Service Account resource gets created but not added to state

[MorganPeat]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.11.14

Affected Resource(s)

google_service_account

Terraform Configuration Files

provider "google" {
  version      = "2.20.2"
  region       = "europe-west2"
}

resource "google_service_account" "project_compute_sa" {
  account_id   = "${local.service_account_name_prefix}-compute"
  display_name = "Project Compute User"
  project      = "${google_project.project.id}"
}

resource "google_project_iam_member" "project_compute_sa_role_member" {
  count   = "${length(var.project_compute_sa_roles)}"
  project = "${google_project.project.id}"
  role    = "${var.project_compute_sa_roles[count.index]}"
  member  = "serviceAccount:${google_service_account.project_compute_sa.email}"
}

Debug Output

https://gist.github.com/MorganPeat/b8fca25b2845e0b93dd8e4bd2c441c96

Expected Behavior

Service account is created, email address is populated so dependent resources can refer to it.

Actual Behavior

Service account is created but not added to terraform state. Dependent resources not created. Repeated terraform apply fails because underlying SA is created in GCP. Must either delete SA via GCP console or run terraform import to continue.

Steps to Reproduce

Intermittent, sadly. Not easy to reproduce.

Important Factoids

There is a hard-coded 1 second sleep after the SA is created, after which the SA detail is read back. It appears (looking at the debug output in the attached gist) that the SA was not GET-able after this time. Subsequent terraform applys were able to GET the resource.

References

https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_google_service_account.go#L86

• #0000

[edwardmedia]

@MorganPeat your provider version is pretty old. Can you try to upgrade and see if this still happens

[Arkehlor]

I'm having similar issues with the latest provider version

[MorganPeat]

Sadly, no. We have a large number of sentinel policies and other work to do before we can move to terraform 0.12. v2.20.2 is, I think, the latest provider version that supports terrform 0.11.

But, looking at the code in the link above, nothing much seems to have changed. If there is a delay on the GCP side then the issue would occur even with a newer provider version?

[edwardmedia]

@MorganPeat I have tried running your code by creating the SA along with 12 roles on both terraform 0.11 and 0.12, still not able to catch that error.

[c2thorn]

Hi @MorganPeat, this looks very similar to #6377, but the key factor described there is project creation. Is this your scenario as well? If so, there is a workaround I posted there that may help you even in v2.20.2.

[MorganPeat]

Thanks @c2thorn that issue does look exactly like the one we are having. (Ours is on new project creation too).
We have prevented use of local-exec via Sentinel but I can look to get an exception made for this case.
But I see @mldmld68 has a workaround with depends_on = [google_project_service.main] so I'll try that first, see how it goes.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!