-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non-authoritative policies don't survive updates #11736
Comments
The initial version of google_project_iam_policy would capture an IAM policy that could be restored (for non-authoritative resources), but it would only do this on create. If the policy drifted outside of Terraform after create, the originaly restore_policy would be applied on an update, removing the out-of-band changes. This change makes non-authoritative google_project_iam_policy resources truly non-destructive. The restore_policy is recalculated on update and delete, ensuring that only the policy_data is removed from a project's IAM policy. Fixes hashicorp#11736
The initial version of google_project_iam_policy would capture an IAM policy that could be restored (for non-authoritative resources), but it would only do this on create. If the policy drifted outside of Terraform after create, the originaly restore_policy would be applied on an update, removing the out-of-band changes. This change makes non-authoritative google_project_iam_policy resources truly non-destructive. The restore_policy is recalculated on update and delete, ensuring that only the policy_data is removed from a project's IAM policy. Fixes hashicorp#11736
Off the top of my head, we migrated to However, we were using terraform in a slightly unusual way:
To be able to deprovision test environments without the |
That's definitely not the workflow we want. :( If I understand this correctly, you're using different environments/tfstates in the same project. Is that correct?
This is setting off alarm bells in my head, and I'd love to hear more about it. If I understand correctly, you want to (over time) change what Terraform considers policies it shouldn't change, but which are not in its config. Is that correct? Currently digging into the bug report a bit (I see #11737, so won't code anything, but I want to understand exactly what's happening here). Thanks for breaking it out, @evandbrown. :) |
OK, from what I'm seeing: For @allandrick:
Does that sound accurate? My attempt at reproducing (code here: https://github.com/paddyforan/terraform_11736)
So I've stumbled into another bug, in which semantically equivalent policies are treated as diffs. I'll open another bug to fix that (edit: #11763), a DiffSuppressFunc will take care of it without a problem. But the core problem I'm seeing here is that module state is held separately from root state. When the module reads the policies from the API, it strips out the common ones, but doesn't know to strip out the ones that the root "owns", so it sets them in its own state--even though the root should be responsible for them. Then its config sees them in the state and not in the config, and thinks they're different. That's my understanding of things at the moment. If anyone has any info that proves me wrong, let me know! |
So I've checked in on this, and module state and root state being held separately is a known limitation; because |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Initially reported by @allandrick in #11556:
and
The text was updated successfully, but these errors were encountered: