role_id with more than 30 characters doesn't match regexp

[pdecat]

Terraform Version

# terraform version
Terraform v0.11.14
+ provider.google v2.6.0
+ provider.google-beta v2.6.0

Affected Resource(s)

Please list the resources as a list, for example:

• google_project_iam_custom_role

Terraform Configuration Files

resource "google_project_iam_custom_role" "storage_object_creator" {
  role_id     = "myproject.cloudStorageObjectCreator"
  title       = "My Project Cloud Storage Object Creator"
  description = "Role to enable object creation access to a Google Cloud Storage Bucket"

  permissions = [
    "storage.objects.create",
  ]
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

What should have happened?

Configuration should apply fine like in previous versions up to 2.5.1.

Actual Behavior

What actually happened?

Configuration is rejected:

Error: google_project_iam_custom_role.storage_object_creator: "role_id" ("myproject.cloudStorageObjectCreator") doesn't match regexp "^[a-zA-Z0-9_\\.\\-]{1,30}$"

Steps to Reproduce

1. terraform plan

Important Factoids

N/A

References

N/A

[pdecat]

This is caused by bc232a2 which was first released in 2.6.0.

Can confirm the issue does not occur with version 2.5.1 of the google and google-beta providers.

[pdecat]

This role id is accepted by gcloud:

# gcloud --project myproject iam roles create myproject.cloudStorageObjectCreator --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
Created role [myproject.cloudStorageObjectCreator].
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJToUtwUE=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/myproject.cloudStorageObjectCreator
stage: ALPHA
title: My Project Cloud Storage Object Creator

# gcloud --project myproject iam roles describe myproject.cloudStorageObjectCreator
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJToUtwUE=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/myproject.cloudStorageObjectCreator
stage: ALPHA
title: My Project Cloud Storage Object Creator

[rremer]

"myproject.cloudStorageObjectCreator" is 36 characters, while the documentation the validation function was written from specifies a max of 30 characters. I'll find out what the actual boundary is and update the documentation and validation function.

For reference: https://cloud.google.com/iam/docs/understanding-custom-roles#naming_the_role

[pdecat]

Here's the actual limit:

# gcloud --project myproject iam roles create 01234567890123456789012345678901234567890123456789012345678901234 --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
ERROR: (gcloud.iam.roles.create) INVALID_ARGUMENT: The role_id "01234567890123456789012345678901234567890123456789012345678901234" is invalid. It doesn't match pattern "[a-zA-Z0-9_\.]{3,64}". The role_id must be 3 to 64 characters long and can be a mix of uppercase and lowercase English letters, digits, underscores and periods.

This passes:

# gcloud --project myproject iam roles create 0123456789012345678901234567890123456789012345678901234567890123 --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
Created role [0123456789012345678901234567890123456789012345678901234567890123].
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJU8CI5r0=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/0123456789012345678901234567890123456789012345678901234567890123
stage: ALPHA
title: My Project Cloud Storage Object Creator

[danawillow]

Thanks for reporting, @pdecat! Next time, would you mind keeping the lines in the issue template that say to keep them for our automation? That helps HashiBot automatically assign the correct label to the issue, which makes it easier for us to triage. It's also nice to keep the community note too that way people understand how we hope they react to the issue.

[pdecat]

Hi @danawillow, I was actually surprised not to find the usual issue template when I opened this issue this morning.
When I clicked on the "New issue" button, I first had a github error message and when I refreshed, I had the default issue template instead:

[pdecat]

Actually, I had an error when accessing https://github.com/terraform-providers/terraform-provider-google/issues/new/choose, refreshing did not help, then I removed the /choose part from the URL and it worked.

Maybe the default template should also be updated.

[danawillow]

Ah I see, thanks! Will do!

[pdecat]

Thanks @rremer & @danawillow!

[pdecat]

Fix confirmed with provider version 2.7.0, thanks again!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!