
[Compute instance] Adding a service account block with an empty scope list and no email does nothing #8792

Closed
alsyia opened this issue Mar 30, 2021 · 1 comment · Fixed by GoogleCloudPlatform/magic-modules#4634, hashicorp/terraform-provider-google-beta#3098 or #8801

@alsyia

alsyia commented Mar 30, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

  • Terraform v0.14.9
  • registry.terraform.io/hashicorp/google v3.62.0
  • registry.terraform.io/hashicorp/google-beta v3.62.0

Affected Resource(s)

  • google_compute_instance

Terraform Configuration Files

First

resource "google_compute_instance" "my_instance" {
  name         = "my-instance"
  machine_type = "n1-standard-1"
  zone         = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "gce-uefi-images/ubuntu-1804-lts"
    }
  }

  network_interface {
    subnetwork = "my-subnet"
  }
}

and then

resource "google_compute_instance" "my_instance" {
  name         = "my-instance"
  machine_type = "n1-standard-1"
  zone         = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "gce-uefi-images/ubuntu-1804-lts"
    }
  }

  network_interface {
    subnetwork = "my-subnet"
  }

  service_account {
    scopes = []
  }
}

Expected Behavior

I have an instance that was created without a service_account block, so it has no service account configured (which is not the Console/API default behaviour, but that's ok).
I later wanted to add the default Compute service account to this VM with no scopes (so that I can enable VM Manager and OS Patching on my instance).

I expected that by adding this block, Terraform would configure the default Compute service account with an empty scopes list for the VM, since the doc states that when email is empty, it defaults to the default Compute service account.

  service_account {
    scopes = []
  }

Actual Behavior

Nothing! No service account configured.
Plan looks like this:

  ~ resource "google_compute_instance" "my_instance" {
        id                   = "projects/my-project/zones/europe-west1-b/instances/my-instance"
        name                 = "my-instance"
        # (X unchanged attributes hidden)

      + service_account {}

        # (Y unchanged blocks hidden)
    }

Apply succeeds but the VM is not modified, and the next plan shows the same diff.

Steps to Reproduce

  1. Create an instance without any service account (no service_account block)
  2. Add a service_account block with an empty scopes list
  3. Apply
  4. Observe how nothing changed and Terraform still shows a diff in the next terraform plan

Important Factoids

An acceptable workaround is to fetch the service account email manually and insert it in the service_account block:

data "google_compute_default_service_account" "default" {
}

resource "google_compute_instance" "my_instance" {
  name         = "my-instance"
  machine_type = "n1-standard-1"
  zone         = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "gce-uefi-images/ubuntu-1804-lts"
    }
  }

  network_interface {
    subnetwork = "my-subnet"
  }

  service_account {
    email = data.google_compute_default_service_account.default.email
    scopes = []
  }
}

I am not sure if the behaviour is known or intended. I guess the empty scopes list results in Terraform somehow displaying a diff but not applying anything?

This is definitely not a big deal, but I was a bit surprised.

Thanks! :)
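Because the apply in this issue reports success while leaving the VM untouched, a post-apply check of what is actually attached is worth having. The following is an added example, not code from the issue or the provider: it reads the JSON that `gcloud compute instances describe ... --format=json` returns (a constructed, trimmed sample is embedded; the project number is made up) and reports whether the intended state from this report (default Compute service account, empty scopes) really landed.

```python
import json

# Constructed samples of `gcloud compute instances describe --format=json` output,
# trimmed to the fields this check uses. The project number is invented.
SAMPLE_NO_SA = json.dumps({"name": "my-instance"})
SAMPLE_DEFAULT_SA_NO_SCOPES = json.dumps({
    "name": "my-instance",
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": []}],
})
SAMPLE_DEFAULT_SA_BROAD = json.dumps({
    "name": "my-instance",
    "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                         "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
})


def is_default_compute_sa(email: str) -> bool:
    """The default Compute SA is <project-number>-compute@developer.gserviceaccount.com."""
    local, _, domain = email.partition("@")
    return domain == "developer.gserviceaccount.com" and local.endswith("-compute")


def describe_service_account(instance_json: str) -> dict:
    """Summarise the service account actually attached to the instance."""
    inst = json.loads(instance_json)
    sas = inst.get("serviceAccounts") or []
    if not sas:
        return {"attached": False, "email": None, "scopes": [], "default_sa": False}
    sa = sas[0]  # a GCE instance carries at most one service account
    email = sa.get("email", "")
    return {"attached": True, "email": email, "scopes": sorted(sa.get("scopes", [])),
            "default_sa": is_default_compute_sa(email)}


def verify_no_scope_default_sa(instance_json: str) -> list:
    """Return findings; an empty list means: default SA attached, no scopes, as intended."""
    state = describe_service_account(instance_json)
    findings = []
    if not state["attached"]:
        findings.append("no service account attached: the apply did not take effect")
    else:
        if not state["default_sa"]:
            findings.append("unexpected service account: %s" % state["email"])
        if state["scopes"]:
            findings.append("scopes present but none were intended: " + ", ".join(state["scopes"]))
    return findings


if __name__ == "__main__":
    for label, sample in [("no SA", SAMPLE_NO_SA), ("default, no scopes", SAMPLE_DEFAULT_SA_NO_SCOPES),
                          ("default, broad", SAMPLE_DEFAULT_SA_BROAD)]:
        print(label, "->", verify_no_scope_default_sa(sample) or "OK")
```

Run it against the real describe output after `terraform apply` to catch the silent no-op this issue describes, and to flag scopes that should not be there.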

@ghost

ghost commented Apr 30, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 30, 2021