google_storage_object_access_control does not encode path properly #9457

Labels: bug, forward/review, service/storage

@riptl

riptl commented Jun 29, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.0.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.74.0

Affected Resource(s)

  • google_storage_object_access_control

Terraform Configuration Files

resource "google_storage_object_access_control" "test" {
  bucket = "my-bucket"
  object = "a/b/c"
  role   = "READER"
  entity = "allUsers"
}

Debug Output

2021-06-29T10:31:17.979+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:17 [DEBUG] Creating new ObjectAccessControl: map[string]interface {}{"bucket":"my-bucket", "entity":"allUsers", "object":"a/b/c", "role":"READER"}: timestamp=2021-06-29T10:31:17.979+0200
2021-06-29T10:31:17.979+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:17 [DEBUG] Waiting for state to become: [success]: timestamp=2021-06-29T10:31:17.979+0200
2021-06-29T10:31:17.980+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:17 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2021-06-29T10:31:17.980+0200
2021-06-29T10:31:17.980+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:17 [DEBUG] Retry Transport: request attempt 0: timestamp=2021-06-29T10:31:17.980+0200
2021-06-29T10:31:17.981+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:17 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
POST /storage/v1/b/my-bucket/o/a/b/c/acl?alt=json HTTP/1.1
Host: storage.googleapis.com
User-Agent: Terraform/1.0.1 (+https://www.terraform.io) Terraform-Plugin-SDK/2.5.0 terraform-provider-google/3.74.0
Content-Length: 163
Content-Type: application/json
Accept-Encoding: gzip

{
 "bucket": "my-bucket",
 "entity": "allUsers",
 "object": "a/b/c",
 "role": "READER"
}

-----------------------------------------------------: timestamp=2021-06-29T10:31:17.980+0200
2021-06-29T10:31:18.162+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:18 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 404 Not Found
Content-Length: 9
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 29 Jun 2021 08:31:18 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Server: UploadServer
Vary: Origin
Vary: X-Origin
X-Guploader-Uploadid: xxx

Not Found
-----------------------------------------------------: timestamp=2021-06-29T10:31:18.162+0200
2021-06-29T10:31:18.162+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:18 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 404 with body: ...

Not Found: timestamp=2021-06-29T10:31:18.162+0200
2021-06-29T10:31:18.162+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:18 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2021-06-29T10:31:18.162+0200
2021-06-29T10:31:18.162+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:18 [DEBUG] Unlocking "storage/buckets/my-bucket/a/b/c/default.tfstate": timestamp=2021-06-29T10:31:18.162+0200
2021-06-29T10:31:18.163+0200 [INFO]  provider.terraform-provider-google_v3.74.0_x5: 2021/06/29 10:31:18 [DEBUG] Unlocked "storage/buckets/my-bucket/a/b/c/default.tfstate": timestamp=2021-06-29T10:31:18.162+0200
╷
│ Error: Error creating ObjectAccessControl: googleapi: got HTTP response code 404 with body: Not Found
│ 
│   with google_storage_object_access_control.test,
│   on main.tf line 46, in resource "google_storage_object_access_control" "test":
│   46: resource "google_storage_object_access_control" "test" {
│ 

Expected Behavior

The request should have succeeded.

The POST request to create the ObjectAccessControl resource should have escaped the path according to API Reference.

e.g. POST /storage/v1/b/my-bucket/o/a%2fb%2fc/acl?alt=json

Actual Behavior

terraform-provider-google did not escape the path properly and made a POST request against POST /storage/v1/b/my-bucket/o/a/b/c/acl?alt=json, which does not map to any API endpoint.

Steps to Reproduce

  1. Create an empty bucket
  2. Create any object with a slash / in its name
  3. Set an ACL on the object

References

@riptl riptl added the bug label Jun 29, 2021
@venkykuberan venkykuberan self-assigned this Jun 29, 2021
@venkykuberan
Contributor

@terorie object field takes the object name, not the path of the object. The resource is working as expected. Let us know if you feel otherwise.

example

resource "google_storage_object_access_control" "public_rule" {
  object = google_storage_bucket_object.object.output_name
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "allUsers"
}

resource "google_storage_bucket" "bucket" {
  name = "static-content-bucket"
}

resource "google_storage_bucket_object" "object" {
  name   = "public-object"
  bucket = google_storage_bucket.bucket.name
  source = "../static/img/header-logo.png"
} 

@venkykuberan
Contributor

@terorie talked to my colleague, it's indeed a bug on our end. We will work on it.

@riptl
Author

riptl commented Jun 30, 2021

@venkykuberan Thanks! This bug might affect more resources by the way. google_storage_object_access_control is the only one I have tested with. The original bug report indicates that more resources use the same path encoding logic.

@paparuco

paparuco commented Jul 1, 2021

Hello All, having this same issue!
In order to get my use case to work I have tried using the resource google_storage_object_acl and it works, don't know if it's usable in the use case that you have, but it worked for me.
Best Regards

@melinath
Collaborator

melinath commented Jul 2, 2021

It looks like google_storage_object_acl is handwritten & uses a client wrapper that presumably handles this conversion internally.
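
The encoding problem reported in this issue, as an added example (not code from the provider or from any commenter): it builds the ACL request path with and without escaping the object name and runs both through a hypothetical router for `b/{bucket}/o/{object}/acl`. The function names and the router are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const apiPrefix = "/storage/v1/b/"

// naiveACLPath interpolates the object name as-is, which reproduces the
// request line seen in the issue's debug output.
func naiveACLPath(bucket, object string) string {
	return apiPrefix + bucket + "/o/" + object + "/acl"
}

// escapedACLPath percent-encodes bucket and object as single path segments.
// Go emits upper-case hex (%2F); it is equivalent to the %2f in the report.
func escapedACLPath(bucket, object string) string {
	return apiPrefix + url.PathEscape(bucket) + "/o/" + url.PathEscape(object) + "/acl"
}

// routeACLPath is a hypothetical router for b/{bucket}/o/{object}/acl: it
// splits the still-encoded path on "/" and only then decodes each segment.
func routeACLPath(path string) (bucket, object string, ok bool) {
	if !strings.HasPrefix(path, apiPrefix) {
		return "", "", false
	}
	seg := strings.Split(strings.TrimPrefix(path, apiPrefix), "/")
	if len(seg) != 4 || seg[1] != "o" || seg[3] != "acl" {
		return "", "", false // extra segments: no endpoint matches
	}
	b, errB := url.PathUnescape(seg[0])
	o, errO := url.PathUnescape(seg[2])
	if errB != nil || errO != nil {
		return "", "", false
	}
	return b, o, true
}

func main() {
	for _, p := range []string{
		naiveACLPath("my-bucket", "a/b/c"),
		escapedACLPath("my-bucket", "a/b/c"),
	} {
		b, o, ok := routeACLPath(p)
		fmt.Printf("%-45s matched=%v bucket=%q object=%q\n", p, ok, b, o)
	}
}
```
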

@github-actions

github-actions bot commented Aug 2, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021
@github-actions github-actions bot added service/storage forward/review In review; remove label to forward labels Jan 14, 2025