OS Config OS Policy Assignment: Error: Value for unconfigurable attribute #16737

AlxCloudRl opened this issue Dec 8, 2023 · 8 comments

AlxCloudRl commented Dec 8, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.6.5
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v5.8.0
  • provider registry.terraform.io/hashicorp/google-beta v5.8.0
  • provider registry.terraform.io/hashicorp/null v3.2.2
  • provider registry.terraform.io/hashicorp/random v3.5.1
  • provider registry.terraform.io/hashicorp/time v0.10.0

Affected Resource(s)

google_os_config_os_policy_assignment

Terraform Configuration Files

resource "google_os_config_os_policy_assignment" "install_software" {
  project     = module.myproject.project_id
  name        = "install-software"
  description = "Install necessary software"
  location    = var.deployment_zone

  instance_filter {
    all = true
  }

  os_policies {
    id          = "software-policy"
    description = ""
    mode        = "ENFORCEMENT"

    resource_groups {
      resources {
        id = "copy-terragrunt-binary" 
        file {
          state = "PRESENT"
          path  = "/usr/local/bin/terragrunt"
          permissions = 755
          file {
            gcs {
              bucket     = google_storage_bucket.bucketname.name
              object     = "terragrunt"
              generation = "XXXXX"
            }
          }
        }
      }
      resources {
        id = "copy-adduser-conf"
        file {
          state = "CONTENTS_MATCH"
          path  = "/etc/adduser.conf"
          permissions = 755
          file {
            allow_insecure = true 
            gcs {
              bucket     = google_storage_bucket.bucket.name
              object     = google_storage_bucket_object.file.output_name
            }
          }
        }
      }
    }
  }

  rollout {
    disruption_budget {
      fixed = 3
    }
    min_wait_duration = "3.5s"
  }

  timeouts {
    create = "60m"
    update = "30m"
  }
}

Debug Output

Error: Value for unconfigurable attribute

│ with google_os_config_os_policy_assignment.install_software,
│ on gcp_compute_engine.tf line 189, in resource "google_os_config_os_policy_assignment" "install_software":
│ 189: permissions = 755

│ Can't configure a value for "os_policies.0.resource_groups.0.resources.8.file.0.permissions": its value will be decided automatically based on the result of applying this configuration.

Panic Output

Expected Behavior

The plan should succeed and we should be able to set the permissions.

Actual Behavior

The plan fails and the permissions are not even set to default. I end up with a file without permissions and cannot access it.

Steps to Reproduce

  1. terraform apply

b/315582306

AlxCloudRl added the bug label Dec 8, 2023
github-actions bot added the forward/review and service/osconfig labels Dec 8, 2023
@edwardmedia
Contributor

edwardmedia commented Dec 8, 2023

@AlxCloudRl This seems by design. I see permissions is a readonly field. Why did you think you can set it up?

permissions - (Output) Consists of three octal digits which represent

@AlxCloudRl
Author

@edwardmedia Indeed, it's confusing, why is it listed as a supported argument? Also in the API, it's not clear if we can set it or not (not listed as required, but still an argument): https://cloud.google.com/compute/docs/osconfig/rest/v1/projects.locations.osPolicyAssignments#fileresource

@edwardmedia
Contributor

edwardmedia commented Dec 8, 2023

Oh I see. Forwarding it to the service team for double check

edwardmedia removed their assignment Dec 8, 2023
edwardmedia removed the forward/review label Dec 8, 2023
@AlxCloudRl
Author

Hello, any news on this?

@MahmoudNada0

I think the reason is that the "permissions" argument is set as Computed in the terraform-provider-google source code. It's not optional like other args (see this line).
Also, here it's written that "permissions" is (Output), not (Optional) like other args, which means that it is automatically determined and not configurable by the user in Terraform.

But in the VMM doc it's not mentioned anywhere that the "permissions" arg is not optional.
So, I believe this is an issue in the terraform-provider-google source code, as the "permissions" arg should be optional, not computed.

@AlxCloudRl
Author

Yes, I'm just trying to see how I can specify a binary copied from GCS with the proper DAC permissions. Currently, the binary is copied but then my users cannot execute it. Some workarounds exist with an exec block, but having the possibility to configure the permissions would be more clean and handy.
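
The exec-block workaround mentioned in the comment above, as an added example that is not code from the issue author or the provider project: the file resource omits `permissions`, and a following exec resource checks and sets the mode. Project, zone, bucket name and object generation are placeholders.

```hcl
resource "google_os_config_os_policy_assignment" "install_software" {
  project  = "my-project-id" # placeholder
  name     = "install-software"
  location = "us-central1-a" # placeholder zone
  instance_filter { all = true }

  os_policies {
    id   = "software-policy"
    mode = "ENFORCEMENT"
    resource_groups {
      # Resources in a group run in the order listed: copy first, then chmod.
      resources {
        id = "copy-terragrunt-binary"
        file {
          state = "PRESENT"
          path  = "/usr/local/bin/terragrunt"
          # No `permissions` here: the provider exposes it as output-only.
          file {
            gcs {
              bucket     = "my-artifact-bucket" # placeholder
              object     = "terragrunt"
              generation = 1234567890 # placeholder; pins one object version
            }
          }
        }
      }
      resources {
        id = "chmod-terragrunt-binary"
        exec {
          validate {
            interpreter = "SHELL"
            # Exit 100 = already in desired state, 101 = enforce must run.
            script = "[ \"$(stat -c %a /usr/local/bin/terragrunt)\" = \"755\" ] && exit 100; exit 101"
          }
          enforce {
            interpreter = "SHELL"
            # Exit 100 = enforcement succeeded; any other code is a failure.
            script = "chmod 0755 /usr/local/bin/terragrunt && exit 100; exit 1"
          }
        }
      }
    }
  }

  rollout {
    disruption_budget { fixed = 1 }
    min_wait_duration = "60s"
  }
}
```

Because the validate step compares the actual mode on every policy run, a file that drifts back to 644 is reported as non-compliant and re-enforced.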

@MahmoudNada0

I saw in the config u used the value assigned to permissions is 755. However the default value is already 755 based on the public doc.
Why don't u use the default one?

@AlxCloudRl
Author

> I saw in the config u used the value assigned to permissions is 755. However the default value is already 755 based on the public doc. Why don't u use the default one?

It's not 755, when a file is copied from Google Cloud storage into usr/local/bin/, its permission is 644.
