Conditional IAM resulting in duplicate roles (one with condition and one without condition created during enabling API) #6697

Open
sarbajitrath opened this issue Jun 25, 2020 · 0 comments

sarbajitrath commented Jun 25, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

0.12.20

Affected Resource(s)

IAM

  • google_project_iam_binding

Terraform Configuration Files

resource "google_project_iam_binding" "container_engine_robot_loadbancer" {
  provider   = google-beta
  depends_on = [google_project_service.enable_kubernetes_engine_api]
  members    = ["serviceAccount:service-${google_project.tenant_project.number}@container-engine-robot.iam.gserviceaccount.com"]
  role       = "roles/container.serviceAgent"
  project    = google_project.tenant_project.project_id

  condition {
    title       = "intenal load balancer condition"
    description = "intenal load balancer condition for role roles/container.serviceAgent"
    expression  = "compute.isForwardingRuleCreationOperation() && compute.matchLoadBalancingSchemes(['INTERNAL','INTERNAL_MANAGED','INTERNAL_SELF_MANAGED']) || !compute.isForwardingRuleCreationOperation()"
  }
}

Debug Output

Panic Output

Expected Behavior

Ideally the role should be added once

Actual Behavior

The role is added twice

  1. When the Kubernetes API is enabled (role without condition)
  2. Role with condition as per the code pasted above

Steps to Reproduce

  1. terraform apply

Important Factoids

References

https://www.terraform.io/docs/providers/google/r/google_project_iam.html
Duplicate Role

  • #0000

b/304725267

@ghost ghost added the bug label Jun 25, 2020
@venkykuberan venkykuberan self-assigned this Jun 27, 2020
modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Oct 17, 2022
Signed-off-by: Modular Magician <magic-modules@google.com>
modular-magician added a commit that referenced this issue Oct 17, 2022
Signed-off-by: Modular Magician <magic-modules@google.com>
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudresourcemanager-crm labels Sep 27, 2023
@edwardmedia edwardmedia removed the forward/review In review; remove label to forward label Oct 3, 2023
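
Added example, not part of the original issue or the provider's code: IAM allow bindings are additive, so when a member holds a role both with and without a condition, the unconditional binding grants access regardless and the condition restricts nothing. This check walks a project policy and reports such pairs; the project number, the second binding and the function name `shadowed_conditions` are assumptions made for the example.

```python
import json
import sys
from collections import defaultdict

MEMBER = "serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"

# Constructed sample policy (project number 123456789012 is a placeholder), in the
# JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        # Unconditional grant, as the issue reports appears when the API is enabled.
        {"role": "roles/container.serviceAgent", "members": [MEMBER]},
        # Conditional grant from the Terraform resource in the issue.
        {"role": "roles/container.serviceAgent", "members": [MEMBER],
         "condition": {"title": "intenal load balancer condition",
                       "expression": "<expression from the issue>"}},
        # Conditional-only grant (constructed): must not be flagged.
        {"role": "roles/compute.networkViewer", "members": ["user:alice@example.com"],
         "condition": {"title": "expires 2030",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
}


def shadowed_conditions(policy):
    """Return sorted (role, member, condition_title) tuples for each conditional
    binding whose member also holds the same role without a condition.
    Members are compared literally; group membership is not expanded."""
    unconditional = defaultdict(set)  # role -> members granted with no condition
    conditional = []                  # (role, member, condition title)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        condition = binding.get("condition")
        if condition:
            title = condition.get("title", "")
            conditional.extend((role, m, title) for m in members)
        else:
            unconditional[role].update(members)
    return sorted(f for f in conditional if f[1] in unconditional[f[0]])


if __name__ == "__main__":
    # Optional argument: path to a saved policy JSON file; defaults to the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for role, member, title in shadowed_conditions(policy):
        print(f"{member} holds {role} unconditionally; condition '{title}' has no effect")
```
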