google_storage_bucket_acl role_entities don't work #10612
Comments
|
Seeing this in Terraform v0.8.4 as well. the additional roles for service accounts are actually created for the bucket, but the apply command fails: or this if I try to put OWNER:project-owners-XXX in the list of roles: |
|
I'm seeing a different but related issue with updating ACLs - specifically: I'm trying to set the OWNER to an email representing the GCP project owner and a READER to an email representing a previously terraformed service account which has viewer access to the project. I get a 400 Invalid value, invalid also. |
|
I'm getting Adding these service accounts via the Cloud Console works. |
|
Same issue with Terraform v0.8.7. |
|
Same here with 0.8.8, trying to set the exact same ACL as the one already applied (default, created with Terraform) fails : resource "google_storage_bucket_acl" "public-read-acl" {
bucket = "${google_storage_bucket.public.name}"
role_entity = [
"OWNER:project-owners-123456",
"OWNER:project-editors-123456",
"READER:project-viewers-123456",
]
}Current ACLs: |
|
I just tried to only give rights to a new entity and it worked: resource "google_storage_bucket_acl" "read-acl" {
bucket = "${google_storage_bucket.public.name}"
role_entity = [
"WRITER:user-${google_service_account.sa.email}",
]
}Result: It looks like the original 3 ACLs applied to a bucket (for project owners, editors and viewers) cant be modified by terraform and are ignored. |
|
For a 0.9.5 example, this basically applies, but only applies one role entity: provider "google" {
region = "us-central1"
project = "${var.project}"
credentials = "${file(pathexpand("~/.config/gcloud/${var.project}.json"))}"
}
variable "project" {}
resource "google_storage_bucket" "main" {
name = "matschaffer-test-bucket"
location = "us-central1"
storage_class = "regional"
}
resource "google_service_account" "main" {
account_id = "matschaffer-test-storage-user"
display_name = "matschaffer-test-storage-user"
}
resource "google_storage_bucket_acl" "main" {
depends_on = ["google_service_account.main"]
bucket = "${google_storage_bucket.main.name}"
role_entity = [
"READER:user-${google_service_account.main.email}",
"WRITER:user-${google_service_account.main.email}",
]
}(additionally that ❯ gsutil acl get gs://matschaffer-test-bucket
[
{
"entity": "project-owners-REDACTED",
"projectTeam": {
"projectNumber": "REDACTED",
"team": "owners"
},
"role": "OWNER"
},
{
"entity": "project-editors-REDACTED",
"projectTeam": {
"projectNumber": "REDACTED",
"team": "editors"
},
"role": "OWNER"
},
{
"entity": "project-viewers-REDACTED",
"projectTeam": {
"projectNumber": "REDACTED",
"team": "viewers"
},
"role": "READER"
},
{
"email": "[email protected]",
"entity": "user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com",
"role": "WRITER"
}
]And as a result, a TF plan or apply will always try to make changes. ❯ terraform apply
google_service_account.main: Refreshing state... (ID: projects/REDACTED/ser...REDACTED.iam.gserviceaccount.com)
google_storage_bucket.main: Refreshing state... (ID: matschaffer-test-bucket)
google_storage_bucket_acl.main: Refreshing state... (ID: matschaffer-test-bucket-acl)
google_storage_bucket_acl.main: Modifying... (ID: matschaffer-test-bucket-acl)
role_entity.#: "1" => "2"
role_entity.0: "WRITER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com" => "READER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com"
role_entity.1: "" => "WRITER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com"
google_storage_bucket_acl.main: Modifications complete (ID: matschaffer-test-bucket-acl)
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.
State path:
❯ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
google_service_account.main: Refreshing state... (ID: projects/REDACTED/REDACTED.iam.gserviceaccount.com)
google_storage_bucket.main: Refreshing state... (ID: matschaffer-test-bucket)
google_storage_bucket_acl.main: Refreshing state... (ID: matschaffer-test-bucket-acl)
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.
Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.
~ google_storage_bucket_acl.main
role_entity.#: "1" => "2"
role_entity.0: "WRITER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com" => "READER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com"
role_entity.1: "" => "WRITER:user-matschaffer-test-storage-user@REDACTED.iam.gserviceaccount.com"
Plan: 0 to add, 1 to change, 0 to destroy. |
|
Any update on this one? not being able to provision bucket acls makes this resource unusable |
|
@rileykarson FYI 👍 |
|
Having the same issue as @matschaffer . acls getting applied on every single run for storage buckets. Hi Matt! This is James from Netflix |
|
Hi @jamesbot9000! After the Terraform 0.10 Provider split, this issue has been copied to the separate Google Provider as hashicorp/terraform-provider-google#50. If you bump it there, it will probably be noticed sooner by the provider maintainers. There's a bit more context on the issue there as well I think! Alternatively, you'll probably get a faster response if you open a separate issue in that repository instead; preferably including a minimal repro, or |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Terraform Version
Terraform v0.7.13
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/mikemcrill/b43cb01767812985338b9bb890da4a9b
Expected Behavior
ACL should be applied without errors
Actual Behavior
ACL tries to delete owner and fails
Steps to Reproduce
Apply terraform with the above state
Important Factoids
I tried with and without referencing the OWNER entity, same effect. Terraform keeps trying to destroy the OWNER permission.
The text was updated successfully, but these errors were encountered: