hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

role_id with more than 30 characters doesn't match regexp #3658

Closed pdecat closed 5 years ago

pdecat commented 5 years ago

Terraform Version

# terraform version
Terraform v0.11.14
+ provider.google v2.6.0
+ provider.google-beta v2.6.0

Affected Resource(s)


Terraform Configuration Files

resource "google_project_iam_custom_role" "storage_object_creator" {
  role_id     = "myproject.cloudStorageObjectCreator"
  title       = "My Project Cloud Storage Object Creator"
  description = "Role to enable object creation access to a Google Cloud Storage Bucket"

  permissions = [
    "storage.objects.create",
  ]
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior


Configuration should apply fine like in previous versions up to 2.5.1.

Actual Behavior


Configuration is rejected:

Error: google_project_iam_custom_role.storage_object_creator: "role_id" ("myproject.cloudStorageObjectCreator") doesn't match regexp "^[a-zA-Z0-9_\\.\\-]{1,30}$"

Steps to Reproduce

  1. terraform plan

Important Factoids

N/A

References

N/A

pdecat commented 5 years ago

This is caused by https://github.com/terraform-providers/terraform-provider-google/commit/bc232a21aadcec78ab3882730757c599d0943164 which was first released in 2.6.0.

Can confirm the issue does not occur with version 2.5.1 of the google and google-beta providers.

pdecat commented 5 years ago

This role id is accepted by gcloud:

# gcloud --project myproject iam roles create myproject.cloudStorageObjectCreator --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
Created role [myproject.cloudStorageObjectCreator].
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJToUtwUE=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/myproject.cloudStorageObjectCreator
stage: ALPHA
title: My Project Cloud Storage Object Creator
# gcloud --project myproject iam roles describe myproject.cloudStorageObjectCreator
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJToUtwUE=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/myproject.cloudStorageObjectCreator
stage: ALPHA
title: My Project Cloud Storage Object Creator

rremer commented 5 years ago

"myproject.cloudStorageObjectCreator" is 36 characters, while the documentation the validation function was written from specifies a max of 30 characters. I'll find out what the actual boundary is and update the documentation and validation function.

For reference: https://cloud.google.com/iam/docs/understanding-custom-roles#naming_the_role

pdecat commented 5 years ago

Here's the actual limit:

# gcloud --project myproject iam roles create 01234567890123456789012345678901234567890123456789012345678901234 --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
ERROR: (gcloud.iam.roles.create) INVALID_ARGUMENT: The role_id "01234567890123456789012345678901234567890123456789012345678901234" is invalid. It doesn't match pattern "[a-zA-Z0-9_\.]{3,64}". The role_id must be 3 to 64 characters long and can be a mix of uppercase and lowercase English letters, digits, underscores and periods.

This passes:

# gcloud --project myproject iam roles create 0123456789012345678901234567890123456789012345678901234567890123 --description "Role to enable object creation access to a Google Cloud Storage Bucket" --title "My Project Cloud Storage Object Creator" --permissions storage.objects.create
Created role [0123456789012345678901234567890123456789012345678901234567890123].
description: Role to enable object creation access to a Google Cloud Storage Bucket
etag: BwWJU8CI5r0=
includedPermissions:
- storage.objects.create
name: projects/myproject/roles/0123456789012345678901234567890123456789012345678901234567890123
stage: ALPHA
title: My Project Cloud Storage Object Creator
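
To make the mismatch in this thread concrete, here is an added Go example (not code from the provider) that puts the client-side pattern quoted in the 2.6.0 error message next to the pattern the IAM API itself reports in its INVALID_ARGUMENT error, and runs both over constructed sample IDs, including the 36-character role_id from this issue and the 64/65-character boundary probed above. The function names and the sample IDs other than those appearing in the thread are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Client-side check as quoted in the provider 2.6.0 error above:
// 1-30 characters of letters, digits, underscore, period and hyphen.
var oldRoleIDPattern = regexp.MustCompile(`^[a-zA-Z0-9_\.\-]{1,30}$`)

// Pattern the IAM API reports in its own error message above:
// 3-64 characters of letters, digits, underscore and period (no hyphen).
// Anchored here so a partial match cannot slip through.
var apiRoleIDPattern = regexp.MustCompile(`^[a-zA-Z0-9_\.]{3,64}$`)

// ValidateRoleIDOld mirrors the 2.6.0 provider behaviour (hypothetical name).
func ValidateRoleIDOld(roleID string) error {
	if !oldRoleIDPattern.MatchString(roleID) {
		return fmt.Errorf("%q doesn't match regexp %q", roleID, oldRoleIDPattern.String())
	}
	return nil
}

// ValidateRoleIDAPI mirrors the rule the server states (hypothetical name).
func ValidateRoleIDAPI(roleID string) error {
	if !apiRoleIDPattern.MatchString(roleID) {
		return fmt.Errorf("%q must be 3 to 64 characters of [a-zA-Z0-9_.]", roleID)
	}
	return nil
}

// Disagreement reports whether the two validators reach different verdicts:
// either the client rejects an ID the API would accept (the bug in this issue),
// or the client lets through an ID that will only fail at apply time.
func Disagreement(roleID string) bool {
	return (ValidateRoleIDOld(roleID) == nil) != (ValidateRoleIDAPI(roleID) == nil)
}

func main() {
	// Constructed sample IDs; the first three correspond to values used in this thread.
	cases := []string{
		"myproject.cloudStorageObjectCreator",     // 36 chars: rejected by 2.6.0, accepted by the API
		strings.Repeat("0123456789", 6) + "0123",  // 64 chars: the API maximum, accepted
		strings.Repeat("0123456789", 6) + "01234", // 65 chars: rejected by the API
		"ab",                                      // below the API minimum of 3 characters
		"my-role",                                 // hyphen: allowed by 2.6.0, not by the API pattern
	}
	for _, id := range cases {
		fmt.Printf("%-68s old=%-5v api=%-5v disagree=%v\n", id,
			ValidateRoleIDOld(id) == nil, ValidateRoleIDAPI(id) == nil, Disagreement(id))
	}
}
```

The point of running both validators side by side is that a client-side pre-check is only useful while it matches the server's rule; once they drift, the client either blocks valid configurations (as here) or gives false confidence about IDs that the API will still reject, so the authoritative pattern is the one the API returns in its error, not the one in the docs.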

danawillow commented 5 years ago

Thanks for reporting, @pdecat! Next time, would you mind keeping the lines in the issue template that say to keep them for our automation? That helps HashiBot automatically assign the correct label to the issue, which makes it easier for us to triage. It's also nice to keep the community note too that way people understand how we hope they react to the issue.

pdecat commented 5 years ago

Hi @danawillow, I was actually surprised not to find the usual issue template when I opened this issue this morning. When I clicked on the "New issue" button, I first had a GitHub error message and when I refreshed, I had the default issue template instead: [image]

pdecat commented 5 years ago

Actually, I had an error when accessing https://github.com/terraform-providers/terraform-provider-google/issues/new/choose, refreshing did not help, then I removed the /choose part from the URL and it worked.

Maybe the default template should also be updated.

danawillow commented 5 years ago

Ah I see, thanks! Will do!

pdecat commented 5 years ago

Thanks @rremer & @danawillow!

pdecat commented 5 years ago

Fix confirmed with provider version 2.7.0, thanks again!

ghost commented 5 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!