Terraform plan after apply has additional ACL changes required and never resolves #8957
Comments
Hi @jdstone! I'm sorry you're running into this. I was unable to reproduce it exactly; however, I did see similar behavior when I tried to assign
In the given configuration, I see one is a project_number variable and the other is hard-coded. Could you double-check that these are different project numbers?
Please let me know if they are indeed different users and you are still experiencing this. Thanks!
Hi @megan07, Interesting, I didn't catch that. Thanks for pointing that out, but that did not fix the issue. Here is the updated config and the result of the plan after applying.

```hcl
resource "google_storage_bucket_acl" "example-artifacts" {
  bucket = google_storage_bucket.example-artifacts.name
  role_entity = [
    "OWNER:project-owners-${var.google_project_number}",
    "OWNER:project-editors-${var.google_project_number}",
    "READER:project-viewers-${var.google_project_number}",
    "OWNER:group-engineering@example.com",
    "OWNER:user-dev-ccie-gcr-upload-key@example-production.iam.gserviceaccount.com",
    "OWNER:project-editors-398082806114",
    "OWNER:user-${var.google_project_number}-compute@developer.gserviceaccount.com",
  ]
}
```

```
  # google_storage_bucket_acl.example-artifacts will be updated in-place
  ~ resource "google_storage_bucket_acl" "example-artifacts" {
        id = "example-artifacts-acl"
      ~ role_entity = [
          - "OWNER:group-engineering@example.com",
          - "READER:user-348419557177-compute@developer.gserviceaccount.com",
            "OWNER:project-owners-348419557177",
            # (1 unchanged element hidden)
            "READER:project-viewers-348419557177",
          + "OWNER:group-engineering@example.com",
            "OWNER:user-dev-ccie-gcr-upload-key@example-production.iam.gserviceaccount.com",
            "OWNER:project-editors-398082806114",
          + "OWNER:user-348419557177-compute@developer.gserviceaccount.com",
        ]
        # (1 unchanged attribute hidden)
    }
```
Sure! And sorry again, I want to clarify that with this plan output, it is the plan after an
Yes, that is correct -- this is the plan after an
Hi @jdstone! Would I be able to get the debug logs for your latest change? Stepping through the code, we do something a little different with showing the changes in this resource. We compare all the role_entities in state with what's in the configuration; if their lengths are different (the initial situation) we show the entire diff, and if there is an entry in state that is not in the config (this last situation, Unfortunately, I'm unable to reproduce it locally, and from the previous debug logs, the only Thanks!
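An order-insensitive comparison of the two role_entity lists from the plan in this thread, added here as an illustration; it is not the provider's code and not part of any comment. The names toMap, aclDrift, sampleState and sampleConfig are hypothetical, and the sample lists are constructed from visible plan lines, with the hidden element left out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

var sampleState = []string{ // constructed from the plan: "-" and unchanged lines
	"OWNER:group-engineering@example.com",
	"READER:user-348419557177-compute@developer.gserviceaccount.com",
	"OWNER:project-owners-348419557177",
}
var sampleConfig = []string{ // constructed from the plan: "+" and unchanged lines
	"OWNER:project-owners-348419557177",
	"OWNER:group-engineering@example.com",
	"OWNER:user-348419557177-compute@developer.gserviceaccount.com",
}

// toMap parses "ROLE:entity" strings into an entity -> role map.
func toMap(list []string) map[string]string {
	m := map[string]string{}
	for _, re := range list {
		if p := strings.SplitN(re, ":", 2); len(p) == 2 {
			m[p[1]] = p[0]
		}
	}
	return m
}

// aclDrift lists entities whose role differs, ignoring list order.
func aclDrift(config, state []string) []string {
	want, have := toMap(config), toMap(state)
	out := []string{}
	for entity, role := range want {
		if have[entity] != role { // an entity absent from state prints an empty state=
			out = append(out, fmt.Sprintf("%s: config=%s state=%s", entity, role, have[entity]))
		}
	}
	for entity, role := range have {
		if _, ok := want[entity]; !ok { // granted in state but not in config
			out = append(out, fmt.Sprintf("%s: config= state=%s", entity, role))
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println(aclDrift(sampleConfig, sampleState)) }
```

On the sample it reports only the compute service account entity, which is READER in state and OWNER in the configuration; the group-engineering entry differs in position only.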
My apologies for the delayed response @megan07. Here is a link to the debug logs for my latest change:
Hi @jdstone - I'm so sorry, I want to double-check again, is this the debug from the plan or the apply? I don't see a
@megan07, this is from the
@jdstone Sorry for all the back and forth, I was able to reproduce it now and have a fix coming! Thank you for your patience!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
Community Note
modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Summary
After running terraform apply, a subsequent terraform plan indicates it needs to perform additional changes for ACLs even though the plan indicated it completed. (see output samples below)
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/jdstone/924c882f8b1f0fbf634fa9e3ffb4a663
Panic Output
N/A
Expected Behavior
It should not think it needs to make additional changes after an apply is run.
Actual Behavior
After configuring the ACLs, which seems to work, it thinks it needs to update the ACLs again.
Steps to Reproduce
terraform plan
terraform apply
terraform plan
Important Factoids
N/A
References