hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Issue adding role cloudsql.admin & cloudscheduler.admin to a service account ( produced an unexpected new value: Root object was present, │ but now absent.) #20388

Open f-triquet opened 3 days ago

f-triquet commented 3 days ago

Terraform Version & Provider Version(s)

Terraform v1.9.5 on ubuntu 22.04

Affected Resource(s)

google_project_iam_member

Terraform Configuration

variable "cicd_sac_roles_env_prj" {
  description = "Set of roles assigned to CICD SAC used for terraform actions for SP env project"
  type        = set(string)
  default     = [
    "roles/cloudsql.admin",
    "roles/compute.instanceAdmin.v1",
    "roles/compute.loadBalancerAdmin",
    "roles/iam.roleViewer",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountUser",
    "roles/redis.admin",
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.viewer",
    "roles/storage.admin",
    "roles/compute.viewer",
    "roles/compute.networkUser",
    "roles/cloudscheduler.admin"
  ]
}

### CICD SAC and roles

# CICD SAC for this project
resource "google_service_account" "cicd" {
  account_id   = "cli-app-${var.env}-sac-cicd"
  display_name = "cli-app-${var.env}-sac-cicd"
  description  = "SAC used by CICD for Terraform jobs"
  project      = var.project_id
}
# roles on SP env projects
resource "google_project_iam_member" "cicd_env_prj" {
  project  = var.project_id
  for_each = var.cicd_sac_roles_env_prj
  role     = each.value
  member   = "serviceAccount:${google_service_account.cicd.email}"
}

Debug Output

No response

Expected Behavior

Terraform outputs this when adding the cloudsql.admin and cloudscheduler.admin roles:

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to google_project_iam_member.cicd_env_prj["roles/cloudsql.admin"], provider
│ "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root object was present,
│ but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Actual Behavior

No response

Steps to reproduce

Just add new roles to the variable list and then apply; this causes the failure. Removing other, older roles, applying, re-adding them and re-applying does not fail.

Important Factoids

No response

References

No response
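A post-apply check, added here as an example and not part of the issue or of the provider's code: it diffs the roles a project's IAM policy actually binds to the CI/CD service account against the roles the variable expects, so an "inconsistent result" error can be told apart from a binding that was in fact never granted. The policy JSON is assumed to come from `gcloud projects get-iam-policy PROJECT --format=json`; the sample below is constructed, and the member e-mail is a hypothetical placeholder.

```python
import json

# Constructed sample of a project IAM policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` (assumption: the real
# check reads that command's output). Only two of the three roles checked
# below are bound to the CI/CD service account here.
CICD_MEMBER = "serviceAccount:cli-app-dev-sac-cicd@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudsql.admin", "members": [CICD_MEMBER]},
        {"role": "roles/storage.admin", "members": [CICD_MEMBER, "user:someone@example.com"]},
        {"role": "roles/owner", "members": ["user:someone@example.com"]},
    ],
    "etag": "CONSTRUCTED-ETAG",
    "version": 1,
})

# Subset of the page's cicd_sac_roles_env_prj set used for this example.
EXPECTED_ROLES = {"roles/cloudsql.admin", "roles/cloudscheduler.admin", "roles/storage.admin"}


def roles_for_member(policy_json: str, member: str) -> set[str]:
    """Return the roles the policy binds to `member`.

    Bindings carrying a `condition` are skipped: the google_project_iam_member
    resources in the issue are unconditional, so a conditional grant of the
    same role is not what Terraform expects to find.
    """
    policy = json.loads(policy_json)
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if "condition" not in b and member in b.get("members", [])
    }


def verify_bindings(policy_json: str, member: str, expected: set[str]) -> dict:
    """Compare the roles Terraform should have granted with the live policy.

    `missing` are roles in the variable that the policy does not grant (the
    "now absent" case is real); `unexpected` are extra roles the member holds
    outside the managed set, which is worth a least-privilege review.
    """
    actual = roles_for_member(policy_json, member)
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}
```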

ggtisc commented 1 day ago

Hi @f-triquet!

I tried to replicate this issue by assigning only the cloudsql.admin role and then cloudscheduler.admin separately, then I executed the code you shared and no error was returned. Could you check your environment, permissions and variables, do normal troubleshooting (restart your environment, check authentication, etc.) and try again?