terraform-google-modules/terraform-google-cloud-storage

Allow defining simple_bucket's iam_members for_each key statically

KamilaBorowska opened this issue · 15 comments

TL;DR

Currently it's not possible to have a list of IAM members with dynamically created members. Trying to do so causes an error:

╷
│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/storage_buckets/modules/simple_bucket/main.tf line 94, in resource "google_storage_bucket_iam_member" "members":
│   94:   for_each = {
│   95:     for m in var.iam_members : "${m.role} ${m.member}" => m
│   96:   }
│     ├────────────────
│     │ var.iam_members is list of object with 1 element
│ 
│ The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to define the map keys statically in your configuration and place apply-time results only in the map values.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
╵

I think it would make sense to allow providing an optional name of its own for the for_each key to avoid this issue.

Terraform Resources

No response

Detailed design

No response

Additional information

No response

xNok commented

This is quite a problem as it means that iam_member cannot contain created resources such as service accounts.

I think the solution is in other terraform-google-modules
https://registry.terraform.io/modules/terraform-google-modules/iam/google/7.4.1/submodules/storage_buckets_iam

  bindings = {
    "roles/storage.legacyBucketReader" = [
      "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
      "group:my-group@my-org.com",
      "user:my-user@my-org.com",
    ]
    "roles/storage.legacyBucketWriter" = [
      "serviceAccount:my-sa@my-project.iam.gserviceaccount.com",
      "group:my-group@my-org.com",
      "user:my-user@my-org.com",
    ]
  }

Just wondering if there is any specific reason that google_storage_bucket_iam_member was used in simple-bucket sub-module instead of google_storage_bucket_iam_binding?
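An added example (not code from the module or from anyone in this thread) of the static-key shape the error message recommends: the caller chooses literal map keys, and the apply-time member goes only into the value. The service account, bucket name and key names are constructed placeholders.

```hcl
# The module's current pattern derives the key from the member itself:
#   for m in var.iam_members : "${m.role} ${m.member}" => m
# When m.member is a service account created in the same apply, the key is
# unknown at plan time and for_each fails. Below, the key is a literal.

resource "google_service_account" "uploader" {
  account_id   = "uploader-sa-placeholder" # constructed
  display_name = "Object uploader"
}

resource "google_storage_bucket" "bucket" {
  name     = "example-bucket-placeholder" # constructed
  location = "US"
}

locals {
  # Keys are known at plan time; only the member value is apply-time.
  iam_members = {
    "uploader-object-creator" = {
      role   = "roles/storage.objectCreator"
      member = "serviceAccount:${google_service_account.uploader.email}"
    }
    "auditors-viewer" = {
      role   = "roles/storage.objectViewer"
      member = "group:auditors@example.com" # constructed
    }
  }
}

# google_storage_bucket_iam_member is non-authoritative: each instance adds
# exactly one (role, member) pair and leaves other grants on the bucket alone.
resource "google_storage_bucket_iam_member" "members" {
  for_each = local.iam_members

  bucket = google_storage_bucket.bucket.name
  role   = each.value.role
  member = each.value.member
}
```

This keeps the least-privilege property of the existing module: unlike google_storage_bucket_iam_binding, which is authoritative for its role and removes any member not listed, a _member resource never strips grants it did not create.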

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

Still relevant.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days