Permadiff on google_storage_default_object_acl #1678

Closed
morgante opened this issue Jun 19, 2018 · 6 comments

@morgante

Terraform Version

Terraform v0.11.7
+ provider.external v1.0.0
+ provider.google (unversioned)

Affected Resource(s)

  • google_storage_default_object_acl

Terraform Configuration Files

locals {
  # Make a list of uploader roles
  uploader_acl = "${formatlist("OWNER:user-%s", var.uploaders)}"

  # Store core roles in a list to combine later
  core_acl = [
    "OWNER:user-${var.cicd_service_account}",
    "READER:group-${var.sa_reader_group}",
  ]

  bucket_acl = "${concat(local.uploader_acl, local.core_acl)}"
}

resource "google_storage_default_object_acl" "cert-bucket-default-acl" {
  bucket = "${var.cert_bucket}"

  role_entity = "${local.bucket_acl}"
}

Expected Behavior

It should update the default ACL without concern for ordering.

Actual Behavior

If the order locally is different, then it constantly tries to do a diff. Because the GCS API reorders the items after you set them, this causes a permadiff.

Steps to Reproduce

  1. Run terraform apply once and see the diff:
  ~ module.cert-iam.google_storage_default_object_acl.cert-bucket-default-acl
      role_entity.1: "OWNER:user1" => "OWNER:user3"
      role_entity.2: "READER:user2" => "OWNER:user1"
      role_entity.3: "OWNER:user3" => "READER:user2"

As you can see, it's just reordering the list. This completes successfully.

  2. Run terraform apply again and it wants to reorder again:
  ~ module.cert-iam.google_storage_default_object_acl.cert-bucket-default-acl
      role_entity.1: "OWNER:user1" => "OWNER:user3"
      role_entity.2: "READER:user2" => "OWNER:user1"
      role_entity.3: "OWNER:user3" => "READER:user2"
@emilymye
Contributor

looks like this param was added as List types instead of Set - will get out a PR to fix this soon
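
The List-versus-Set distinction above is the whole bug: with positional (list) comparison the API's reordered response looks like a change on every plan, while set comparison ignores order but still reports a real drift such as an extra grantee. The following Go snippet is an added illustration written for this thread, not provider code; the sample ACL values are constructed and mirror the three entries in the plan output.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed sample: what the config declares vs. what the GCS API returns
// after it reorders the entries (same entries, different order).
var (
	configACL = []string{"OWNER:user1", "READER:user2", "OWNER:user3"}
	remoteACL = []string{"OWNER:user3", "OWNER:user1", "READER:user2"}
)

// listDiffers mimics TypeList semantics: positional comparison, so a
// reordered-but-identical response still reads as a change (the permadiff).
func listDiffers(config, remote []string) bool {
	if len(config) != len(remote) {
		return true
	}
	for i := range config {
		if config[i] != remote[i] {
			return true
		}
	}
	return false
}

// setDiffers mimics TypeSet semantics: compare the entries ignoring order.
// Real drift (an entry added, removed, or with a changed role) is still reported.
func setDiffers(config, remote []string) bool {
	if len(config) != len(remote) {
		return true
	}
	c := append([]string(nil), config...)
	r := append([]string(nil), remote...)
	sort.Strings(c)
	sort.Strings(r)
	for i := range c {
		if c[i] != r[i] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("list diff on reordering:", listDiffers(configACL, remoteACL)) // true (spurious)
	fmt.Println("set diff on reordering: ", setDiffers(configACL, remoteACL))  // false
	// A grant added outside Terraform is still caught under set semantics.
	extra := append(append([]string(nil), remoteACL...), "OWNER:user4")
	fmt.Println("set diff with extra grant:", setDiffers(configACL, extra)) // true
}
```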

@emilymye emilymye self-assigned this Jun 20, 2018
@pdecat
Contributor

pdecat commented Jun 20, 2018

Related PR: #1525

@paddycarver
Contributor

Yeah, #1525 is the solution to this problem, we're just holding on merging because it's technically a breaking change. More discussion on that in the PR. I think we're likely to stick with that PR implementation, though, so I'm not sure it's worthwhile for @emilymye to open a new one.

@emilymye
Contributor

@paddycarver @pdecat Totally didn't see that! Makes sense, I'm going to stop working on mine :)

@paddycarver
Contributor

We got a non-breaking solution out in 1.15.0 for storage_bucket_acl. I can probably apply the same strategy here. I'll give it a shot.

@ghost

ghost commented Nov 17, 2018

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Nov 17, 2018