Hello community
I'm trying to create the following GCP resources:
- service account
- iam policy
- bucket
resource "google_service_account" "sa" {
  count      = length(var.service_accounts)
  account_id = var.service_accounts[count.index]
}

resource "google_service_account_key" "key" {
  count              = length(var.service_accounts)
  service_account_id = google_service_account.sa[count.index].name
  #private_key_type   = "TYPE_GOOGLE_CREDENTIALS_FILE"
}

resource "local_file" "json" {
  count    = length(var.service_accounts)
  content  = base64decode(google_service_account_key.key[count.index].private_key)
  filename = "../secrets/${element(var.service_accounts, count.index)}.json"
}

resource "google_project_iam_member" "jenkins-manager-role-storage-admin" {
  member = "serviceAccount:jenkins-manager@${var.global_params.project_id}.iam.gserviceaccount.com"
  role   = "roles/storage.admin"
}

resource "google_storage_bucket" "dataset-generator" {
  default_event_based_hold    = "false"
  force_destroy               = "false"
  location                    = "EUROPE-WEST3"
  name                        = "${var.global_params["project_id"]}-dataset-generator"
  requester_pays              = "false"
  storage_class               = "REGIONAL"
  uniform_bucket_level_access = "true"
}

resource "google_storage_bucket_iam_policy" "dataset-generator-policy" {
  bucket      = "b/${var.global_params["project_id"]}-dataset-generator"
  policy_data = <<POLICY
{
  "bindings": [
    {
      "members": [
        "serviceAccount:jenkins-manager@${var.global_params["project_id"]}.iam.gserviceaccount.com"
      ],
      "role": "roles/storage.admin"
    },
    {
      "members": [
        "projectEditor:${var.global_params["project_id"]}",
        "projectOwner:${var.global_params["project_id"]}"
      ],
      "role": "roles/storage.legacyBucketOwner"
    },
    {
      "members": [
        "projectViewer:${var.global_params["project_id"]}"
      ],
      "role": "roles/storage.legacyBucketReader"
    },
    {
      "members": [
        "projectEditor:${var.global_params["project_id"]}",
        "projectOwner:${var.global_params["project_id"]}"
      ],
      "role": "roles/storage.legacyObjectOwner"
    },
    {
      "members": [
        "projectViewer:${var.global_params["project_id"]}"
      ],
      "role": "roles/storage.legacyObjectReader"
    },
    {
      "members": [
        "serviceAccount:jenkins-manager@${var.global_params["project_id"]}.iam.gserviceaccount.com"
      ],
      "role": "roles/storage.objectAdmin"
    }
  ]
}
POLICY
}
On the first run I am unable to complete the creation of all resources.
The process is interrupted with the following error:
Error: Error setting IAM policy for storage bucket "b/decatest-dataset-generator": googleapi: Error 404: Not Found, notFound

  on storage_bucket_iam_policy.tf line 2, in resource "google_storage_bucket_iam_policy" "dataset-generator-policy":
   2: resource "google_storage_bucket_iam_policy" "dataset-generator-policy" {
On the second attempt it completes without problems:
[snip…]
google_storage_bucket_iam_policy.dataset-generator-policy: Creating…
google_storage_bucket_iam_policy.dataset-generator-policy: Creation complete after 1s [id=b/decatest-dataset-generator]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Then, if I run destroy, the process ends with the following error:
Error: Error setting IAM policy for storage bucket "b/decatest-dataset-generator": googleapi: Error 404: Not Found, notFound
It never completes even after several attempts.
The only solution is to remove the resource with `terraform state rm`.
Suggestions?
Thanks in advance
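A 404 on the first apply and again on destroy is what you get when the IAM policy resource has no dependency on the bucket: a literal string in `bucket` gives Terraform no ordering edge, so it may set the policy before the bucket exists and remove the bucket before the policy. The following is an added example, not the poster's configuration, that expresses the dependency by referencing the bucket resource; it assumes the same `var.global_params` variable as the post and keeps the same bindings.

```hcl
# Added example (not from the post). Assumes var.global_params["project_id"]
# exists as in the original configuration.
locals {
  project_id = var.global_params["project_id"]
  jenkins_sa = "serviceAccount:jenkins-manager@${var.global_params["project_id"]}.iam.gserviceaccount.com"
}

resource "google_storage_bucket" "dataset-generator" {
  name                        = "${local.project_id}-dataset-generator"
  location                    = "EUROPE-WEST3"
  storage_class               = "REGIONAL"
  force_destroy               = false
  uniform_bucket_level_access = true
}

# Build the policy document with the provider's data source instead of a
# hand-written heredoc. The *_iam_policy resource is authoritative: it replaces
# every binding on the bucket, so the default project-role bindings are kept
# here to avoid locking out project owners, editors and viewers.
data "google_iam_policy" "dataset-generator" {
  binding {
    role    = "roles/storage.admin"
    members = [local.jenkins_sa]
  }
  binding {
    role    = "roles/storage.legacyBucketOwner"
    members = ["projectEditor:${local.project_id}", "projectOwner:${local.project_id}"]
  }
  binding {
    role    = "roles/storage.legacyBucketReader"
    members = ["projectViewer:${local.project_id}"]
  }
  binding {
    role    = "roles/storage.legacyObjectOwner"
    members = ["projectEditor:${local.project_id}", "projectOwner:${local.project_id}"]
  }
  binding {
    role    = "roles/storage.legacyObjectReader"
    members = ["projectViewer:${local.project_id}"]
  }
  # objectAdmin is already implied by storage.admin above, so it is not repeated.
}

resource "google_storage_bucket_iam_policy" "dataset-generator-policy" {
  # Referencing the resource attribute (not "b/<name>") is what creates the
  # create-before / destroy-after ordering between policy and bucket.
  bucket      = google_storage_bucket.dataset-generator.name
  policy_data = data.google_iam_policy.dataset-generator.policy_data
}
```

With the reference in place, `terraform graph` shows an edge from the policy to the bucket, and a single apply or destroy runs in the right order without `terraform state rm`. Note that the project-level `roles/storage.admin` binding in the post already grants the same service account full access to every bucket in the project, which makes the bucket-level `storage.admin` binding redundant.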