terraform-google-bigquery

Workaround issue causing permanent diff in access list

Open mwallace582 opened this issue 3 years ago • 1 comments

Hi Everyone,

For the past few months, my team and I have been suffering from large permanent diffs in our access list when we use this module. Today I finally got sick of it, and went searching for a solution. In my search I encountered this workaround which has solved the problem for us locally. I realize that this isn't a perfect fix for the root cause issue here, but it does make for a much better user experience.

I figured that it would make sense to push this fix upstream so that users of this module won't have to experience this issue.

If it doesn't make sense to you all to merge this into the module itself, here is an uglier workaround that we are using locally:

locals {
  default_access = [
    {
      "role" : "roles/bigquery.dataViewer",
      "user_by_email" : "[email protected]",
    },
    {
      "role" : "roles/bigquery.dataViewer",
      "group_by_email" : "[email protected]",
    },
  ]
}

module "my_dataset" {
  source  = "terraform-google-modules/bigquery/google"
  ...etc...
  access = [for entry in local.default_access :
    merge({
      "user_by_email": "",
      "group_by_email": "",
      "special_group": "",
      "domain": "",
    }, entry)
  ]
}

Thanks! Matthew

mwallace582 avatar Aug 11 '22 22:08 mwallace582

Thanks for the PR! 🚀
✅ Lint checks have passed.

comment-bot-dev avatar Aug 11 '22 22:08 comment-bot-dev

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Oct 10 '22 23:10 github-actions[bot]

Would someone mind taking a look at this? I believe this workaround would be worthwhile for lots of users of this module.

mwallace582 avatar Oct 10 '22 23:10 mwallace582

Thanks for taking a look at this @bharathkkb!

I was able to reproduce the issue using the basic example with Terraform v1.2.3 and the Google provider v4.40.0.

Here's how to do it:

Start with an access list with several entries. Run terraform apply.

module "bigquery" {
  source                     = "../.."
  ....
  access = [
    {
      role          = "OWNER",
      special_group = "projectOwners",
    },
    {
      role          = "WRITER",
      special_group = "projectWriters",
    },
    {
      role          = "READER",
      special_group = "projectReaders",
    },
  ]
}

Remove one of the entries (I removed the projectReaders), and run terraform plan. The output looks like the following:

Terraform will perform the following actions:

  # module.bigquery.google_bigquery_dataset.main will be updated in-place
  ~ resource "google_bigquery_dataset" "main" {
        id                              = "projects/matthew-test-bq/datasets/foo"
        # (13 unchanged attributes hidden)

      - access {
          - role          = "OWNER" -> null
          - special_group = "projectOwners" -> null
        }
      - access {
          - role          = "READER" -> null
          - special_group = "projectReaders" -> null
        }
      - access {
          - role          = "WRITER" -> null
          - special_group = "projectWriters" -> null
        }
      + access {
          + role          = "OWNER"
          + special_group = "projectOwners"
        }
      + access {
          + role          = "WRITER"
          + special_group = "projectWriters"
        }
    }

With the fix in this pull request, the output looks like this instead:

Terraform will perform the following actions:

  # module.bigquery.google_bigquery_dataset.main will be updated in-place
  ~ resource "google_bigquery_dataset" "main" {
        id                              = "projects/matthew-test-bq/datasets/foo"
        # (13 unchanged attributes hidden)

      - access {
          - role          = "READER" -> null
          - special_group = "projectReaders" -> null
        }

        # (2 unchanged blocks hidden)
    }

Please let me know if you still have trouble reproducing the issue.

mwallace582 avatar Oct 11 '22 04:10 mwallace582
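
An added example, not part of the original thread or the module's code: a reviewer-side check that reduces a plan like the first one in the repro above to its net access change, so a real grant change is not lost among re-created blocks. It assumes the plan was exported with `terraform show -json`; the sample plan, including its mix of empty-string and null fields, is constructed.

```python
import json

# Constructed sample: the relevant part of `terraform show -json` output for the
# noisy plan in the repro (three access entries before, two after). The ""/null
# fields are constructed to exercise the normalisation below.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "module.bigquery.google_bigquery_dataset.main",
    "type": "google_bigquery_dataset",
    "change": {
        "actions": ["update"],
        "before": {"access": [
            {"role": "OWNER", "special_group": "projectOwners", "user_by_email": ""},
            {"role": "READER", "special_group": "projectReaders", "user_by_email": ""},
            {"role": "WRITER", "special_group": "projectWriters", "user_by_email": ""},
        ]},
        "after": {"access": [
            {"role": "OWNER", "special_group": "projectOwners", "user_by_email": None},
            {"role": "WRITER", "special_group": "projectWriters", "user_by_email": None},
        ]},
    },
}]}


def _key(entry):
    """Canonical form of one access entry: unset fields ("", null, empty) dropped."""
    kept = {k: v for k, v in entry.items() if v not in (None, "", [], {})}
    return json.dumps(kept, sort_keys=True)


def net_access_changes(plan):
    """Map each dataset address to the grants the plan really adds and removes."""
    result = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_bigquery_dataset":
            continue
        change = rc.get("change") or {}
        before = {_key(e) for e in (change.get("before") or {}).get("access") or []}
        after = {_key(e) for e in (change.get("after") or {}).get("access") or []}
        result[rc["address"]] = {
            "added": [json.loads(k) for k in sorted(after - before)],
            "removed": [json.loads(k) for k in sorted(before - after)],
        }
    return result


if __name__ == "__main__":
    print(json.dumps(net_access_changes(SAMPLE_PLAN), indent=2))
```

Entries whose values are only known after apply do not appear in `after` and are therefore not compared.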

@mwallace582 thanks for the repro! That is indeed an odd issue and your workaround lgtm! Thanks for investigating and patching this!

bharathkkb avatar Oct 12 '22 01:10 bharathkkb