"Invalid reference" for app-gen-eng-sandbox reference

Hi TF experts, I am trying to use the same code for two different loops with Google Cloud Service accounts with multiple roles, but I am getting these errors.

│ Error: Invalid reference
│
│   on main.tf line 89, in resource "google_project_iam_member" "admins":
│   89:    project = app-gen-eng-sandbox
│
│ A reference to a resource type must be followed by at least one attribute access, specifying the resource name.

Here is the complete code, main.tf:

variable "roles_for_gcp" {
  default = {
    "computevpc"             = "roles/compute.admin"
    "storage"                = "roles/storage.admin"
    /* "iam"                    = "roles/resourcemanager.projectIamAdmin"
    "kubernetes"             = "roles/container.admin"
    "datastore"              = "roles/datastore.owner"
    "googleappengine"        = "roles/appengine.appAdmin"
    "cloudfunctions"         = "roles/cloudfunctions.admin"
    "cloudscheduler"         = "roles/cloudscheduler.admin"
    "cloudtasks"             = "roles/cloudtasks.admin"
    "memorystore"            = "roles/redis.admin"
    "serverlessvpcconnector" = "roles/vpcaccess.admin"
    */
  }
}

locals {
  admin_role_memberships = [
    for pair in setproduct(keys(var.admins), values(var.roles_for_gcp)) : {
      username = pair[0]
      account  = "serviceAccount:${google_service_account.create-serviceaccounts[pair[0]].email}"
      role     = pair[1]
    }
  ]
}

locals {
  admin_role_mapping = {
    for m in local.admin_role_memberships : "${m.account} ${m.role}" => m
  }
}

# test service admin accounts
variable "admins" {
  default = {
    "joesmith"   = "my-service-test1"
    "alicebrown" = "my-service-test2"
    "anotherone" = "my-service-test3"
  }
}

resource "google_service_account" "create-serviceaccounts" {
  for_each   = var.admins
  account_id = each.key
}

resource "google_project_iam_member" "admins" {
  for_each = local.admin_role_mapping

  role    = each.value.role
  member  = each.value.account
  project = app-gen-eng-sandbox
}

Hi @naisu07-us,

Unfortunately this seems to be a correct error message, although worded in a confusing way: there isn’t anything named app-gen-eng-sandbox in this context and so Terraform can’t figure out what this is a reference to.

Unfortunately that name doesn’t appear anywhere else in your example and so I’m not sure what should replace it either. If you want to specify the literal name app-gen-eng-sandbox then you’d need to write it in quotes, like this:

  project = "app-gen-eng-sandbox"

Otherwise, if you have a google_project resource elsewhere in your module which you didn’t include in your example then you could potentially refer to it here to ensure that the project will always be created/updated before the IAM member.
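
The second option from the answer above, sketched as an added example that is not part of the original thread: the IAM bindings take the project ID from a google_project resource, so Terraform has a real reference to resolve and creates the project before any binding. The resource name "sandbox", the display name, the org_id variable and the shortened variable defaults are assumptions made for illustration.

```hcl
# Added example; "sandbox", var.org_id and the display name are assumptions.
variable "org_id" {
  type = string
}

variable "admins" {
  type    = map(string)
  default = { "joesmith" = "my-service-test1" }
}

variable "roles_for_gcp" {
  type    = map(string)
  default = { "storage" = "roles/storage.admin" }
}

# Hypothetical project resource; the thread does not show one.
resource "google_project" "sandbox" {
  name       = "App Gen Eng Sandbox"
  project_id = "app-gen-eng-sandbox"
  org_id     = var.org_id
}

resource "google_service_account" "create-serviceaccounts" {
  for_each   = var.admins
  project    = google_project.sandbox.project_id
  account_id = each.key
}

locals {
  # Keys use username and role only, both known at plan time, which
  # for_each requires of its keys. The e-mail stays in the value.
  admin_role_mapping = {
    for pair in setproduct(keys(var.admins), values(var.roles_for_gcp)) :
    "${pair[0]} ${pair[1]}" => {
      account = "serviceAccount:${google_service_account.create-serviceaccounts[pair[0]].email}"
      role    = pair[1]
    }
  }
}

resource "google_project_iam_member" "admins" {
  for_each = local.admin_role_mapping

  # An attribute reference, not a bare word: Terraform resolves it and
  # orders the project before every IAM binding.
  project = google_project.sandbox.project_id
  role    = each.value.role
  member  = each.value.account
}
```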