Trouble applying security label to Google Groups. Remove: forceNew from labels?

[jeffbryner]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

1.0.6

Affected Resource(s)

Cloud identity group labels

Terraform Configuration Files

# Copy-paste your Terraform configurations here.
#
# For large Terraform configs, please use a service like Dropbox and share a link to the ZIP file.
# For security, you can also encrypt the files using our GPG public key:
#    https://www.hashicorp.com/security
#
# If reproducing the bug involves modifying the config file (e.g., apply a config,
# change a value, apply the config again, see the bug), then please include both:
# * the version of the config before the change, and
# * the version of the config after the change.

Debug Output

not relevant

Panic Output

none

Expected Behavior

Expected to be able to patch an existing google workspace group with the security label using the cloud identity groups resource.

Actual Behavior

Tried it a couple of ways: ( as mentioned in hashicorp/terraform-provider-googleworkspace#113 (comment) )

• Create a group with the workspace provider, reference it in the cloudidentity resource with a security label
• Create a group solely with the cloudidentity resource and apply a security label

Couldn't get either to work?

In either case, cloudidentity attempts to create a group. If you create a group you apparently cannot do so with an initial label set to security. You can only patch an existing group.

If you do two terraform runs one to create with the normal discussion group label, then try again adding a security label, terraform replaces the group in place which again causes the error:

Error 400: Cannot create a security group directly
~ labels = { # forces replacement

• "cloudidentity.googleapis.com/groups.security" = ""

Suggestion from the workspace provider project was to remove the 'forceNew' on the labels attribute, I believe in this source:

terraform-provider-google/google/resource_cloud_identity_group.go

Line 86 in e2e533f

ForceNew: true,

References

Are there any other GitHub issues (open or closed) or pull requests that should be linked here? Vendor documentation? For example:
--->

• Feature request: Security group labels terraform-provider-googleworkspace#113 (comment)

[melinath]

closing as duplicate of #7991

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.