hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

`google_organization_iam_policy` ignores `audit_config` #4080

Closed drebes closed 5 years ago

drebes commented 5 years ago

Terraform Version

$ terraform -v
Terraform v0.12.3

Affected Resource(s)

Terraform Configuration Files

data "google_iam_policy" "org" {
  binding {
    role = "roles/accesscontextmanager.policyAdmin"

    members = [
      "group:${gsuite_group.admins.email}",
      "serviceAccount:${module.project-admin.sa}",
    ]
  }
  [... other bindings ...]
  audit_config {
    service = "storage.googleapis.com"
    audit_log_configs {
      log_type = "DATA_READ"
      #exempted_members = ["user:you@domain.com"]
    }

    audit_log_configs {
      log_type = "DATA_WRITE"
    }

    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }
}

resource "google_organization_iam_policy" "org" {
  org_id      = data.google_organization.org.id
  policy_data = data.google_iam_policy.org.policy_data
}

Debug Output

2019-07-23T15:09:57.247Z [DEBUG]: ---[ REQUEST ]---------------------------------------
2019-07-23T15:09:57.247Z [DEBUG]: POST /v1/organizations/928204348109:setIamPolicy?alt=json&prettyPrint=false HTTP/1.1
2019-07-23T15:09:57.247Z [DEBUG]: Host: cloudresourcemanager.googleapis.com
2019-07-23T15:09:57.247Z [DEBUG]: User-Agent: google-api-go-client/0.5 Terraform/0.12.2 (+https://www.terraform.io) terraform-provider-google/2.10.0
2019-07-23T15:09:57.247Z [DEBUG]: Content-Length: 3651
2019-07-23T15:09:57.247Z [DEBUG]: Content-Type: application/json
2019-07-23T15:09:57.247Z [DEBUG]: Accept-Encoding: gzip
2019-07-23T15:09:57.247Z [DEBUG]: 
2019-07-23T15:09:57.247Z [DEBUG]: {
2019-07-23T15:09:57.247Z [DEBUG]:  "policy": {
2019-07-23T15:09:57.247Z [DEBUG]:   "auditConfigs": [
2019-07-23T15:09:57.247Z [DEBUG]:    {
2019-07-23T15:09:57.247Z [DEBUG]:     "auditLogConfigs": [
2019-07-23T15:09:57.247Z [DEBUG]:      {
2019-07-23T15:09:57.247Z [DEBUG]:       "logType": "DATA_WRITE"
2019-07-23T15:09:57.247Z [DEBUG]:      },
2019-07-23T15:09:57.247Z [DEBUG]:      {
2019-07-23T15:09:57.247Z [DEBUG]:       "logType": "DATA_READ"
2019-07-23T15:09:57.247Z [DEBUG]:      },
2019-07-23T15:09:57.247Z [DEBUG]:      {
2019-07-23T15:09:57.247Z [DEBUG]:       "logType": "ADMIN_READ"
2019-07-23T15:09:57.247Z [DEBUG]:      }
2019-07-23T15:09:57.247Z [DEBUG]:     ],
2019-07-23T15:09:57.247Z [DEBUG]:     "service": "storage.googleapis.com"
2019-07-23T15:09:57.247Z [DEBUG]:    }
2019-07-23T15:09:57.247Z [DEBUG]:   ],
2019-07-23T15:09:57.247Z [DEBUG]:   "bindings": [
2019-07-23T15:09:57.247Z [DEBUG]:    {
2019-07-23T15:09:57.247Z [DEBUG]:     "members": [
2019-07-23T15:09:57.247Z [DEBUG]:      "group:gcp-admins@play.drebes.co",
2019-07-23T15:09:57.247Z [DEBUG]:      "serviceAccount:terraform@drebes-play-admin-17ec.iam.gserviceaccount.com"
2019-07-23T15:09:57.247Z [DEBUG]:     ],
2019-07-23T15:09:57.247Z [DEBUG]:     "role": "roles/accesscontextmanager.policyAdmin"
2019-07-23T15:09:57.247Z [DEBUG]:    },
[ ... other bindings ...]
2019-07-23T15:09:57.247Z [DEBUG]:   ]
2019-07-23T15:09:57.247Z [DEBUG]:  }
2019-07-23T15:09:57.247Z [DEBUG]: }
2019-07-23T15:09:57.247Z [DEBUG]: 
2019-07-23T15:09:57.247Z [DEBUG]: -----------------------------------------------------
2019-07-23T15:09:58.309Z [DEBUG]: ---[ RESPONSE ]--------------------------------------
2019-07-23T15:09:58.309Z [DEBUG]: HTTP/2.0 200 OK
2019-07-23T15:09:58.309Z [DEBUG]: Cache-Control: private
2019-07-23T15:09:58.309Z [DEBUG]: Content-Type: application/json; charset=UTF-8
2019-07-23T15:09:58.309Z [DEBUG]: Date: Tue, 23 Jul 2019 15:09:58 GMT
2019-07-23T15:09:58.309Z [DEBUG]: Server: ESF
2019-07-23T15:09:58.309Z [DEBUG]: Server-Timing: gfet4t7; dur=957
2019-07-23T15:09:58.309Z [DEBUG]: Vary: Origin
2019-07-23T15:09:58.309Z [DEBUG]: Vary: X-Origin
2019-07-23T15:09:58.309Z [DEBUG]: Vary: Referer
2019-07-23T15:09:58.309Z [DEBUG]: X-Content-Type-Options: nosniff
2019-07-23T15:09:58.310Z [DEBUG]: X-Frame-Options: SAMEORIGIN
2019-07-23T15:09:58.310Z [DEBUG]: X-Xss-Protection: 0
2019-07-23T15:09:58.310Z [DEBUG]: 
2019-07-23T15:09:58.310Z [DEBUG]: {
2019-07-23T15:09:58.310Z [DEBUG]:  "version": 1,
2019-07-23T15:09:58.310Z [DEBUG]:  "etag": "BwWOWpX+W/4=",
2019-07-23T15:09:58.310Z [DEBUG]:  "bindings": [
2019-07-23T15:09:58.310Z [DEBUG]:   {
2019-07-23T15:09:58.310Z [DEBUG]:    "role": "roles/accesscontextmanager.policyAdmin",
2019-07-23T15:09:58.310Z [DEBUG]:    "members": [
2019-07-23T15:09:58.310Z [DEBUG]:     "group:gcp-admins@play.drebes.co",
2019-07-23T15:09:58.310Z [DEBUG]:     "serviceAccount:terraform@drebes-play-admin-17ec.iam.gserviceaccount.com"
2019-07-23T15:09:58.310Z [DEBUG]:    ]
2019-07-23T15:09:58.310Z [DEBUG]:   },
[ ... other bindings ...]
2019-07-23T15:09:58.310Z [DEBUG]:  ]
2019-07-23T15:09:58.310Z [DEBUG]: }

Panic Output

No panic.

Expected Behavior

Audit log configuration is set for the org.

Actual Behavior

Audit log configuration is not changed.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

The issue seems to be related to resourcemanager.organizations.setIamPolicy supporting an updateMask which the provider is not passing (the default mask if omitted is "bindings, etag" according to the API docs, which explains why IAM bindings work):

https://github.com/terraform-providers/terraform-provider-google/blob/master/google/iam_organization.go#L44
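The behaviour the report describes, as an added example that is not part of the issue or the provider's code: a small stdlib-only Python model of the server side of setIamPolicy, where fields absent from the updateMask are left untouched, next to a request builder that names auditConfigs in the mask and a drift check a defender can run over a real getIamPolicy response. The policy contents are constructed (hypothetical members, etags and a field-mask model are assumptions); the service and log types mirror the configuration above.

```python
"""Why setIamPolicy without an updateMask silently drops auditConfigs.

Added example, not provider code. apply_set_iam_policy is a simplified model
of the documented API behaviour (default mask "bindings,etag"), not the real
Resource Manager service; all policies and etags below are constructed.
"""
import copy
import hashlib
import json

# Documented default when the request carries no updateMask (assumption: the
# server copies only the named top-level fields from the request policy).
DEFAULT_UPDATE_MASK = "bindings,etag"

# Constructed: what the organization policy looks like before the apply.
CURRENT_POLICY = {
    "version": 1,
    "etag": "etag-constructed-0",
    "bindings": [],
}

# Constructed: the desired policy, equivalent to the HCL in the report
# (hypothetical members; service and log types as in the report).
DESIRED_POLICY = {
    "bindings": [
        {
            "role": "roles/accesscontextmanager.policyAdmin",
            "members": [
                "group:admins@example.com",
                "serviceAccount:terraform@example-project.iam.gserviceaccount.com",
            ],
        }
    ],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE"},
                {"logType": "ADMIN_READ"},
            ],
        }
    ],
}


def build_set_iam_policy_request(policy, include_audit_configs=True):
    """Build a setIamPolicy request body; name auditConfigs in the mask so the
    server applies them rather than keeping whatever is currently stored."""
    mask = ["bindings", "etag"]
    if include_audit_configs:
        mask.append("auditConfigs")
    return {"policy": policy, "updateMask": ",".join(mask)}


def apply_set_iam_policy(current, request):
    """Model the server: only fields named in updateMask are taken from the
    request policy; everything else keeps its stored value."""
    mask = request.get("updateMask") or DEFAULT_UPDATE_MASK
    fields = {f.strip() for f in mask.split(",") if f.strip()}
    incoming = request["policy"]
    new = copy.deepcopy(current)
    if "etag" in fields and incoming.get("etag") not in (None, "", current.get("etag")):
        raise ValueError("etag mismatch: policy changed since it was read")
    if "bindings" in fields:
        new["bindings"] = copy.deepcopy(incoming.get("bindings", []))
    if "auditConfigs" in fields:
        new["auditConfigs"] = copy.deepcopy(incoming.get("auditConfigs", []))
    # Fresh etag derived from the stored content (constructed scheme).
    digest = hashlib.sha256(json.dumps(new, sort_keys=True).encode()).hexdigest()
    new["etag"] = "etag-constructed-" + digest[:8]
    return new


def missing_audit_configs(desired, actual):
    """Drift check: (service, logType) pairs wanted but absent from the policy
    actually stored. Run it over a real getIamPolicy response to catch this."""
    def pairs(policy):
        return {
            (ac["service"], lc["logType"])
            for ac in policy.get("auditConfigs", [])
            for lc in ac.get("auditLogConfigs", [])
        }
    return sorted(pairs(desired) - pairs(actual))


def run_demo():
    """Apply the desired policy without and with the mask; return the drift."""
    without_mask = apply_set_iam_policy(CURRENT_POLICY, {"policy": DESIRED_POLICY})
    with_mask = apply_set_iam_policy(
        CURRENT_POLICY, build_set_iam_policy_request(DESIRED_POLICY))
    return {
        "missing_without_mask": missing_audit_configs(DESIRED_POLICY, without_mask),
        "missing_with_mask": missing_audit_configs(DESIRED_POLICY, with_mask),
        "bindings_applied": without_mask["bindings"] == DESIRED_POLICY["bindings"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Without the mask the bindings land and the three audit log configs never do, which is exactly the symptom in the report; the drift check is the part worth keeping, since a successful apply says nothing about whether data-access logging is actually on.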

ghost commented 5 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!