Updating a google_cloud_identity_group_membership to remove a role fails with an error #7616

Labels
bug forward/review In review; remove label to forward persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work service/cloudidentity-groups
@sruffilli

Terraform Version

$ terraform -v
Terraform v0.13.4

Affected Resource(s)

  • google_cloud_identity_group_membership

Terraform Configuration Files (if applicable)

resource "google_cloud_identity_group" "group" {
  provider     = google-beta
  display_name = "google_cloud_identity_group test"

  parent = "customers/CXXXXXXXX"

  group_key {
    id = "[email protected]"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "group_memberships" {
  provider = google-beta
  group    = google_cloud_identity_group.group.id

  member_key {
    id = "[email protected]"
  }

  roles {
    name = "MEMBER"
  }

  roles {
    name = "MANAGER"
  }

}

First apply this configuration then change it to what follows (notice that the block that defines the MANAGER membership has been removed) and apply again.

resource "google_cloud_identity_group" "group" {
  provider     = google-beta
  display_name = "google_cloud_identity_group test"

  parent = "customers/CXXXXXXXX"

  group_key {
    id = "[email protected]"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "group_memberships" {
  provider = google-beta
  group    = google_cloud_identity_group.group.id

  member_key {
    id = "[email protected]"
  }

  roles {
    name = "MEMBER"
  }
}

Issue Description

Changing a user membership (specifically downgrading a member from MANAGER to MEMBER) triggers the following error:

Error: Error updating GroupMembership "groups/xxxxxxxxxxxxxxx/memberships/NNNNNNNNNNNNNNNNNNNNNNNN": googleapi: got HTTP response code 404 with body:

<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/v1beta1/groups/xxxxxxxxxxxxxxx/memberships/NNNNNNNNNNNNNNNNNNNNNNNN?alt=json</code> was not found on this server.  <ins>That’s all we know.</ins>
@edwardmedia edwardmedia self-assigned this Oct 23, 2020
@edwardmedia
Contributor

@nat-henderson
Contributor

Got it. This resource is largely not implemented with update support, adding our "large bug" tag because this needs a lot of work. I'll try to get around to this one later this week, but it could be that this will have to wait for a migration we're planning on in early 2021 to a new way of managing resources which is more compatible with odd resources like this one.

@nat-henderson nat-henderson added the persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work label Oct 28, 2020
@ghost

ghost commented Nov 4, 2020

Hi,

I’m facing a similar error, in a similar situation:

  • I need to assign an existing group to a new user

I think it may be related to this issue, and hopefully it can be fixed at the same time in the same release. It could even be a reason to speed up the effort of solving the problem.
Otherwise I’ll open a new issue.

This requirement is critical, as it is the mechanism that we can use to grant roles to a project of a different organisation. The external organisation grants the roles to our group, and we add users and service accounts to that group.

ERROR:

Error: Error creating GroupMembership: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/v1beta1/xxxxxxxxxxxxxxxxxxxxx/memberships?alt=json</code> was not found on this server.  <ins>That’s all we know.</ins>

resource "google_cloud_identity_group_membership" "cloud_identity_group_membership_basic" {
  count = var.function_service_account_email == "None" ? 1 : 0
  provider = google-beta
  group    = var.function_service_account_group

  member_key {
    id = module.cloud-function-service-accounts[0].email
  }

  roles {
    name = "MEMBER"
  }
}

provider "google" {
  credentials = file(var.terraform_credentials_file)
  scopes = ["https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/pubsub"
  ]
  project = var.project_id
  region  = var.region
  version = "~> 3.46"
}

Terraform v0.13.4

The group exists in the server; I have tried using both the name and the email of the group.

@xingao267
Contributor

@ndmckinley any updates on this?

@xingao267
Contributor

I had an issue with this resource which might be related to the update method as well. When I re-apply the same config without any changes, it shows the following plan:

Terraform will perform the following actions:

  # module.child_group.google_cloud_identity_group_membership.managers["xxxxxxxxxxxxxxxxxxxxxx"] will be updated in-place
  ~ resource "google_cloud_identity_group_membership" "managers" {
        create_time = "2020-12-10T20:24:42.663827Z"
        group       = "groups/xxx"
        id          = "groups/xxx"
        name        = "groups/xxx"
        type        = "SERVICE_ACCOUNT"
        update_time = "2020-12-10T20:24:42.663827Z"

        preferred_member_key {
            id = "xxxxxxxxxxxxxxxxxxxxxx"
        }

      ~ roles {
          ~ name = "MEMBER" -> "MANAGER"
        }
      ~ roles {
          ~ name = "MANAGER" -> "MEMBER"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@xingao267
Contributor

I can work around the above issue by switching the order of the two roles in the resource, i.e.

From

  roles { name = "MANAGER" }
  roles { name = "MEMBER" }

to

  roles { name = "MEMBER" }
  roles { name = "MANAGER" }

@nat-henderson
Contributor

Interesting, it looks like those are meant to be a set rather than a list.

As for updates, this is in our "Goals" milestone, which means that we agree it should be done, but don't currently have the resources to do it and also don't think we will have the resources soon (by contrast with "Near Term Goals").

We would love to accept a community PR that fixes this issue - otherwise it may be quite some time. We re-prioritize based on issue thumbs-ups - if many people give the issue a thumbs-up, we'll get around to it sooner. "Many people" here depends on how hard the issue is - 30+ for sure, but could be as low as 10+ if the issue is an easy one.
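
The set-versus-list observation in the comment above, as an added Go example (not code from the provider or from the PR linked later in the thread): comparing role names by position reproduces the spurious MEMBER/MANAGER swap from the plan output, while an order-insensitive comparison reports no change and, for the downgrade in the original report, a single revoke of MANAGER. The function names and sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// positionalDiff compares index by index, as a list-typed attribute does (common length only).
func positionalDiff(state, config []string) []string {
	var changes []string
	for i := 0; i < len(state) && i < len(config); i++ {
		if state[i] != config[i] {
			changes = append(changes, state[i]+" -> "+config[i])
		}
	}
	return changes
}

// setDiff ignores order and returns the roles to grant and the roles to revoke.
func setDiff(state, config []string) (grant, revoke []string) {
	want := map[string]bool{}
	for _, r := range config {
		want[r] = true
	}
	have := map[string]bool{}
	for _, r := range state {
		if !want[r] && !have[r] {
			revoke = append(revoke, r)
		}
		have[r] = true
	}
	for _, r := range config {
		if !have[r] {
			grant = append(grant, r)
			have[r] = true
		}
	}
	sort.Strings(grant)
	sort.Strings(revoke)
	return grant, revoke
}

func main() {
	// Constructed sample: role order as stored in state vs. order written in the config.
	state, config := []string{"MEMBER", "MANAGER"}, []string{"MANAGER", "MEMBER"}
	fmt.Println(positionalDiff(state, config))      // phantom in-place update
	fmt.Println(setDiff(state, config))             // nothing to grant or revoke
	fmt.Println(setDiff(state, []string{"MEMBER"})) // downgrade: revoke MANAGER only
}
```

After a downgrade is applied, running the same set comparison against the roles the API reports is a quick way to confirm that MANAGER was actually revoked rather than left in place by a failed update.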

@tmshn
Contributor

tmshn commented Apr 5, 2021

@ndmckinley I filed a PR to fix this: GoogleCloudPlatform/magic-modules#4658, so I would be happy if you (or another maintainer) could review it.

@ghost

ghost commented May 8, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 8, 2021
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudidentity-groups labels Jan 14, 2025