89 (Author) commented Nov 20, 2024

I have it done like so:

resource "google_project_service_identity" "storage_service_agent" {
  provider = google-beta

  project = data.google_project.this_project.project_id
  service = "storage.googleapis.com"
}

output "storage_service_email" {
  value = google_project_service_identity.storage_service_agent.email
}

output "storage_service_member" {
  value = google_project_service_identity.storage_service_agent.member
}

The outputs do not show anything.

ggtisc (Collaborator) commented Nov 20, 2024

Thanks!

I'm going to explain in other words; please read it carefully. According to the documentation I shared a couple of times, the member argument of google_project_iam_member expects:

  1. A user like user:[email protected]. Example:
resource "google_project_iam_member" "project_iam_member_19970" {
  project  = "my-project"
  role     = "roles/pubsub.publisher"
  member   = "user:[email protected]" # it needs to be a valid existing user of your GCP organization
}
  2. A service account like a google_service_account.email. Example:
resource "google_service_account" "sa_19970" {
  account_id = "sa-19970"
}

resource "google_project_iam_member" "project_iam_member_19970" {
  project  = "my-project"
  role     = "roles/pubsub.publisher"
  # reference the service account declared above, with the serviceAccount: prefix
  member   = "serviceAccount:${google_service_account.sa_19970.email}"
}
  3. A group like [email protected]. Example:
resource "google_project_iam_member" "project_iam_member_19970" {
  project  = "my-project"
  role     = "roles/pubsub.publisher"
  member   = "group:[email protected]" # it needs to be a valid existing group of your GCP organization
}
  4. A domain like domain/example.com. Example:
resource "google_project_iam_member" "project_iam_member_19970" {
  project = "my-project"
  role    = "roles/pubsub.publisher"
  member  = "domain:my-domain.com" # it needs to be a valid existing domain of your GCP organization
}

Note that each example uses the corresponding prefix from the documentation examples (user:, group:, domain:), which you are not using.

It is not allowed to use a google_project_service_identity the way you are trying to. These are the only allowed options according to the documentation that I'm sharing again here.
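The member formats listed above, and the "(known after apply)" member shown in the original plan, are easy to check mechanically before anything is applied. The following is an added example, not code from this issue or from the Terraform Google provider: a small Python audit over `terraform show -json` plan output that flags every `google_project_iam_member` being created or updated whose `member` is unknown until apply, empty, a bare email with no type prefix, or otherwise outside the documented `user:`/`serviceAccount:`/`group:`/`domain:` formats. The `SAMPLE_PLAN` is constructed to mirror the plan in this issue plus two invented bindings; the file name `audit_iam_members.py` and the plan file path are assumptions.

```python
"""Pre-apply audit of google_project_iam_member principals in a Terraform plan.

Assumed usage:
    terraform plan -out=plan.tfplan
    terraform show -json plan.tfplan > plan.json
    python audit_iam_members.py plan.json
Run without arguments, it audits the constructed SAMPLE_PLAN below.
"""
import json
import re
import sys

# Principal types documented for google_project_iam_member.member
VALID_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def check_member(member, unknown=False):
    """Classify one member value.

    Returns None when the value is in a documented format, otherwise a short
    reason a reviewer can act on before `terraform apply`.
    """
    if unknown:
        # Terraform only learns the value at apply time, so the grant cannot be
        # reviewed from the plan; this is the "(known after apply)" case.
        return "member unknown until apply; the grant cannot be reviewed from the plan"
    if not member:
        return "member is empty (the referenced attribute resolved to nothing)"
    if member.startswith(VALID_PREFIXES):
        prefix, principal = member.split(":", 1)
        if not principal:
            return f"{prefix}: prefix with no principal"
        if prefix != "domain" and not EMAIL_RE.match(principal):
            return f"{prefix}: principal {principal!r} is not an email address"
        return None
    if EMAIL_RE.match(member):
        return "bare email address without a user:/serviceAccount:/group: prefix"
    return f"unrecognised member format {member!r}"


def audit_plan(plan):
    """Return {resource address: reason} for every google_project_iam_member
    being created or updated whose member value is unknown or malformed."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_project_iam_member":
            continue
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        # `terraform show -json` omits unknown keys from `after` and lists
        # them under `after_unknown` instead.
        after = change.get("after") or {}
        after_unknown = change.get("after_unknown") or {}
        reason = check_member(after.get("member"), unknown=bool(after_unknown.get("member")))
        if reason:
            findings[rc["address"]] = reason
    return findings


# Constructed sample shaped like `terraform show -json` output (not real
# output): the issue's binding with member known after apply, plus two
# invented bindings, one without the prefix and one correctly prefixed.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "google_project_iam_member.gcs_service_agent_pubsub",
            "type": "google_project_iam_member",
            "change": {
                "actions": ["create"],
                "after": {"project": "my-project", "role": "roles/pubsub.publisher"},
                "after_unknown": {"etag": True, "id": True, "member": True},
            },
        },
        {
            "address": "google_project_iam_member.bare_email",
            "type": "google_project_iam_member",
            "change": {
                "actions": ["create"],
                "after": {"project": "my-project", "role": "roles/pubsub.publisher",
                          "member": "sa-19970@my-project.iam.gserviceaccount.com"},
                "after_unknown": {"etag": True, "id": True},
            },
        },
        {
            "address": "google_project_iam_member.prefixed_sa",
            "type": "google_project_iam_member",
            "change": {
                "actions": ["create"],
                "after": {"project": "my-project", "role": "roles/pubsub.publisher",
                          "member": "serviceAccount:sa-19970@my-project.iam.gserviceaccount.com"},
                "after_unknown": {"etag": True, "id": True},
            },
        },
    ]
}


def main(argv):
    with open(argv[1]) if len(argv) > 1 else None as handle:
        plan = json.load(handle) if handle else SAMPLE_PLAN
    findings = audit_plan(plan)
    for address, reason in findings.items():
        print(f"{address}: {reason}")
    return 1 if findings else 0  # non-zero so a CI step can block the apply


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately conservative: a member that is only known after apply is reported, because the plan alone cannot tell a reviewer which principal is about to receive `roles/pubsub.publisher`, which is the situation the original plan output in this issue shows.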

tomoyukik commented Dec 6, 2024

I'm experiencing the same problem.

The google_project_service_identity resource's member attribute also has the serviceAccount: prefix as documented here: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity

Therefore, the example in comment #19970 should work, suggesting a potential issue with the google_project_service_identity resource itself.

No branches or pull requests

3 participants