
BigqueryTableIamMember doesn't support IAM conditions #18645

Comments

@kvudata

kvudata commented Jul 3, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.6.3
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v13.14.0
  • provider registry.terraform.io/hashicorp/google-beta v13.14.0

Affected Resource(s)

google_bigquery_table_iam_member

Terraform Configuration

(slightly modified)

resource "google_bigquery_table_iam_member" "member" {
  project    = google_bigquery_table.test.project
  dataset_id = google_bigquery_table.test.dataset_id
  table_id   = google_bigquery_table.test.table_id
  role       = "roles/bigquery.dataEditor"
  member     = "user:jane@example.com"

  condition {
    title       = "expires_on_7_15"
    description = "Limit to business hours and expire on 7-15"
    expression  = "request.time < timestamp(\"2024-07-15T00:00:00-05:00\") && request.time.getHours('-05:00') >= 8 && request.time.getHours('-05:00') < 20 && request.time.getDayOfWeek('-05:00') >= 1 && request.time.getDayOfWeek('-05:00') <= 5"
  }
}

Debug Output

No response

Expected Behavior

The resource should've been created successfully

Actual Behavior

Fails with an error

Error: Error applying IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": Error setting IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": googleapi: Error 400: IAM setPolicy failed for Table redacted:test.test: Can't set conditional policy on this resource

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

Per https://cloud.google.com/iam/docs/resource-types-with-conditional-roles, it looks like BigQuery tables do not support conditions so it seems like a bug for the provider to provide that in the API.

b/351528828

@kvudata kvudata added the bug label Jul 3, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/bigquery labels Jul 3, 2024
@ggtisc ggtisc self-assigned this Jul 6, 2024
@ggtisc
Collaborator

ggtisc commented Jul 6, 2024

Confirmed issue!

When trying to create the resource google_bigquery_table_iam_member with the shared code or even with the terraform registry example it returns the following message:

Error: Error applying IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": Error setting IAM policy for bigquery table "projects/redacted/datasets/test/tables/test": googleapi: Error 400: IAM setPolicy failed for Table redacted:test.test: Can't set conditional policy on this resource

@ggtisc ggtisc removed their assignment Jul 6, 2024
@ggtisc ggtisc removed the forward/review In review; remove label to forward label Jul 6, 2024
@wj-chen

wj-chen commented Jul 8, 2024

Confirmed as well. Thanks for reporting the issue, I will forward the internal version of this issue to the Table/IAM API team.

@wj-chen

wj-chen commented Aug 5, 2024

@kvudata and others impacted - I received the following guidance from the BigQuery Security and Governance team:

IAM Conditions are only supported at the project, folder, and organization level.

Please see https://cloud.google.com/bigquery/docs/conditions.

Could you try setting the condition on e.g. google_project_iam_member and setting resource.name and resource.type in expression (see examples) to scope the grant to a specific Table?

In terms of documentations, I double checked that https://cloud.google.com/iam/docs/resource-types-with-conditional-roles doesn't mention BigQuery, but we'll update https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam#google_bigquery_table_iam_member to remove the example config since it's invalid.
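The project-level workaround described in the comment above, written out as an added example (it is not code from the issue thread or from the provider's documentation). It moves the same dataEditor grant and the same business-hours/expiry condition from the reporter's config onto google_project_iam_member and narrows it to one table with resource.type and resource.name. PROJECT_ID, DATASET_ID and TABLE_ID are placeholders; the resource type string and the resource name format are the ones documented for BigQuery IAM conditions, and the rest of the expression is assumed to match the reporter's intent.

```hcl
# Added example, not from the issue thread. Placeholders: PROJECT_ID,
# DATASET_ID, TABLE_ID. Resource type/name formats follow
# https://cloud.google.com/bigquery/docs/conditions.
locals {
  project_id = "PROJECT_ID"
  dataset_id = "DATASET_ID"
  table_id   = "TABLE_ID"

  # Fully qualified table name as IAM condition evaluation sees it.
  table_resource_name = "projects/${local.project_id}/datasets/${local.dataset_id}/tables/${local.table_id}"
}

# The role is granted at the project level (the only level where BigQuery
# honours conditions), but the condition restricts it to a single table,
# to business hours in UTC-5, and to requests before the expiry date.
resource "google_project_iam_member" "table_editor_scoped" {
  project = local.project_id
  role    = "roles/bigquery.dataEditor"
  member  = "user:jane@example.com"

  condition {
    title       = "table_scoped_expires_on_7_15"
    description = "dataEditor on one table, business hours only, expires 2024-07-15"
    expression  = <<-EOT
      resource.type == "bigquery.googleapis.com/Table" &&
      resource.name == "${local.table_resource_name}" &&
      request.time < timestamp("2024-07-15T00:00:00-05:00") &&
      request.time.getHours("-05:00") >= 8 &&
      request.time.getHours("-05:00") < 20 &&
      request.time.getDayOfWeek("-05:00") >= 1 &&
      request.time.getDayOfWeek("-05:00") <= 5
    EOT
  }
}
```

Two things to keep in mind when reviewing a grant like this: google_project_iam_member is non-authoritative and the provider identifies the binding by role, member and condition title, so renaming the title creates a new binding rather than updating the old one (remove the old one explicitly); and because the condition is evaluated against the resource being accessed, it grants nothing on the enclosing dataset, so operations evaluated at dataset level (for example listing or describing the dataset) need their own, separately scoped grant.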

@kvudata
Author

kvudata commented Aug 6, 2024

Yes, I've managed to workaround this by using google_project_iam_member.

@wj-chen

wj-chen commented Aug 6, 2024

Thank you for confirming. We'll be removing the misleading example on the Terraform resource documentations about setting IAM conditions on Table and others.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2024