
IAM members created but not added in state (inconsistent result after apply) #20968

Open
marcomicera opened this issue Jan 20, 2025 · 1 comment


marcomicera commented Jan 20, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.7
on darwin_amd64
+ provider registry.terraform.io/1password/onepassword v2.1.2
+ provider registry.terraform.io/hashicorp/google v6.16.0
+ provider registry.terraform.io/hashicorp/google-beta v5.45.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.12.

Affected Resource(s)

google_storage_bucket_iam_members

Terraform Configuration

config.tfvars:

user_archive = { environments = [
  { name = "test" },
  { name = "stg" }
]}

main.tf (caller):

terraform {
  required_version = "~> 1.9.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6"
    }
  }
}

module "user-archive" {
  source   = "[...] user-archive-module [...]"
  for_each = { for index, env in var.user_archive.environments : env.name => env }
}

The user-archive module:

resource "google_storage_bucket_iam_member" "consumer_access_to_accounts" {
  bucket = google_storage_bucket.accounts.name
  member = "group:team-consumer@example.com"
  role   = "roles/storage.objectUser"
}

resource "google_storage_bucket_iam_member" "consumer_access_to_assessments" {
  bucket = google_storage_bucket.assessments.name
  member = "group:team-consumer@example.com"
  role.  = "roles/storage.objectUser"
}

Debug Output

No response

Can't share details in the debug log.

Expected Behavior

  1. The google_storage_bucket_iam_members are created
  2. The google_storage_bucket_iam_members get added to the Terraform state

Actual Behavior

  1. The google_storage_bucket_iam_members are created
  2. The google_storage_bucket_iam_members are not being added to the Terraform state
  • terraform apply fails with:
    │ Error: Provider produced inconsistent result after apply
    │ 
    │ When applying changes to
    │ module.user-archive["stg"].google_storage_bucket_iam_member.consumer_access_to_accounts[0],
    │ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an
    │ unexpected new value: Root object was present, but now absent.
    │ 
    │ This is a bug in the provider, which should be reported in the provider's
    │ own issue tracker.
    
  • terraform imports fail with:
    Error: Cannot find binding for "storage bucket \"b/adahealth_user_archive_accounts_stg\"" with role "roles/storage.objectUser", member "group:team-consumer@example.com", and condition title ""
    

Steps to reproduce

  1. terraform plan -var-file=config.tfvars
  2. terraform apply

Important Factoids

No response

References

No response
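A check a practitioner might run after hitting the error above, added here and not part of the issue, the module or the google provider: it diffs a bucket's live IAM policy against `terraform show -json` output and reports grants that exist on the bucket but are not tracked in state, using the same (bucket, role, member, condition title) identity that the import error prints. The bucket names, the service account and both JSON samples are constructed; in practice the two documents come from `terraform show -json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`.

```python
import json

# Constructed sample of `terraform show -json`: state tracks the assessments grant,
# but the accounts grant never made it into state (the scenario reported above).
STATE_JSON = """{"values": {"root_module": {"resources": [], "child_modules": [
  {"address": "module.user-archive[\\"stg\\"]", "resources": [
    {"type": "google_storage_bucket_iam_member",
     "address": "module.user-archive[\\"stg\\"].google_storage_bucket_iam_member.consumer_access_to_assessments",
     "values": {"bucket": "archive-assessments-stg", "role": "roles/storage.objectUser",
                "member": "group:team-consumer@example.com", "condition": []}}]}]}}}"""

# Constructed sample of the live policy of gs://archive-accounts-stg (placeholder bucket).
POLICY_JSON = """{"bindings": [
  {"role": "roles/storage.objectUser", "members": ["group:team-consumer@example.com"]},
  {"role": "roles/storage.admin", "members": ["serviceAccount:tf@example.iam.gserviceaccount.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}]}"""


def load_samples():
    """Parse the constructed samples; replace with real command output in practice."""
    return json.loads(STATE_JSON), json.loads(POLICY_JSON)


def bindings_in_state(state):
    """Collect every google_storage_bucket_iam_member tracked anywhere in the module
    tree as (bucket, role, member, condition_title), the identity the provider uses."""
    found = set()

    def walk(mod):
        for res in mod.get("resources", []):
            if res.get("type") == "google_storage_bucket_iam_member":
                v = res["values"]
                cond = v.get("condition") or []  # condition is a (possibly empty) block list
                found.add((v["bucket"], v["role"], v["member"], cond[0]["title"] if cond else ""))
        for child in mod.get("child_modules", []):
            walk(child)

    walk(state["values"]["root_module"])
    return found


def bindings_in_policy(bucket, policy):
    """Flatten a bucket IAM policy into the same identity tuples."""
    return {(bucket, b["role"], m, (b.get("condition") or {}).get("title", ""))
            for b in policy.get("bindings", []) for m in b["members"]}


def untracked_grants(state, bucket, policy):
    """Grants live on the bucket but absent from state: access that Terraform will
    neither show in a plan nor revoke on destroy, so it must be reconciled by hand."""
    return bindings_in_policy(bucket, policy) - bindings_in_state(state)


if __name__ == "__main__":
    state, policy = load_samples()
    for grant in sorted(untracked_grants(state, "archive-accounts-stg", policy)):
        print("UNTRACKED:", grant)
```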

@github-actions github-actions bot added labels forward/review (In review; remove label to forward) and service/storage on Jan 20, 2025
@ggtisc ggtisc self-assigned this Jan 21, 2025
ggtisc (Collaborator) commented Jan 21, 2025

Hi @marcomicera

After many tries with the code of the shared resources (consumer_access_to_accounts and consumer_access_to_assessments), everything works fine, even with the examples from the Terraform registry (link here).

Both resources were created successfully and registered in the tfstate file. I suggest you check the configuration of your module and environment variables because I noticed nomenclature errors like this:

role. = "roles/storage.objectUser" -> needs to be role = "roles/storage.objectUser" without the .
