Terraform plan fails when a table resource that is parent of a DataCatalogTag is deleted outside of terraform.

[I-m-Nobody]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.10.3

Affected Resource(s)

google_data_catalog_tag

Terraform Configuration

resource "google_data_catalog_tag" "fixed_tag" {

  tag = "my-project.project_events.table_s_some_id"

  parent   = "projects/my-project/locations/us/entryGroups/@bigquery/entries/id-code-entry",
  template = "projects/my-project/locations/us-east4/tagTemplates/my_tag"

  column = "s_some_id"
}

Debug Output

Planning failed. Terraform encountered an error while generating this plan.
╷
│ Error: Error when reading or editing DataCatalogTag "projects/my-project/locations/us/entryGroups/@bigquery/entries/id-code-entry/tags/id-code-tag": googleapi: Error 403: Permission denied or tag parent does not exist.
│

Expected Behavior

As the permission are definitely there, Terraform should output a WARN statement indicating there was no action needed on the resource and continue to next resource.

Actual Behavior

The first run (to create them) worked fine, but if the table is deleted outside of Terraform it output this error and fails.

Steps to reproduce

1. Run terraform plan and apply to add a new tag to the table's column.
2. Delete the table in bigquery
3. Run terraform plan
4. Watch the run fails

Important Factoids

No response

References

The authorisations are correct as plan/apply are working in this project outsidee of this behavior.

I found other similar issue but for AWS that apparently were fixed.
hashicorp/terraform-provider-aws#3184
hashicorp/terraform-provider-aws#19932

[ggtisc]

Hi @I-m-Nobody

I noticed the following inconsistencies in this issue:

1. There isn't any argument called tag for google_data_catalog_tag as you can see in this link

2. As you can see in this other link the argument parent just accept resources of type google_data_catalog_entry or google_data_catalog_entry_group not big query tables

3. Finally you can update your Terraform state file when changes are made outside of Terraform on the Google Cloud Console using the terraform refresh command

You can find more information and examples of how to use google_data_catalog_tag and many other resources in this link

Note: If you've made significant changes manually in the console, terraform refresh might not always accurately capture all the modifications. For complex or collaborative projects, consider using a remote state backend (like Terraform Cloud or an S3 bucket) for better versioning, collaboration, and security.

To replicate this issue we need more information, please share with us the code of all resources involved like google_data_catalog_entry_group, google_data_catalog_entry, google_data_catalog_tag_template, etc.