Manually removed google_project_iam_binding is not detected and recreated

[EricHorst]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

$ terraform -v
Terraform v0.12.10
+ provider.google v2.17.0

Affected Resource(s)

• google_project_iam_binding

Terraform Configuration Files

$ cat test.tf
variable "container_view_groups" {
  description = "Groups that are GKE Viewers"
  type        = list(string)
}
resource "google_project_iam_binding" "container-viewer" {
  project = "uwit-mci-0001"
  role    = "roles/container.viewer"
  members = formatlist("%s:%s", "group", var.container_view_groups)
}
provider "google" {
  version     = "~> 2.17.0"
  credentials = file("../../.secrets/credential_file")
}

$ cat terraform.tfvars 
container_view_groups = [ 
    "[email protected]"
]

Debug Output

Trace output from step 4 of recreation steps below
https://gist.github.com/EricHorst/f7cea376a8a8a55d4e62a32585bf4a82

Expected Behavior

Manually removed google_project_iam_binding should be recreated.

Actual Behavior

When a role binding exists and all members are removed, leaving no users bound to that role, then Terraform does not detect it and recreate.

However, if the binding has multiple members and only one is removed, leaving at least one member, then Terraform detects the removed member and re-adds it. (This is not demonstrated here.)

Steps to Reproduce

1. First apply:

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_project_iam_binding.container-viewer will be created
  + resource "google_project_iam_binding" "container-viewer" {
      + etag    = (known after apply)
      + id      = (known after apply)
      + members = [
          + "group:[email protected]",
        ]
      + project = "uwit-mci-0001"
      + role    = "roles/container.viewer"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_project_iam_binding.container-viewer: Creating...
google_project_iam_binding.container-viewer: Still creating... [10s elapsed]
google_project_iam_binding.container-viewer: Creation complete after 16s [id=uwit-mci-0001/roles/container.viewer]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

2. Verify creation:

$ gcloud projects get-iam-policy uwit-mci-0001 --flatten=bindings --filter="bindings.role:roles/container.viewer"
---
bindings:
  members:
  - group:[email protected]
  role: roles/container.viewer
etag: BwWU6FuJJ3E=
version: 1

3. Remove and verify removal:

$ gcloud projects remove-iam-policy-binding uwit-mci-0001 --member=group:[email protected] --role=roles/container.viewer

$ gcloud projects get-iam-policy uwit-mci-0001 --flatten=bindings --filter="bindings.role:roles/container.viewer"
Listed 0 items.

4. Attempt to recreate:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

google_project_iam_binding.container-viewer: Refreshing state... [id=uwit-mci-0001/roles/container.viewer]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Important Factoids

Nothing atypical. Executing as a Google service account.

References

• None

[slevenick]

Found the cause of this, and have a possible fix.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!