
Problem having log-export and logbucket destination on same project #116

@felipecrescencio-cit

Description


TL;DR

When trying to use the log-export module for a project "X" and create the destination logbucket on the same project "X", it raises an error.

Expected behavior

Create the log sink resource (based on log-export module) and logbucket as a destination of the sink.

Observed behavior

It raised the following error because the field log_sink_writer_identity in module.destination has a blank value:

Error: Request `Create IAM Members roles/logging.bucketWriter  for project "my-project"` returned error: Error applying IAM policy for project "my-project": Error setting IAM policy for project "my-project": googleapi: Error 400: Policy members must be of the form "<type>:<value>".
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Policy members must be prefixed of the form '\u003ctype\u003e:\u003cvalue\u003e', where \u003ctype\u003e is 'domain', 'group', 'serviceAccount', or 'user'.",
        "field": "policy.bindings.member"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "cloudresourcemanager.googleapis.com",
    "reason": "PROJECT_SET_IAM_DISALLOWED_MEMBER_TYPE"
  },
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "resourceName": "projects/my-project"
  }
]
, badRequest

  on .terraform/modules/destination_logbucket/modules/logbucket/main.tf line 45, in resource "google_project_iam_member" "logbucket_sink_member":
  45: resource "google_project_iam_member" "logbucket_sink_member" {

Terraform Configuration

module "log_export" {
  source  = "terraform-google-modules/log-export/google"
  version = "~> 7.3.0"

  destination_uri        = module.destination_logbucket.destination_uri
  filter                 = ""
  log_sink_name          = "my-sink-name"
  parent_resource_id     = "my-project"
  parent_resource_type   = "project"
  unique_writer_identity = true
  include_children       = true
}

module "destination_logbucket" {
  source  = "terraform-google-modules/log-export/google//modules/logbucket"
  version = "~> 7.4.0"

  project_id               = "my-project"
  name                     = "my-log-bucket-name"
  log_sink_writer_identity = module.log_export.writer_identity
  location                 = "us-east4"
  retention_days           = "30"
}

Terraform Version

Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/google v4.27.0
+ provider registry.terraform.io/hashicorp/google-beta v4.27.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

Additional information

According to the Configure and manage sinks documentation:

If you're using a sink to route logs between Logging buckets in the same Cloud project, no new service account is created; the sink works without the unique writer identity.
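One way a destination module can avoid the failing binding, written here as an added example rather than code from the log-export module or the reporter: the IAM member is created only when the caller says a writer identity exists, using a plain boolean (known at plan time) instead of testing the computed writer_identity, which Terraform cannot evaluate in count before apply. Resource, variable and output names are assumptions.

```hcl
# Added example (not the log-export module's own code). Names are hypothetical.

variable "project_id" {
  type = string
}

variable "log_sink_writer_identity" {
  type        = string
  description = "Writer identity returned by the sink module; empty when Logging routes logs between buckets in the same project and creates no service account."
  default     = ""
}

# Set to false when the sink and the bucket live in the same project.
# A boolean input is used because count must be known at plan time, and
# the sink's writer_identity is a computed attribute.
variable "bind_writer_identity" {
  type    = bool
  default = true
}

resource "google_logging_project_bucket_config" "bucket" {
  project        = var.project_id
  location       = "us-east4"
  retention_days = 30
  bucket_id      = "my-log-bucket-name"
}

# Bind roles/logging.bucketWriter only when there is a member to bind.
# An empty member string is rejected by the API with
# "Policy members must be of the form <type>:<value>", the error in this issue.
resource "google_project_iam_member" "logbucket_sink_member" {
  count   = var.bind_writer_identity ? 1 : 0
  project = var.project_id
  role    = "roles/logging.bucketWriter"
  member  = var.log_sink_writer_identity
}

# Destination URI format for a Logging bucket, usable as the sink's destination_uri.
output "destination_uri" {
  value = "logging.googleapis.com/projects/${var.project_id}/locations/${google_logging_project_bucket_config.bucket.location}/buckets/${google_logging_project_bucket_config.bucket.bucket_id}"
}
```

With bind_writer_identity = false the plan creates the bucket and no IAM member, so a same-project sink with unique_writer_identity left at its default still applies cleanly.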

Labels: P2 (high priority issues), bug (Something isn't working), good first issue (Good for newcomers), triaged (Scoped and ready for work)