Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix inconsistencies in how IAM policies are stored in state #4722

Merged
merged 1 commit into from
Sep 27, 2022
Merged

Fix inconsistencies in how IAM policies are stored in state #4722

merged 1 commit into from
Sep 27, 2022

Conversation

modular-magician
Copy link
Collaborator

Description

Partially fixes hashicorp/terraform-provider-google#8701

This PR changes how the google_iam_policy data source stores the user-entered data in its computed policy_data attribute. It is addressing the first issue I describe in this comment on the original issue.

I've updated how the google_iam_policy data source processes its binding blocks into a JSON string which it stores as the policy_data attribute. I've made this processing resemble what happens in the API, so there should not be a mismatch between the JSON of the policy in the data source's state and the resource's state.

Manual tests

Using the config I describe in this comment I apply the first plan to create everything and then make this small edit

-    description = "This one has a description"
+    description = "This one has a description and I edited it"

When I generate a plan with the latest provider version I see lots of unnecessary diffs as reported in the original issue:

Screenshot 2022-08-25 at 17 10 03

When I generate a plan using this PR's changes the diff is much smaller:

Screenshot 2022-08-25 at 17 20 06

👆 The extra diffs for setting an empty description are another issue I'm thinking of handling in a separate PR to this one

Checklist

If this PR is for Terraform, I acknowledge that I have:

  • Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
  • Generated Terraform, and ran make test and make lint to ensure it passes unit and linter tests.
  • Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests). N/A
  • Ran relevant acceptance tests (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
    • I ran the TestAccArtifactRegistryRepositoryIamPolicyGenerated acceptance test that uses the google_iam_policy data source and it passed ok
  • Read the Release Notes Guide before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

iam: fixed diffs between `policy_data` from `google_iam_policy` data source and policy data in API responses

Derived from GoogleCloudPlatform/magic-modules#6466

@modular-magician
Fix inconsistencies in how IAM policies are stored in state (hashicor…
5f50745 
…p#6466)

* Add tests for existing `dataSourceGoogleIamPolicyRead` function behaviour

* Add red (non-passing) tests for new `dataSourceGoogleIamPolicyRead` behaviour

* Update tests to check both numbers of bindings from config vs in policy_data output

This is necessary because policy_data will need to consolidate bindings, and state for binding{} blocks needs to keep data separate

* Update function to pass uncommented tests

* Refactor test setup

* Change structure of test input data to minimise processing in the test function + add and update test cases

Need to check if test assumptions like `bindings on the same role with different conditions, with the same title, are next sorted by condition expression` is correct or not

* WIP: Update sorting of bindings to include: role, condition presence, condition fields.

* Formatting changes to make .erb match output .go file

* Update tests to match the sorting behaviour of the API, update sorting function to pass tests

* Refactor existing tests for clarity

* Add tests for deduplication and complex sorting scenario

* Fix sorting bug where 'lesser' roles is incorrectly sorted to a later index in a list if it has a condition

* Refactor `dataSourceGoogleIamPolicyRead` to reduce looping and pull sorting function out into a named function

* Make binding map use human-readable keys

Signed-off-by: Modular Magician <[email protected]>
@modular-magician modular-magician merged commit bbb1378 into hashicorp:main Sep 27, 2022
@modular-magician modular-magician deleted the downstream-pr-63d44e19599ce79a9400d5aec9b9b1c1b397bf0c branch November 16, 2024 03:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

google_iam_policy with multiple bindings show changes on every plan
1 participant
@modular-magician