Open haraldhaas opened 5 months ago
@haraldhaas can you share the debug log?
Of course, @edwardmedia, please find the debug log in this gist.
I have just realized that also the equivalent gcloud command is broken, hence I assume this is a general issue with the recently introduced feature, that is under preview still. Also see the following gist.
There is also no error in Log Explorer at that particular time, but there is a warning visible that I could not connect to any operation or event from a timing perspective, see this gist.
Users, Domains and Project IDs have been redacted.
@haraldhaas I do see the error returned from the api below.
"error": {
  "kind": "sql#operationErrors",
  "errors": [
    {
      "kind": "sql#operationError",
      "code": "INTERNAL_ERROR"
    }
  ]
},
Your config here is almost identical to the example provided here which is applied in the daily tests. No issue is found.
I am not sure what happened in your case as the API reveals little. I would suggest applying a fresh example again to see if you can repro. As you discovered by running gcloud, the issue is very likely beyond the hands of the Terraform provider.
I am forwarding this to the sql team to see if they can explain.
Just wanted to mention that I got the same error, but happened to me in a more convoluted way. The resource somehow initially became tainted, I couldn't untaint it after. Then I ended up deleting the group from the SQL instance directly - after which is when I got the exact "unexpected new value: Root object was present, but now absent." error.
Then I took a break for a couple of hours - nobody touched nothing - and then it just worked again...
Update: I now know exactly how to reproduce my case. The Google CloudSQL docs say:
"After you've added the IAM user to the database, you need to grant database privileges manually. Use the MySQL GRANT command to grant other database privileges."
(or specifically for groups)
I haven't seen any way of granting the MySQL DB access (not CloudSQL access) via Terraform, which means I must do it manually. But as soon as I do it manually, Terraform no longer recognises the user group.
Am I missing something perhaps?
This definitely is a Terraform provider issue, as the groups' database users are created and shown in gcloud sql users list despite an error being thrown. Subsequent attempts to import these database users into tfstate as google_sql_user fail with Error: Cannot import non-existent remote object - I tried terraform import google_sql_user.example project-id/instance/example.com/my-group as well as terraform import google_sql_user.example project-id/instance/%/my-group (the latter is how it shows up in gcloud sql users list despite the host being example.com when looking up users via native MySQL tooling).
Is this a possible hint at the underlying problem? Creation works, but subsequent lookup fails, because there's a mismatch in expected hostname?
Edit: Forgot to mention, adding the groups using the gcloud CLI works for me: gcloud sql users create my-group@example.com --instance=instance --project=project-id --type=cloud_iam_group
When I try to add a CLOUD_IAM_GROUP I get the following error from Terraform
Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ module.shared_cloud_sql_instance.google_sql_user.this_databases_users["gcp-test-group@testdev.at"],
│ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root
│ object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
I got the same error with the google provider in version 5.13.0, 5.17.0, 5.19.0 and the current one 5.21.0
here to report the same thing
works in gcloud, failed in terraform.
Error: Error, failure waiting for insertion of group@testdomain.com into [instance name]:
│
│
│ with google_sql_user.cloudsql-group-iam,
│ on test.tf line 1, in resource "google_sql_user" "cloudsql-group-iam":
│ 1: resource "google_sql_user" "cloudsql-group-iam" {
Getting same error while trying to add SQL user of type CLOUD_IAM_GROUP using google_sql_user resource
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to google_sql_user.iam_group_user, provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
Even after getting this error the user is created successfully in the database and can be seen on the console as well.
I'm seeing this identical behavior using the latest version of terraform and providers:
Terraform v1.9.0
on linux_arm64
+ provider registry.terraform.io/hashicorp/google v5.36.0
The user is successfully created in Google.
Attempting to import the created user fails with:
"module.accounts_service_dev.module.database.google_sql_user.group[\"group:redacted@example.com\"]", the provider detected that no object exists with the given id. Only
│ pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
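A drift check for the situation reported in these comments, where the CLOUD_IAM_GROUP user exists on the instance after the failed apply but cannot be imported, so the database login is not tracked in state. This is an added example, not part of the thread or the provider's code; the sample JSON is constructed, and matching names on the part before @ is an assumption based on the my-group and my-group@example.com forms quoted above.

```python
import json

# Constructed sample in the shape of `gcloud sql users list --format=json`.
GCLOUD_USERS = json.loads("""[
  {"name": "my-group", "host": "%", "instance": "instance", "type": "CLOUD_IAM_GROUP"},
  {"name": "dba-group", "host": "%", "instance": "instance", "type": "CLOUD_IAM_GROUP"},
  {"name": "app", "host": "%", "instance": "instance", "type": "BUILT_IN"}
]""")

# Constructed sample in the shape of `terraform show -json`.
TF_STATE = json.loads("""{"values": {"root_module": {
  "resources": [{"type": "google_sql_user", "address": "google_sql_user.app",
                 "values": {"name": "app", "instance": "instance"}}],
  "child_modules": [{"resources": [
    {"type": "google_sql_user", "address": "module.db.google_sql_user.group",
     "values": {"name": "dba-group@example.com", "instance": "instance",
                "type": "CLOUD_IAM_GROUP"}}]}]}}}""")


def local_part(name):
    """Assumption: compare names on the part before '@', case-insensitively."""
    return (name or "").split("@", 1)[0].lower()


def tracked_users(module):
    """Yield (instance, name) for each google_sql_user, walking child modules."""
    for res in module.get("resources", []):
        if res.get("type") == "google_sql_user":
            vals = res.get("values", {})
            yield (vals.get("instance"), local_part(vals.get("name")))
    for child in module.get("child_modules", []):
        yield from tracked_users(child)


def untracked_iam_groups(users, state):
    """Return IAM group users present on the instance but absent from state."""
    root = state.get("values", {}).get("root_module", {})
    tracked = set(tracked_users(root))
    return [u for u in users
            if u.get("type") == "CLOUD_IAM_GROUP"
            and (u.get("instance"), local_part(u.get("name"))) not in tracked]


if __name__ == "__main__":
    for user in untracked_iam_groups(GCLOUD_USERS, TF_STATE):
        print(f"not in state: {user['name']} (host {user['host']}) on {user['instance']}")
```
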
The google_sql_user resource in the provider document explains the example of using the type CLOUD_IAM_GROUP for google_sql_user. However, creating this resource always fails with either of the errors that can be seen below.
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
Group should have been added to the database, as per documentation.
Actual Behavior
Terraform apply failed.
Steps to Reproduce
terraform apply
b/321524487