Description
TL;DR
I am using `activate_api_identities` with api `cloudfunctions.googleapis.com` so I can create the "appspot" Google-managed service account and assign roles to it. `terraform plan` fails with:

```
on .terraform/modules/project-factory/modules/project_services/main.tf line 84, in resource "google_project_iam_member" "project_service_identity_roles":
  member = "serviceAccount:${each.value.email}"
each.value.email is null
The expression result is null. Cannot include a null value in a string template
```
Expected behavior
`terraform plan` to succeed with use of `activate_api_identities`, mapping API to roles.
Observed behavior
```
on .terraform/modules/project-factory/modules/project_services/main.tf line 84, in resource "google_project_iam_member" "project_service_identity_roles":
  member = "serviceAccount:${each.value.email}"
each.value.email is null
The expression result is null. Cannot include a null value in a string template
```
Terraform Configuration
```hcl
variable "activate_api_identities" {
  type = list(object({
    api   = string
    roles = list(string)
  }))
  description = "The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles)."
  default     = []
}
```
-------
```hcl
module "project-factory" {
  count   = var.create_project ? 1 : 0
  source  = "terraform-google-modules/project-factory/google"
  version = "13.0.0"
  ...
  activate_api_identities = var.activate_api_identities
}
```
----------
```hcl
activate_api_identities = [
  {
    api = "cloudfunctions.googleapis.com"
    roles = [
      "roles/editor",
      "roles/artifactregistry.repoAdmin",
      "roles/cloudbuild.builds.builder",
      "roles/cloudfunctions.invoker",
      "roles/run.serviceAgent",
      "roles/secretmanager.secretAccessor",
      "roles/storage.admin",
      "roles/workflows.invoker"
    ]
  },
  {
    api = "compute.googleapis.com"
    roles = [
      "roles/editor"
    ]
  }
]
```
Terraform Version
```hcl
terraform {
  required_version = "~> 1.0"
  backend "gcs" {}
}
```
Additional information
No response
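The failure above comes from interpolating a null `email` into the IAM member string. The following is an added, stand-alone reproduction written for this page; it is not the project-factory module's code and not from the issue author. It creates the service identities directly with `google_project_service_identity` (google-beta provider), flattens the same `activate_api_identities` shape into one `google_project_iam_member` per (API, role) pair, and adds a `postcondition` on the identity resource so that an API that yields no email is reported by name instead of as a null-template error. The `project_id` variable and the two-entry default input are assumptions for illustration; the APIs must already be enabled in the project.

```hcl
# Added example, not part of the issue or the project-factory module.
terraform {
  required_version = ">= 1.2" # lifecycle postconditions need Terraform 1.2+
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
}

variable "project_id" {
  type        = string
  description = "Project to create service identities in (assumed input)."
}

# Same shape as the issue's activate_api_identities variable.
variable "activate_api_identities" {
  type = list(object({
    api   = string
    roles = list(string)
  }))
  # Constructed sample input for the example.
  default = [
    { api = "cloudfunctions.googleapis.com", roles = ["roles/cloudfunctions.invoker"] },
    { api = "compute.googleapis.com",        roles = ["roles/compute.serviceAgent"] },
  ]
}

# One Google-managed service account (service agent) per requested API.
resource "google_project_service_identity" "identity" {
  for_each = { for i in var.activate_api_identities : i.api => i }
  provider = google-beta
  project  = var.project_id
  service  = each.key

  lifecycle {
    # Fail with the API name as soon as this object is known, rather than
    # later with "Cannot include a null value in a string template".
    postcondition {
      condition     = self.email != null
      error_message = "Service identity for ${each.key} returned no email; this API cannot be granted roles this way."
    }
  }
}

locals {
  # Flatten (api, role) pairs so each grant is its own binding with a stable key.
  identity_roles = {
    for pair in flatten([
      for i in var.activate_api_identities : [
        for r in i.roles : { api = i.api, role = r }
      ]
    ]) : "${pair.api}/${pair.role}" => pair
  }
}

# Additive, per-member binding; does not overwrite other members of the role.
resource "google_project_iam_member" "identity_roles" {
  for_each = local.identity_roles
  project  = var.project_id
  role     = each.value.role
  member   = "serviceAccount:${google_project_service_identity.identity[each.value.api].email}"
}
```

Running `terraform plan` against a real project shows which API, if any, comes back without an email, and the postcondition message names it. Note that `roles/editor` is a basic role covering most project resources; a service agent normally needs only its own `roles/*.serviceAgent` role plus any specific roles the workload requires, so grant the narrower set where possible.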