Error 400: Requested policy version (1) cannot be less than the existing policy version (3)

[Lirt]

HI,

I have following simple IAM config, which worked fine:

module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 5.0"

  project = "XXX"
  mode    = "additive"

    "roles/errorreporting.user" = [
      "group:XXX@YYY",
    ]
}

But now second time totally randomly it shows this error:

Error: Error reading Resource "project \"XXX\"" with IAM Member: Role "roles/errorreporting.writer" Member "serviceAccount:[email protected]": Error retrieving IAM policy for project "XXX": googleapi: Error 400: Requested policy version (1) cannot be less than the existing policy version (3). For more information, please refer to https://cloud.google.com/iam/docs/policies#versions., badRequest

Since I didn't manually alter any IAM setting I think that there is a different issue.
It may be connected with the new condition feature, which uses IAM policy version 3. So if Google changes the policy version, the module still wants to use version 1.

What do you think about that?
I don't know how to prove this, but I hope someone here can help me.

[morgante]

I don't think this is an issue with our module, please file an issue on the provider: https://github.com/terraform-providers/terraform-provider-google/issues

[Lirt]

If it was relevant for somebody, here is the issue in `terraform-provider-google' hashicorp/terraform-provider-google#5218