Error applying IAM policy for folder ... googleapi: Error 400: Policy members must be of the form ...

Question

Error applying IAM policy for folder ... googleapi: Error 400: Policy members must be of the form ...

maestrofx opened this issue 5 years ago · 7 comments

Hi there,

I have an error due to creation of folders in the organizations type as below

module.folders.google_folder_iam_binding.owners[2]: Creating...
module.folders.google_folder_iam_binding.owners[0]: Creating...
module.folders.google_folder_iam_binding.owners[1]: Creating...
module.folders.google_folder_iam_binding.owners[3]: Creating...

Error: Error applying IAM policy for folder "folders/NUMBER-HERE": Error setting IAM policy for folder "folders/NUMBER-HERE": googleapi: Error 400: Policy members must be of the form "<type>:<value>"., badRequest

  on .terraform/modules/folders/terraform-google-modules-terraform-google-folders-6764061/main.tf line 34, in resource "google_folder_iam_binding" "owners":
  34: resource "google_folder_iam_binding" "owners" {

...
repeated 3 times

Config state:

I grant a user with an organization level
Using service-account.json created in a project and adding the service-account's email (terraforming@cloud-infra-internal.iam.gserviceaccount.com into a member in an organization level (Role: Owner,Folder Admin, Folder IAM Admin, Organization Viewer)

Thanks.

Answer 1 · 2019-09-25T12:16:08.000Z

You need to prefix the email with serviceAccount:, no space after :. Terraform IAM-related resources need the type prefix as in the error message you pasted. Types are user, serviceAccount, group, domain.

Answer 2 · 2019-09-25T12:37:17.000Z

You need to prefix the email with serviceAccount:, no space after :. Terraform IAM-related resources need the type prefix as in the error message you pasted. Types are user, serviceAccount, group, domain.

Hi @ludoo,
Actually with the error as I described, it successfully created the folder.
But, I still didn't get your point. Pardon me.

Do you mean like this?

Answer 3 · 2019-09-25T12:50:18.000Z

So the error was not on the folder resource, but on the IAM policy for the folder, the resource in the message is module.folders.google_folder_iam_binding.owners.

From the console UI like in your screenshot, you just type emails/domains. From Terraform you need the type prefixes.

Answer 4 · 2019-09-25T15:15:04.000Z

Solved!
As I try to dig-in and see the resource's definition of google_folder_iam_binding in the docs [1].
It should be like this for terraform.tfvars

# ...
  per_folder_admins = [
    "user:alice@gmail.com",
    "serviceAccount:admin@cloud-infra-internal.iam.gserviceaccount.com"
  ]
  all_folder_admins = [
    "user:alice@gmail.com",
    "serviceAccount:admin@cloud-infra-internal.iam.gserviceaccount.com"
  ]

And, @ludoo, thanks for your help.

Ref:

https://www.terraform.io/docs/providers/google/r/google_folder_iam_binding.html

Answer 5 · 2019-09-25T15:27:18.000Z

Exactly, it's a bit puzzling the first time you hit this issue, then it becomes a habit. :)

Answer 6 · 2019-09-25T15:29:32.000Z

Should we consider improving the docs to make this clearer?

Answer 7 · 2019-09-25T17:52:53.000Z

Good idea. I'll send something in the coming days.