hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

deleted service accounts cause `google_storage_bucket_access_control` reads to fail #5852

Closed kibbles-n-bytes closed 4 years ago

kibbles-n-bytes commented 4 years ago

Affected Resource(s)

Expected Behavior

When a google_storage_bucket_access_control's entity refers to a service account (i.e. a value of user-[GSA_EMAIL]), when the service account is deleted, the bucket access control should also be considered gone as it no longer exists on the underlying API.

Actual Behavior

The BucketAccessControl.get call in the resourceStorageBucketAccessControlRead function returns a 400 with an error message "Unknown user email address [...]". This is handled differently than a 404, though conceptually it is the same.

venkykuberan commented 4 years ago

@kibbles-n-bytes, is the service account you are using in the google_storage_bucket_access_control resource created in the same config, or is it created outside?

kibbles-n-bytes commented 4 years ago

@venkykuberan The issue is most apparent when you created the service account outside of the same config, but could happen as part of the same config. Basically, if as part of whatever ordering you happen to delete the service account first, the bucket access control becomes stuck due to the storage API now returning 400s, not 404s.

venkykuberan commented 4 years ago

With the following config I see Terraform destroys the resources without any errors, based on the dependency graph it created.

Sample config:

```hcl
resource "google_storage_bucket" "bucket" {
  name     = "ventest-tf-bucket-deleteme"
  project  = var.project_id
  location = "US"
}

resource "google_storage_bucket_access_control" "public_bucket_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "user-${google_service_account.service_account.email}"
}

resource "google_service_account" "service_account" {
  account_id   = "test-cfg-sa"
  display_name = "test-cfg-sa"
}
```

Please let me know if it helps; if not, I would like to see your config to understand better.

kibbles-n-bytes commented 4 years ago

Hey @venkykuberan ; sorry, when I said "it could be part of the same config", I meant theoretically you could manually populate the entity field as user-test-cfg-sa@my-project-id.iam.gserviceaccount.com, but realistically yes it's when the service account is created out-of-band.

To reproduce:

```hcl
resource "google_storage_bucket_access_control" "public_bucket_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "user-test-cfg-sa@my-project-id.iam.gserviceaccount.com"
}
```

- Delete the service account using `gcloud`:
  `gcloud iam service-accounts delete test-cfg-sa@my-project-id.iam.gserviceaccount.com`
- Remove the bucket access control from the config and apply.

venkykuberan commented 4 years ago

Hi @kibbles-n-bytes, the API returns the following response for a non-existent email address. The Terraform provider has no control over the API response code; it just passes it back to the client. As we can't do much about this issue, I am closing it.

If you would like to raise an issue against the API, please do so at https://cloud.google.com/support/docs/issue-trackers#trackers-list

```json
{
  "error": {
    "code": 400,
    "message": "Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com",
    "errors": [
      {
        "message": "Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
```

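
One way a read function could classify that 400 as "resource gone" while still surfacing every other failure, as an added Go sketch that is not the provider's code: `apiError`, `IsGoneError`, `HandleReadError` and `aclState` are hypothetical names, `aclState` stands in for the SDK's resource state, and the sample body is the response quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The 400 body quoted in the thread above for a deleted service account.
const deletedSAResponse = `{"error":{"code":400,"message":"Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com","errors":[{"message":"Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com","domain":"global","reason":"invalid"}]}}`

// apiError mirrors the Google API error envelope shown in the thread.
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// IsGoneError reports whether a BucketAccessControl.get error body means the ACL no longer exists: a plain 404,
// or the 400 "Unknown user email address" case. 403s, 5xx and malformed bodies are not "gone", so real failures surface.
func IsGoneError(body []byte) (bool, error) {
	var e apiError
	if err := json.Unmarshal(body, &e); err != nil {
		return false, fmt.Errorf("parsing API error body: %w", err)
	}
	gone := e.Error.Code == 404 || (e.Error.Code == 400 && strings.HasPrefix(e.Error.Message, "Unknown user email address"))
	return gone, nil
}

// aclState is a constructed stand-in for the provider's resource state (not the SDK's ResourceData).
type aclState struct{ ID, Entity string }

// HandleReadError applies the read-time rule: a gone ACL clears the ID so Terraform drops it from state
// (or plans a recreate if it is still in config); any other error is returned unchanged.
func HandleReadError(s *aclState, body []byte) error {
	gone, err := IsGoneError(body)
	if err != nil {
		return err
	}
	if gone {
		s.ID = ""
		return nil
	}
	return fmt.Errorf("reading access control for %s: %s", s.Entity, body)
}

func main() {
	s := &aclState{ID: "ventest-tf-bucket-deleteme/user-test1@xxx", Entity: "user-test1@xxx"}
	fmt.Println(HandleReadError(s, []byte(deletedSAResponse)), s.ID == "") // <nil> true
}
```

Matching only the exact "Unknown user email address" message keeps every other 400 (a malformed entity, for instance) as a hard error rather than silently dropping an access control entry from state.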
ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!