google_storage_bucket_iam_member: constantly add IAM permission to bucket without updating tfstate

[theophileds]

Hi there,

Terraform Version

Terraform version: 0.11.7

Affected Resource(s)

Please list the resources as a list, for example:

• google_storage_bucket_iam_member

Terraform Configuration Files

resource "google_service_account" "test" {
  project      = "data"
  account_id   = "test"
  display_name = "Test"
}

resource "google_storage_bucket" "test-export" {
  project  = "data
  name     = "bucket-test"
  location = "EU"
}

resource "google_storage_bucket_iam_member" "test-export-bucket-ops-object-admin" {
  bucket = "${google_storage_bucket.test-export.name}"
  role   = "roles/storage.objectAdmin"
  member = "group:ops@data.com"
}

Debug Output

The last line printed after a terraform apply command

2018-07-02T17:47:34.982+0200 [DEBUG] plugin.terraform-provider-google_v1.15.0_x4: 2018/07/02 17:47:34 [DEBUG]: Member "group:ops@data.com" for binding for role "roles/storage.objectAdmin" does not exist in policy of Storage Bucket "bucket-test", removing from state.

Expected Behavior

When I run terraform apply, it prints out that IAM permission authorizing the group ops@data.com as Object Admin to bucket test-export will be added

Actual Behavior

Every time I run terraform apply, it asks me again to add the same IAM permission to the same bucket.
However, the rule has been successfully added to the GCS bucket, even if I manually delete it then use terraform apply command it will be added again but not in terraform state...

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Run terraform apply

  + google_storage_bucket_iam_member.test-export-bucket-ops-object-admin
      id:     <computed>
      bucket: "bucket-test"
      etag:   <computed>
      member: "group:ops@data.com"
      role:   "roles/storage.objectAdmin"

2. Run terraform apply
   The same output will appear

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

• Permadiff on google_storage_default_object_acl #1678

[morgante]

To clarify, it looks like this is related to IAM membership (not ACLs) which are actually two separate permission systems.

[paddycarver]

Would it be possible to get a debug log for an apply of this? That would help get to the bottom of what's happening here.

[theophileds]

The full debug log contains more than 10k lines, and sensitive information may be present, do you have a specific part you might need for me to adapt it?

[danawillow]

@Doritos250, the various POST and GET requests and their contents would be ideal. Are you working with @morgante? If so, feel free to send the logs to him and he'll forward them to me.

[TheSecureTux]

I used to get a similar issue until I checked the state of the bucket, turns out on top of the bucket ACL in the state there was " "OWNER:project-owners-XXXXXXXX". I added this ACL member in my code at the top and the error message disapeared.

[rileykarson]

Hey @jmg87, have you encountered this in a recent version of the provider / was that issue recently?

[rileykarson]

Closing as stale.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!