
"activate_api_identities" throwing error that email can't be null #751

Open
katiyuki opened this issue Sep 29, 2022 · 5 comments
Labels
bug Something isn't working good first issue Good for newcomers P3 medium priority issues triaged Scoped and ready for work

Comments

@katiyuki

TL;DR

I am using "activate_api_identities" with api "cloudfunctions.googleapis.com" so I can create the "appspot" google managed service account, and assign roles to it. terraform plan fails with:

on .terraform/modules/project-factory/modules/project_services/main.tf line 84, in resource "google_project_iam_member" "project_service_identity_roles":
  member = "serviceAccount:${each.value.email}"
each.value.email is null
The expression result is null. Cannot include a null value in a string template

Expected behavior

terraform plan to succeed, with use of "activate_api_identities", mapping API to roles

Observed behavior

on .terraform/modules/project-factory/modules/project_services/main.tf line 84, in resource "google_project_iam_member" "project_service_identity_roles":
  member = "serviceAccount:${each.value.email}"
each.value.email is null
The expression result is null. Cannot include a null value in a string template

Terraform Configuration

variable "activate_api_identities" {
  type = list(object({
    api   = string
    roles = list(string)
  }))
  description = "The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles)."
  default     = []
}

-------
module "project-factory" {
  count   = var.create_project ? 1 : 0
  source  = "terraform-google-modules/project-factory/google"
  version = "13.0.0"
  ...
  activate_api_identities = var.activate_api_identities
}
----------
activate_api_identities = [
  {
    api = "cloudfunctions.googleapis.com"
    roles = [
      "roles/editor",
      "roles/artifactregistry.repoAdmin",
      "roles/cloudbuild.builds.builder",
      "roles/cloudfunctions.invoker",
      "roles/run.serviceAgent",
      "roles/secretmanager.secretAccessor",
      "roles/storage.admin",
      "roles/workflows.invoker"
    ]
  },
  {
    api = "compute.googleapis.com"
    roles = [
      "roles/editor"
    ]
  }
]

Terraform Version

terraform {
  required_version = "~> 1.0"

  backend "gcs" {}
}

Additional information

No response

@katiyuki katiyuki added the bug Something isn't working label Sep 29, 2022
@katiyuki
Author

When I removed the "compute.googleapis.com" part in the "activate_api_identities" list, terraform plan ran successfully.

Why?

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label Nov 28, 2022
@bharathkkb
Member

@katiyuki this may be because the compute API does not return the service identity. Usually a way to check if a service returns an identity is by running the gcloud command gcloud beta services identity create --service=cloudfunctions.googleapis.com --format json. In this case, within the module, I think we should filter out any each.value.email that is null.

@bharathkkb bharathkkb added good first issue Good for newcomers triaged Scoped and ready for work P3 medium priority issues and removed Stale labels Nov 29, 2022
abhikaddy added a commit to abhikaddy/terraform-google-project-factory that referenced this issue Oct 3, 2023
@imrannayer
Contributor

It is needed for very few APIs, like healthcare etc. There is no way to find which API is supported. It should not be used unless the user is aware of the API which needs it.

@imrannayer
Contributor

I have added to the variable description that it only applies to APIs which are supported by the command gcloud beta services identity create.
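A pre-flight check for the gcloud test that bharathkkb and imrannayer describe, added here as an example and not part of the project-factory module or of this thread: it runs gcloud beta services identity create --service=<api> --format json for each API in activate_api_identities and reports which ones return an email, so an API with no service identity can be dropped from the list before the module hits the null each.value.email. It assumes gcloud is installed and authenticated when run for real; the function names, the sample JSON, and the assumption that an unsupported API yields output without an "email" key are mine.

```python
"""Pre-check for activate_api_identities (added example, not module code).

Runs the check from this issue, `gcloud beta services identity create
--service=<api> --format json`, for each API and reports which ones return a
service-identity email. An API that returns none would make the module's
    member = "serviceAccount:${each.value.email}"
fail with "The expression result is null", so it should be left out of the list.
"""
import json
import subprocess
from typing import Optional


def identity_email(gcloud_json: str) -> Optional[str]:
    """Return the identity email from gcloud's JSON output, or None if absent."""
    # Assumption: an API with no Google-managed service account yields output
    # without an "email" key (or empty / non-JSON output).
    try:
        data = json.loads(gcloud_json) if gcloud_json.strip() else {}
    except json.JSONDecodeError:
        return None
    email = data.get("email") if isinstance(data, dict) else None
    return email if isinstance(email, str) and "@" in email else None


def query_identity(api: str, project: Optional[str] = None) -> str:
    """Run the gcloud command from the issue for one API; '' on failure."""
    cmd = ["gcloud", "beta", "services", "identity", "create",
           f"--service={api}", "--format", "json"]
    if project:
        cmd.append(f"--project={project}")  # gcloud's global --project flag
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def split_by_identity(outputs: dict) -> tuple:
    """Split {api: gcloud stdout} into ({api: email}, [apis without identity])."""
    supported, unsupported = {}, []
    for api, out in outputs.items():
        email = identity_email(out)
        if email:
            supported[api] = email
        else:
            unsupported.append(api)
    return supported, unsupported


if __name__ == "__main__":
    apis = ["cloudfunctions.googleapis.com", "compute.googleapis.com"]  # from the issue
    ok, bad = split_by_identity({a: query_identity(a) for a in apis})
    for api, email in ok.items():
        print(f"OK   {api} -> {email}")
    for api in bad:
        print(f"SKIP {api}: no service identity; remove it from activate_api_identities")
```

Run it against the same list you pass to the module; anything printed as SKIP is an API that would trigger the null interpolation error.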
