Add warnings about custom role format for IAM bindings (#5345)
* Use more markdown for Bug

* Consistently use sentences for each bullet

* Rewrite bug reproduction block

* Allow domain mapping to succeed if DNS is pending

Signed-off-by: Modular Magician <magic-modules@google.com>

* Updated google_folder.html (#4149)

* Updated google_folder.html

The page in the first example shows that you should use organization_id with value of 1234567. In the Import example, it's not clear whether organization_id is used, or folder_id is used. API call behind this import command is only accepting folder_id (can be checked when setting TF_LOG to trace and viewing the API call).

* Update website/docs/r/google_folder.html.markdown

Co-Authored-By: Dana Hoffman <danahoffman@google.com>

Co-authored-by: Dana Hoffman <danahoffman@google.com>

* add google_kms_secret_ciphertext resource, deprecate datasource (#5314)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: Dana Hoffman <danahoffman@google.com>

* Allow add/removing Bigtable clusters (#5318)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: Riley Karson <rileykarson@google.com>

* Add bootstrapped test networks for service networking tests (#5316)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: emily <emilyye@google.com>

* Update CHANGELOG.md

* fix docs for google_bigquery_default_service_account (#5329)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: Martin Nowak <code@dawg.eu>

* Nil return for absent Bigtable resources (#5331)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: Brian Hildebrandt <brian3.14159@gmail.com>

* add lifecycle_config to dataproc_cluster.cluster_config

Signed-off-by: Modular Magician <magic-modules@google.com>

* Add warnings about custom role format for IAM bindings (#5335)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: emily <emilyye@google.com>

* Add mutex to peering create (#5338)

Signed-off-by: Modular Magician <magic-modules@google.com>

Co-authored-by: emily <emilyye@google.com>

* Add warnings about custom role format for IAM bindings (#2937)

Merged PR #2937.

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
Co-authored-by: Chris Stephens <chrisst@google.com>
Co-authored-by: Petar Marinkovic <13387474+marinkovicpetar@users.noreply.github.com>
Co-authored-by: Dana Hoffman <danahoffman@google.com>
Co-authored-by: megan07 <mbang@hashicorp.com>
Co-authored-by: Riley Karson <rileykarson@google.com>
Co-authored-by: emily <emilyye@google.com>
Co-authored-by: Paddy <paddy@hashicorp.com>
Co-authored-by: Martin Nowak <code@dawg.eu>
Co-authored-by: Brian Hildebrandt <brian3.14159@gmail.com>
11 people authored Jan 8, 2020
1 parent c3b741d commit e10d99f
Showing 31 changed files with 90 additions and 0 deletions.
Empty file added .changelog/2937.txt
Empty file.
1 change: 1 addition & 0 deletions google/resource_iam_binding.go
Expand Up @@ -110,6 +110,7 @@ func resourceIamBindingRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.Rea
}

if binding == nil {
log.Printf("[WARNING] Binding for role %q not found, assuming it has no members. If you expected existing members bound for this role, make sure your role is correctly formatted.", eBinding.Role)
log.Printf("[DEBUG] Binding for role %q and condition %+v not found in policy for %s, assuming it has no members.", eBinding.Role, eCondition, updater.DescribeResource())
d.Set("role", eBinding.Role)
d.Set("members", nil)
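Review bot: The added log.Printf in the `binding == nil` branch tags its line `[WARNING]`, which is not one of Terraform's log level names (TRACE, DEBUG, INFO, WARN, ERROR); use `[WARN]` so the line is filtered as a warning under TF_LOG, matching the `[DEBUG]` convention on the line below. The new message also drops the condition and the `updater.DescribeResource()` value that the `[DEBUG]` line reports, so with several IAM bindings in one run it does not say which policy was read as empty; add the resource description to the warning. Since this branch goes on to set `members` to nil, a mistyped custom role name is recorded as a binding with no members, and this log line is the only signal of that, so it should be as specific as possible.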
3 changes: 3 additions & 0 deletions website/docs/r/bigtable_instance_iam.html.markdown
Expand Up @@ -107,3 +107,6 @@ $ terraform import google_bigtable_instance_iam_binding.editor "projects/{projec
$ terraform import google_bigtable_instance_iam_member.editor "projects/{project}/instances/{instance} roles/editor user:jane@example.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
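Review bot: In the added note, the backticked `[projects/my-project|organizations/my-org]/roles/my-custom-role` puts alternation brackets inside what reads as a literal value, so a reader can paste it unchanged into the import ID. Spell out the two forms separately, `projects/my-project/roles/my-custom-role` and `organizations/my-org/roles/my-custom-role`, ideally inside a full `terraform import` line like the `roles/editor` examples above it. "a IAM resource" should be "an IAM resource"; both points apply to every copy of this note in the commit.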
Expand Up @@ -138,6 +138,9 @@ $ terraform import google_binary_authorization_attestor_iam_policy.editor projec
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/cloud_run_service_iam.html.markdown
Expand Up @@ -143,6 +143,9 @@ $ terraform import google_cloud_run_service_iam_policy.editor projects/{{project
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
Expand Up @@ -145,6 +145,9 @@ $ terraform import google_cloudfunctions_function_iam_policy.editor projects/{{p
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/compute_instance_iam.html.markdown
Expand Up @@ -145,6 +145,9 @@ $ terraform import google_compute_instance_iam_policy.editor projects/{{project}
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/compute_subnetwork_iam.html.markdown
Expand Up @@ -146,6 +146,9 @@ $ terraform import google_compute_subnetwork_iam_policy.editor projects/{{projec
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/dataproc_cluster_iam.html.markdown
Expand Up @@ -111,3 +111,6 @@ $ terraform import google_dataproc_cluster_iam_binding.editor "projects/{project
$ terraform import google_dataproc_cluster_iam_member.editor "projects/{project}/regions/{region}/clusters/{cluster} roles/editor user:jane@example.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/dataproc_job_iam.html.markdown
Expand Up @@ -111,3 +111,6 @@ $ terraform import google_dataproc_job_iam_binding.editor "projects/{project}/re
$ terraform import google_dataproc_job_iam_member.editor "projects/{project}/regions/{region}/jobs/{job_id} roles/editor user:jane@example.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
Expand Up @@ -50,3 +50,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
```
$ terraform import google_billing_account_iam_member.binding "your-billing-account-id roles/viewer user:foo@example.com"
```

-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/google_folder_iam_binding.html.markdown
Expand Up @@ -70,3 +70,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
```
$ terraform import google_folder_iam_binding.viewer "folder-name roles/viewer"
```

-> **Custom Roles**: If you're importing a IAM binding with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/google_folder_iam_member.html.markdown
Expand Up @@ -62,3 +62,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
```
$ terraform import google_folder_iam_member.my_project "folder-name roles/viewer user:foo@example.com"
```

-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/google_organization_iam_binding.md
Expand Up @@ -59,3 +59,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
```
$ terraform import google_organization_iam_binding.my_org "your-org-id roles/viewer"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/google_organization_iam_member.html.markdown
Expand Up @@ -51,3 +51,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
```
$ terraform import google_organization_iam_member.my_org "your-org-id roles/viewer user:foo@example.com"
```

-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
4 changes: 4 additions & 0 deletions website/docs/r/google_project_iam.html.markdown
Expand Up @@ -235,3 +235,7 @@ IAM audit config imports use the identifier of the resource in question and the
```
terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
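Review bot: The Custom Roles note lands directly under the `google_project_iam_audit_config` import example, whose identifier is `"your-project-id foo.googleapis.com"` and contains no role, so at this position it reads as guidance for audit config imports. Move it up beside the import examples whose identifier includes a role, or name those resources in the note. The hunk also adds a trailing blank line at the end of the file (4 additions here against 3 in most sibling docs); drop it.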

3 changes: 3 additions & 0 deletions website/docs/r/google_service_account_iam.html.markdown
Expand Up @@ -189,6 +189,9 @@ $ terraform import google_service_account_iam_binding.admin-account-iam "project
$ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor user:foo@example.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

With conditions:
```
$ terraform import -provider=google-beta google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} iam.serviceAccountUser expires_after_2019_12_31"
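Review bot: The note is inserted between the plain import examples and the `With conditions:` block, which splits the import examples in two and leaves it unclear whether the note covers conditional imports as well. Move it below the conditional examples so it closes the section. It would also help to reconcile it with the conditional example just below, which passes the role as `iam.serviceAccountUser` with no `roles/` prefix, next to a note that asks for the full role name.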
3 changes: 3 additions & 0 deletions website/docs/r/healthcare_dataset_iam.html.markdown
Expand Up @@ -115,3 +115,6 @@ IAM policy imports use the identifier of the resource in question. This policy
```
$ terraform import google_healthcare_dataset_iam_policy.dataset_iam your-project-id/location-name/dataset-name
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
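Review bot: The note is appended right after the `google_healthcare_dataset_iam_policy` import example, whose identifier `your-project-id/location-name/dataset-name` carries no role at all, so the reader cannot tell which import command the custom role format applies to. Place it next to the import examples that take a role in their identifier, or state in the note that it concerns the role element of those identifiers. The same placement occurs in the two Spanner IAM docs in this commit.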
3 changes: 3 additions & 0 deletions website/docs/r/iap_app_engine_service_iam.html.markdown
Expand Up @@ -143,6 +143,9 @@ $ terraform import google_iap_app_engine_service_iam_policy.editor projects/{{pr
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/iap_app_engine_version_iam.html.markdown
Expand Up @@ -147,6 +147,9 @@ $ terraform import google_iap_app_engine_version_iam_policy.editor projects/{{pr
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/iap_web_backend_service_iam.html.markdown
Expand Up @@ -138,6 +138,9 @@ $ terraform import google_iap_web_backend_service_iam_policy.editor projects/{{p
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/iap_web_iam.html.markdown
Expand Up @@ -133,6 +133,9 @@ $ terraform import google_iap_web_iam_policy.editor projects/{{project}}/iap_web
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/iap_web_type_app_engine_iam.html.markdown
Expand Up @@ -138,6 +138,9 @@ $ terraform import google_iap_web_type_app_engine_iam_policy.editor projects/{{p
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/iap_web_type_compute_iam.html.markdown
Expand Up @@ -133,6 +133,9 @@ $ terraform import google_iap_web_type_compute_iam_policy.editor projects/{{proj
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/pubsub_subscription_iam.html.markdown
Expand Up @@ -104,3 +104,6 @@ $ terraform import google_pubsub_subscription_iam_binding.editor "projects/{your
$ terraform import google_pubsub_subscription_iam_member.editor "projects/{your-project-id}/subscriptions/{your-subscription-name} roles/editor jane@example.com"
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/pubsub_topic_iam.html.markdown
Expand Up @@ -138,6 +138,9 @@ $ terraform import google_pubsub_topic_iam_policy.editor projects/{{project}}/to
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/runtimeconfig_config_iam.html.markdown
Expand Up @@ -138,6 +138,9 @@ $ terraform import google_runtimeconfig_config_iam_policy.editor projects/{{proj
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
3 changes: 3 additions & 0 deletions website/docs/r/sourcerepo_repository_iam.html.markdown
Expand Up @@ -137,6 +137,9 @@ $ terraform import google_sourcerepo_repository_iam_policy.editor projects/{{pro
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
4 changes: 4 additions & 0 deletions website/docs/r/spanner_database_iam.html.markdown
Expand Up @@ -125,3 +125,7 @@ IAM policy imports use the identifier of the resource in question, e.g.
```
$ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

3 changes: 3 additions & 0 deletions website/docs/r/spanner_instance_iam.html.markdown
Expand Up @@ -120,3 +120,6 @@ IAM policy imports use the identifier of the resource in question, e.g.
```
$ terraform import google_spanner_instance_iam_policy.instance project-name/instance-name
```

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
3 changes: 3 additions & 0 deletions website/docs/r/storage_bucket_iam.html.markdown
Expand Up @@ -134,6 +134,9 @@ $ terraform import google_storage_bucket_iam_policy.editor b/{{bucket}}
-> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
as an argument so that Terraform uses the correct provider to import your resource.

-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
