Terraform-provider-google: terraform-plan with a google_project_iam_custom_role resource with an ALPHA stage incorrectly reports the stage as empty

Created on 22 Jul 2018  ·  8Comments  ·  Source: hashicorp/terraform-provider-google

Summary:

I have several google_project_iam_custom_role resources. Roles with a stage of ALPHA are not handled correctly when running terraform plan.

Terraform Version

λ terraform -v
Terraform v0.11.7
+ provider.google v1.16.0

Affected Resource(s)

  • google_project_iam_custom_role

Terraform Configuration Files

I've included the relevant code below.

resource "google_project_iam_custom_role" "foo" {
  role_id = "foo"
  title = "My Custom Role"
  description = "My custom role description"
  stage = "ALPHA"
  deleted = "false"
  permissions = [
    ...
  ]
}

Debug Output

There's nothing particularly useful shown in the debug log, and lots of resource names to redact, so I'm choosing not to include this publicly. If it is needed in order to determine the issue, I can provide it privately.

Expected Behavior

Given the above resource block, the expected behavior is no changes after importing the matching resource.

Actual Behavior

λ gcloud iam roles describe foo --project myproject
description: My custom role description
etag: BwVxi4Dbtd0=
includedPermissions:
- [permissions]
name: projects/myproject/roles/foo
stage: ALPHA
title: My Custom Role


λ terraform import google_project_iam_custom_role.foo projects/myproject/roles/foo
google_project_iam_custom_role.foo: Importing from ID "projects/myproject/roles/foo"...
google_project_iam_custom_role.foo: Import complete!
  Imported google_project_iam_custom_role (ID: projects/myproject/roles/foo)
google_project_iam_custom_role.foo: Refreshing state... (ID: projects/myproject/roles/foo)

Import successful!


λ terraform state show google_project_iam_custom_role.foo
id                = projects/myproject/roles/foo
deleted           = false
description       = My custom role description
permissions.#     = [some_number]
permissions.[...] = [permissions]
project           = myproject
role_id           = foo
stage             = ALPHA
title             = My Custom Role


λ terraform plan
 [...output redacted for brevity...]
  ~ google_project_iam_custom_role.foo
      stage: "" => "ALPHA"

Note the empty stage value when running terraform plan. This occurs when the state has a value of ALPHA for the stage property, no matter what value it is being changed to.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. With the above resource block, run terraform plan.
  2. View the output, noting the bug.

Important Factoids

  • If the desired state of the custom role _is_ ALPHA, as in the above example, terraform plan and terraform apply will _always_ show this bug.

References

N/A

bug
Source
picture sudoforge
👍2

Most helpful comment

Until the API issue is resolved we've had to ignore the change:

  lifecycle = {
    ignore_changes = ["stage"]
  }

Not ideal but keeps our plans clean in the meantime 😞

picture domudall on 4 Sep 2018
👍2

All 8 comments

This seems to be a problem with the Google IAM API itself; although it's documented to return the stage, it currently isn't being returned in the JSON response. Doesn't seem to be a bug with the Terraform provider, but also unsure where this can be escalated to within Google 🙁

domudall picture domudall on 4 Sep 2018

Until the API issue is resolved we've had to ignore the change:

  lifecycle = {
    ignore_changes = ["stage"]
  }

Not ideal but keeps our plans clean in the meantime 😞

domudall picture domudall on 4 Sep 2018
👍2

@danawillow was an issue filed with the upstream project?

sudoforge picture sudoforge on 8 Oct 2018

@sudoforge Seems like not. This one is still continuing…

vertexclique picture vertexclique on 24 Oct 2018

Hey all, I just took a look at the API docs and it looks like this is documented behavior, so not actually an upstream bug: https://cloud.google.com/iam/reference/rest/v1/projects.roles:

If the ALPHA launch stage has been selected for a role, the stage field will not be included in the returned definition for the role.

We should be able to fix this without too much effort on our end with a DiffSuppressFunc. Marking this as a bug instead of upstream so it gets handled appropriately.

danawillow picture danawillow on 26 Oct 2018

Interesting. I'd still expect the stage field to be included - the conditional omission is _weird_ - but I digress. Using DiffSuppressFunc makes sense!

sudoforge picture sudoforge on 27 Oct 2018

Fixed in #2370.

danawillow picture danawillow on 31 Oct 2018
🎉1

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

hashibot[bot] picture hashibot[bot] on 29 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kaifresh picture kaifresh  ·  4Comments
mumblez picture mumblez  ·  4Comments
Dmitry1987 picture Dmitry1987  ·  3Comments
terraform-ctc picture terraform-ctc  ·  4Comments
ewbankkit picture ewbankkit  ·  4Comments