google_container_registry.container_registry must be replaced

shpml commented 11 months ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

terraform -v                                                        
Terraform v1.6.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v5.2.0
+ provider registry.terraform.io/hashicorp/google-beta v5.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0

Affected Resource(s)

google_container_registry
google_storage_bucket_iam_member

Terraform Configuration Files

resource "google_container_registry" "container_registry" {
  location = "ASIA"
}

Debug Output

Expected Behavior

The resources should not be replaced.

Actual Behavior

   # google_container_registry.container_registry must be replaced
-/+ resource "google_container_registry" "container_registry" {
      ~ bucket_self_link = "https://www.googleapis.com/storage/v1/b/asia.artifacts.my_project.appspot.com" -> (known after apply)
      ~ id               = "asia.artifacts.my_project.appspot.com" -> (known after apply)
      + project          = "my-project" # forces replacement
        # (1 unchanged attribute hidden)
    }

# google_storage_bucket_iam_member.bitbucket_pipelines_gcr_admin must be replaced
-/+ resource "google_storage_bucket_iam_member" "pipelines_gcr_admin" {
      ~ bucket = "b/asia.artifacts.my-project.appspot.com" # forces replacement -> (known after apply) # forces replacement
      ~ etag   = "CEI=" -> (known after apply)
      ~ id     = "b/asia.artifacts.my-project.appspot.com/roles/storage.admin/serviceaccount:pipelines@my-project.iam.gserviceaccount.com" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # google_storage_bucket_iam_member.container_registry_pull must be replaced
-/+ resource "google_storage_bucket_iam_member" "container_registry_pull" {
      ~ bucket = "b/asia.artifacts.my-project.appspot.com" # forces replacement -> (known after apply) # forces replacement
      ~ etag   = "CEI=" -> (known after apply)
      ~ id     = "b/asia.artifacts.my-project.appspot.com/roles/storage.objectViewer/serviceAccount:devops-k8s-default-svc@my-project.iam.gserviceaccount.com" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

  # google_storage_bucket_iam_member.gcr_read_only_binding must be replaced
-/+ resource "google_storage_bucket_iam_member" "gcr_read_only_binding" {
      ~ bucket = "b/asia.artifacts.my-project.appspot.com" # forces replacement -> (known after apply) # forces replacement
      ~ etag   = "CEI=" -> (known after apply)
      ~ id     = "b/asia.artifacts.my-project.appspot.com/roles/storage.objectViewer/serviceaccount:registry-reader@my-project.iam.gserviceaccount.com" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Steps to Reproduce

terraform apply

Important Factoids

References

0000

b/306360857

aleks-m commented 10 months ago

I slso encountered this. As a workaround you can manually edit the TF state and add project to a list of google_container_registry resource attributes. Like this:

"attributes": {
  "location": "some_location",
  "project": "project_foobar"   # <== added this one

shpml commented 10 months ago

I slso encountered this. As a workaround you can manually edit the TF state and add project to a list of google_container_registry resource attributes. Like this:
"attributes": {
  "location": "some_location",
  "project": "project_foobar"   # <== added this one

Thanks for the workaround @aleks-m

For those working with remote state:

terraform state pull > default.tfstate
cp default.tfstate ../somewhere_else
Edit the resource as mentioned by @aleks-m
terraform state push -force default.tfstate

roaks3 commented 1 week ago

Note that Container Registry is now deprecated in favor of Artifact Registry https://github.com/hashicorp/terraform-provider-google/issues/19661. FWIW, this looks like a bug in how the project field is handled by google_container_registry specifically, but moving forward, I don't think this type of bucket management is needed at all.

Per https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr:

In Artifact Registry, there are no Cloud Storage buckets to manage in your Google Cloud projects. You perform image management actions directly on a repository.

hashicorp / terraform-provider-google