Error updating ACL for bucket: Invalid argument - google-cloud-platform

I am trying to create a container registry and add the service account with the OWNER role by changing the google_storage_bucket_acl.
According to the docs, the name of that bucket can be accessed via google_container_registry.<name>.id.
resource "google_container_registry" "registry" {
  project  = var.project_id
  location = "EU"
}

resource "google_storage_bucket_acl" "image_store_acl" {
  depends_on = [google_container_registry.registry]
  bucket     = google_container_registry.registry.id
  role_entity = [
    "OWNER:${local.terraform_service_account}",
  ]
}
$ terraform plan
...
Terraform will perform the following actions:

  # google_storage_bucket_acl.image_store_acl will be created
  + resource "google_storage_bucket_acl" "image_store_acl" {
      + bucket      = "eu.artifacts.dev-00-ebcd.appspot.com"
      + id          = (known after apply)
      + role_entity = [
          + "OWNER:terraform-service-account#dev-00-ebcd.iam.gserviceaccount.com",
        ]
    }

Plan: 1 to add, 0 to change, 0 to destroy.
However, if I run terraform apply, the following error is what I get:
google_storage_bucket_acl.image_store_acl: Creating...
╷
│ Error: Error updating ACL for bucket eu.artifacts.dev-00-ebcd.appspot.com: googleapi: Error 400: Invalid argument., invalid
│
│ with google_storage_bucket_acl.image_store_acl,
│ on docker.tf line 6, in resource "google_storage_bucket_acl" "image_store_acl":
│ 6: resource "google_storage_bucket_acl" "image_store_acl" {
│
╵
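The entity half of every `ROLE:entity` pair in `role_entity` has to name its type: `user-<email>`, `group-<email>`, `domain-<domain>`, `project-<team>-<projectnumber>`, `allUsers` or `allAuthenticatedUsers`. A bare service-account email, which is what the plan above sends, is not a valid GCS ACL entity and the API rejects it with a 400. The configuration below is an added example, not code from the question; it assumes `local.terraform_service_account` holds the service account's email address, and it shows the IAM binding that is the better way to grant the same access.

```hcl
resource "google_container_registry" "registry" {
  project  = var.project_id
  location = "EU"
}

# Option A: legacy bucket ACL. The entity needs its "user-" prefix.
# Caveat: this resource replaces the bucket's *entire* ACL, so any entry
# not listed here (for example the default project-owners/editors entries)
# loses its bucket-level grant. List everything you want to keep.
resource "google_storage_bucket_acl" "image_store_acl" {
  bucket = google_container_registry.registry.id # bucket name, e.g. eu.artifacts.<project>.appspot.com
  role_entity = [
    "OWNER:user-${local.terraform_service_account}",
  ]
}

# Option B (preferred): grant the service account through bucket IAM.
# This is additive, leaves other principals untouched, and is the model
# Google Cloud tooling expects. roles/storage.admin is the IAM equivalent of
# the OWNER the question was after; a pull-only consumer needs
# roles/storage.objectViewer instead.
resource "google_storage_bucket_iam_member" "image_store_admin" {
  bucket = google_container_registry.registry.id
  role   = "roles/storage.admin"
  member = "serviceAccount:${local.terraform_service_account}"
}
```

Use one of the two options, not both: mixing legacy ACLs with IAM on the same bucket makes the effective permissions hard to audit, and IAM alone is enough for `docker push`/`docker pull` against the registry bucket.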

Related

Error when using Terraform Plan and Google Provider "Cannot determine region"

When I do a 'terraform plan', I get the following error:
│ Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.
│
│
│ Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.
│
│
Operation failed: failed running terraform plan (exit 1)
My provider looks like this
provider "google" {
  project = "test"
  region  = "europe-west2"
  zone    = "europe-west2-c"
}

An example of a resource is

resource "google_bigquery_dataset" "test" {
  location      = "EU"
  dataset_id    = "test"
  friendly_name = "test"
}

Terraform - Error when Creating Lambda Versions

I'm trying to set up an AWS-Terraform-GitHub pipeline for a serverless app. In Terraform I define a Lambda function, and on push I want to update the function code and create a new Lambda function version (to be used with an alias at a later date).
This is my code:
data "archive_file" "zip" {
  type        = "zip"
  source_file = "${path.module}/lambda/hello.js"
  output_path = "${path.module}/lambda/hello.zip"
}

resource "aws_lambda_function" "hello_terraform" {
  filename         = data.archive_file.zip.output_path
  source_code_hash = filebase64sha256(data.archive_file.zip.output_path)
  function_name    = var.project_name
  role             = aws_iam_role.lambda_role.arn
  handler          = "hello.handler"
  runtime          = "nodejs12.x"
  timeout          = 10
  publish          = true
}

data "aws_iam_policy_document" "lambda_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_role" {
  name               = "${var.project_name}-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
}
When I do the initial push, or a change that does not involve the Lambda function code, everything works. However, when I make a code modification I get this error in the GitHub workflow (on terraform apply):
│ Error: Error publishing Lambda Function (lambda-terraform-github-actions) version: ResourceConflictException: The operation cannot be performed at this time. An update is in progress for resource: arn:aws:lambda:us-east-1:961736190498:function:lambda-terraform-github-actions
│ {
│ RespMetadata: {
│ StatusCode: 409,
│ RequestID: "d8c86252-a471-46be-9662-751fc935083c"
│ },
│ Message_: "The operation cannot be performed at this time. An update is in progress for resource: arn:aws:lambda:us-east-1:961736190498:function:lambda-terraform-github-actions",
│ Type: "User"
│ }
│
│ with aws_lambda_function.hello_terraform,
│ on lambda.tf line 9, in resource "aws_lambda_function" "hello_terraform":
│ 9: resource "aws_lambda_function" "hello_terraform" {
│
╵
Operation failed: failed running terraform apply (exit 1)
I tried adding depends_on, but I still have the same problem.
I also tried the same thing in a local environment, running terraform apply on the same code without the pipeline, but the same thing happens.
If I remove "publish", terraform apply works and the function gets updated, but of course there is no new function version.

Terraform bucket ACL with for_each

I'm trying to build multiple S3 buckets, each with its own ACL configuration.
The problem is that I won't know the ID of each bucket until it is created, and I need the ID in order to pass the ACL to be set.
When I run terraform validate with the code below there is no error. But after running the plan it tries to access the ID value within the values I configured for each bucket, and since the ID does not exist it returns an error.
locals {
  bucket_settings = {
    bucket-code-pipeline = {
      name = "cache-codepipeline-${var.env}-bucket-01"
      acl  = "private"
    },
    bucket-alb = {
      name = "alb-logs-${var.env}-bucket-02"
      acl  = "private"
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  for_each = local.bucket_settings
  bucket   = each.value.name
}

resource "aws_s3_bucket_acl" "acl" {
  for_each = local.bucket_settings
  bucket   = local.bucket_settings[each.value.id]
  acl      = each.value.acl
}
➜ s3 git:(master) ✗ terraform validate
Success! The configuration is valid.
➜ s3 git:(master) ✗ terraform plan
var.env
Enter a value: dev
╷
│ Error: Unsupported attribute
│
│ on s3-buckets.tf line 37, in resource "aws_s3_bucket_acl" "acl":
│ 37: bucket = local.bucket_settings[each.value.id]
│ ├────────────────
│ │ each.value is object with 2 attributes
│
│ This object does not have an attribute named "id".
I'd like to understand why I can't access the bucket ID through each.value.id.
Instead of
bucket = local.bucket_settings[each.value.id]
it should be
bucket = aws_s3_bucket.bucket[each.key].id
or
bucket = each.value.name
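The answer's first form, carried through to a full configuration as an added example (not the asker's code or the answer's): the ACL resource iterates over the same map and looks the bucket up by `each.key`, so the reference resolves only after the bucket exists. Two more resources are included because `PutBucketAcl` no longer succeeds on a fresh bucket without them: S3 now creates buckets with ACLs disabled (`BucketOwnerEnforced`), and the ACL call fails with `AccessControlListNotSupported` unless object ownership is relaxed first. The public access block is kept in either case.

```hcl
locals {
  bucket_settings = {
    bucket-code-pipeline = {
      name = "cache-codepipeline-${var.env}-bucket-01"
      acl  = "private"
    }
    bucket-alb = {
      name = "alb-logs-${var.env}-bucket-02"
      acl  = "private"
    }
  }
}

resource "aws_s3_bucket" "bucket" {
  for_each = local.bucket_settings
  bucket   = each.value.name
}

# Required before any ACL can be set: new buckets default to
# BucketOwnerEnforced, under which the ACL API is rejected outright.
# BucketOwnerPreferred re-enables ACLs while keeping the bucket owner in
# control of objects uploaded with bucket-owner-full-control.
resource "aws_s3_bucket_ownership_controls" "bucket" {
  for_each = aws_s3_bucket.bucket
  bucket   = each.value.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "acl" {
  for_each   = local.bucket_settings
  depends_on = [aws_s3_bucket_ownership_controls.bucket]

  # The bucket resource's own id, keyed by the same map key; each.value is
  # only the {name, acl} object from locals and never has an id.
  bucket = aws_s3_bucket.bucket[each.key].id
  acl    = each.value.acl
}

# Keep public ACLs and public policies blocked regardless of the ACL above.
resource "aws_s3_bucket_public_access_block" "bucket" {
  for_each = aws_s3_bucket.bucket
  bucket   = each.value.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

If every entry in the map really is `private`, as here, the cleanest option is to delete the `aws_s3_bucket_acl` and `aws_s3_bucket_ownership_controls` resources altogether: a bucket with ACLs disabled is already private, and access is then governed only by IAM and the bucket policy, which is easier to audit than a mix of ACL grants and policy statements.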

ValidationError: The specified value for roleName is invalid

I successfully applied and deployed this script a week ago. I have made 0 changes since then, to the script or to other factors used within it. Running it this morning throws this:
Terraform v1.0.8
on linux_amd64
Configuring remote state backend...
Initializing Terraform configuration...
aws_iam_role.iam_for_lambda: Refreshing state... [id=iam_for_lambda]
aws_lambda_function.lambda: Refreshing state... [id=MissingPostedTransactions]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_role_policy_attachment.tf_vpc_execution_policy will be created
  + resource "aws_iam_role_policy_attachment" "tf_vpc_execution_policy" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
      + role       = "arn:aws:iam::<arn no>:role/iam_for_lambda"
    }
Then I type "yes" to apply the supposed "change", and I get this:
aws_iam_role_policy_attachment.tf_vpc_execution_policy: Creating...
╷
│ Error: Error attaching policy arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole to IAM Role arn:aws:iam::<arn no>:role/iam_for_lambda: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.#_-
│ status code: 400, request id: 8d354476-df67-4c2d-b3b8-c7aa7efce060
│
│ with aws_iam_role_policy_attachment.tf_vpc_execution_policy,
│ on main.tf line 55, in resource "aws_iam_role_policy_attachment" "tf_vpc_execution_policy":
│ 55: resource "aws_iam_role_policy_attachment" "tf_vpc_execution_policy" {
What am I missing here?
Everything is OK in your resources, except that you should specify role_name and not role_arn. Please refer to the Terraform documentation for more info:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment

      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
      + role       = "<ROLE_NAME>"
    }
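What the answer describes, written out in HCL as an added example (the question only shows plan output, so the role and attachment below are my reconstruction, not the asker's file): `role` takes the role's name, and an ARN cannot be a valid name because it contains `:` and `/`, which are outside the character set the error message lists.

```hcl
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "iam_for_lambda" {
  name               = "iam_for_lambda"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# `role` is the role *name*, so reference .name, not .arn. Passing the ARN
# produces exactly the ValidationError in the question, because
# "arn:aws:iam::<account>:role/iam_for_lambda" contains ':' and '/'.
resource "aws_iam_role_policy_attachment" "tf_vpc_execution_policy" {
  role       = aws_iam_role.iam_for_lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
```

Two things worth knowing about this attachment: the AWS-managed `AWSLambdaVPCAccessExecutionRole` policy grants the ENI create/describe/delete permissions a VPC-attached function needs plus CloudWatch Logs write, which is the usual minimum for that case, and `aws_iam_role_policy_attachment` is non-exclusive, so it never removes policies that were attached to the role outside Terraform. Review the role's attached policies in IAM if you expect Terraform to be the single source of truth for them.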

terraform create pub/sub on gcp gives error

I have the following Terraform file:
provider "google" {
  project = "prj1-user"
  region  = "APAC"
  zone    = "australia-southeast1-a"
}

resource "google_pubsub_topic" "prj1-messages" {
  name = "prj1Messages"
  labels = {
    foo = "bar"
  }
}
However, when I try to provision this through terraform apply I get the following error:
│ Error: Error creating Topic: Put "https://pubsub.googleapis.com/v1/projects/prj1-user/topics/prj1Messages?alt=json": oauth2/google: invalid token JSON from metadata: EOF
│
│ with google_pubsub_topic.brwmessages,
│ on main.tf line 7, in resource "google_pubsub_topic" "prj1Messages":
│ 7: resource "google_pubsub_topic" "prj1Messages" {
The version I'm using is:
Terraform v1.0.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.71.0
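`oauth2/google: invalid token JSON from metadata: EOF` is the Go OAuth library failing to fetch a token from the GCE metadata server. The provider only goes to the metadata server when it finds no other credentials (no `credentials` argument, none of `GOOGLE_CREDENTIALS`/`GOOGLE_APPLICATION_CREDENTIALS` set, and no Application Default Credentials on disk), so on a workstation the message means Terraform has nothing to authenticate with; the topic definition itself is not at fault. Separately, `"APAC"` is not a Google Cloud region. Pub/Sub topics are global, so it does no harm here, but any regional resource added later would fail on it. The provider block below is an added example and not the asker's file; the service-account name in it is assumed.

```hcl
# Added example. Authenticate through Application Default Credentials rather
# than a downloaded key file. On a workstation, run once before `terraform apply`:
#   gcloud auth application-default login
# In CI, set GOOGLE_APPLICATION_CREDENTIALS to a key file the job can read,
# or give the job an identity of its own and impersonate as shown below.
provider "google" {
  project = "prj1-user"
  region  = "australia-southeast1"   # a real region; "APAC" is not one
  zone    = "australia-southeast1-a"

  # Optional. Lets the caller's ADC identity act as a dedicated deployer
  # service account without anyone holding that account's key. The caller
  # needs roles/iam.serviceAccountTokenCreator on the target account.
  # Account name is an assumption for the example.
  impersonate_service_account = "terraform-deployer@prj1-user.iam.gserviceaccount.com"
}

resource "google_pubsub_topic" "prj1-messages" {
  name = "prj1Messages"
  labels = {
    foo = "bar"
  }
}
```

A quick way to confirm the diagnosis before touching the config: `gcloud auth application-default print-access-token` should print a token on the machine running Terraform. If it errors, the provider has no credentials to use either.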