
Modifying values during SchemaSetFunc modifies values provided to provider #157

Open
rileykarson opened this issue May 28, 2019 · 1 comment
Labels
bug Something isn't working

@rileykarson
Contributor

Terraform Version

$ terraform -v
Terraform v0.12.0
+ provider.google-beta v2.7.0

Terraform Configuration Files

resource "google_binary_authorization_policy" "policy" {
  project = "tf-test-etts1nfeap"

  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster = "us-central1-a.prod-cluster"
    evaluation_mode = "REQUIRE_ATTESTATION"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["projects/graphite-test-rileykarson/attestors/${google_binary_authorization_attestor.attestor.name}"]
  }
}

This set func is the cause of the error: https://github.com/terraform-providers/terraform-provider-google-beta/blob/master/google-beta/resource_binary_authorization_policy.go#L133-L149

Debug Output

---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Tue, 28 May 2019 20:38:34 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Google-Backends: [::1]:4067,/bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3.esf,phds7:9867,/bns/ph/borg/ph/bns/traffic-prod/shared-layer2-gfe/68,acseao8-v6:443
X-Google-Dos-Service-Trace: main:prisec-binauthz-policy-manager-api-prod-global,main:shared-layer2-gfe
X-Google-Esf-Cloud-Client-Params: backend_service_name: "binaryauthorization.googleapis.com" backend_fully_qualified_method: "google.cloud.binaryauthorization.v1beta1.BinauthzManagementServiceV1Beta1.GetAttestor"
X-Google-Gfe-Request-Trace: acseao8-v6:443,phds7:9867,/bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3.esf,phds7:9867,acseao8-v6:443
X-Google-Gfe-Response-Body-Transformations: chunked
X-Google-Gfe-Response-Code-Details-Trace: response_code_set_by_backend,response_code_set_by_backend
X-Google-Gfe-Service-Trace: prisec-binauthz-policy-manager-api-prod-global,shared-layer2-grpc-aggregate
X-Google-Gslb-Service: prisec-binauthz-policy-manager-api-prod-global
X-Google-Netmon-Label: /bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3
X-Google-Security-Signals: FRAMEWORK=HTTPSERVER2
X-Google-Service: prisec-binauthz-policy-manager-api-prod-global,shared-layer2-grpc-aggregate
X-Google-Session-Info: CNb76pfAHhoEGBAoCygBOkISImJpbmFyeWF1dGhvcml6YXRpb24uZ29vZ2xlYXBpcy5jb20Yydmm7oYOIhUxMDc5NTExNzM5MTQ5NzM3NDE3OTlKGDoWTk9UX0FfUEVSU0lTVEVOVF9UT0tFTg
X-Google-Shellfish-Status: CA0gBEBG
X-Xss-Protection: 0

{
  "name": "projects/graphite-test-rileykarson/attestors/tf-test-bco7gmi38f",
  "userOwnedDrydockNote": {
    "noteReference": "projects/graphite-test-rileykarson/notes/tf-test-k66eeyeqd7",
    "delegationServiceAccountEmail": "service-482878270665@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
  },
  "updateTime": "2019-05-28T20:38:33.937235Z",
  "description": "my description"
}

-----------------------------------------------------
2019/05/28 13:38:34 [WARN] Provider "google" produced an unexpected new value for google_binary_authorization_attestor.attestor, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .attestation_authority_note[0].note_reference: was cty.StringVal("tf-test-k66eeyeqd7"), but now cty.StringVal("projects/graphite-test-rileykarson/notes/tf-test-k66eeyeqd7")
2019/05/28 13:38:34 [DEBUG] google_binary_authorization_policy.policy: applying the planned Create change
2019/05/28 13:38:34 [DEBUG] Saw tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] tf-test-bco7gmi38f did not match pattern
2019/05/28 13:38:34 [DEBUG] Converting tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Returning projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Saw tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] tf-test-bco7gmi38f did not match pattern
2019/05/28 13:38:34 [DEBUG] Converting tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Returning projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Saw tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] tf-test-bco7gmi38f did not match pattern
2019/05/28 13:38:34 [DEBUG] Converting tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Returning projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Saw tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] tf-test-bco7gmi38f did not match pattern
2019/05/28 13:38:34 [DEBUG] Converting tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Returning projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f
2019/05/28 13:38:34 [DEBUG] Creating new Policy: map[string]interface {}{"admissionWhitelistPatterns":[]interface {}{map[string]interface {}{"namePattern":"gcr.io/google_containers/*"}}, "clusterAdmissionRules":map[string]interface {}{"us-central1-a.prod-cluster":map[string]interface {}{"enforcementMode":"ENFORCED_BLOCK_AND_AUDIT_LOG", "evaluationMode":"REQUIRE_ATTESTATION", "requireAttestationsBy":[]string{"projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f"}}}, "defaultAdmissionRule":map[string]interface {}{"enforcementMode":"ENFORCED_BLOCK_AND_AUDIT_LOG", "evaluationMode":"ALWAYS_ALLOW"}}
2019/05/28 13:38:34 [DEBUG] Waiting for state to become: [success]
2019/05/28 13:38:34 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
PUT /v1beta1/projects/tf-test-etts1nfeap/policy?alt=json HTTP/1.1
Host: binaryauthorization.googleapis.com
User-Agent: Terraform/0.12.0 (+https://www.terraform.io) terraform-provider-google-beta/acc
Content-Length: 434
Content-Type: application/json
Accept-Encoding: gzip

{
 "admissionWhitelistPatterns": [
  {
   "namePattern": "gcr.io/google_containers/*"
  }
 ],
 "clusterAdmissionRules": {
  "us-central1-a.prod-cluster": {
   "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
   "evaluationMode": "REQUIRE_ATTESTATION",
   "requireAttestationsBy": [
    "projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f"
   ]
  }
 },
 "defaultAdmissionRule": {
  "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
  "evaluationMode": "ALWAYS_ALLOW"
 }
}

-----------------------------------------------------
2019/05/28 13:38:34 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 404 Not Found
Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Tue, 28 May 2019 20:38:34 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Google-Backends: [::1]:4067,/bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3.esf,phgs5:9873,/bns/ph/borg/ph/bns/traffic-prod/shared-layer2-gfe/15,acseao8-v6:443
X-Google-Dos-Service-Trace: main:prisec-binauthz-policy-manager-api-prod-global,main:shared-layer2-gfe
X-Google-Esf-Cloud-Client-Params: backend_service_name: "binaryauthorization.googleapis.com" backend_fully_qualified_method: "google.cloud.binaryauthorization.v1beta1.BinauthzManagementServiceV1Beta1.UpdatePolicy"
X-Google-Gfe-Request-Trace: acseao8-v6:443,phgs5:9873,/bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3.esf,phgs5:9873,acseao8-v6:443
X-Google-Gfe-Response-Body-Transformations: chunked
X-Google-Gfe-Response-Code-Details-Trace: response_code_set_by_backend,response_code_set_by_backend
X-Google-Gfe-Service-Trace: prisec-binauthz-policy-manager-api-prod-global,shared-layer2-grpc-aggregate
X-Google-Gslb-Service: prisec-binauthz-policy-manager-api-prod-global
X-Google-Netmon-Label: /bns/jx/borg/jx/bns/binauthz-policy-manager/prod-global.binauthz-policy-manager/3
X-Google-Security-Signals: FRAMEWORK=HTTPSERVER2
X-Google-Service: prisec-binauthz-policy-manager-api-prod-global,shared-layer2-grpc-aggregate
X-Google-Session-Info: CNb76pfAHhoEGBAoCygBOkISImJpbmFyeWF1dGhvcml6YXRpb24uZ29vZ2xlYXBpcy5jb20Yydmm7oYOIhUxMDc5NTExNzM5MTQ5NzM3NDE3OTlKGDoWTk9UX0FfUEVSU0lTVEVOVF9UT0tFTg
X-Google-Shellfish-Status: CA0gBEBG
X-Xss-Protection: 0

{
  "error": {
    "code": 404,
    "message": "Resource projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f does not exist.",
    "status": "NOT_FOUND",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.DebugInfo",
        "detail": "[ORIGINAL ERROR] generic::not_found: Resource projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f does not exist. [google.rpc.error_details_ext] { message: \"Resource projects/tf-test-etts1nfeap/attestors/tf-test-bco7gmi38f does not exist.\" }"
      }
    ]
  }

Expected Behavior

Terraform supplies the real attestor name to the provider

Actual Behavior

Terraform returns the name modified by the set func

Steps to Reproduce

terraform apply

Additional Context

As stated above, see https://github.com/terraform-providers/terraform-provider-google-beta/blob/master/google-beta/resource_binary_authorization_policy.go#L133-L149 for where the Set is modified.

References

@rileykarson
Contributor Author

This occurred with 0.11.14 and 2.4.1 as well.
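
The failure mode reported in this issue, as an added Go sketch that is not the provider's or the SDK's code: a set hash function that normalizes its argument in place also changes the value the caller later sends to the API. `Element`, `hashElement`, `expand` and `SentToAPI` are hypothetical names, and both the in-place shortening and the project-qualifying step are assumptions inferred from the "Saw" / "Converting" / "Returning" debug lines above.

```go
package main

import (
	"fmt"
	"hash/crc32"
	"strings"
)

// Element is a constructed stand-in for one cluster_admission_rules block.
type Element map[string]interface{}

// hashElement hashes an element by the short names of its attestors.
// With copyFirst=false it shortens the paths in the caller's own slice, so
// hashing changes the element as a side effect; copyFirst=true works on a copy.
func hashElement(e Element, copyFirst bool) int {
	names := e["require_attestations_by"].([]string)
	if copyFirst {
		names = append([]string(nil), names...)
	}
	for i, n := range names {
		names[i] = n[strings.LastIndex(n, "/")+1:]
	}
	return int(crc32.ChecksumIEEE([]byte(strings.Join(names, ","))))
}

// expand qualifies a bare attestor name with the policy's own project
// (assumed behaviour, inferred from the "Converting"/"Returning" log lines).
func expand(project, attestor string) string {
	if strings.HasPrefix(attestor, "projects/") {
		return attestor
	}
	return "projects/" + project + "/attestors/" + attestor
}

// SentToAPI hashes a fresh element, then returns the attestor path that
// would be placed in the request body.
func SentToAPI(copyFirst bool) string {
	e := Element{"require_attestations_by": []string{
		"projects/graphite-test-rileykarson/attestors/tf-test-bco7gmi38f"}}
	hashElement(e, copyFirst)
	return expand("tf-test-etts1nfeap", e["require_attestations_by"].([]string)[0])
}

func main() {
	fmt.Println("in-place hash:", SentToAPI(false))
	fmt.Println("copying hash: ", SentToAPI(true))
}
```

With the in-place hash, the policy request names an attestor in the policy's own project rather than the project given in the configuration, which is the path the 404 response reports as missing.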
