Spanky, 3w ago

Terraform: InvalidArgument desc = Project member is invalid (PROJECT-3m9d)

I've got all of my Terraform set up and working well, but I'm running into an error I can't figure out. I'm creating a zitadel_project_role like so, and it's creating the Project Role just fine:
```hcl
resource "zitadel_project_role" "this" {
  project_id   = var.project_id
  org_id       = var.org_id
  role_key     = "super-user"
  display_name = "Administrator"
}
```
Then I try to give this role to my user:
```hcl
resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.roles.project) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  roles      = each.value.roles.project
  user_id    = zitadel_human_user.this[each.key].id

  depends_on = [zitadel_project_role.this]
}
```
(Don't stress over the for_each and values, I've hardcoded them with the same results.)

When I put my role into the roles list, I get the error:

```
│ Error: failed to update projectmember: rpc error: code = InvalidArgument desc = Project member is invalid (PROJECT-3m9d)
```

When I go to the Console and perform the same action, it works. If I change the role to a built-in role, like PROJECT_OWNER, the Terraform works. I've verified the Org, Project and User ID are correct. I've also verified the role is present in the Console. No matter what I do, I continue to get this error.

Any help is appreciated!
5 Replies
Ask Inkeep, 3w ago
Hi @Spanky, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

The error "Project member is invalid" that you're experiencing is similar to issues documented in the sources (1). The underlying ZITADEL APIs require that roles be provided correctly when adding project members (2).

Looking at the API documentation, when adding a project member, if no roles are provided the user won't have any rights, so the member definition will be regarded as invalid. The API expects the roles parameter to contain valid role keys.

Based on a GitHub discussion, there was a similar issue where someone was getting invalid project member errors, and the solution was ensuring the correct role key format was being used (3). In that case, the user needed to verify they were using the exact role key as specified in the project.

Since your Terraform works with built-in roles like PROJECT_OWNER but fails with your custom role super-user, the issue is likely with how the custom role key is being referenced. The role key must match exactly what was created in the project.

I'd recommend:

1. Double-check that the role key in your roles list matches exactly the role_key value from your zitadel_project_role resource
2. Ensure there are no timing issues - the role must exist before the member assignment
3. Verify the role is actually created successfully in the target project and organization

The sources also indicate that these endpoints have been deprecated and replaced with newer administrator management APIs (4) (2) [(5)](https://zitadel.com/docs/apis/resources/mgmt/management-service-update-project-member), though this shouldn't affect Terraform usage.

If you continue having issues, I'd suggest clicking the "Ask for help" button to tag a team member for more specific Terraform troubleshooting.

To learn more, see the sources I considered:

- [1] I try to add a member to a granted project, but I keep getting an error "PROJECT-m9gKK"
- [2] Add Project Member
- [3] Assign project role to user authorization via API
- [4] Add Project Grant Member
- [5] Update Project Member

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Spanky (OP), 3w ago
I have already done the things suggested by Inkeep. It is not a timing issue either.
Rajat, 3w ago
hey @Spanky I will look into it and will get back to you
Spanky (OP), 3w ago
Thanks! Meanwhile I'll try some more things.

This is the Terraform state of the Project Role:
```
❯ terraform state show module.company_setup_dev.zitadel_project_role.this
# module.company_setup_dev.zitadel_project_role.this:
resource "zitadel_project_role" "this" {
    display_name = "Administrator"
    group        = null
    id           = "340998471756575805_340998472058565693_super-user"
    org_id       = "340998471756575805"
    project_id   = "340998472058565693"
    role_key     = "super-user"
}
```
and this is what Terraform is trying to create:
```
  # module.company_setup_dev.zitadel_project_member.this["tom"] will be created
  + resource "zitadel_project_member" "this" {
      + id         = (known after apply)
      + org_id     = "340998471756575805"
      + project_id = "340998472058565693"
      + roles      = [
          + "super-user",
        ]
      + user_id    = "341001072912921661"
    }
```
So you can see that the IDs of things match.

I think what's happening here is that this resource is not where you add this role. This resource only takes built-in roles. What I think is needed is a zitadel_user_grant?

Yeah, when I switch the role from mine (super-user) to PROJECT_OWNER, the resource shows up under the User's MEMBERSHIPS and not Authorizations.

Yup. When I add a zitadel_user_grant it works with my super-user role and shows up where expected.

Thanks for listening. Hopefully this helps someone else in the future!
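The split the thread arrives at, as an added example that is not the poster's or the ZITADEL project's own code: built-in management roles stay on `zitadel_project_member`, and custom project role keys go on `zitadel_user_grant`. The `member`/`grant` shape of `var.users` is a hypothetical input layout, and `zitadel_human_user.this` is assumed to be defined elsewhere in the module, as in the original post.

```hcl
# Added example. Hypothetical input shape:
#   users = { tom = { member = [], grant = ["super-user"] } }
variable "org_id" { type = string }
variable "project_id" { type = string }
variable "users" {
  type = map(object({
    member = list(string) # built-in management roles, e.g. PROJECT_OWNER
    grant  = list(string) # custom role keys defined on the project
  }))
}

resource "zitadel_project_role" "this" {
  org_id       = var.org_id
  project_id   = var.project_id
  role_key     = "super-user"
  display_name = "Administrator"
}

# Membership: accepts built-in roles only; a custom key here is rejected
# with "Project member is invalid (PROJECT-3m9d)".
# Appears under the user's Memberships in the Console.
resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.member) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  user_id    = zitadel_human_user.this[each.key].id # assumed to exist
  roles      = each.value.member
}

# Authorization: custom project role keys are assigned here.
# Appears under the user's Authorizations in the Console.
resource "zitadel_user_grant" "this" {
  for_each = { for k, v in var.users : k => v if length(v.grant) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  user_id    = zitadel_human_user.this[each.key].id # assumed to exist
  role_keys  = each.value.grant

  # The role must exist before it can be granted.
  depends_on = [zitadel_project_role.this]
}
```

Keeping the two lists separate also avoids reaching for PROJECT_OWNER just to get an apply through: a membership confers management rights over the project in ZITADEL, while a user grant only carries the application role.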