
400 error with the project_iam_additive resource #17737

miguelangelmorenochacon opened this issue Apr 1, 2024 · 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

1.5.4

Affected Resource(s)

project_iam_additive

Terraform Configuration

We're using the Google IAM module:

```hcl
module "carto_dw_project_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "v7.7.1"

  projects = [
    local.carto_dw_project_id,
    local.project_id
  ]
  bindings = transpose({
    "serviceAccount:${local.carto_dw_access_sa_name}@${local.project_id}.iam.gserviceaccount.com" = [
      "roles/bigquery.dataOwner",
    ]
  })

  depends_on = [google_service_account.carto_dw]
}
```

The final resource in the plan is:

```hcl
resource "google_project_iam_member" "project_iam_additive" {
  member  = "serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com"
  project = "carto-dw-ac-iz45b23s"
  role    = "roles/bigquery.dataOwner"
}
```

Our Google provider version is 5.7.0

Debug Output

```text
Error: Request `Create IAM Members roles/bigquery.connectionAdmin serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com for project "carto-dw-ac-iz45b23s"` returned error: Batch request and retried single request "Create IAM Members roles/bigquery.connectionAdmin serviceAccount:carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com for project \"carto-dw-ac-iz45b23s\"" both failed. Final error: Error applying IAM policy for project "carto-dw-ac-iz45b23s": Error setting IAM policy for project "carto-dw-ac-iz45b23s": googleapi: Error 400: Email 'cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com' is not the primary email address for unique ID '118050033781291738342' of deleted member 'cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com?uid=118050033781291738342'., badRequest
```

Expected Behavior

Changes applied without error

Actual Behavior

It throws a 400 error

Steps to reproduce

No response

Important Factoids

The Service Account mentioned in the error is not managed with Terraform and has apparently been deleted (CDW-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com?uid=118050033781291738342).

If that entry in the IAM policy is manually deleted, the Terraform apply works flawlessly.

References

No response

@ggtisc ggtisc added the forward/review In review; remove label to forward label Apr 1, 2024
ggtisc (Collaborator) commented Apr 2, 2024

Hi @miguelangelmorenochacon!

This error message seems to be related to Terraform attempting to create an IAM policy for a service account. It appears that there's an issue with the email address associated with the service account.

The error message indicates that the email address cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com is not the primary email address for the unique ID 118050033781291738342 of a deleted member.

From this point you need to check the email address and the unique ID:

  1. Terraform attempted to create an IAM policy for a service account with the email address carto-dw-access@carto-ps-mndps-safety-pro.iam.gserviceaccount.com in the project carto-dw-ac-iz45b23s
  2. Both a batch request and a retried single request failed
  3. The final error states that setting the IAM policy failed due to a Google API error with status code 400 (Bad Request).
  4. The specific error message from the Google API indicates that the email address cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com is not the primary email address for the unique ID 118050033781291738342 of a deleted member.

It seems there may be a mismatch or inconsistency in the IAM configuration or the service account's state in the GCP project. You might need to investigate the state of the service account, ensure it exists and is properly configured, and verify that the email address associated with it matches the one Terraform is attempting to use. Additionally, check for any deleted members or outdated configurations that might be causing this issue.

miguelangelmorenochacon (Author) commented

But I don't understand: the Service Account IAM policy I'm trying to set has nothing to do with cdw-0-65eb0843b9fa2e60a7898916@carto-dw-ac-iz45b23s.iam.gserviceaccount.com, so why is Terraform failing because of an external IAM policy not declared in the Terraform code? Why aren't those resources completely independent?

ggtisc (Collaborator) commented Apr 3, 2024

@miguelangelmorenochacon this is an issue related to your user permissions; you need to read the Terraform documentation for permissions to understand that both are separate topics. This issue was replicated with a simple configuration without error messages, as in this link.
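Why the write fails on a member that the configuration never mentions, shown as an added example that is not part of the issue thread or of the Terraform Google provider's code: `google_project_iam_member` does not write one binding in isolation. It reads the project's complete IAM policy, merges the requested member into the matching role, and sends the whole policy back with `setIamPolicy`, which is the call the "Error setting IAM policy for project" text refers to. Every other member already in that policy, including one the API reports as deleted, is part of that write. The policy document, the `etag` value and the helper names (`deleted_members`, `add_member`, `prune_deleted`) below are constructed for the example; the member strings only mimic the shape seen in the error.

```python
"""Read-modify-write behind an additive project IAM member.

Added example, not code from the issue or from the Terraform Google provider.
The whole project policy is the unit of change, so a stale entry for an
unrelated, deleted principal is carried along into the write.
"""
import copy
import json
import re

# Constructed sample of what getIamPolicy might return for the project.
# Cloud IAM marks a principal whose account was deleted after the binding
# was created with a "deleted:" prefix and a "?uid=<unique id>" suffix.
SAMPLE_POLICY = {
    "etag": "BwXyz123",  # constructed; the real etag is opaque
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {
            "role": "roles/bigquery.connectionAdmin",
            "members": [
                "deleted:serviceAccount:cdw-0-65eb0843b9fa2e60a7898916"
                "@carto-dw-ac-iz45b23s.iam.gserviceaccount.com"
                "?uid=118050033781291738342",
            ],
        },
    ],
}

# Either marker identifies a principal the API considers deleted.
DELETED_RE = re.compile(r"^deleted:|\?uid=\d+$")


def deleted_members(policy):
    """Return (role, member) pairs the policy still carries for deleted principals."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if DELETED_RE.search(member)
    ]


def add_member(policy, role, member):
    """Merge one member into one role, the way an additive member resource does.

    Returns the *entire* policy that would be sent to setIamPolicy, not only
    the binding being added. The input is left untouched and an already
    present member is not duplicated. Conditional bindings are skipped so a
    plain grant never lands in a binding that carries an IAM condition.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def prune_deleted(policy):
    """Drop deleted principals before writing, mirroring the manual console
    cleanup the reporter describes. A binding left with no members is dropped
    too, since it carries no grant. The etag is kept so the write still
    detects concurrent changes."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        binding["members"] = [
            m for m in binding["members"] if not DELETED_RE.search(m)
        ]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


if __name__ == "__main__":
    sa = ("serviceAccount:carto-dw-access"
          "@carto-ps-mndps-safety-pro.iam.gserviceaccount.com")
    print("stale principals in the fetched policy:", deleted_members(SAMPLE_POLICY))
    written = add_member(SAMPLE_POLICY, "roles/bigquery.dataOwner", sa)
    # The stale member is still in the body that would be written back.
    print("stale principals in the write body:", deleted_members(written))
    print(json.dumps(prune_deleted(written), indent=2))
```

Feeding the real policy, for example the JSON from `gcloud projects get-iam-policy PROJECT --format=json`, into `deleted_members` lists the stale principals an apply would otherwise carry along. `prune_deleted` removes grants from the policy, so review its output against the current bindings before writing it back.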
