hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_iam_policy with dynamic conditional binding always show diff on plan #16298

Closed theminghuang closed 1 month ago

theminghuang commented 1 year ago

Terraform Configuration Files

data "google_iam_policy" "policy" {
  binding {
    ...
  }

  # Adds a conditional viewer binding only when var.viewers has an entry for
  # the current key (each.key comes from a for_each on the enclosing module,
  # which is not part of this snippet).
  dynamic "binding" {
    for_each = lookup(var.viewers, each.key, null) != null ? [lookup(var.viewers, each.key)] : []
    content {
      members = binding.value.members
      role    = "roles/secretmanager.viewer"
      condition {
        expression = binding.value.condition.expression
        title      = binding.value.condition.title
      }
    }
  }
}

# Applies the rendered policy to the secret; the diff reported below is on
# this resource's policy_data attribute.
resource "google_secret_manager_secret_iam_policy" "policy" {
  project     = var.project_id
  secret_id   = google_secret_manager_secret.secret.secret_id
  policy_data = data.google_iam_policy.policy.policy_data
}

Expected Behavior

Should not show a diff on plan after being applied.

Actual Behavior

Shows a diff on every plan:

  ~ resource "google_secret_manager_secret_iam_policy" "policy" {
      ...
      ~ policy_data = jsonencode(
          ~ {
              ~ bindings = [
                    # (1 unchanged element hidden)
                  ~ {
                      + condition = {
                          + expression = "some expression"
                          + title      = "some title"
                        }
                      ~ role      = "roles/secretmanager.viewer_withcond_3d5bd4f3d1cd3952fe85" -> "roles/secretmanager.viewer"
                    },
                ]
            }
        )
        # (3 unchanged attributes hidden)
    }

Steps to Reproduce

  1. terraform plan

References

b/306360761

SarahFrench commented 1 year ago

👋 This is a bit of drive-by input, but I noticed this issue and it's relevant to something I looked at recently.

I think the cause of this might be that the google_secret_manager_secret_iam_policy resource doesn't support conditions. For example, google_compute_instance_iam_* resources support conditions and the docs include information about conditions there, but the google_secret_manager_secret_iam_* documentation doesn't mention conditions.

This section of YAML is used to generate the IAM resources for the Secret Manager Secret resource, but it doesn't include the iam_conditions_request_type property, which is needed to enable use of conditions.

melinath commented 1 year ago

This is likely an issue with the API not supporting conditions (or rejecting requests that include conditions) rather than an issue with the Terraform resource.

abheda-crest commented 1 month ago

In the google_secret_manager_secret_iam_* resources, the condition fields were not supported because the iam_conditions_request_type field was missing in the Secret Manager Secret resource. This issue has now been resolved and support for this field has been added as a part of this PR. The condition field was introduced as part of release 5.33.0. The details regarding the condition field are available in the documentation.

melinath commented 1 month ago

Duplicate of https://github.com/hashicorp/terraform-provider-google/issues/11127

melinath commented 1 month ago

@abheda-crest thanks for identifying that this has been resolved!

github-actions[bot] commented 6 days ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.