Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

google_storage_bucket_iam_member: constantly add IAM permission to bucket without updating tfstate #1722

Closed
theophileds opened this issue Jul 2, 2018 · 8 comments
Labels

Comments

@theophileds
Copy link

theophileds commented Jul 2, 2018

Hi there,

Terraform Version

Terraform version: 0.11.7

Affected Resource(s)

Please list the resources as a list, for example:

  • google_storage_bucket_iam_member

Terraform Configuration Files

resource "google_service_account" "test" {
  project      = "data"
  account_id   = "test"
  display_name = "Test"
}

resource "google_storage_bucket" "test-export" {
  project  = "data
  name     = "bucket-test"
  location = "EU"
}

resource "google_storage_bucket_iam_member" "test-export-bucket-ops-object-admin" {
  bucket = "${google_storage_bucket.test-export.name}"
  role   = "roles/storage.objectAdmin"
  member = "group:[email protected]"
}

Debug Output

The last line printed after a terraform apply command

2018-07-02T17:47:34.982+0200 [DEBUG] plugin.terraform-provider-google_v1.15.0_x4: 2018/07/02 17:47:34 [DEBUG]: Member "group:[email protected]" for binding for role "roles/storage.objectAdmin" does not exist in policy of Storage Bucket "bucket-test", removing from state.

Expected Behavior

When I run terraform apply, it prints out that IAM permission authorizing the group [email protected] as Object Admin to bucket test-export will be added

Actual Behavior

Every time I run terraform apply, it asks me again to add the same IAM permission to the same bucket.
However, the rule has been successfully added to the GCS bucket, even if I manually delete it then use terraform apply command it will be added again but not in terraform state...

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Run terraform apply
  + google_storage_bucket_iam_member.test-export-bucket-ops-object-admin
      id:     <computed>
      bucket: "bucket-test"
      etag:   <computed>
      member: "group:[email protected]"
      role:   "roles/storage.objectAdmin"
  1. Run terraform apply
    The same output will appear

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

@morgante
Copy link

morgante commented Jul 2, 2018

To clarify, it looks like this is related to IAM membership (not ACLs) which are actually two separate permission systems.

@theophileds theophileds changed the title google_storage_bucket_iam_member constantly add ACL without updating tfstate google_storage_bucket_iam_member constantly add IAM permission to bucket without updating tfstate Jul 3, 2018
@theophileds theophileds changed the title google_storage_bucket_iam_member constantly add IAM permission to bucket without updating tfstate google_storage_bucket_iam_member: constantly add IAM permission to bucket without updating tfstate Jul 3, 2018
@paddycarver
Copy link
Contributor

Would it be possible to get a debug log for an apply of this? That would help get to the bottom of what's happening here.

@theophileds
Copy link
Author

The full debug log contains more than 10k lines, and sensitive information may be present, do you have a specific part you might need for me to adapt it?

@danawillow
Copy link
Contributor

@Doritos250, the various POST and GET requests and their contents would be ideal. Are you working with @morgante? If so, feel free to send the logs to him and he'll forward them to me.

@TheSecureTux
Copy link

I used to get a similar issue until I checked the state of the bucket, turns out on top of the bucket ACL in the state there was " "OWNER:project-owners-XXXXXXXX". I added this ACL member in my code at the top and the error message disapeared.

@rileykarson
Copy link
Collaborator

Hey @jmg87, have you encountered this in a recent version of the provider / was that issue recently?

@rileykarson
Copy link
Collaborator

Closing as stale.

@ghost
Copy link

ghost commented Jul 27, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

No branches or pull requests

6 participants