Destroying a google_cloud_identity_group resource that has at least one OWNER member fails

[sruffilli]

Terraform Version

$ terraform -v
Terraform v0.13.4

Affected Resource(s)

• google_cloud_identity_group
• google_cloud_identity_group_membership

Terraform Configuration Files (if applicable)

resource "google_cloud_identity_group" "group" {
  provider     = google-beta
  display_name = "google_cloud_identity_group test"

  parent = "customers/CXXXXXXXX"

  group_key {
    id = "[email protected]"
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

resource "google_cloud_identity_group_membership" "group_memberships" {
  provider = google-beta
  group    = google_cloud_identity_group.group.id

  member_key {
    id = "[email protected]"
  }

  roles {
    name = "MEMBER"
  }

  roles {
    name = "OWNER"
  }

}

Issue Description

Destroying a group that has at least one OWNER member fails with the following error

Error: Error when reading or editing GroupMembership: googleapi: Error 400: Error(4007): Cannot remove the OWNER role in membership 'groups/xxxxxxxxxxxxxx/memberships/NNNNNNNNNNNNNNNNNN' becuase it's the last OWNER role in the Google Groups.

This happens because terraform tries to deprovision all the google_cloud_identity_group_membership resources that depend on google_cloud_identity_group first - however APIs prevent deleting the last OWNER member. Note that this doesn't happen if a group has no OWNER members.

[edwardmedia]

@sruffilli the error message seems clear. It is blocked by API. The provider has nothing to do with it. To workaround, can you update the role to non OWNER first and then apply destroy?

[sruffilli]

APIs prevent the last OWNER of a group to be downgraded or deleted.
I'm wondering whether it's possible, when destroying a group, to avoid deleting the memberships (which would be effectively deleted when the group gets deleted).

[edwardmedia]

Let's see if there is anything the provider can do to match the API's behavior

[nat-henderson]

Similar to #7616, this resource is not implemented as well as it could be - it seems there were some API changes since we implemented it. We should revisit this entire resource.

[stevenproctor]

I see GoogleCloudPlatform/cloud-foundation-fabric#182 referenced above was merged 18 days ago this comment.

What would the timing be for this to be taken advantage of by this provider, to know what version would need to be targeted to get this working.