terraform-google-modules / terraform-google-log-export

Creates log exports at the project, folder, or organization level

Home Page:https://registry.terraform.io/modules/terraform-google-modules/log-export/google

log-export module fails to create service accounts and export writer_identity

cfinch opened this issue · comments

TL;DR

When replicating a basic example of creating an export to a logging bucket, the base log-export module outputs an empty writer_identity string that cannot be used as an input to the logbucket submodule. Root cause appears to be that the log-export module is not creating service accounts even though unique_writer_identity is true.

Expected behavior

The parent module should create a service account and output a valid writer_identity string that can be used as an input to the logbucket submodule.

Observed behavior

output "log_export_1_writer_identity" {
  value = module.log_export_1.writer_identity
}

results in

log_export_1_writer_identity = ""

Terraform Configuration

module "log_export_1" {
  source  = "terraform-google-modules/log-export/google"
  version = "7.4.2"

  destination_uri        = module.destination_1.destination_uri
  filter                 = "severity >= ERROR"
  log_sink_name          = "log_bucket_1"
  parent_resource_id     = var.project_id
  parent_resource_type   = "project"
  unique_writer_identity = true
}

module "destination_1" {
  source  = "terraform-google-modules/log-export/google//modules/logbucket"
  version = "7.4.2"

  project_id               = var.project_id
  name                     = "log_bucket_1"
  log_sink_writer_identity = module.log_export_1.writer_identity
}

Terraform Version

Terraform v1.3.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.44.0
+ provider registry.terraform.io/hashicorp/google-beta v4.44.1

Additional information

I am unable to test with unique_writer_identity = false because I get the error:

Error 400: Advanced sink options require using per sink service accounts. Use uniqueWriterIdentity=true to create a unique service account for this sink, badRequest

Under which circumstances can unique_writer_identity be false?
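As an added example (not code from the issue, and not the terraform-google-log-export module's own code), here is the same project-level setup, a log bucket, a sink with its own writer identity, and the bucket-writer grant, expressed with the raw google provider resources so the sink and the destination do not have to reference each other's outputs across module boundaries. The bucket id, sink name, retention period and IAM condition title are assumed placeholders. The sink carries a postcondition that fails the apply with a clear message if the API returns an empty writer_identity, which is the symptom reported above, instead of passing "" into an IAM binding; the roles/logging.bucketWriter grant goes only to the sink's own identity and is scoped by condition to that one bucket. With unique_writer_identity = true the sink gets a per-sink service account, which is what the 400 error quoted in the issue says the API requires for advanced sink options. Postcondition blocks need Terraform 1.2 or later.

```hcl
terraform {
  required_version = ">= 1.2" # lifecycle postcondition blocks
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.44"
    }
  }
}

variable "project_id" {
  type = string
}

# Destination: a dedicated log bucket in the same project.
# Bucket id and retention are assumed values for this example.
resource "google_logging_project_bucket_config" "errors" {
  project        = var.project_id
  location       = "global"
  bucket_id      = "error-logs-example"
  retention_days = 30
}

# Sink with a per-sink service account, routing only ERROR-and-above
# entries into the bucket above. Sink name is an assumed placeholder.
resource "google_logging_project_sink" "errors" {
  name        = "error-sink-example"
  project     = var.project_id
  destination = "logging.googleapis.com/projects/${var.project_id}/locations/global/buckets/${google_logging_project_bucket_config.errors.bucket_id}"
  filter      = "severity >= ERROR"

  unique_writer_identity = true

  lifecycle {
    # Stop the apply, rather than silently exporting "", when the API
    # returns no writer identity: the bucket grant below depends on it.
    postcondition {
      condition     = self.writer_identity != ""
      error_message = "Sink ${self.name} has no writer_identity; cannot grant it roles/logging.bucketWriter."
    }
  }
}

# Least-privilege grant: only the sink's own identity may write to the
# bucket, and only to this bucket (condition on the bucket resource name).
resource "google_project_iam_member" "sink_bucket_writer" {
  project = var.project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_project_sink.errors.writer_identity

  condition {
    title       = "only-error-log-bucket"
    description = "Restrict the writer grant to the error log bucket"
    expression  = "resource.name.endsWith(\"locations/global/buckets/${google_logging_project_bucket_config.errors.bucket_id}\")"
  }
}

output "writer_identity" {
  value = google_logging_project_sink.errors.writer_identity
}
```

At plan time writer_identity shows as known after apply; the postcondition is evaluated during apply once the sink exists, so a failure leaves the sink created and recorded in state but the grant unapplied, and terraform apply can be re-run after the cause is fixed. Compared with the two-module wiring in the issue, the dependency chain here is strictly bucket, then sink, then IAM binding, so there is no cross-reference between modules that Terraform has to resolve.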

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days