Provider tries to incorrectly set `initial_group_config` after import of `google_cloud_identity_group`

[spkane]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.3.1
on linux_amd64
+ provider registry.terraform.io/dnsimple/dnsimple v0.5.3
+ provider registry.terraform.io/dopplerhq/doppler v1.1.6
+ provider registry.terraform.io/hashicorp/aws v4.50.0
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/google v4.49.0
+ provider registry.terraform.io/hashicorp/googleworkspace v0.7.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/integrations/github v5.3.0
+ provider registry.terraform.io/spacelift-io/spacelift v0.1.37

Affected Resource(s)

• google_cloud_identity_group

Terraform Configuration Files

resource "google_cloud_identity_group" "everyone" {
  description  = "employees + contractors"
  display_name = "everyone"

  parent               = "customers/${var.customer_id}"

  group_key {
    id = "everyone@${var.domain}"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

Debug Output

Panic Output

N/A

Expected Behavior

$ terraform import google_cloud_identity_group.everyone groups/99omg42n3sillyf
...
Import successful!

$ terraform apply
...
No changes. Your infrastructure matches the configuration.

Actual Behavior

$ terraform import google_cloud_identity_group.everyone groups/99omg42n3sillyf
...
Import successful!

$ terraform apply
...
Terraform used the selected providers to generate the
following execution plan. Resource actions are indicated with
the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_cloud_identity_group.contractors will be updated in-place
  ~ resource "google_cloud_identity_group" "everyone" {
        id                   = "groups/99omg42n3sillyf"
      + initial_group_config = "EMPTY"
        name                 = "groups/99omg42n3sillyf"
        # (6 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_cloud_identity_group.contractors: Modifying... [id=groups/02pta16n3woggyf]
╷
│ Error: Error updating Group "groups/02pta16n3woggyf": googleapi: Error 400: Request contains an invalid argument.
│ 
│   with google_cloud_identity_group.contractors,
│   on groups.tf line 40, in resource "google_cloud_identity_group" "contractors":
│   40: resource "google_cloud_identity_group" "contractors" {
│ 
╵
Releasing state lock. This may take a few moments...

• Terraform tries to apply the initial_group_config value which, I believe, I only allowed during initial group creation, and therefore throws an error.
• Re-running terraform immediately after this error returns no changes, and things appear to work fine at this point.

$ terraform apply
...
No changes. Your infrastructure matches the configuration.

Steps to Reproduce

1. terraform import google_cloud_identity_group.everyone groups/99omg42n3sillyf
2. terraform apply
3. terraform apply

Important Factoids

N/A

References

N/A

[edwardmedia]

Likely initial_group_config needs to be set Computed

[rileykarson]

Sending an explicit "EMPTY" to the API on create calls is likely required. Rather than Computed, we could consider setting the value to "EMPTY" in the import function, or in Read when the value is empty ("") or nil. We'd want to state in the docs that imported resources must always specify a value of "EMPTY" in that case (which, given what the field does, feels reasonable).

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

[roaks3]

Re-opening because we now have 2 users claiming that the fix did not stick: https://github.com/GoogleCloudPlatform/magic-modules/pull/7348#issuecomment-1819948732 and https://github.com/GoogleCloudPlatform/magic-modules/pull/7348#issuecomment-2093015603.

cc @dawnbreak @nathou you can add any further details here instead of the PR.