hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_iam_testable_permissions missing permissions without stage #7758

Open brs opened 4 years ago

brs commented 4 years ago

Terraform Version

Terraform v0.13.5

Affected Resource(s)

google_iam_testable_permissions

Terraform Configuration Files

data "google_iam_testable_permissions" "non_supported_perms" {
    full_resource_name = "//cloudresourcemanager.googleapis.com/organizations/123456789"
    #stages             = ["GA", "BETA", "ALPHA", "DEPRECATED"]
    custom_support_level = "NOT_SUPPORTED"
}

Debug Output

n/a

Panic Output

n/a

Expected Behavior

All permissions that have a custom_support_level of NOT_SUPPORTED should be returned.

Actual Behavior

We are building custom iam roles based off permissions of predefined roles. In doing so, we try to filter out any permissions that are not supported in custom roles. This has been working well but it appears Google has introduced some permissions that do not have a value for stage.

A couple of permissions in this state are:

customRolesSupportLevel: NOT_SUPPORTED
description: This permission is managed by Dell EMC, not Google.
name: dellemccloudonefs.clusters.get
onlyInPredefinedRoles: true
primaryPermission: cloudonefs.isiloncloud.com/clusters.get
title: Get cluster
---
customRolesSupportLevel: NOT_SUPPORTED
description: This permission is managed by Dell EMC, not Google.
name: dellemccloudonefs.clusters.list
onlyInPredefinedRoles: true
primaryPermission: cloudonefs.isiloncloud.com/clusters.list

Steps to Reproduce

  1. terraform apply

Important Factoids

References

b/329648533

edwardmedia commented 4 years ago

@brs from the provider's perspective, there is no change since it was released 6 months ago. I am not sure what you had and what you see now. We don't have control over how the API behaves. Below is its API doc and it seems all those parameters are supported. Is there anything we can help with?

https://cloud.google.com/iam/docs/reference/rest/v1/permissions/queryTestablePermissions

brs commented 4 years ago

@edwardmedia The issue is that in the data source code, if the user does not specify a stage, the code defaults to GA. I have not dug through all of the code for the data source, but I see the stage is not part of the call to the API, so I assume the data source is doing filtering based on the stage; it seems there needs to be a way to not do that.

I just checked with the API (I had been using gcloud commands) and the example permissions I provided earlier are included in the results.

{
    "name": "cloudonefs.isiloncloud.com/clusters.list",
    "title": "List clusters",
    "description": "This permission is managed by Dell EMC, not Google.",
    "onlyInPredefinedRoles": true,
    "customRolesSupportLevel": "NOT_SUPPORTED"
},

edwardmedia commented 4 years ago

@brs Please take a look at the request-body schema from the link below. It appears the API does not take stage as you wanted. Does this make sense?

but I see the stage is not part of the call to the API 

https://cloud.google.com/iam/docs/reference/rest/v1/permissions/queryTestablePermissions#request-body

brs commented 4 years ago

Thank you for your response. I think I am not communicating the issue clearly enough. I am NOT asking to send the stage in the API call, I'm actually asking for the option to not use stage at all as there are permissions that don't have this attribute.

edwardmedia commented 4 years ago

@brs the default is set to ["GA"]. To change the behavior, I am updating the label to enhancement to have it triaged.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_testable_permissions#stages

roaks3 commented 8 months ago

Confirmed also that stages = [] does not send the field at all in the API request, which leads to GA being used as a server-side default.

We might be able to solve this by forcing [] or [""] to be sent to the API, but otherwise this could require an API change to support an empty value.
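The following Go program is an added example, not code from the provider or from anyone in this thread. It reproduces the client-side filtering behaviour the thread describes: the API response is decoded, custom_support_level is matched, and an empty stages list is replaced by ["GA"], which silently drops any permission the API returns without a stage field (the Dell EMC entries above). A hypothetical keepUnstaged flag shows the requested alternative, where an empty stages list means "do not filter on stage". The JSON body is constructed for the example; the assumption that the API omits customRolesSupportLevel when the level is SUPPORTED is marked in the code.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Permission holds the fields of a queryTestablePermissions result that the
// data source filters on. The API omits "stage" for some permissions (the
// Dell EMC ones quoted in this issue), so Stage decodes to "" for them.
type Permission struct {
	Name                    string `json:"name"`
	Title                   string `json:"title"`
	Description             string `json:"description"`
	Stage                   string `json:"stage"`
	OnlyInPredefinedRoles   bool   `json:"onlyInPredefinedRoles"`
	CustomRolesSupportLevel string `json:"customRolesSupportLevel"`
}

type queryResponse struct {
	Permissions []Permission `json:"permissions"`
}

// sampleResponse is a constructed response body. The Dell EMC entry copies
// the shape shown in the issue; the other three entries are illustrative.
const sampleResponse = `{"permissions": [
  {"name": "compute.instances.get", "stage": "GA"},
  {"name": "compute.instances.osLogin", "stage": "BETA", "customRolesSupportLevel": "TESTING"},
  {"name": "cloudonefs.isiloncloud.com/clusters.list", "title": "List clusters",
   "description": "This permission is managed by Dell EMC, not Google.",
   "onlyInPredefinedRoles": true, "customRolesSupportLevel": "NOT_SUPPORTED"},
  {"name": "resourcemanager.projects.list", "stage": "GA", "customRolesSupportLevel": "NOT_SUPPORTED"}
]}`

// ParseResponse decodes a queryTestablePermissions response body.
func ParseResponse(body string) ([]Permission, error) {
	var r queryResponse
	if err := json.Unmarshal([]byte(body), &r); err != nil {
		return nil, err
	}
	return r.Permissions, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matchesLevel compares the requested custom_support_level with the API
// field. Assumption: the API omits customRolesSupportLevel when the level
// is SUPPORTED, so "" is treated as SUPPORTED here.
func matchesLevel(want string, p Permission) bool {
	got := p.CustomRolesSupportLevel
	if got == "" {
		got = "SUPPORTED"
	}
	return got == want
}

// Filter is the client-side filtering step. With keepUnstaged=false it
// behaves as the thread describes the current data source: an empty stages
// list is replaced by ["GA"], and a permission whose stage is absent ("")
// never matches, so it is dropped. With keepUnstaged=true (hypothetical
// flag, not a provider option) an empty stages list means "no stage filter",
// which is the behaviour requested in this issue. Returns permission names.
func Filter(perms []Permission, stages []string, level string, keepUnstaged bool) []string {
	if level == "" {
		level = "SUPPORTED" // the data source's documented default
	}
	noStageFilter := keepUnstaged && len(stages) == 0
	if len(stages) == 0 {
		stages = []string{"GA"}
	}
	names := []string{}
	for _, p := range perms {
		if !matchesLevel(level, p) {
			continue
		}
		if !noStageFilter && !contains(stages, p.Stage) {
			continue
		}
		names = append(names, p.Name)
	}
	return names
}

func main() {
	perms, err := ParseResponse(sampleResponse)
	if err != nil {
		panic(err)
	}
	fmt.Println("current (stages default to GA):", Filter(perms, nil, "NOT_SUPPORTED", false))
	fmt.Println("requested (no stage filter):   ", Filter(perms, nil, "NOT_SUPPORTED", true))
}
```

Run as-is, the first line lists only resourcemanager.projects.list, the second also lists cloudonefs.isiloncloud.com/clusters.list. The practical consequence for the role-building workflow in this issue is that a NOT_SUPPORTED permission with no stage is absent from the exclusion list, so it is not filtered out of the custom role definition.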