terraform-google-modules / terraform-google-group

Manages Google Groups
https://registry.terraform.io/modules/terraform-google-modules/group/google
Apache License 2.0

Account deleted from org. Terraform fails. #29

Closed b-pison closed 2 years ago

b-pison commented 3 years ago

TL;DR

Org with accounts, groups, etc, managed through Terraform (terraform apply working fine)

A user had his account removed from the organization (through the Admin panel). This user was in a group managed through Terraform, using this module.

Terraform fails with:

│ Error: Error when reading or editing CloudIdentityGroupMembership "groups/xxxxxxx/memberships/1231233333333331123123": googleapi: Error 403: Error(2028): Permission denied for resource groups/xxxxxx/memberships/12312312321 (or it may not exist).

Expected behavior

Terraform (and this module) identify the missing resource and offer to recreate it or remove it from the state file.

Observed behavior

Terraform fails and blocks the module usage.

Terraform Configuration

module "group" {
  source  = "terraform-google-modules/group/google"
  version = "~> 0.3"

  id           = var.iam_group.group_id
  display_name = var.iam_group.display_name
  description  = var.iam_group.description
  domain       = var.groups_domain
  owners       = var.iam_group.owners
  managers     = var.iam_group.managers
  members      = var.iam_group.members
}

# One entry of var.group_obj, as passed to the module above
team_xpto = {
  group_id     = "tf-team-xpto@domain.com"
  display_name = "(TF) Team XPTO Team"
  description  = "Terraform managed group for Team XPTO team"
  owners       = []
  managers     = []
  members = [
    "macron@domain.com",
    "biden@domain.com",
    "merkel@domain.com",
    "boris@domain.com", # <<<--- user removed, for example
  ]
}

variable "group_obj" {
  type = map(object({
    group_id     = string
    display_name = string
    description  = string
    owners       = list(string)
    managers     = list(string)
    members      = list(string)
  }))
}

Terraform Version

Terraform v1.0.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.90.1
+ provider registry.terraform.io/hashicorp/google-beta v3.90.1
+ provider registry.terraform.io/hashicorp/null v3.1.0

and

source  = "terraform-google-modules/group/google"
version = "~> 0.3"

Additional information

No response
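As an added example (not code from this module, from the google provider, or from the issue author): a small Python helper for the situation described in the issue. It takes the provider's error output and a `terraform show -json` dump, finds the state addresses that hold the memberships the API now reports as missing, and prints the `terraform state rm` commands that would unblock the run. The module-internal resource address `module.group.google_cloud_identity_group_membership.members[...]`, the group and membership IDs, and the sample state are constructed for illustration and are assumptions, not the module's real layout. It deliberately only prints the commands: the 403 text reads "or it may not exist", so the same error appears when the caller simply lacks permission on the group, and the account should be confirmed gone in the Admin console before state is edited.

```python
"""Find the Terraform state entries behind the provider's 403 refresh
error and emit the `terraform state rm` commands that unblock the run.

Added example, not code from the terraform-google-group module or the
google provider. Assumptions: the error text is what `terraform plan`
or `terraform apply` wrote to stderr, the state is the JSON produced by
`terraform show -json`, and the 403 really means the membership is gone.
"""
import json
import re
import shlex
import sys

# Shape of the provider error quoted in the issue. The 403 text is ambiguous:
# the API says "Permission denied ... (or it may not exist)" both when the
# membership was deleted and when the caller genuinely lacks permission.
MEMBERSHIP_ERR_RE = re.compile(
    r'CloudIdentityGroupMembership "(?P<name>groups/[^/"]+/memberships/[^"]+)"'
)


def missing_memberships(error_text: str) -> set[str]:
    """Membership resource names named in the provider's refresh errors."""
    return {m.group("name") for m in MEMBERSHIP_ERR_RE.finditer(error_text)}


def walk_resources(module: dict):
    """Yield every resource in a `terraform show -json` module tree."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def addresses_for(state: dict, names: set[str]) -> dict[str, str]:
    """Map each membership resource name to the state address that holds it."""
    root = state.get("values", {}).get("root_module", {})
    found = {}
    for res in walk_resources(root):
        if res.get("type") != "google_cloud_identity_group_membership":
            continue
        name = res.get("values", {}).get("name")
        if name in names:
            found[name] = res["address"]
    return found


def state_rm_commands(error_text: str, state: dict) -> tuple[list[str], set[str]]:
    """Return (commands to run, membership names not found in state).

    Names absent from state are reported rather than silently dropped: a 403
    on a membership Terraform does not even track points at a permission
    problem, not at a deleted user.
    """
    names = missing_memberships(error_text)
    addresses = addresses_for(state, names)
    cmds = [f"terraform state rm {shlex.quote(addresses[n])}" for n in sorted(addresses)]
    return cmds, names - set(addresses)


# Constructed sample input: a refresh error like the one in the issue and a
# minimal `terraform show -json` document. The resource address inside
# module.group is an assumption, not the module's real naming.
SAMPLE_ERROR = (
    "│ Error: Error when reading or editing CloudIdentityGroupMembership "
    '"groups/0123abc/memberships/111": googleapi: Error 403: Error(2028): '
    "Permission denied for resource groups/0123abc/memberships/111 (or it may not exist).\n"
)
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {"root_module": {"child_modules": [{
        "address": "module.group",
        "resources": [
            {
                "address": 'module.group.google_cloud_identity_group_membership.members["boris@domain.com"]',
                "type": "google_cloud_identity_group_membership",
                "values": {"name": "groups/0123abc/memberships/111",
                           "preferred_member_key": [{"id": "boris@domain.com"}]},
            },
            {
                "address": 'module.group.google_cloud_identity_group_membership.members["macron@domain.com"]',
                "type": "google_cloud_identity_group_membership",
                "values": {"name": "groups/0123abc/memberships/222",
                           "preferred_member_key": [{"id": "macron@domain.com"}]},
            },
        ],
    }]}},
}

if __name__ == "__main__":
    # Real use:  terraform plan 2> plan.err; terraform show -json > state.json
    #            python3 stale_memberships.py plan.err state.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            err = f.read()
        with open(sys.argv[2]) as f:
            st = json.load(f)
    else:
        err, st = SAMPLE_ERROR, SAMPLE_STATE
    cmds, unknown = state_rm_commands(err, st)
    print("\n".join(cmds))
    for n in sorted(unknown):
        print(f"# not in state, check IAM on the group before touching anything: {n}", file=sys.stderr)
```

After running the printed `terraform state rm` commands, also drop the removed account from the group's `members` list; otherwise the next apply tries to recreate a membership for a user who no longer exists and fails again.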

xingao267 commented 3 years ago

@bruno-pison have you opened an issue in the provider repo (https://github.com/hashicorp/terraform-provider-google)? It looks like additional logic needs to be implemented for the google_cloud_identity_group_membership resource to handle this error when refreshing the terraform states.

b-pison commented 3 years ago

Hello @xingao267 , I've not.

Right now, I'm trying to migrate from terraform-google-group to google_cloud_identity_group_membership and will check how it works there.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.