-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provider produced inconsistent result after apply #10193
Provider produced inconsistent result after apply #10193
Comments
The issue appears to be related to use |
@sethvargo yes. Below are the member formats that are supported. Closing this issue then
|
@edwardmedia okay, but that doesn't match the list of allowed values IAM accepts for principals. Service account emails are re-usable, but service account IDs are unique and are not subject to eventual consistency challenges like emails. |
At the very least, if you don't want to support this, Terraform should catch this and raise a more specific error. The current error specifically notes that this is a bug in the provider and should be reported upstream. /cc @rileykarson |
We'll probably have to validate away
We could probably figure it out and handle this correctly in a Duplicate entries showing up is, uh, some extra fun. It should work w/o issues, but it may be worth having the onduty trace through the IAM code to see if it'll cause any issues. @sethvargo: Do you happen to know where we'd find an updated list of member types offhand? That's a new one to me, and doesn't show up at https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Binding. |
I'll ping you a link privately. |
Thanks! For Googlers: go/iam-types |
Yeah - that's going to be pretty challenging to work out, I'm not sure if an API endpoint exists that we could use to check that the ID is equal to the email address that gets returned. Hm. I'll investigate to see what can be done, but I suspect this is going to get "persistent bug" treatment - this whole area could use a cleanup, since I notice many items on go/iam-types that we don't support.. |
@ndmckinley - could we just reject these types entirely at graph time? Basically, we can create an allowlist of valid prefixes that are known to work (or a denylist of those that fail) and bail the Terraform run early. That would avoid the "this is always a bug in the provider" error. You could also ping cache to see if he knows of an endpoint you could query. |
@ndmckinley: See #10193 (comment), an endpoint to get the email exists but is gonna need extra permissions so we probably don't want to use it. Using validation to reject the value will stop users hitting permadiffs, at least. I think a broader IAM fix is going to need a breaking change in order to completely remove the case-insensitivity behaviour in the provider / lock it behind certain principal types, definitely a larger change than the bug-at-hand. |
Ah, of course - I forgot that Okay, acknowledged, this bug is exclusively to reject the types we can't currently handle. |
Hi, service account team here. Even though service account emails are reusable, in IAM policy under the hood, we differentiate service accounts with the same email with unique IDs. If a service account is deleted, purged, and recreated again using the same email, a policy binding created for the old service account won't work on the new service account. The old account binding will be marked as "deleted:serviceaccount:" in IAM policy before it's eventually purged, and you can add a new policy binding for the new account. Hence you can safely use service account email in TF IAM policy module. |
We can consider adding 409 handling (if 409, do GetServiceAccount) in https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/resourcemanager/resource_google_service_account.go#L117-L122 to adapt to the eventual consistency of account creation. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
modular-magician
user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned tohashibot
, a community member has claimed the issue already.Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/sethvargo/6d940d2d95bf373f2a1d1b2f279ac5b9
Expected Behavior
Apply should work.
Actual Behavior
Steps to Reproduce
terraform apply
Important Factoids
None
References
b/304724862
The text was updated successfully, but these errors were encountered: