
google_project_iam_binding replaces existing permissions. IAM to be removed are not shown in tf-plan #5760

Closed
thnitendra opened this issue Feb 25, 2020 · 6 comments
Comments

@thnitendra

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.20

Affected Resource(s)

google_project_iam_binding

Terraform Configuration Files

resource "google_project_iam_binding" "network-users" {
  project    = "my-gcp-project"
  role       = "roles/compute.networkUser"
  members = [
    "serviceAccount:000000000@cloudservices.gserviceaccount.com"
  ]
}

Expected Behavior

terraform plan should either show the IAM permissions which will be replaced after apply (which happens only if the resource is explicitly imported before apply). Or, terraform apply should fail stating that the existing permissions for this role on this project must be imported before applying.

Actual Behavior

terraform plan only shows the addition of members as part of the addition of the new resource.
terraform apply silently replaces all existing permissions unless they are explicitly imported beforehand.

Steps to Reproduce

  1. Assign User1 "Compute Network User" permissions to gcp project
  2. Add a new HCL code section in a tf file for google_project_iam_binding. Add "roles/compute.networkUser" permissions to User2
  3. terraform plan
  4. terraform apply

User1 permissions are gone after apply.

@ghost ghost added the bug label Feb 25, 2020
@edwardmedia edwardmedia self-assigned this Feb 25, 2020
@edwardmedia
Contributor

edwardmedia commented Feb 25, 2020

@thnitendra how did you add the 2nd user? When I try adding the 2nd user, it seems to be fine. I got the plan below and verified both users are fine after applying. Did I miss something? Please let me know how I can repro your issue. Thanks

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_project_iam_binding.network-users will be updated in-place
  ~ resource "google_project_iam_binding" "network-users" {
        etag    = "BwWfbFBdThg="
        id      = "myproject/roles/compute.networkUser"
      ~ members = [
          + "serviceAccount:fake-223@myproject.iam.gserviceaccount.com",
            "serviceAccount:private-cluster-0-ko@myproject.iam.gserviceaccount.com",
        ]
        project = "myproject"
        role    = "roles/compute.networkUser"
    }

Plan: 0 to add, 1 to change, 0 to destroy.

@thnitendra
Author

User2 was added through terraform. User1 was added from the GCP IAM UI, before the terraform resource was applied.
The plan you shared, I see that only after this resource "google_project_iam_binding" is present in the state file, either through terraform import or if it has been applied at least once before.
The issue can be reproduced when this resource is newly added. You can remove the state file and try applying again with a new set of users.

@ghost ghost removed the waiting-response label Feb 25, 2020
@edwardmedia
Contributor

edwardmedia commented Feb 27, 2020

@thnitendra can you try to use the resource below instead to see if that helps your use case?

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}

@thnitendra
Author

@edwardmedia
Thanks for looking into this.
Yes, google_project_iam_member is safe. Unlike iam_binding, it does not replace existing IAMs when applied for the first time.
We do now understand that we must run a terraform import when adding a new iam_binding for a role. But I guess it would be useful to document this behavior at least. What do you think?
We ended up losing all our network user permissions last week. Fortunately, we had some backup of those permissions and were able to recover them eventually.

@ghost ghost removed the waiting-response label Feb 28, 2020
@edwardmedia
Contributor

@thnitendra the difference between these two resources is authoritative vs non-authoritative. That is mentioned by the resources in the doc. You are right. You need to update the state before you can apply if you want to use the authoritative resources. I am closing the issue now. Please reopen the issue if you still need further assistance. Thank you
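The authoritative vs non-authoritative distinction above, and the silent removal described in the original report, can be checked before a first apply by diffing the project's live IAM policy against the binding's member list. The following is an added example, not code from the issue or from the Terraform provider; the policy JSON is a constructed stand-in for `gcloud projects get-iam-policy PROJECT --format=json` output with placeholder project, members and etag, and the function names are my own.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`
# (placeholder members and etag; not a real project policy).
CURRENT_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": ["user:user1@example.com",
                 "serviceAccount:000000000@cloudservices.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:auditor@example.com"]}
  ],
  "etag": "BwWfbFBdThg="
}
"""

def role_members(policy, role):
    """Return the member set currently bound to `role` (empty if the role is absent)."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            return set(binding["members"])
    return set()

def simulate_iam_binding(policy, role, members):
    """Authoritative semantics (google_project_iam_binding): the configured member
    list replaces whatever is bound to the role today. Returns (added, removed)."""
    current = role_members(policy, role)
    desired = set(members)
    return desired - current, current - desired

def simulate_iam_member(policy, role, member):
    """Non-authoritative semantics (google_project_iam_member): one member is added
    and nothing already bound to the role is removed. Returns (added, removed)."""
    current = role_members(policy, role)
    added = set() if member in current else {member}
    return added, set()

def preflight(policy_json, role, members):
    """Pre-apply check for a new, not-yet-imported binding: lists the members the
    first apply would drop, which the plan for a new resource does not show."""
    policy = json.loads(policy_json)
    added, removed = simulate_iam_binding(policy, role, members)
    return {"added": sorted(added), "removed": sorted(removed)}

if __name__ == "__main__":
    report = preflight(CURRENT_POLICY_JSON, "roles/compute.networkUser",
                       ["serviceAccount:000000000@cloudservices.gserviceaccount.com",
                        "user:user2@example.com"])
    print(json.dumps(report, indent=2))  # "removed" lists user1, who the plan would not mention
```

Wiring this into CI with a non-zero exit when `removed` is non-empty forces an explicit `terraform import` of the binding before an authoritative resource can take a role over.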

@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020