Bucket resource returns as completed before it actually exists #6212

@preston-hf

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.23
+ provider.google v3.17.0
+ provider.google-beta v3.17.0
+ provider.template v2.1.2

Affected Resource(s)

  • google_storage_bucket
  • google_storage_bucket_iam_member

Terraform Configuration Files

resource "google_storage_bucket" "bkt_bucket" {
  name = "${var.bkt_name}_source"
  labels = {
    controlled-by-terraform = true
  }
  project = var.project_id
  force_destroy = true

}

resource "google_storage_bucket_iam_member" "bkt_access" {
  bucket = google_storage_bucket.bkt_bucket.name
  member = module.bkt_service_account.iam_email
  role = "roles/storage.objectAdmin"
}

Expected Behavior

I should be able to add permissions (IAM members) to the bucket in the same terraform apply as the bucket is created.

Actual Behavior

An error is generated when the IAM permissions are applied:

Error: Error applying IAM policy for storage bucket "b/foo_source": Error setting IAM policy for storage bucket "b/foo_source": googleapi: Error 412: Precondition Failed, conditionNotMet

If you attempt to apply immediately after this error is received, it works fine. This indicates that bucket creation is eventually consistent and the resource does not properly verify the bucket fully exists before continuing. This is new behavior, possibly introduced to the GCS service in the past week or two; it was working fine previously. I am working around this right now by using a local-exec provisioner that sleeps for 10 seconds, but this is an ugly hack that the resource itself should take care of.

Steps to Reproduce

  1. terraform apply
@ghost ghost added the bug label Apr 27, 2020
@venkykuberan venkykuberan self-assigned this Apr 27, 2020
@venkykuberan
Contributor

google_storage_bucket makes a GET call following the Create call to ensure resource creation is complete and it's available to use. However, we see similar eventual consistency issues with other resources trying to consume recently created GCS resources. Since it's working fine if you rerun the Apply command immediately, it's a good candidate for a retry approach.

I tried a few times and it's not happening for me; however, I have seen that happening for other users.
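
Added example, not part of the comment above and not the provider's own code: one way the retry approach could look in Go, retrying only on the 412 conditionNotMet error from this issue so that other failures (for example a permission error) surface immediately. The `apiError` type, the function names and the simulated `fakeSetIamPolicy` call are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for the HTTP error a Google API client returns.
type apiError struct {
	Code   int
	Reason string
}

func (e *apiError) Error() string { return fmt.Sprintf("googleapi: Error %d: %s", e.Code, e.Reason) }

// isBucketNotReady reports whether err is the 412 conditionNotMet seen in this issue.
func isBucketNotReady(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == 412 && ae.Reason == "conditionNotMet"
}

// retryUntilReady calls op until it succeeds, returns a non-retryable error,
// or maxAttempts is used up. The wait doubles after each retryable failure.
func retryUntilReady(op func() error, maxAttempts int, base time.Duration) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = op(); err == nil || !isBucketNotReady(err) {
			return attempt, err // success, or an error that a retry will not fix
		}
		if attempt < maxAttempts {
			time.Sleep(base << uint(attempt-1))
		}
	}
	return maxAttempts, fmt.Errorf("bucket still not ready after %d attempts: %w", maxAttempts, err)
}

// fakeSetIamPolicy is a constructed simulation: the first `failures` calls
// return 412 conditionNotMet, later calls return finalErr.
func fakeSetIamPolicy(failures int, finalErr error) func() error {
	calls := 0
	return func() error {
		if calls++; calls <= failures {
			return &apiError{Code: 412, Reason: "conditionNotMet"}
		}
		return finalErr
	}
}

func main() {
	attempts, err := retryUntilReady(fakeSetIamPolicy(2, nil), 5, 10*time.Millisecond)
	fmt.Println("attempts:", attempts, "err:", err)
}
```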

@preston-hf
Author

Maybe instead of simply GETting the bucket, you could issue a strongly-consistent operation like listing the bucket contents or something? https://cloud.google.com/storage/docs/consistency

@preston-hf
Author

Additionally, if it's determined that the existing behavior should be strongly consistent, we should open an Issue Tracker issue because this is likely a regression that others will have problems with.

@ghost

ghost commented May 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators May 29, 2020