
google_storage_bucket_iam* does not allow project per the docs #7170

Closed
GavBurke opened this issue Sep 1, 2020 · 14 comments · Fixed by GoogleCloudPlatform/magic-modules#6666, hashicorp/terraform-provider-google-beta#4793 or #12808

Comments

@GavBurke

GavBurke commented Sep 1, 2020

Terraform Version

Terraform v0.12.23

Affected Resource(s)

  • google_storage_bucket_iam*

Terraform Configuration Files

resource "google_storage_bucket_iam_member" "hidden_name_of_iam" {
  project = "my_changed_project"
  bucket  = "my_bucket_name"
  role    = "roles/storage.objectAdmin"
  member  = "serviceAccount:${module.dev-core-sch-tasks.service_account}"
}

Debug Output

Error: Unsupported argument

on permissions.tf line 2, in resource "google_storage_bucket_iam_member" "hidden_name_of_iam":
2: project = "my_changed_project"

An argument named "project" is not expected here.

Expected Behavior

IAM policy is applied to the named bucket in the named project

Actual Behavior

The terraform plan errors, not expecting project.

Steps to Reproduce

  1. Use the above snippet of code
  2. terraform plan
@ghost ghost added the bug label Sep 1, 2020
@edwardmedia edwardmedia self-assigned this Sep 1, 2020
@edwardmedia
Contributor

@GavBurke can you post the debug log?

@ct-dh

ct-dh commented Sep 9, 2020

Simple repro with debug log attached for a terraform plan:

provider "google" {
  project     = "some-project"
  region      = "europe-west1"
}

resource "google_storage_bucket_iam_member" "hidden_name_of_iam" {
  project = "my_changed_project"
  bucket  = "my_bucket_name"
  role    = "roles/storage.objectAdmin"
  member  = "bob"
}

debug.log

@ghost ghost removed the waiting-response label Sep 9, 2020
@GavBurke
Author

GavBurke commented Sep 9, 2020

Thanks @ct-dh, sorry I completely forgot to come back to this @edwardmedia

Just for info though, a colleague of mine suggested removing the project and let Google figure out itself which project the bucket is in, and to my surprise that just worked!

The original issue, however, is still present in that the documentation says you can specify project in the bucket_iam resources, but that doesn't work.

@edwardmedia
Contributor

@GavBurke by removing project, the Google provider will pick the default value you have already set on your box. It will not work if you have not done so. Below is the link to the detailed description you may want to review. I am glad you have got the answer and am closing this issue then.

https://www.terraform.io/docs/providers/google/guides/provider_reference.html#project-1

@ct-dh

ct-dh commented Sep 9, 2020

@edwardmedia you seem to have misunderstood the issue. The provider docs state that you can supply the project attribute on the resource, but you can't. If you do the provider complains as below and the run fails. The easiest fix in my mind is to remove that attribute from the docs.

Error: Unsupported argument

  on main.tf line 12, in resource "google_storage_bucket_iam_member" "hidden_name_of_iam":
  12:   project = "my_changed_project"

An argument named "project" is not expected here.

Excerpt from the docs page at https://www.terraform.io/docs/providers/google/r/storage_bucket_iam.html:

project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

@mvn-srizzari

mvn-srizzari commented Oct 9, 2020

I'm also facing this issue in Terraform v0.13.3, provider registry.terraform.io/hashicorp/google v3.42.0. Seems like this was closed without addressing the problem brought up. Can someone reopen it please? Thanks in advance.

@ghost

ghost commented Oct 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Oct 10, 2020
@edwardmedia edwardmedia reopened this Apr 1, 2021
@edwardmedia
Contributor

edwardmedia commented Apr 1, 2021

This resource assigns a policy on a bucket, which is globally unique and whose relation to a project is already specified. It does not make sense to take a project. Agreed with @ct-dh's suggestion, going to remove the project from the docs.

@melinath
Collaborator

b/169953815

@sairajm

sairajm commented Sep 17, 2021


FWIW, I still see the project in the documentation. I get @edwardmedia's point about not requiring it because bucket name is unique, but please do remove it from the docs. It's confusing. I see that https://github.com/GoogleCloudPlatform/magic-modules/pull/4899 is still open and that should fix it.

@mariux

mariux commented Oct 5, 2022

This resource assigns a policy on a bucket, which is globally unique and whose relation to a project is already specified. It does not make sense to take a project. Agreed with @ct-dh's suggestion, going to remove the project from the docs.

We just had a case where we moved a bucket to a new project and the initial plan did not trigger any IAM recreation, as terraform does not know about the underlying relationship. For terraform the bucket name stays the same, so no changes were planned.

I assume there is a trigger missing if the underlying project of a bucket actually changes? We will work around this with explicit dependencies now in a module...

@roaks3
Collaborator

roaks3 commented Oct 6, 2022

I see that GoogleCloudPlatform/magic-modules#4662 and GoogleCloudPlatform/magic-modules#4899 were both attempts at fixing this, but they do not entirely work and have been stalled for quite a while. There is agreement that the project parameter should be removed from the docs, but in this case it is slightly more complicated because this line of the documentation is shared across many resources.

@mariux I think explicit dependencies are what you want to use in your case, but to clarify, that would be for the google_storage_bucket resource, correct? The IAM resource mentioned in this issue would most likely depend on the bucket implicitly by using something like bucket = google_storage_bucket.default.name. If that's the case, I would suggest creating a separate issue if you have a question about that configuration or think there is a problem with the provider. That will allow us to work on and close out this documentation issue independently.
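The configuration the thread converges on, written out as an added example (not code from the issue or from the provider's docs): the bucket resource carries the project, the IAM resource drops `project` and references the bucket by name, which also gives the implicit dependency roaks3 describes. All names, the service account address and the `replace_triggered_by` lifecycle setting are assumptions added here, not taken from the issue.

```hcl
# Added example; resource names, bucket/project ids and the service account
# are placeholders, not values from the issue.

provider "google" {
  project = "some-project"   # provider default project
  region  = "europe-west1"
}

resource "google_storage_bucket" "default" {
  name     = "my_bucket_name"     # bucket names are globally unique
  project  = "my_changed_project" # the project relationship lives here
  location = "EU"
}

# Rejected by the provider, as reported in the issue:
#   An argument named "project" is not expected here.
# resource "google_storage_bucket_iam_member" "broken" {
#   project = "my_changed_project"
#   bucket  = "my_bucket_name"
#   role    = "roles/storage.objectAdmin"
#   member  = "serviceAccount:tasks@my-changed-project.iam.gserviceaccount.com"
# }

# Accepted: no project argument. Referencing the bucket resource (rather than
# a literal name) creates an implicit dependency on google_storage_bucket.default,
# so the binding is created after the bucket exists.
resource "google_storage_bucket_iam_member" "object_admin" {
  bucket = google_storage_bucket.default.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:tasks@my-changed-project.iam.gserviceaccount.com"

  # Assumed addition (Terraform >= 1.2): if the bucket is ever replaced, for
  # example because its project changes, plan the binding's replacement in the
  # same run instead of only noticing it is missing on a later refresh.
  lifecycle {
    replace_triggered_by = [google_storage_bucket.default.id]
  }
}
```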

@roaks3
Collaborator

roaks3 commented Oct 6, 2022

b/251565688

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 17, 2022