Add warnings about custom role format for IAM bindings (#1605)

* Allow domain mapping to succeed if DNS is pending Signed-off-by: Modular Magician <[email protected]> * Update google_folder import description (#1592) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Dana Hoffman <[email protected]> * add google_kms_secret_ciphertext resource, deprecate datasource (#1586) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Dana Hoffman <[email protected]> * Allow add/removing Bigtable clusters (#1589) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Riley Karson <[email protected]> * Add bootstrapped test networks for service networking tests (#1588) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: emily <[email protected]> * Update CHANGELOG.md * fix docs for google_bigquery_default_service_account (#1596) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Martin Nowak <[email protected]> * Nil return for absent Bigtable resources (#1597) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Brian Hildebrandt <[email protected]> * add lifecycle_config to dataproc_cluster.cluster_config Signed-off-by: Modular Magician <[email protected]> * Add warnings about custom role format for IAM bindings (#1600) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: emily <[email protected]> * Add mutex to peering create (#1601) Signed-off-by: Modular Magician <[email protected]> Co-authored-by: emily <[email protected]> * Add warnings about custom role format for IAM bindings (#2937) Merged PR #2937. Co-authored-by: Chris Stephens <[email protected]> Co-authored-by: Dana Hoffman <[email protected]> Co-authored-by: Riley Karson <[email protected]> Co-authored-by: emily <[email protected]> Co-authored-by: Paddy <[email protected]> Co-authored-by: Martin Nowak <[email protected]> Co-authored-by: Brian Hildebrandt <[email protected]> Co-authored-by: megan07 <[email protected]>
hashicorp · Jan 8, 2020 · cd448e9 · cd448e9
1 parent e587732
commit cd448e9
Show file tree

Hide file tree

Showing 31 changed files with 90 additions and 0 deletions.
diff --git a/.changelog/2937.txt b/.changelog/2937.txt
diff --git a/google-beta/resource_iam_binding.go b/google-beta/resource_iam_binding.go
@@ -139,6 +139,7 @@ func resourceIamBindingRead(newUpdaterFunc newResourceIamUpdaterFunc) schema.Rea
 		}
 
 		if binding == nil {
+			log.Printf("[WARNING] Binding for role %q not found, assuming it has no members. If you expected existing members bound for this role, make sure your role is correctly formatted.", eBinding.Role)
 			log.Printf("[DEBUG] Binding for role %q and condition %+v not found in policy for %s, assuming it has no members.", eBinding.Role, eCondition, updater.DescribeResource())
 			d.Set("role", eBinding.Role)
 			d.Set("members", nil)

diff --git a/website/docs/r/bigtable_instance_iam.html.markdown b/website/docs/r/bigtable_instance_iam.html.markdown
@@ -107,3 +107,6 @@ $ terraform import google_bigtable_instance_iam_binding.editor "projects/{projec
 
 $ terraform import google_bigtable_instance_iam_member.editor "projects/{project}/instances/{instance} roles/editor user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/binary_authorization_attestor_iam.html.markdown b/website/docs/r/binary_authorization_attestor_iam.html.markdown
@@ -138,6 +138,9 @@ $ terraform import google_binary_authorization_attestor_iam_policy.editor projec
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/cloud_run_service_iam.html.markdown b/website/docs/r/cloud_run_service_iam.html.markdown
@@ -143,6 +143,9 @@ $ terraform import google_cloud_run_service_iam_policy.editor projects/{{project
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/cloudfunctions_cloud_function_iam.html.markdown b/website/docs/r/cloudfunctions_cloud_function_iam.html.markdown
@@ -145,6 +145,9 @@ $ terraform import google_cloudfunctions_function_iam_policy.editor projects/{{p
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/compute_instance_iam.html.markdown b/website/docs/r/compute_instance_iam.html.markdown
@@ -222,6 +222,9 @@ $ terraform import google_compute_instance_iam_policy.editor projects/{{project}
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/compute_subnetwork_iam.html.markdown b/website/docs/r/compute_subnetwork_iam.html.markdown
@@ -146,6 +146,9 @@ $ terraform import google_compute_subnetwork_iam_policy.editor projects/{{projec
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/dataproc_cluster_iam.html.markdown b/website/docs/r/dataproc_cluster_iam.html.markdown
@@ -111,3 +111,6 @@ $ terraform import google_dataproc_cluster_iam_binding.editor "projects/{project
 
 $ terraform import google_dataproc_cluster_iam_member.editor "projects/{project}/regions/{region}/clusters/{cluster} roles/editor user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/dataproc_job_iam.html.markdown b/website/docs/r/dataproc_job_iam.html.markdown
@@ -111,3 +111,6 @@ $ terraform import google_dataproc_job_iam_binding.editor "projects/{project}/re
 
 $ terraform import google_dataproc_job_iam_member.editor "projects/{project}/regions/{region}/jobs/{job_id} roles/editor user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_billing_account_iam_member.html.markdown b/website/docs/r/google_billing_account_iam_member.html.markdown
@@ -50,3 +50,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
 ```
 $ terraform import google_billing_account_iam_member.binding "your-billing-account-id roles/viewer user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_folder_iam_binding.html.markdown b/website/docs/r/google_folder_iam_binding.html.markdown
@@ -70,3 +70,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
 ```
 $ terraform import google_folder_iam_binding.viewer "folder-name roles/viewer"
 ```
+
+-> **Custom Roles**: If you're importing a IAM binding with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_folder_iam_member.html.markdown b/website/docs/r/google_folder_iam_member.html.markdown
@@ -62,3 +62,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
 ```
 $ terraform import google_folder_iam_member.my_project "folder-name roles/viewer user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_organization_iam_binding.md b/website/docs/r/google_organization_iam_binding.md
@@ -59,3 +59,6 @@ IAM binding imports use space-delimited identifiers; first the resource in quest
 ```
 $ terraform import google_organization_iam_binding.my_org "your-org-id roles/viewer"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_organization_iam_member.html.markdown b/website/docs/r/google_organization_iam_member.html.markdown
@@ -51,3 +51,6 @@ IAM member imports use space-delimited identifiers; the resource in question, th
 ```
 $ terraform import google_organization_iam_member.my_org "your-org-id roles/viewer user:[email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM member with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/google_project_iam.html.markdown b/website/docs/r/google_project_iam.html.markdown
@@ -235,3 +235,7 @@ IAM audit config imports use the identifier of the resource in question and the
 ```
 terraform import google_project_iam_audit_config.my_project "your-project-id foo.googleapis.com"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
diff --git a/website/docs/r/google_service_account_iam.html.markdown b/website/docs/r/google_service_account_iam.html.markdown
@@ -189,6 +189,9 @@ $ terraform import google_service_account_iam_binding.admin-account-iam "project
 $ terraform import google_service_account_iam_member.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} roles/editor user:[email protected]"
 ```
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 With conditions:
 ```
 $ terraform import -provider=google-beta google_service_account_iam_binding.admin-account-iam "projects/{your-project-id}/serviceAccounts/{your-service-account-email} iam.serviceAccountUser expires_after_2019_12_31"

diff --git a/website/docs/r/healthcare_dataset_iam.html.markdown b/website/docs/r/healthcare_dataset_iam.html.markdown
@@ -115,3 +115,6 @@ IAM policy imports use the identifier of the resource in question.  This policy
 ```
 $ terraform import google_healthcare_dataset_iam_policy.dataset_iam your-project-id/location-name/dataset-name
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/iap_app_engine_service_iam.html.markdown b/website/docs/r/iap_app_engine_service_iam.html.markdown
@@ -220,6 +220,9 @@ $ terraform import google_iap_app_engine_service_iam_policy.editor projects/{{pr
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/iap_app_engine_version_iam.html.markdown b/website/docs/r/iap_app_engine_version_iam.html.markdown
@@ -227,6 +227,9 @@ $ terraform import google_iap_app_engine_version_iam_policy.editor projects/{{pr
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/iap_web_backend_service_iam.html.markdown b/website/docs/r/iap_web_backend_service_iam.html.markdown
@@ -212,6 +212,9 @@ $ terraform import google_iap_web_backend_service_iam_policy.editor projects/{{p
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/iap_web_iam.html.markdown b/website/docs/r/iap_web_iam.html.markdown
@@ -204,6 +204,9 @@ $ terraform import google_iap_web_iam_policy.editor projects/{{project}}/iap_web
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/iap_web_type_app_engine_iam.html.markdown b/website/docs/r/iap_web_type_app_engine_iam.html.markdown
@@ -212,6 +212,9 @@ $ terraform import google_iap_web_type_app_engine_iam_policy.editor projects/{{p
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/iap_web_type_compute_iam.html.markdown b/website/docs/r/iap_web_type_compute_iam.html.markdown
@@ -204,6 +204,9 @@ $ terraform import google_iap_web_type_compute_iam_policy.editor projects/{{proj
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/pubsub_subscription_iam.html.markdown b/website/docs/r/pubsub_subscription_iam.html.markdown
@@ -104,3 +104,6 @@ $ terraform import google_pubsub_subscription_iam_binding.editor "projects/{your
 
 $ terraform import google_pubsub_subscription_iam_member.editor "projects/{your-project-id}/subscriptions/{your-subscription-name} roles/editor [email protected]"
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/pubsub_topic_iam.html.markdown b/website/docs/r/pubsub_topic_iam.html.markdown
@@ -138,6 +138,9 @@ $ terraform import google_pubsub_topic_iam_policy.editor projects/{{project}}/to
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/runtimeconfig_config_iam.html.markdown b/website/docs/r/runtimeconfig_config_iam.html.markdown
@@ -138,6 +138,9 @@ $ terraform import google_runtimeconfig_config_iam_policy.editor projects/{{proj
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/sourcerepo_repository_iam.html.markdown b/website/docs/r/sourcerepo_repository_iam.html.markdown
@@ -137,6 +137,9 @@ $ terraform import google_sourcerepo_repository_iam_policy.editor projects/{{pro
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
diff --git a/website/docs/r/spanner_database_iam.html.markdown b/website/docs/r/spanner_database_iam.html.markdown
@@ -125,3 +125,7 @@ IAM policy imports use the identifier of the resource in question, e.g.
 ```
 $ terraform import google_spanner_database_iam_policy.database project-name/instance-name/database-name
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
diff --git a/website/docs/r/spanner_instance_iam.html.markdown b/website/docs/r/spanner_instance_iam.html.markdown
@@ -120,3 +120,6 @@ IAM policy imports use the identifier of the resource in question, e.g.
 ```
 $ terraform import google_spanner_instance_iam_policy.instance project-name/instance-name
 ```
+
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
diff --git a/website/docs/r/storage_bucket_iam.html.markdown b/website/docs/r/storage_bucket_iam.html.markdown
@@ -205,6 +205,9 @@ $ terraform import google_storage_bucket_iam_policy.editor b/{{bucket}}
 -> If you're importing a resource with beta features, make sure to include `-provider=google-beta`
 as an argument so that Terraform uses the correct provider to import your resource.
 
+-> **Custom Roles**: If you're importing a IAM resource with a custom role, make sure to use the
+ full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.
+
 ## User Project Overrides
 
 This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).