read/write iam policies at version 3 in GA provider

[danawillow]

Conditions will still only be able to be set in the beta provider, but this way we don't end up in situations where people are stuck because they're only managing part of their IAM in terraform, and the part that doesn't has a condition, so the policy version is 3 but we're reading at 1. Fixes hashicorp/terraform-provider-google#5218, which explains the problem a bit better.

This also makes sure that the changes outlined in b/147505583 won't affect us.

Tested by adding a member with a condition to a role in the console, and then using Terraform to add another member to the same role, but with no condition.

Technically this would break users that have an IAM binding resource defined in their config, have modified it out of band to have a condition on it, upgrade to the version with this change, and then modify the member list. Since those users should be using the beta provider and defining the condition in their config anyway, I'm not too worried about it.

Release Note Template for Downstream PRs (will be copied)

iam: starts reading/writing IAM policies at version 3 in the GA provider. If you have an IAM resource defined in your config that has a condition on it created outside of Terraform, you should start using the beta provider and defining the condition in your config to avoid unexpected behavior.

iam: fixes issue where users of the GA provider who used IAM conditions outside of Terraform were getting an error

[modular-magician]

Hi! I'm the modular magician, I work on Magic Modules.
I see that this PR has already had some downstream PRs generated. Any open downstreams are already updated to your most recent commit, 073ced6.

Pull request statuses

WARNING: The following files changed in commit 073ced6 may need corresponding changes in third_party/validator:

• third_party/terraform/utils/iam_project.go.erb

No diff detected in terraform-provider-google-beta.
No diff detected in terraform-google-conversion.
No diff detected in Ansible.
No diff detected in Inspec.

New Pull Requests

I built this PR into one or more new PRs on other repositories, and when those are closed, this PR will also be merged and closed.
depends: hashicorp/terraform-provider-google#5469

[slevenick]

Would it make sense to preserve the existing IAM policy version if it exists? And only set version 3 if the policy is already version 3 or they specify a condition?

It seems like we are creating a situation where downgrading the provider will be impossible for users with any IAM resources, but that might be inevitable

[danawillow]

Versions are actually computed based on the content of the policy, so if you set it as 3, it doesn't contain any conditions, and then read it as 3, it'll say it's 1: https://cloud.google.com/iam/docs/policies#specifying-version (there's an example under the setting the policy section, scenario 1)

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff