
SetIamPolicy fails if there are leftover "deleted:" permissions in project #5153

Closed
uhinze opened this issue Dec 12, 2019 · 6 comments

@uhinze

uhinze commented Dec 12, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

Terraform v0.12.17

  • provider.external v1.2.0
  • provider.google v3.0.0

Affected Resource(s)

  • google_project_iam_member
  • probably other IAM resources

Terraform Configuration Files

resource "google_project_iam_member" "permissions" {
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:[email protected]"
}

Expected Behavior

Permission is added to the project. A descriptive error message in case an error occurs.

Actual Behavior

Error message: 'googleapi: Error 400: Policy members must be of the form ":"., badRequest'

But I had the correct format entered, as shown above.

Upon investigation, I found some leftover permissions in the project for service accounts that were deleted. The "member" information for those read like: "deleted:serviceAccount:[email protected]"

After deleting the leftover permissions, terraform apply ran without any error.

Steps to Reproduce

  1. Create service account and assign project permissions via console
  2. Delete service account but leave permissions in place
  3. terraform apply
@ghost ghost added the bug label Dec 12, 2019
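The check the reporter ended up doing by hand (looking for leftover "deleted:" bindings before running terraform apply) as an added Python example; this is not code from the issue or from the provider. The policy document is constructed in the JSON shape a getIamPolicy call returns, and the `?uid=` suffix on the deleted members is the form the IAM API appends to such entries. The functions report stale bindings (useful on their own, since a binding for a deleted principal is residual access that should be reviewed) and produce a pruned copy of the policy, with the etag kept so it can go back through the normal read-modify-write cycle.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample policy (not from the issue) in the shape returned by
# projects.getIamPolicy. Two members carry the "deleted:" prefix that the
# IAM API started returning for principals that no longer exist.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwWexampleETAG=",
  "bindings": [
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:log-writer@example-project.iam.gserviceaccount.com",
                 "deleted:serviceAccount:old-sa@example-project.iam.gserviceaccount.com?uid=1234567890"]},
    {"role": "roles/owner",
     "members": ["deleted:user:former-admin@example.com?uid=0987654321"]},
    {"role": "roles/viewer",
     "members": ["group:readers@example.com"]}
  ]
}
""")

DELETED_PREFIX = "deleted:"


def find_deleted_members(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs whose member refers to a deleted principal.

    These are the entries that made SetIamPolicy reject the policy in the
    issue, and they are worth a look anyway: a binding left behind for a
    deleted principal is residual access nobody is using.
    """
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(DELETED_PREFIX):
                hits.append((binding["role"], member))
    return hits


def prune_deleted_members(policy: Dict) -> Dict:
    """Return a copy of the policy with "deleted:" members removed.

    Bindings that end up with no members are dropped entirely; every other
    field (version, etag, conditions on a binding) is carried over unchanged
    so the result can be submitted with the original etag.
    """
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    bindings = []
    for binding in policy.get("bindings", []):
        kept = [m for m in binding.get("members", [])
                if not m.startswith(DELETED_PREFIX)]
        if kept:
            new_binding = dict(binding)
            new_binding["members"] = kept
            bindings.append(new_binding)
    cleaned["bindings"] = bindings
    return cleaned


def add_member(policy: Dict, role: str, member: str) -> Dict:
    """Add `member` to `role` in a copy of the policy (idempotent).

    Mirrors what google_project_iam_member does for one role/member pair,
    so the pruned policy can carry the intended change in the same write.
    """
    updated = prune_deleted_members(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


if __name__ == "__main__":
    for role, member in find_deleted_members(SAMPLE_POLICY):
        print(f"stale binding: {role} -> {member}")
    result = add_member(SAMPLE_POLICY, "roles/logging.logWriter",
                        "serviceAccount:new-sa@example-project.iam.gserviceaccount.com")
    print(json.dumps(result, indent=2))
```

In a real run the policy would come from getIamPolicy and the pruned result would go back through setIamPolicy with the etag intact, so a concurrent change to the policy is rejected rather than silently overwritten.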
@c3st7n

c3st7n commented Dec 12, 2019

This is due to a recent change to the IAM API which introduced the 'delete:' prefix. We have been hit by this also.

To make matters worse, the API change is being done in a phased rollout between December 9th and 13th, so the new behaviour is intermittent in this period and you cannot rely on a getIamPolicy call to reliably check for delete entries.

@griffinator76

See also #5151

@griffinator76

@c3st7n have you seen anything published online about this? I couldn't find anything that mentioned this change, although the timing of when this started does line up with what you said.

@c3st7n

c3st7n commented Dec 13, 2019

@griffinator76 yeah, stumbled across this release note: https://cloud.google.com/iam/docs/release-notes

Look at the entry for December 9th.

@slevenick
Collaborator

Looks like this is a duplicate of #5107

This was caused by the API change that started returning deleted: IAM members. A fix will be included in the next release of the provider. I'm going to close this issue in favor of #5107

@ghost

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020