Terraform: google_project_iam_policy: There were concurrent policy changes

Created on 10 Jun 2017  ·  4 Comments  ·  Source: hashicorp/terraform

Terraform Version

Terraform v0.9.8

Affected Resource(s)

  • google_project_iam_policy

Terraform Configuration Files

# The project both IAM policies are applied to (referenced below as
# var.google_project_id, so it must be declared).
variable "google_project_id" {}

resource "google_service_account" "stackdriver_api" {
  account_id   = "stackdriver-api"
  display_name = "Stackdriver (api)"
}

# First project-level IAM policy: grants the Stackdriver service account
# its three writer/agent roles on the project.
resource "google_project_iam_policy" "stackdriver" {
  project     = "${var.google_project_id}"
  policy_data = "${data.google_iam_policy.stackdriver.policy_data}"
}

data "google_iam_policy" "stackdriver" {
  binding {
    role    = "roles/errorreporting.writer"
    members = ["serviceAccount:${google_service_account.stackdriver_api.email}"]
  }

  binding {
    role    = "roles/cloudtrace.agent"
    members = ["serviceAccount:${google_service_account.stackdriver_api.email}"]
  }

  binding {
    role    = "roles/logging.logWriter"
    members = ["serviceAccount:${google_service_account.stackdriver_api.email}"]
  }
}

resource "google_service_account" "cert_bot" {
  account_id   = "cert-bot"
  display_name = "CertBot"
}

# Second project-level IAM policy on the SAME project. With default
# parallelism both google_project_iam_policy resources issue their
# read-modify-write of the project policy at the same time, which is
# what the 409 "concurrent policy changes" error below reports.
resource "google_project_iam_policy" "cert_bot" {
  project     = "${var.google_project_id}"
  policy_data = "${data.google_iam_policy.cert_bot.policy_data}"
}

data "google_iam_policy" "cert_bot" {
  binding {
    role    = "roles/dns.admin"
    members = ["serviceAccount:${google_service_account.cert_bot.email}"]
  }
}

Error Output

error is googleapi: Error 409: There were concurrent policy changes. Please retry the whole read-modify-write with exponential backoff., aborted

Expected Behavior

Apply the policies.

Actual Behavior

It fails because Google apparently doesn't like multiple policies being changed at the same time.

Running apply with -parallelism=1 fixes the issue.

All 4 comments

User error. Only one data "google_iam_policy" can exist.

@mattes What's the alternative for this? The documentation states:

policy_data - (Required) The google_iam_policy data source that represents the IAM policy that will be applied to the project. The policy will be merged with any existing policy applied to the project.

We've got multiple modules manipulating the same project and I don't like the idea of merging all policies into one when in fact they are used by different modules.

We've got multiple modules manipulating the same project and I don't like the idea of merging all policies into one when in fact they are used by different modules.

💯 to this being a problem. We have the same issue where we have modules managing service accounts and the custom policies associated with them. Aggregating config into a single data "google_iam_policy" is not a great option/pattern. The -parallelism=1 workaround does work for us for now.
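The per-module pattern the last two commenters are asking for, as an added example that is not from the issue or from the Terraform project: instead of every module owning a whole project IAM policy, each module adds only its own (member, role) bindings with google_project_iam_member, which is non-authoritative. It assumes a Google provider that offers google_project_iam_member (current providers do; whether the provider bundled with Terraform 0.9.8 did is not stated on the page) and Terraform 0.12+ syntax for for_each. Service account names, roles and the google_project_id variable are taken from the reporter's configuration above.

```hcl
# Added example, not the issue reporter's or Terraform's own code.
# One non-authoritative binding per (service account, role), so that
# several modules can grant roles in the same project without any of
# them replacing the whole project policy.
# Assumes: Google provider with google_project_iam_member, Terraform >= 0.12.
variable "google_project_id" {
  type = string
}

resource "google_service_account" "stackdriver_api" {
  account_id   = "stackdriver-api"
  display_name = "Stackdriver (api)"
}

# Roles this one service account needs. Adding a role here adds one
# binding; removing it removes only that binding, nothing else in the
# project policy is touched.
locals {
  stackdriver_roles = toset([
    "roles/errorreporting.writer",
    "roles/cloudtrace.agent",
    "roles/logging.logWriter",
  ])
}

resource "google_project_iam_member" "stackdriver" {
  for_each = local.stackdriver_roles

  project = var.google_project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.stackdriver_api.email}"
}

resource "google_service_account" "cert_bot" {
  account_id   = "cert-bot"
  display_name = "CertBot"
}

# This block can live in a different module from the one above; neither
# module needs to know about the other's bindings.
resource "google_project_iam_member" "cert_bot_dns" {
  project = var.google_project_id
  role    = "roles/dns.admin"
  member  = "serviceAccount:${google_service_account.cert_bot.email}"
}
```

Two caveats. First, every google_project_iam_member still performs its own read-modify-write of the project policy, so a parallel apply can still hit the 409; current Google providers retry that internally, and -parallelism=1 remains the fallback for a provider that does not. Second, project-wide roles/dns.admin is broad for a certificate bot that only needs to answer DNS-01 challenges; if the zone set is known, scope the grant to those zones rather than the project.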

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
