search

hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0
2.26k stars 1.7k forks source link

google_bigquery_dataset clobbers google_bigquery_dataset_access when run without refresh #17900

Open iwahbe opened 3 months ago

iwahbe commented 3 months ago

Community Note

Terraform Version

Terraform v1.8.1 on darwin_arm64

Affected Resource(s)

google_bigquery_dataset google_bigquery_dataset_access

Terraform Configuration

Step 1 terraform apply:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google-beta"
      version = ">= 5"
    }
  }

  required_version = ">= 1.2.0"
}

provider "google" {
  region  = "us-west1"
  project = "<project-id>"
}

resource "google_bigquery_dataset" "dataset_test" {
  dataset_id  = "test_dataset_access"
  description = "Test Dataset"
  location    = "eu"
}

resource "google_bigquery_dataset_access" "datasetaccess_test" {
  dataset_id = google_bigquery_dataset.dataset_test.dataset_id

  role          = "roles/bigquery.dataEditor"
  user_by_email = "user@domain.com"
}

Step 2 terraform apply --refresh=false:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google-beta"
      version = ">= 5"
    }
  }

  required_version = ">= 1.2.0"
}

provider "google" {
  region  = "us-west1"
  project = "<project-id>"
}

resource "google_bigquery_dataset" "dataset_test" {
  dataset_id  = "test_dataset_access"
  description = "Test Dataset (this line changed)"
  location    = "eu"
}

resource "google_bigquery_dataset_access" "datasetaccess_test" {
  dataset_id = google_bigquery_dataset.dataset_test.dataset_id

  role          = "roles/bigquery.dataEditor"
  user_by_email = "user@domain.com"
}

Debug Output

https://gist.github.com/iwahbe/4ec36b6133e3f4fce8267395ff684244

Expected Behavior

Terraform should change the description on my BigQuery Dataset and do nothing else.

Actual Behavior

Terraform changes the description and deletes user@domain.com from the dataset's editor list.

Steps to reproduce

  1. terraform apply on the initial config.
  2. terraform apply --refresh=false on the secondary config.

Important Factoids

No response

References

No response

b/336356226

ggtisc commented 3 months ago

Hi @iwahbe!

The scenario was replicated with the provided specifications many times successfully and without errors, also the shared debug output was checked but nothing indicates that the user@domain.com was deleted from the dataset's editor list

iwahbe commented 3 months ago

Hi @iwahbe!

The scenario was replicated with the provided specifications many times successfully and without errors, also the shared debug output was checked but nothing indicates that the user@domain.com was deleted from the dataset's editor list

Hi @ggtisc. Thanks for taking a look. Can you clarify what you mean "without errors". The provider doesn't error and I don't think the provider ever tries to delete user@domain.com from the dataset's editor list (so I don't think it would show up in debug input).

user@domain.com does get removed from the editor list (it certainly did when I build the repro). How are you checking if the delete happened. I used this from google's cloud console:

bq show <project_id>:test_dataset_access
ggtisc commented 3 months ago

Scenario confirmed with the following steps:

  1. Create resources with terraform apply
  2. Check the users with bq show <project_id>:dataset_test (the user@domain.com will be there)
  3. Change only the dataset_test.description and run a terraform apply --refresh=false
  4. Check the users with bq show <project_id>:dataset_test (the user@domain.com will be deleted)

But if in the step 4 you run a terrafom apply the user@domain.com won't be deleted