terraform-plan with a google_project_iam_custom_role resource with an ALPHA stage incorrectly reports the stage as empty #1801

Closed
sudoforge opened this issue Jul 22, 2018 · 8 comments
Labels
bug forward/review In review; remove label to forward service/iam-core


@sudoforge

sudoforge commented Jul 22, 2018

Summary:

I have several google_project_iam_custom_role resources. Roles with a stage of ALPHA are not handled correctly when running terraform plan.

Terraform Version

λ terraform -v
Terraform v0.11.7
+ provider.google v1.16.0

Affected Resource(s)

  • google_project_iam_custom_role

Terraform Configuration Files

I've included the relevant code below.

resource "google_project_iam_custom_role" "foo" {
  role_id = "foo"
  title = "My Custom Role"
  description = "My custom role description"
  stage = "ALPHA"
  deleted = "false"
  permissions = [
    ...
  ]
}

Debug Output

There's nothing particularly useful shown in the debug log, and lots of resource names to redact, so I'm choosing not to include this publicly. If it is needed in order to determine the issue, I can provide it privately.

Expected Behavior

Given the above resource block, the expected behavior is no changes after importing the matching resource.

Actual Behavior

λ gcloud iam roles describe foo --project myproject
description: My custom role description
etag: BwVxi4Dbtd0=
includedPermissions:
- [permissions]
name: projects/myproject/roles/foo
stage: ALPHA
title: My Custom Role


λ terraform import google_project_iam_custom_role.foo projects/myproject/roles/foo
google_project_iam_custom_role.foo: Importing from ID "projects/myproject/roles/foo"...
google_project_iam_custom_role.foo: Import complete!
  Imported google_project_iam_custom_role (ID: projects/myproject/roles/foo)
google_project_iam_custom_role.foo: Refreshing state... (ID: projects/myproject/roles/foo)

Import successful!


λ terraform state show google_project_iam_custom_role.foo
id                = projects/myproject/roles/foo
deleted           = false
description       = My custom role description
permissions.#     = [some_number]
permissions.[...] = [permissions]
project           = myproject
role_id           = foo
stage             = ALPHA
title             = My Custom Role


λ terraform plan
 [...output redacted for brevity...]
  ~ google_project_iam_custom_role.foo
      stage: "" => "ALPHA"

Note the empty stage value when running terraform plan. This occurs when the state has a value of ALPHA for the stage property, no matter what value it is being changed to.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. With the above resource block, run terraform plan.
  2. View the output, noting the bug.

Important Factoids

  • If the desired state of the custom role is ALPHA, as in the above example, terraform plan and terraform apply will always show this bug.

References

N/A

@sudoforge sudoforge changed the title from "tf-plan with a google_project_iam_custom_role resource with an ALPHA stage incorrectly reports the stage as empty" to "terraform-plan with a google_project_iam_custom_role resource with an ALPHA stage incorrectly reports the stage as empty" Jul 22, 2018
@domdoescode

This seems to be a problem with the Google IAM API itself; although it's documented to return the stage, it currently isn't being returned in the JSON response. Doesn't seem to be a bug with the Terraform provider, but also unsure where this can be escalated to within Google 🙁

@domdoescode

Until the API issue is resolved we've had to ignore the change:

  lifecycle = {
    ignore_changes = ["stage"]
  }

Not ideal but keeps our plans clean in the meantime 😞

@danawillow danawillow self-assigned this Sep 4, 2018
@sudoforge
Author

@danawillow was an issue filed with the upstream project?

@vertexclique

@sudoforge Seems like not. This one is still continuing…

@danawillow
Contributor

Hey all, I just took a look at the API docs and it looks like this is documented behavior, so not actually an upstream bug: https://cloud.google.com/iam/reference/rest/v1/projects.roles:

If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

We should be able to fix this without too much effort on our end with a DiffSuppressFunc. Marking this as a bug instead of upstream so it gets handled appropriately.

@danawillow danawillow added bug and removed upstream labels Oct 26, 2018
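
The comparison a DiffSuppressFunc for this field has to make, as an added example (not code from this thread or from the provider's fix): it suppresses only the "" versus ALPHA pair produced by the API omitting the field, so any other stage change still shows up in the plan, unlike `ignore_changes = ["stage"]`. The names `role`, `parseRole`, `suppressAlphaStage` and the sample response are assumptions; the SDK's DiffSuppressFunc also receives the attribute key and a `*schema.ResourceData`, left out here so the block runs without the SDK.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// role holds the fields of an IAM custom role that matter for this issue
// (hypothetical type, not the provider's).
type role struct {
	Name  string `json:"name"`
	Title string `json:"title"`
	Stage string `json:"stage"` // absent from the response when the stage is ALPHA
}

// parseRole decodes a role response body; a missing "stage" decodes to "".
func parseRole(body []byte) (role, error) {
	var r role
	err := json.Unmarshal(body, &r)
	return r, err
}

// suppressAlphaStage reports whether the difference between the value read
// from the API (oldVal) and the configured value (newVal) is only the API's
// omission of ALPHA. Every other pair is a real change and must be planned.
func suppressAlphaStage(oldVal, newVal string) bool {
	const omitted = "ALPHA"
	return (oldVal == "" && newVal == omitted) || (oldVal == omitted && newVal == "")
}

// Constructed sample response, modelled on the gcloud output in the issue;
// "stage" is deliberately absent, as the API does for an ALPHA role.
const sampleBody = `{"name":"projects/myproject/roles/foo","title":"My Custom Role"}`

func main() {
	r, err := parseRole([]byte(sampleBody))
	if err != nil {
		panic(err)
	}
	// Compare the value read back against several configured stages.
	for _, want := range []string{"ALPHA", "GA", "DISABLED"} {
		fmt.Printf("stage: %q => %q suppressed=%v\n",
			r.Stage, want, suppressAlphaStage(r.Stage, want))
	}
}
```
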
@sudoforge
Author

Interesting. I'd still expect the stage field to be included - the conditional omission is weird - but I digress. Using DiffSuppressFunc makes sense!

modular-magician pushed a commit to modular-magician/terraform-provider-google that referenced this issue Oct 30, 2018
@danawillow
Contributor

Fixed in #2370.

luis-silva pushed a commit to luis-silva/terraform-provider-google that referenced this issue May 21, 2019
luis-silva pushed a commit to luis-silva/terraform-provider-google that referenced this issue May 21, 2019
add diffsuppress for iam custom role stage. fixes TPG hashicorp#1801
@ghost

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/iam-core labels Jan 15, 2025