
google_iap_web_backend_service_iam_policy parsing forward slash in web_backend_service #8902

Closed
justin-yan opened this issue Apr 13, 2021 · 5 comments
@justin-yan

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

$ terraform -v
Terraform v0.14.10
+ provider registry.terraform.io/hashicorp/google v3.64.0

Affected Resource(s)

  • google_iap_web_backend_service_iam_policy

Terraform Configuration Files

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "3.64.0"
    }
  }
}

provider "google" {
  project = "myprojectname"
  region  = "us-central1"
  zone    = "us-central1-c"
}

data "google_iam_policy" "policy" {
  binding {
    role = "roles/iap.httpsResourceAccessor"
    members = [
      "domain:mydomain.com",
    ]
  }
}

resource "google_iap_web_backend_service_iam_policy" "policy" {
  project = "myprojectname"
  web_backend_service = "default/sps"
  policy_data = data.google_iam_policy.policy.policy_data
}

I've changed the projectname and the member domain, but this otherwise is the config we're using.

Expected Behavior

terraform apply should create an IAP permission policy for the backendservice default/sps.

Actual Behavior

I get the following error:

Error: Error setting IAM policy for iap webbackendservice "projects/default/iap_web/compute/services/sps": googleapi: Error 403: Permission denied on resource project default.

It looks like including a forward slash in web_backend_service (e.g. default/sps) results in the project being set to default instead of myprojectname. Removing the forward slash, with say default-sps, seems to resolve the project and service name correctly.

Steps to Reproduce

  1. terraform apply

References
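The report above observes that `web_backend_service = "default/sps"` produced the path `projects/default/iap_web/compute/services/sps`, so the slash-separated value was read as `<project>/<service>` and overrode the explicitly configured project. The following Python is an added illustration of that failure mode and a stricter alternative; it is a model written for this page, not the Terraform provider's own code, and the list of accepted identifier spellings is an assumption.

```python
import re

# Assumed accepted spellings of the identifier, most specific first. With a
# lenient parser, a bare "default/sps" matches the "<project>/<service>"
# form and the project from the provider/resource block is discarded.
_ID_FORMATS = [
    r"^projects/(?P<project>[^/]+)/iap_web/compute/services/(?P<service>[^/]+)$",
    r"^(?P<project>[^/]+)/(?P<service>[^/]+)$",
    r"^(?P<service>[^/]+)$",
]

# Compute Engine resource names: a lowercase letter, then lowercase letters,
# digits or hyphens, ending in a letter or digit, 1-63 characters. A slash
# can never be part of a backend service name.
_GCE_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")


def resolve_lenient(provider_project, web_backend_service):
    """Return (project, service) the way a multi-format identifier parser
    would: the first matching pattern wins, and a project captured from the
    identifier takes precedence over the one passed in."""
    for fmt in _ID_FORMATS:
        m = re.match(fmt, web_backend_service)
        if m:
            project = m.groupdict().get("project") or provider_project
            return project, m.group("service")
    raise ValueError(f"unparseable identifier: {web_backend_service!r}")


def resolve_strict(provider_project, web_backend_service):
    """Accept only a bare, valid backend service name, so the service
    argument can never redirect the IAM policy to a different project."""
    if not _GCE_NAME_RE.match(web_backend_service):
        raise ValueError(
            "web_backend_service must be a bare backend service name, got "
            f"{web_backend_service!r}"
        )
    return provider_project, web_backend_service


def iam_resource_path(project, service):
    """Build the IAP resource path the IAM policy is applied to."""
    return f"projects/{project}/iap_web/compute/services/{service}"


if __name__ == "__main__":
    # Reproduces the path from the error message in the report.
    print(iam_resource_path(*resolve_lenient("myprojectname", "default/sps")))
```

The lenient resolver yields the misdirected path from the issue, while the strict one rejects the value up front instead of relying on a 403 from the wrong project.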

@ghost ghost added the bug label Apr 13, 2021
@justin-yan
Author

Apologies if this behavior is as intended and isn't actually a bug! I couldn't find documentation on the legal formatting of web_backend_service (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#web_backend_service) and whether forward slashes are expected to be unsupported.

@edwardmedia edwardmedia self-assigned this Apr 14, 2021
@edwardmedia
Contributor

edwardmedia commented Apr 14, 2021

@justin-yan you might want to use a reference to the backendservice (resource or data source) instead.

Here is an example that you might want to take a look at.

resource "google_iap_web_backend_service_iam_policy" "policy" {
  project = "myprojectname"
  web_backend_service = data.google_compute_backend_service.baz.name
  # web_backend_service = google_compute_backend_service.default.name
  policy_data = data.google_iam_policy.policy.policy_data
}

data "google_compute_backend_service" "baz" {
  name = "foobar"
}

resource "google_compute_backend_service" "default" {
  name          = "backend-service"
  health_checks = [tolist(data.google_compute_backend_service.baz.health_checks)[0]]
}

@justin-yan
Author

justin-yan commented Apr 14, 2021

Thanks for the suggestion! I tried adding the following:

data "google_compute_backend_service" "sps" {
  name = "default/sps"
}

resource "google_iap_web_backend_service_iam_policy" "policy" {
  project = "myprojectname"
  web_backend_service = data.google_compute_backend_service.sps.name
  policy_data = data.google_iam_policy.policy.policy_data
}

But I get

$ terraform plan

Error: Missing required argument

  on iam.tf line 42, in resource "google_iap_web_backend_service_iam_policy" "policy":
  42:   web_backend_service = data.google_compute_backend_service.sps.name

The argument "web_backend_service" is required, but no definition was found.

The backend services are not themselves managed by terraform, and I'm not entirely sure how to introspect the values produced by the data resource. A terraform show gives me:

$ terraform show
# data.google_compute_backend_service.sps:
data "google_compute_backend_service" "sps" {}
...

@ghost ghost removed waiting-response labels Apr 14, 2021
@justin-yan
Author

Deepest apologies:

After taking a closer look at the documentation for the google_compute_backend_service data resource (https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_backend_service), I realized that the name of the web_backend_service is the name of the backend_service as displayed related to the load balancer, not as named in the IAP console.

This is totally user error/inexperience on my part - thanks for taking the time to look at the issue!

@ghost

ghost commented May 15, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 15, 2021