hashicorp / terraform-provider-googleworkspace

Terraform Provider for Google Workspace
https://registry.terraform.io/providers/hashicorp/googleworkspace
Mozilla Public License 2.0

googleworkspace_group loop over wrong state #436

Open noamgreen opened 1 year ago

noamgreen commented 1 year ago

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Terraform v1.3.4 on darwin_arm64

Affected Resource(s)

Please list the resources as a list, for example:

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "googleworkspace_group" "google_groups" {
  count       = length(var.goole_groups)
  email       = lookup(var.goole_groups[count.index], "email")
  name        = lookup(var.goole_groups[count.index], "group_name")
  description = lookup(var.goole_groups[count.index], "description")
}

variable "goole_groups" {
  default = [
    {
      group_name ="Sso Client Account Admin"
      email ="sso-clientaccount-admin@mymail.io"
      description ="ClientAccount account Admin Full permission"
      sso_permission_set_name: "ClientAccount-Admin"
    },
    {
      group_name ="Sso Client Account PowerUsers"
      email ="sso-clientaccount-powerusers@mymail.io"
      description ="ClientAccount account Power Users permission"
      sso_permission_set_name: "ClientAccount-PowerUsers"

    },
    {
      group_name ="Sso Client Account Users"
      email ="sso-clientaccount-users@mymail.io"
      description ="ClientAccount account all users permission"
      sso_permission_set_name: "ClientAccount-Users"
    },
  ]
}

Expected Behavior

Create the groups in the Google account as expected, and this works! The issue is after changing the list.

Actual Behavior

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

    
    # googleworkspace_group.google_groups[0] will be created
    + resource "googleworkspace_group" "google_groups" {
      + admin_created        = (known after apply)
      + description          = "ClientAccount account Admin Full permission"
      + direct_members_count = (known after apply)
      + email                = "sso-clientaccount-admin@mymail.io"
      + etag                 = (known after apply)
      + id                   = (known after apply)
      + name                 = "Sso Client Account Admin"
      + non_editable_aliases = (known after apply)
    }
    
    # googleworkspace_group.google_groups[1] will be created
    + resource "googleworkspace_group" "google_groups" {
      + admin_created        = (known after apply)
      + description          = "ClientAccount account Power Users permission"
      + direct_members_count = (known after apply)
      + email                = "sso-clientaccount-powerusers@mymail.io"
      + etag                 = (known after apply)
      + id                   = (known after apply)
      + name                 = "Sso Client Account PowerUsers"
      + non_editable_aliases = (known after apply)
    }

    googleworkspace_group.google_groups[1]: Creating...
    googleworkspace_group.google_groups[0]: Creating...
    googleworkspace_group.google_groups[1]: Still creating... [10s elapsed]
    googleworkspace_group.google_groups[0]: Still creating... [10s elapsed]

This will work and the group will be created. I will remove a group from the list and I get this:

variable "goole_groups" {
  default = [
    {
      group_name ="Sso Client Account Admin"
      email ="sso-clientaccount-admin@mymail.io"
      description ="ClientAccount account Admin Full permission"
      sso_permission_set_name: "ClientAccount-Admin"
    },
#    {
#      group_name ="Sso Client Account PowerUsers"
#      email ="sso-clientaccount-powerusers@mymail.io"
#      description ="ClientAccount account Power Users permission"
#      sso_permission_set_name: "ClientAccount-PowerUsers"
#
#    },
    {
      group_name ="Sso Client Account Users"
      email ="sso-clientaccount-users@mymail.io"
      description ="ClientAccount account all users permission"
      sso_permission_set_name: "ClientAccount-Users"
    }
  ]
}

1. `terraform apply`

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # googleworkspace_group.google_groups[1] will be updated in-place
  ~ resource "googleworkspace_group" "google_groups" {
      ~ description          = "ClientAccount account Power Users permission" -> "ClientAccount account all users permission"
      ~ email                = "sso-clientaccount-powerusers@mymail.io" -> "sso-clientaccount-users@mymail.io"
        id                   = "XXXXXXXXXX"
      ~ name                 = "Sso Client Account PowerUsers" -> "Sso Client Account Users"
        # (5 unchanged attributes hidden)
    }

  # googleworkspace_group.google_groups[2] will be destroyed
  # (because index [2] is out of range for count)
  - resource "googleworkspace_group" "google_groups" {
      - admin_created        = true -> null
      - aliases              = [] -> null
      - description          = "ClientAccount account all users permission" -> null
      - direct_members_count = 0 -> null
      - email                = "sso-clientaccount-users@mymail.io" -> null
      - etag                 = "\"/\"" -> null
      - id                   = "
      - " -> null
      - name                 = "Sso Client Account Users" -> null
      - non_editable_aliases = [
          - "sso-clientaccount-users@mymail.ac",
          - "sso-clientaccount-users@mymail.cloud",
          - "sso-clientaccount-users@mymail.io.test-google-a.com",
          - "sso-clientaccount-users@mymail.xyz",
          - "sso-clientaccount-users@mymail.io",
        ] -> null
    }

BUT if you add a new group to the list or change it, as you can see:

`~ email = "sso-clientaccount-powerusers@mymail.io" -> "sso-clientaccount-users@mymail.io"`

Plan: 0 to add, 1 to change, 1 to destroy.

googleworkspace_group.google_groups[2]: Destroying... [id=XXXXXXXXX]
googleworkspace_group.google_groups[1]: Modifying... [id=XXXXXXX]
googleworkspace_group.google_groups[2]: Destruction complete after 2s
╷
│ Error: googleapi: Error 409: Entity already exists., duplicate
│
│   with googleworkspace_group.google_groups[1],
│   on aws_mgmt_account.tf line 25, in resource "googleworkspace_group" "google_groups":
│   25: resource "googleworkspace_group" "google_groups" {
│
╵

Why it's working like this I don't understand, but I understood why I get the duplicate. I think the issue is in the API.

Thanks, Noam
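
Added example, not part of the original issue or the provider's code: the plan above follows from `count` addressing each group by list position, so removing the middle element moves "Users" into index `[1]` and the existing PowerUsers group id is renamed in place. One way to avoid the shift is `for_each` keyed by email with `moved` blocks for the three existing groups; this assumes the emails are unique and Terraform 1.1 or later for `moved`.

```hcl
# Key each group by its email instead of by its position in the list.
# State addresses become google_groups["<email>"], so deleting one entry
# from var.goole_groups only affects that entry.
resource "googleworkspace_group" "google_groups" {
  # for_each needs a map or set; build a map of email => group object.
  for_each = { for g in var.goole_groups : g.email => g }

  email       = each.value.email
  name        = each.value.group_name
  description = each.value.description
}

# One-time migration: re-address the groups already created under count
# so the switch to for_each does not destroy and recreate them.
moved {
  from = googleworkspace_group.google_groups[0]
  to   = googleworkspace_group.google_groups["sso-clientaccount-admin@mymail.io"]
}

moved {
  from = googleworkspace_group.google_groups[1]
  to   = googleworkspace_group.google_groups["sso-clientaccount-powerusers@mymail.io"]
}

moved {
  from = googleworkspace_group.google_groups[2]
  to   = googleworkspace_group.google_groups["sso-clientaccount-users@mymail.io"]
}
```

Run `terraform plan` with all three groups still in the list first; it should report only the three moves. Removing the PowerUsers entry afterwards should plan a single destroy of the `["sso-clientaccount-powerusers@mymail.io"]` address, with no in-place change to the other groups.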