I'm trying to create an IAM resource in GCP to assign a custom role to a service account.

The terraform code is given below.

resource "google_project_iam_member" "basic_role_permissions" {
  project = var.project
  role    = "projects/${var.project}/roles/${google_project_iam_custom_role.basic_role.role_id}"
  member  = "serviceAccount:${google_service_account.falcon.email}"
}

While deploying this I'm getting the following error:

 Batch "iam-project-PROJECT-ID modifyIamPolicy" for request "Create IAM Members projects/PROJECT-ID/roles/test_CloudSqlClient serviceAccount:[email protected] for \"project \\\"PROJECT-ID\\\"\"" returned error: Error applying IAM policy for project "PROJECT-ID": Error setting IAM policy for project "PROJECT-ID": googleapi: Error 400: Policy members must be of the form "<type>:<value>"., badRequest

Following is the version information:

Terraform : 0.12.20

google Provider : ~> 3.0.0

google-beta Provider : ~> 3.0.0

I can see the member string is of correct format <type>:<member> and yet Terraform is complaining.


There are 2 answers

Pejvak On BEST ANSWER

I have found a possible workaround here: please try pinning your provider version to 2.12.0 and check whether it works or not.

Ryan Tarpine On

I just hit this myself (we're still using google provider v3.2.0 at work).

The bug is https://github.com/hashicorp/terraform-provider-google/issues/5151 (fixed in 2.20.1/3.3.0).

An easy fix is to search on https://console.cloud.google.com/iam-admin/iam for "deleted" and manually remove the members that start with deleted: (if there's a deleted member in any role at the project level, this bug affects you).

For more details on the underlying issue, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/iam_deleted_members
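To check whether the condition described in the answer above applies (a `deleted:` member somewhere in the project-level policy), here is an added example that is not part of either answer. It scans a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and reports every binding holding a `deleted:` member; the policy content and project name are constructed sample values.

```python
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json`.
# The second binding carries a "deleted:" member, the condition the
# answer above names as the trigger for the provider bug.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]},
    {"role": "projects/example-project/roles/test_CloudSqlClient",
     "members": [
       "serviceAccount:sa@example-project.iam.gserviceaccount.com",
       "deleted:serviceAccount:old@example-project.iam.gserviceaccount.com?uid=123456789012345678901"
     ]}
  ],
  "etag": "BwXYZ123abc=",
  "version": 1
}
"""


def find_deleted_members(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs whose member carries the deleted: prefix."""
    hits = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                hits.append((role, member))
    return hits


def find_deleted_members_json(policy_text: str) -> List[Tuple[str, str]]:
    """Same check on the raw JSON text that gcloud prints."""
    return find_deleted_members(json.loads(policy_text))


def load_project_policy(project_id: str) -> str:
    """Fetch the live policy; requires an authenticated gcloud on PATH."""
    cmd = ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    text = load_project_policy(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_POLICY_JSON
    for role, member in find_deleted_members_json(text):
        print(f"{role}: {member}")  # prints each binding that still needs clean-up
```

Run with a project ID as the first argument to inspect a real project; with no argument it scans the constructed sample and reports the one `deleted:` member.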