-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provider produced inconsistent result after apply with resource google_bigquery_dataset_access #8171
Comments
@Clausewitz45 Can you clarify why you want to create the same resource twice in the config ? |
Hi @venkykuberan , sorry it seems only because of the redacted information. In the end, I'm managing multiple projects from a single Terraform repository, and these two resources belong to two different projects. Both projects are containing two different BigQuery datasets with the same name (logs dataset for internal statistics). The resources were provisioned ~2-3 months earlier with different terraform versions, and during the provisioning, I didn't have this issue. Now I'm trying to extend the permissions with a new group as a new resource, and I'm having this error. |
@Clausewitz45 can you check line 312 in the original log and confirm whether the groups are identical or not? I see Additionally, do you use a provider-default project? And if so, does it match the one of that resource? I suspect that Terraform may be messing up the project(s) in use. |
I get a success with the following, which leads me to believe the issue is not a project thing and it's more likely something weird is happening with the returned emails. Can you inspect the matching section in the unobfuscated logs and ensure that there are no differences between the values? We expect them to match exactly-- even a minor capitalization difference could be the cause.
resource "google_bigquery_dataset" "default" {
project = "project1"
dataset_id = "foo"
friendly_name = "test"
description = "This is a test description"
location = "EU"
default_table_expiration_ms = 3600000
labels = {
env = "default"
}
}
resource "google_bigquery_dataset" "default2" {
project = "project2"
dataset_id = "foo"
friendly_name = "test"
description = "This is a test description"
location = "EU"
default_table_expiration_ms = 3600000
labels = {
env = "default"
}
}
resource "google_bigquery_dataset_access" "project1_access_logs_controlling" {
project = "project1"
dataset_id = google_bigquery_dataset.default.dataset_id
role = "READER"
group_by_email = "[email protected]"
}
resource "google_bigquery_dataset_access" "project2_access_logs_controlling" {
project = "project2"
dataset_id = google_bigquery_dataset.default2.dataset_id
role = "READER"
group_by_email = "[email protected]"
} |
Hi @rileykarson , thanks for coming back to me. Unfortunately I don't have the old logs - lost in time somewhere, but I was able to reproduce the same issue with terraform version Background: terraform has it's own project with a single service account, and has the permission to manage ~24 other projects. So the resources are not in the provider default project, and referenced with The user backend is Google Workspace / Suite with Cloud Identity. I checked first our Cloud Identity if the email address is matching what is in the logs - it was matching, so no issue here. I also checked the capitalization of the characters, it is fine now, but it turned out, previously the group email address was created like this: Then I was running a full plan, and apply with debug outputs - this is a huge TF repository (please don't judge - there are multiple reasons, and one of them is a Security Officer) with more than 4900 resources there. I checked the new logs and you were right. If I take the old logs as an example, and checking the line 312/313 the email addresses are not matching there. Line 312 contains a capitalization issue, in 313 is weird because the
I did a grep for both in the code - but the capitalized version is coming from nowhere - no sign of it in the code. As I mentioned at the beginning, previously it was capitalized, but by checking the audit logs, it was changed roughly a month ago. What can I do with this thingy? P.s.: if you can tell me how to share with you securely the non-obfuscated logs, I would be happy to do that. |
Great! This seems like a pretty likely cause. The value in your config right now is |
Hi @rileykarson . The value in my config is with the small capital: Here comes the fun part. When I was adding the email address manually on the Cloud Console, I entered it with the small capital: like This is the reason why I think there must be some "discrepancy" between Cloud Identity (where the email was originally created with big capital) and GCP - during the information exchange - and this is why I think that this is not a Terraform bug, but inconsistency between the two other actor. Many thanks for the help and if you agree we can close the ticket. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
Community Note
modular-magician
user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned tohashibot
, a community member has claimed the issue already.Terraform Version
The issue is reproducible with terraform version
0.13.5
, and provider versions3.51.1
and3.51.0
also.Affected Resource(s)
Terraform Configuration Files
Debug Output
GitHub Gist with debug.log output
Expected Behavior
Providing BigQuery Data Reader permission to the specified email group.
Actual Behavior
Steps to Reproduce
terraform apply
The text was updated successfully, but these errors were encountered: