Closed kibbles-n-bytes closed 4 years ago
@kibbles-n-bytes, is the service account you are using in the google_storage_bucket_access_control resource created in the same config, or is it created outside of it?
@venkykuberan The issue is most apparent when you create the service account outside of the same config, but it could happen as part of the same config. Basically, if as part of whatever ordering you happen to delete the service account first, the bucket access control becomes stuck because the storage API now returns 400s, not 404s.
With the following config I see Terraform destroys the resources without any errors, based on the dependency graph it created.
sample config
```hcl
resource "google_storage_bucket" "bucket" {
  name     = "ventest-tf-bucket-deleteme"
  project  = var.project_id
  location = "US"
}

resource "google_storage_bucket_access_control" "public_bucket_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "user-${google_service_account.service_account.email}"
}

resource "google_service_account" "service_account" {
  account_id   = "test-cfg-sa"
  display_name = "test-cfg-sa"
}
```
Please let me know if it helps; if not, I would like to see your config to understand better.
Hey @venkykuberan; sorry, when I said "it could be part of the same config", I meant theoretically you could manually populate the entity field as `user-test-cfg-sa@my-project-id.iam.gserviceaccount.com`, but realistically yes, it's when the service account is created out-of-band.
To reproduce:
- `gcloud iam service-accounts create test-cfg-sa`
- Apply the config:
```hcl
resource "google_storage_bucket" "bucket" {
  name     = "ventest-tf-bucket-deleteme"
  project  = var.project_id
  location = "US"
}

resource "google_storage_bucket_access_control" "public_bucket_rule" {
  bucket = google_storage_bucket.bucket.name
  role   = "READER"
  entity = "user-test-cfg-sa@my-project-id.iam.gserviceaccount.com"
}
```
- Delete the service account using `gcloud`:
  `gcloud iam service-accounts delete test-cfg-sa@my-project-id.iam.gserviceaccount.com`
- Remove the bucket access control from the config and apply.
Hi @kibbles-n-bytes, the API returns the following response for a non-existent email address. The Terraform provider has no control over the API response code; it just passes it back to the client. As we can't do much about this issue, I am closing it.
If you would like to raise an issue against the API, please do so at https://cloud.google.com/support/docs/issue-trackers#trackers-list
```json
{
  "error": {
    "code": 400,
    "message": "Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com",
    "errors": [
      {
        "message": "Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
```
Expected Behavior
When a google_storage_bucket_access_control's entity refers to a service account (i.e. a value of user-[GSA_EMAIL]), when the service account is deleted, the bucket access control should also be considered gone, as it no longer exists on the underlying API.
Actual Behavior
The BucketAccessControl.get call in the resourceStorageBucketAccessControlRead function returns a 400 with an error message "Unknown user email address [...]". This is handled differently than a 404, though conceptually it is the same.
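The following Go program is an added illustration, not code from terraform-provider-google, of the behaviour the issue asks for: a Read step that treats the 400 "Unknown user email address" response quoted in the thread the same way as a 404 (drop the resource from state), while still surfacing every other 400 as an error. The error envelope shape is taken from the response pasted above; the decision to match on `reason == "invalid"` plus the message prefix is an assumption made here, as is the `aclState` struct that stands in for the provider's resource data. Matching narrowly matters: treating any 400 as "gone" would silently remove ACL entries from state on unrelated request errors, leaving real grants unmanaged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// apiError mirrors the JSON error envelope the Cloud Storage API returned
// in this issue (shape copied from the quoted response).
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Errors  []struct {
			Message string `json:"message"`
			Domain  string `json:"domain"`
			Reason  string `json:"reason"`
		} `json:"errors"`
	} `json:"error"`
}

// readOutcome is what a Read function should do with a failed
// BucketAccessControl.get call.
type readOutcome int

const (
	outcomeRetain readOutcome = iota // keep the entry in state and return the error
	outcomeGone                      // the entry no longer exists: clear it from state
)

// classifyReadError decides whether a failed read means the ACL entry is gone.
// A 404 is the conventional signal. A 400 whose item has reason "invalid" and
// a message starting with "Unknown user email address" is the case from this
// issue: the principal was deleted, so the ACL entry cannot exist any more.
// Every other status or 400 is retained so that misconfigurations are not
// masked as "already deleted".
func classifyReadError(status int, body []byte) (readOutcome, error) {
	if status == http.StatusNotFound {
		return outcomeGone, nil
	}
	if status != http.StatusBadRequest {
		return outcomeRetain, fmt.Errorf("unexpected HTTP %d from API", status)
	}
	var e apiError
	if err := json.Unmarshal(body, &e); err != nil {
		return outcomeRetain, fmt.Errorf("HTTP 400 with unparseable body: %w", err)
	}
	for _, item := range e.Error.Errors {
		if item.Reason == "invalid" && strings.HasPrefix(item.Message, "Unknown user email address") {
			return outcomeGone, nil
		}
	}
	return outcomeRetain, fmt.Errorf("HTTP 400: %s", e.Error.Message)
}

// aclState is a hypothetical stand-in for the provider's resource data:
// an empty ID means the resource has been removed from state.
type aclState struct {
	ID     string
	Entity string
}

// readACL applies the classification to the state, the way a Read function
// would call d.SetId("") on a 404.
func readACL(st *aclState, status int, body []byte) error {
	outcome, err := classifyReadError(status, body)
	if outcome == outcomeGone {
		st.ID = ""
		return nil
	}
	return err
}

// unknownUserBody is the response quoted in the issue (constructed sample).
const unknownUserBody = `{"error":{"code":400,"message":"Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com","errors":[{"message":"Unknown user email address: test1-serviceaccount-delete@xxx.iam.gserviceaccount.com","domain":"global","reason":"invalid"}]}}`

// otherBadRequest is a constructed 400 of a different kind, which must be retained.
const otherBadRequest = `{"error":{"code":400,"message":"Required","errors":[{"message":"Required","domain":"global","reason":"required"}]}}`

func main() {
	cases := []struct {
		name   string
		status int
		body   string
	}{
		{"deleted principal (400)", 400, unknownUserBody},
		{"missing entry (404)", 404, ""},
		{"unrelated 400", 400, otherBadRequest},
	}
	for _, c := range cases {
		st := &aclState{ID: "ventest-tf-bucket-deleteme/user-x", Entity: "user-x"}
		err := readACL(st, c.status, []byte(c.body))
		fmt.Printf("%-24s -> removed from state: %-5v err: %v\n", c.name, st.ID == "", err)
	}
}
```

Run with `go run .`; the first two cases clear the state ID with no error, the third keeps the entry and reports the 400.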