
Terraform fails to create "google_iap_web_backend_service_iam_binding" #4515

Closed
JanMa opened this issue Sep 20, 2019 · 11 comments
Labels
forward/linked persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work service/iap size/m
Milestone

Comments

@JanMa

JanMa commented Sep 20, 2019

Terraform Version

Affected Resource(s)

  • google_iap_web_backend_service_iam_binding

Terraform Configuration Files

```hcl
resource "google_iap_web_backend_service_iam_binding" "zabbix" {
  web_backend_service = module.zabbix-lb-iap.backend_services[0]
  role                = "roles/iap.httpsResourceAccessor"
  members = [
    "user:<my-email>",
  ]
}
```

Debug Output

https://gist.github.com/JanMa/5d47695c38ec6406fc6d2cab7643ef50

Expected Behavior

Terraform should create the google_iap_web_backend_service_iam_binding. My google account has all the necessary permissions for it.

Actual Behavior

Terraform fails with the error message

Error: Error retrieving IAM policy for iap webbackendservice "projects/www.googleapis.com/iap_web/compute/services/compute": googleapi: Error 403: Permission denied on resource project www.googleapis.com.

I suspect the URL it tries to use is wrong. It should be something like projects/<project-name>/iap_web/compute/services/compute

Steps to Reproduce

Create an IAP load balancer and try to apply the config shown above.
If you need more detailed configuration I will try to write a simple config which can reproduce the issue.

Important Factoids

I am running this as a user account and not with a service account.

b/299442846

@ghost ghost added the bug label Sep 20, 2019
@slevenick
Collaborator

Hey @JanMa

Sorry about this! I see the issue, the resource is not parsing the backend service self link correctly.

As a workaround you can specify just the short name of the backend service, so rather than https://www.googleapis.com/compute/v1/projects/{project}/global/backendServices/{name}, just specify name.

I'll get this fixed

@slevenick
Collaborator

On further review, I'm not sure passing a backend service self link to an IAP IAM resource is going to work, as these resources operate on entirely different products. I'll move this to an enhancement, as it would certainly be nice to have

Changing your config to web_backend_service = basename(module.zabbix-lb-iap.backend_services[0]) should fix this issue, using the basename function found here: https://www.terraform.io/docs/configuration/functions/basename.html
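As an added illustration (not code from the provider or from anyone in this thread), the two parsers below show how an unanchored `{project}/{service}` search over a backend service self link produces the `projects/www.googleapis.com/iap_web/compute/services/compute` path seen in the error above, and how an anchored parser that also accepts the bare name (what the basename workaround supplies) avoids it. The regexes and function names are assumptions consistent with the error message, not the provider's actual implementation.

```python
import re

# Compute backend service self link (full or project-relative), as in the thread.
SELF_LINK_RE = re.compile(
    r"^(?:https://www\.googleapis\.com/compute/v1/)?"
    r"projects/(?P<project>[^/]+)/global/backendServices/(?P<name>[^/]+)$"
)
# Bare Compute resource name (lowercase letters, digits, hyphens; no dots).
SHORT_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")


def naive_iap_resource(value: str) -> str:
    """Reconstruction (assumption) of the faulty parse: an unanchored search for
    '{project}/{service}'. On a self link the first two adjacent non-empty
    segments are the host name and 'compute', so the host lands in the project
    slot and the API name becomes the service name."""
    m = re.search(r"(?P<project>[^/]+)/(?P<service>[^/]+)", value)
    if m is None:
        raise ValueError(f"no project/service pair in {value!r}")
    return f"projects/{m['project']}/iap_web/compute/services/{m['service']}"


def iap_resource(value: str, default_project: str) -> str:
    """Build the IAP IAM resource path from a self link, a project-relative link,
    or a bare backend service name (the basename() workaround)."""
    m = SELF_LINK_RE.match(value)
    if m:
        project, name = m["project"], m["name"]
    elif SHORT_NAME_RE.match(value):
        project, name = default_project, value
    else:
        raise ValueError(f"unrecognised backend service reference: {value!r}")
    # A project id never contains a dot; a host name here means the reference
    # was mis-parsed, so fail loudly instead of issuing a request that 403s.
    if "." in project:
        raise ValueError(f"project id looks like a host name: {project!r}")
    return f"projects/{project}/iap_web/compute/services/{name}"


if __name__ == "__main__":
    # Constructed sample self link; project and name are placeholders.
    link = "https://www.googleapis.com/compute/v1/projects/my-proj/global/backendServices/zabbix-be"
    print(naive_iap_resource(link))      # the broken path from the issue
    print(iap_resource(link, "my-proj")) # the intended path
```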

@slevenick slevenick added enhancement and removed bug labels Sep 20, 2019
@JanMa
Author

JanMa commented Sep 21, 2019

Hello @slevenick

thank you very much for your quick response. I tried your suggested workaround using the basename function and now the resource gets created :-)

Kind regards,
Jan

@sashameltser

Hello @slevenick, I have tried both of your suggestions and I am still receiving
Error: Error reading Resource "iap webbackendservice "projects/www.googleapis.com/iap_web/compute/services/compute"" with IAM Policy: Error retrieving IAM policy for iap webbackendservice "projects/www.googleapis.com/iap_web/compute/services/compute": googleapi: Error 403: Permission denied on resource project www.googleapis.com.

I am getting this error message when using the "google_iap_web_backend_service_iam_policy" resource.

@paddycarver paddycarver added this to the Backlog milestone Dec 6, 2019
@shako92

shako92 commented Dec 23, 2020

I'm also getting the same type of behavior:

PROJECT ID = management-299206

```
Terraform v0.12.29
Initializing plugins and modules...
2020/12/23 07:14:48 [DEBUG] Using modified User-Agent: Terraform/0.12.29 TFC/294fe188ce

Error: Error retrieving IAM policy for iap webbackendservice "projects/management-299206/iap_web/compute/services/jenkins-https-lb-backend-default": googleapi: Error 403: The caller does not have permission
```

This is the piece of TF which tries to create the binding:

```hcl
resource "google_iap_web_backend_service_iam_binding" "enable-iap-access-to-jenkins" {
  project             = module.create-jenkins-https-lb.backend_services["default"].project
  web_backend_service = basename(module.create-jenkins-https-lb.backend_services["default"].name)
  role                = "roles/iap.httpsResourceAccessor"
  members = [
    "group:${var.iap_access_group}"
  ]
}
```

@slevenick
Collaborator

> I'm also getting the same type of behavior:
>
> PROJECT ID = management-299206
>
> ```
> Terraform v0.12.29
> Initializing plugins and modules...
> 2020/12/23 07:14:48 [DEBUG] Using modified User-Agent: Terraform/0.12.29 TFC/294fe188ce
>
> Error: Error retrieving IAM policy for iap webbackendservice "projects/management-299206/iap_web/compute/services/jenkins-https-lb-backend-default": googleapi: Error 403: The caller does not have permission
> ```
>
> This is the piece of TF which tries to create the binding:
>
> ```hcl
> resource "google_iap_web_backend_service_iam_binding" "enable-iap-access-to-jenkins" {
>   project             = module.create-jenkins-https-lb.backend_services["default"].project
>   web_backend_service = basename(module.create-jenkins-https-lb.backend_services["default"].name)
>   role                = "roles/iap.httpsResourceAccessor"
>   members = [
>     "group:${var.iap_access_group}"
>   ]
> }
> ```

This looks like a permission issue rather than the issue with the self link the others are seeing. Are you sure that the service account/user that Terraform is using has access to set IAP IAM?

@shako92

shako92 commented Dec 23, 2020

@slevenick yep, you are right, the SA had the Primitive Editor role, which doesn't cover IAP.
The solution for me was to add "IAP Policy Admin" to the SA.

Thank you

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Mar 18, 2021
* mark field as updatable

Co-authored-by: upodroid <[email protected]>

* add google hc ds

Co-authored-by: upodroid <[email protected]>
Signed-off-by: Modular Magician <[email protected]>
modular-magician added a commit that referenced this issue Mar 18, 2021
* mark field as updatable

Co-authored-by: upodroid <[email protected]>

* add google hc ds

Co-authored-by: upodroid <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: upodroid <[email protected]>
@rileykarson rileykarson added persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work and removed enhancement labels Jun 20, 2023
@rileykarson rileykarson removed this from the Backlog milestone Jun 20, 2023
@rileykarson
Collaborator

I suspect this predated the persistent-bug label, so retagging with that. I'm not sure why this is in backlog- it just seems like a bug on a read-through.

@rileykarson rileykarson added this to the Goals milestone Jun 26, 2023
@github-actions github-actions bot added forward/review In review; remove label to forward service/iap labels Aug 17, 2023
@ScottSuarez ScottSuarez removed the forward/review In review; remove label to forward label Aug 25, 2023
@Jojoooo1

Do you have any news on that bug? It seems to still not work.

@bryan0515

Verified that this works with version = "4.51.0". I think this bug can be closed.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 17, 2024