Organization Custom Role seems to be created with GA stage instead of specified value

[alethenorio]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

0.14.4

Affected Resource(s)

google_organization_iam_custom_role

Terraform Configuration Files

resource "google_organization_iam_custom_role" "spanner_database_creator" {
  role_id     = "spannerDatabaseCreator"
  org_id      = data.google_organization.org.org_id
  title       = "Spanner Database Creator"
  stage       = "ALPHA"
  description = "Allow creating databases in Spanner"
  permissions = ["spanner.databases.create", "spanner.databases.get", "spanner.instances.get"]
}

Terraform apply

Step #4 - "terraform apply": google_organization_iam_custom_role.spanner_database_creator: Creating...
Step #4 - "terraform apply": google_organization_iam_custom_role.spanner_database_creator: Creation complete after 1s [id=organizations/XXXXXXX/roles/spannerDatabaseCreator]

Immediately after applying the above running terraform plan returns the following

# google_organization_iam_custom_role.spanner_database_creator will be updated in-place
  ~ resource "google_organization_iam_custom_role" "spanner_database_creator" {
        id          = "organizations/XXXXXXX/roles/spannerDatabaseCreator"
        name        = "organizations/XXXXXXXX/roles/spannerDatabaseCreator"
      ~ stage       = "GA" -> "ALPHA"
        # (6 unchanged attributes hidden)
    }
``'

### Debug Output

https://gist.github.com/alethenorio/56aea0bc73c38bfbc1beb0f56d03ba38

### Panic Output

### Expected Behavior

When running terraform apply, it should have applied with the right given stage and there should be nothing no planned changes afterwards.

### Actual Behavior

Terraform reports that the organization custom role needs to be changed from GA (Which is not what is/was specified in the terraform config) to the value set in the config

### Steps to Reproduce

1. `terraform apply`
2. `terraform plan`

### Important Factoids

### References

[venkykuberan]

I suspect API is returning GA in the response. Can you please attach your debug log here.

[alethenorio]

@venkykuberan I created a throaway role with debug on and pasted the gist link up there. Eve though there are some 400 responses in that I ended up in the same situation when running plan afterwards where it wanted to change the stage.

The resource in question here is

resource "google_organization_iam_custom_role" "tf_bug_reproducer" {
  role_id = "terraform-org-role-issue-reproducer"
  org_id  = data.google_organization.org.org_id
  title   = "Terraform Org Role Issue Reproducer"
  stage       = "ALPHA"
  description = "Only exists for reproducing terraform issue. Let it be deleted and die"
  permissions = ["spanner.databases.create", "spanner.databases.get", "spanner.instances.get"]
}

[venkykuberan]

@alethenorio per API Doc - https://cloud.google.com/iam/docs/reference/rest/v1/organizations.roles#Role.RoleLaunchStage

ALPHA - The user has indicated this role is currently in an Alpha phase. If this launch stage is selected, the stage field will not be included when requesting the definition for a given role.

Due to that we create the role with default stage GA when ALPHA is used in the config and looks like the diffsuppress function we have isn't working as expected. We will work on the fix

Sample API Request & Response

PATCH /v1/organizations/xxxxx/roles/tfIamCustomRoleiab1rome7s?alt=json&prettyPrint=false HTTP/1.1
Host: iam.googleapis.com
User-Agent: google-api-go-client/0.5 Terraform/0.14.0 (+https://www.terraform.io) Terraform-Plugin-SDK/2.4.2 terraform-provider-google/acc
Content-Length: 163
Content-Type: application/json
X-Goog-Api-Client: gl-go/1.15.6 gdcl/20210128
Accept-Encoding: gzip

{
 "description": "bar",
 "includedPermissions": [
  "resourcemanager.organizations.get",
  "resourcemanager.projects.list"
 ],
 "stage": "ALPHA",
 "title": "My Custom Role Updated"
}

-----------------------------------------------------
2021/02/15 11:13:47 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
{
 "name": "organizations/xxxx/roles/tfIamCustomRoleiab1rome7s",
 "title": "My Custom Role Updated",
 "description": "bar",
 "includedPermissions": [
  "resourcemanager.organizations.get",
  "resourcemanager.projects.list"
 ],
 "etag": "BwW7ZMkDi4Y="
}
-----------------------------------------------------

[alethenorio]

Thank you.

It is a strange API to not return the value if it is set to ALPHA but that does explain it.

[slevenick]

That's actually pretty unusual. What version of the provider are you using? This looks like it was fixed years ago: #1801

[alethenorio]

We are using version 3.54.0 of the Google provider