Can't specify support_email with google_iap_brand resource #6104

Closed
pierrefevrier opened this issue Apr 13, 2020 · 4 comments

@pierrefevrier

Hi,

I'm trying to use the google_iap_brand but always get the following error: Error: Error creating Brand: googleapi: Error 400: Support email is not allowed: fake@my-domain.com.

I'm executing Terraform with a GCP project-specific service account.

I tried several email addresses and groups, but nothing works.
I'm asking myself whether the only way to make it work is to run Terraform with the user that corresponds to the email I set on support_email?

Thanks for your help.

@venkykuberan venkykuberan self-assigned this Apr 13, 2020
@venkykuberan
Contributor

@pierrefevrier can you try your Google Group email (of your org) for the support_email attribute and see if the error goes away?

@slevenick
Collaborator

Hey @pierrefevrier

Wanted to chime in with some extra information on the support_email field.

You are onto something: https://cloud.google.com/iap/docs/programmatic-oauth-clients the support_email field has restrictions as follows:

The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.

Generally Terraform runs as a service account, so the easiest way to have the service account own the support_email address would be to have the service account be an owner of a Google Group.

Alternatively you could run Terraform as the user that owns the support email, but I haven't tested this and it could be difficult if you have other infrastructure in your Terraform config.

@pierrefevrier
Author

Thank you @venkykuberan and @slevenick.
By adding the service account as owner of the Cloud Identity group whose email address I want to use as support_email, it works!
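
The fix described in the comments above, written as a Terraform configuration. This is an added example, not code posted in the thread or taken from the provider repository. All variable values are placeholders, and it assumes the identity running Terraform is allowed to create Cloud Identity groups; if it is not, create the group and its owner membership out of band and keep only the google_iap_brand resource.

```hcl
# Added example: every value supplied through these variables is a placeholder.
variable "project_id" {}          # GCP project that will hold the IAP brand
variable "customer_id" {}         # Cloud Identity customer ID of the organization
variable "support_group_email" {} # group address to show on the OAuth consent screen
variable "terraform_sa_email" {}  # service account that Terraform runs as

# Google Group whose address becomes the brand's support email.
resource "google_cloud_identity_group" "iap_support" {
  display_name = "IAP support"
  parent       = "customers/${var.customer_id}"

  group_key {
    id = var.support_group_email
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# The service account must be an OWNER of the group; a service account
# address on its own is rejected as support_email with the Error 400 above.
resource "google_cloud_identity_group_membership" "terraform_owner" {
  group = google_cloud_identity_group.iap_support.id

  preferred_member_key {
    id = var.terraform_sa_email
  }

  # OWNER is granted in addition to the base MEMBER role.
  roles { name = "MEMBER" }
  roles { name = "OWNER" }
}

resource "google_iap_brand" "this" {
  project           = var.project_id
  application_title = "Internal application" # placeholder title
  support_email     = google_cloud_identity_group.iap_support.group_key[0].id

  # Create the brand only after ownership is in place, otherwise the
  # API call can race the membership and fail with the same 400.
  depends_on = [google_cloud_identity_group_membership.terraform_owner]
}
```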

@ghost ghost removed the waiting-response label Apr 14, 2020
@ghost

ghost commented May 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators May 15, 2020