hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Error when using CLOUD_IAM_GROUP as google_sql_user type #17040

Open haraldhaas opened 5 months ago

haraldhaas commented 5 months ago

The google_sql_user resource in the provider documentation shows an example of using the type CLOUD_IAM_GROUP for google_sql_user. However, creating this resource always fails with one of the errors shown below.

Terraform Version

Terraform v1.5.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.12.0
+ provider registry.terraform.io/hashicorp/random v3.6.0

Affected Resource(s)

Terraform Configuration Files

resource "google_sql_database_instance" "main" {
  name             = "main-instance"
  project          = "<project-id>"
  region           = "europe-west1"
  database_version = "MYSQL_8_0"

  settings {
    tier = "db-f1-micro"

    database_flags {
      name  = "cloudsql_iam_authentication"
      value = "on"
    }
  }
}

resource "google_sql_user" "iam_group_user" {
  name     = "<group@domain.com>"
  project  = "<project-id>"
  instance = google_sql_database_instance.main.name
  type     = "CLOUD_IAM_GROUP"
}

Debug Output

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to google_sql_user.iam_group_user, provider
│ "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present,
│ but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
google_sql_user.iam_group_user: Creating...
╷
│ Error: Error, failure waiting for insertion of group@domain.com into main-instance-3c1f9de9:
│
│
│   with google_sql_user.iam_group_user,
│   on main.tf line 21, in resource "google_sql_user" "iam_group_user":
│   21: resource "google_sql_user" "iam_group_user" {

Expected Behavior

Group should have been added to the database, as per documentation.

Actual Behavior

Terraform apply failed.

Steps to Reproduce

  1. terraform apply

b/321524487

edwardmedia commented 5 months ago

@haraldhaas can you share the debug log

haraldhaas commented 5 months ago

Of course, @edwardmedia, please find the debug log in this gist.

I have just realized that the equivalent gcloud command is also broken, hence I assume this is a general issue with the recently introduced feature, which is still in preview. Also see the following gist.

There is also no error in Log Explorer at that particular time, but there is a warning visible that I could not connect to any operation or event from a timing perspective, see this gist.

Users, Domains and Project IDs have been redacted.

edwardmedia commented 5 months ago

@haraldhaas I do see the error returned from the api below.

"error": {
 "kind": "sql#operationErrors",
 "errors": [
  {
   "kind": "sql#operationError",
   "code": "INTERNAL_ERROR"
  }
 ]
},

Your config here is almost identical to the example provided here which is applied in the daily tests. No issue is found.

I am not sure what happened in your case, as the API reveals little. I would suggest applying a fresh example again to see if you can repro. As you discovered by running gcloud, the issue is very likely beyond the hands of the Terraform provider.

I am forwarding this to the sql team to see if they can explain.

RonaldGalea commented 5 months ago

Just wanted to mention that I got the same error, but it happened to me in a more convoluted way. The resource somehow initially became tainted, and I couldn't untaint it afterwards. Then I ended up deleting the group from the SQL instance directly, after which I got the exact "unexpected new value: Root object was present, but now absent." error.

Then I took a break for a couple of hours (nobody touched anything), and then it just worked again...

RonaldGalea commented 5 months ago

Update: I now know exactly how to reproduce my case. The Google CloudSQL docs say:

"After you've added the IAM user to the database, you need to grant database privileges manually. Use the MySQL GRANT command to grant other database privileges."

(or specifically for groups)

I haven't seen any way of granting the MySQL DB access (not CloudSQL access) via Terraform, which means I must do it manually. But as soon as I do it manually, Terraform no longer recognises the user group.

Am I missing something perhaps?

itspngu commented 4 months ago

This definitely is a Terraform provider issue, as the groups' database users are created and shown in gcloud sql users list despite an error being thrown. Subsequent attempts to import these database users into tfstate as google_sql_user fail with Error: Cannot import non-existent remote object - I tried terraform import google_sql_user.example project-id/instance/example.com/my-group as well as terraform import google_sql_user.example project-id/instance/%/my-group (the latter is how it shows up in gcloud sql users list despite the host being example.com when looking up users via native MySQL tooling).

Is this a possible hint at the underlying problem? Creation works, but subsequent lookup fails, because there's a mismatch in expected hostname?

Edit: Forgot to mention, adding the groups using the gcloud CLI works for me: gcloud sql users create my-group@example.com --instance=instance --project=project-id --type=cloud_iam_group
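As an added example (not part of the thread or the provider's code), the following Go program parses a constructed `gcloud sql users list --format=json` listing, builds the project/instance/host/name import id tried above, and models the hostname-mismatch hypothesis as a strict name+host lookup; the user names, hosts, instance and project values are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SQLUser: fields of a Cloud SQL user as printed by `gcloud sql users list --format=json`.
type SQLUser struct {
	Name     string `json:"name"`
	Host     string `json:"host"`
	Type     string `json:"type"`
	Instance string `json:"instance"`
	Project  string `json:"project"`
}

// Constructed sample listing (placeholder values); the group shows host "%" as in the thread.
const sampleList = `[
  {"name":"my-group","host":"%","type":"CLOUD_IAM_GROUP","instance":"instance","project":"project-id"},
  {"name":"root","host":"localhost","type":"BUILT_IN","instance":"instance","project":"project-id"}
]`

// ParseUsers decodes the JSON listing.
func ParseUsers(raw string) ([]SQLUser, error) {
	var users []SQLUser
	err := json.Unmarshal([]byte(raw), &users)
	return users, err
}

// ImportID builds the project/instance/host/name id the thread passes to terraform import.
func ImportID(u SQLUser) string {
	return fmt.Sprintf("%s/%s/%s/%s", u.Project, u.Instance, u.Host, u.Name)
}

// FindUser models a strict name+host lookup (a hypothesis from the thread, not provider code).
func FindUser(users []SQLUser, name, host string) (SQLUser, bool) {
	for _, u := range users {
		if u.Name == name && u.Host == host {
			return u, true
		}
	}
	return SQLUser{}, false
}

func main() {
	users, _ := ParseUsers(sampleList)
	for _, u := range users {
		_, ok := FindUser(users, u.Name, "example.com")
		fmt.Printf("%s %s import=%s found_under_example.com=%v\n", u.Type, u.Name, ImportID(u), ok)
	}
}
```

A group listed under host "%" is found only when looked up with that exact host, which is the kind of mismatch that would make a read-after-create or import report the user as absent.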

mario-pany commented 3 months ago

When I try to add a CLOUD_IAM_GROUP I get the following error from Terraform

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to
│ module.shared_cloud_sql_instance.google_sql_user.this_databases_users["gcp-test-group@testdev.at"],
│ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root
│ object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

I got the same error with the google provider in versions 5.13.0, 5.17.0, 5.19.0 and the current one, 5.21.0.

k4leung4 commented 3 months ago

here to report the same thing

works in gcloud, failed in terraform.

│ Error: Error, failure waiting for insertion of group@testdomain.com into [instance name]:
│
│
│   with google_sql_user.cloudsql-group-iam,
│   on test.tf line 1, in resource "google_sql_user" "cloudsql-group-iam":
│    1: resource "google_sql_user" "cloudsql-group-iam" {

ChhajedRonak commented 2 months ago

Getting the same error while trying to add an SQL user of type CLOUD_IAM_GROUP using the google_sql_user resource.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to google_sql_user.iam_group_user, provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Even after getting this error the user is created successfully in the database and can be seen on the console as well.

mike-marcacci commented 5 days ago

I'm seeing this identical behavior using the latest version of terraform and providers:

Terraform v1.9.0
on linux_arm64
+ provider registry.terraform.io/hashicorp/google v5.36.0

The user is successfully created in Google.

Attempting to import the created user fails with:

"module.accounts_service_dev.module.database.google_sql_user.group[\"group:redacted@example.com\"]", the provider detected that no object exists with the given id. Only
│ pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.