group-settings: error 400 if group settings' email value differs in capital/lower-case letters from group email

[jazzlyn]

Hi there,

Terraform Version

Terraform v1.2.1 on linux_amd64

• provider registry.terraform.io/hashicorp/googleworkspace v0.7.0

Affected Resource(s)

• group-settings

Configuration

Group configuration:

resource-a:
  email: "resource-a@example.io"
  name: "RESOURCE-A@example.io"

resource-b:
  email: "resource-b@example.io"
  name: "resource-b@example.io"

Output

Terraform will perform the following actions:

  # module.gworkspace.module.group_settings["resource-a"].googleworkspace_group_settings.group_settings will be updated in-place
  ~ resource "googleworkspace_group_settings" "group_settings" {
      ~ email                                          = "RESOURCE-A@example.io" -> "resource-a@example.io"
        id                                             = "RESOURCE-A@example.io"
        name                                           = "RESOURCE-A@example.io"
        # (23 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.gworkspace.module.group_settings["resource-b"].googleworkspace_group_settings.group_settings will be updated in-place
  ~ resource "googleworkspace_group_settings" "group_settings" {
      ~ email                                          = "reSource-B@example.io" -> "resource-b@example.io"
        id                                             = "reSource-B@example.io"
        name                                           = "resource-b@example.io"
        # (23 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

╷
│ Error: googleapi: Error 400: Required, required
│
│   with module.gworkspace.module.group_settings["resource-a"].googleworkspace_group_settings.group_settings,
│   on modules/group_settings/main.tf line 14, in resource "googleworkspace_group_settings" "group_settings":
│   14: resource "googleworkspace_group_settings" "group_settings" {
│
╵
╷
│ Error: googleapi: Error 400: Required, required
│
│   with module.gworkspace.module.group_settings["resource-b"].googleworkspace_group_settings.group_settings,
│   on modules/group_settings/main.tf line 14, in resource "googleworkspace_group_settings" "group_settings":
│   14: resource "googleworkspace_group_settings" "group_settings" {
│

[jazzlyn]

workaround

lifecycle {
    ignore_changes = [
        email
    ]
}

[SarahFrench]

Hi @jazzlyn, thanks for raising this issue and showing a workaround for others who might have the same issue!

I've found that the underlying cause is that the 2 APIs used to manage Groups (Directory API) and Group Settings (Group Settings API) handle the group's email differently. When groups are made the email is automatically converted to lower case. Group settings are made using the original email with upper case characters, which happens behind the scenes on Google's backend when new groups are made. This mismatch of emails using/not using upper case characters causes issues, and there's no way for the provider to update the group settings to use the lower case email.

As the root cause is inconsistent handling of capitalisation by Google's APIs I'd recommend avoiding putting capital letters in the groups email value. I'm working on a solution for this issue but avoiding it is best, given the restrictions on what the provider can control.

[roboweaver]

Saw this as well, but after destroying and making sure group name was lower case it appears to be fine. I orginally had the name of the group and email in UPPER case.

[jazzlyn]

@SarahFrench any chance that this provider can be adopted by someone still working for hashicorp?

[security-penguin]

workaround

lifecycle {
    ignore_changes = [
        email
    ]
}

@jazzlyn which resource did you put the lifecycle rule in as I am not having any success with that as a workaround.

[jazzlyn]

@security-penguin to resource "googleworkspace_group_settings"

https://github.com/strg-at/terraform-googleworkspace-user-group-management/blob/main/modules/group_settings/main.tf#L22