Bigquery dataset access is getting removed and added whenever something is deployed #7755

Closed
Dhanabalan-pop opened this issue Nov 9, 2020 · 8 comments

Comments


Dhanabalan-pop commented Nov 9, 2020

Affected Resource(s)

  • google_bigquery_dataset

resource "google_bigquery_dataset" "bq_dataset" {
  project    = var.project_name
  dataset_id = var.dataset-id
  location   = var.location

  access {
    role           = "READER"
    group_by_email = var.hr_group_email
  }
  access {
    role           = "roles/bigquery.user"
    group_by_email = var.hr_group_email
  }

  access {
    role          = "WRITER"
    special_group = "projectWriters"
  }
  access {
    role          = "OWNER"
    special_group = "projectOwners"
  }
  access {
    role          = "READER"
    special_group = "projectReaders"
  }
}

Above is my code. Every time I deploy, access is getting removed and re-added. What is the issue? Do I need to update anything here in the code?

b/301412445

@venkykuberan venkykuberan self-assigned this Nov 9, 2020
@venkykuberan
Contributor

@Dhanabalan-pop config seems right, you shouldn't see any perma diffs. I don't see it happening on my end. Can you please share your plan output and include the Terraform version you are using?

P.S. - In future please follow the template while raising the issue, as it helps us to narrow down the problematic area.

@Dhanabalan-pop
Author

Terraform will perform the following actions:

  # module.bigquery_test_dataset_module.google_bigquery_dataset.bq_dataset will be updated in-place
  ~ resource "google_bigquery_dataset" "bq_dataset" {
        creation_time                   = 1576811777338
        dataset_id                      = "test"
        default_partition_expiration_ms = 0
        default_table_expiration_ms     = 0
        delete_contents_on_destroy      = false
        etag                            = "cop5nCu71BkwSGzOO8EB2A=="
        id                              = "projects/dhana/datasets/test"
        labels                          = {}
        last_modified_time              = 1605103603129
        location                        = "US"
        project                         = "dhana"
        self_link                       = "https://bigquery.googleapis.com/bigquery/v2/projects/dhana/datasets/test"

I'm using GitLab CI (GitLab runner with a Docker Terraform image); the Terraform version is 0.13.5 and the Google provider version is google v3.47.0.

@ghost ghost removed waiting-response labels Nov 11, 2020
@venkykuberan
Contributor

The diff you posted says that Terraform identified a change in your config: the legacy format is replaced with the roles/xx/xx format, which isn't the recommended approach.

We have a note for this in our doc:

You must specify the role field using the legacy format OWNER instead of roles/bigquery.dataOwner. The API does accept both formats but it will always return the legacy format which results in Terraform showing permanent diff on each plan and apply operation. 
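One way to tell role-format noise from real grant changes when reviewing a plan, as an added example that is not part of this thread or the provider's code. It assumes the plan has been exported with `terraform show -json`; the `review_access` and `normalize` names and the sample plan are constructed for illustration, and the WRITER and READER mappings come from BigQuery's dataset access documentation rather than from the note above.

```python
import json

# Role names the BigQuery API returns in legacy form. OWNER is from the provider
# note quoted above; the WRITER and READER pairs are BigQuery's other basic roles.
LEGACY = {
    "roles/bigquery.dataOwner": "OWNER",
    "roles/bigquery.dataEditor": "WRITER",
    "roles/bigquery.dataViewer": "READER",
}

def normalize(entry):
    """Canonical JSON for one access block: unset attributes dropped, role in legacy form."""
    kept = {k: v for k, v in entry.items() if v not in (None, "", [])}
    if "role" in kept:
        kept["role"] = LEGACY.get(kept["role"], kept["role"])
    return json.dumps(kept, sort_keys=True)

def review_access(plan):
    """Per dataset, list non-legacy roles and the grants that really change."""
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_bigquery_dataset":
            continue
        change = rc.get("change", {})
        before = (change.get("before") or {}).get("access") or []
        after = (change.get("after") or {}).get("access") or []
        old, new = {normalize(a) for a in before}, {normalize(a) for a in after}
        report[rc["address"]] = {
            "non_legacy_roles": sorted({a["role"] for a in after if a.get("role") in LEGACY}),
            "added": [json.loads(e) for e in sorted(new - old)],
            "removed": [json.loads(e) for e in sorted(old - new)],
        }
    return report

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "google_bigquery_dataset.dataset", "type": "google_bigquery_dataset",
    "change": {
        "before": {"access": [
            {"role": "OWNER", "user_by_email": "owner@example.com", "domain": ""},
            {"role": "READER", "domain": "example.com", "user_by_email": ""}]},
        "after": {"access": [
            {"role": "roles/bigquery.dataOwner", "user_by_email": "owner@example.com"},
            {"role": "READER", "domain": "example.com", "user_by_email": None},
            {"role": "WRITER", "group_by_email": "new-team@example.com"}]},
    },
}]}

if __name__ == "__main__":
    print(json.dumps(review_access(SAMPLE_PLAN), indent=2))
```

A dataset that reports entries under `non_legacy_roles` but empty `added` and `removed` lists is showing only the permanent diff described in the note; anything in `added` or `removed` is an actual change to who can reach the dataset.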

@MaximusMcCann

MaximusMcCann commented Jan 6, 2023

+1.
Terraform v1.3.7
Hashicorp/google v4.47.0

I have specified the legacy format :(

main.tf

resource "google_bigquery_dataset" "dataset" {
...
...
  access {
    role   = "READER"
    domain = "xyz1.com"
  }

  access {
    role   = "READER"
    domain = "xyz2.com"
  }

  access {
    role          = "OWNER"
    user_by_email = google_service_account.bqowner.email
  }
}

terraform apply yields

...
...
  # google_bigquery_dataset.dataset will be updated in-place
  ~ resource "google_bigquery_dataset" "dataset" {
        id                              = "projects/xyz/datasets/xyz_logs"
        # (13 unchanged attributes hidden)

      - access {
          - role          = "OWNER" -> null
          - user_by_email = "[email protected]" -> null
        }
      - access {
          - domain = "xyz1.com" -> null
          - role   = "READER" -> null
        }
      + access {
          + domain = "xyz1.com"
          + role   = "READER"
        }
      + access {
          + domain = "xyz2.com"
          + role   = "READER"
        }
      + access {
          + role          = "OWNER"
          + user_by_email = "[email protected]"
        }
    }

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Apr 20, 2023
* Configuration for traffic director Mesh resource.

* Add more tests for Mesh resource

* Use new provider for test

* Configuration for service binding.

* Add hand written test for service binding.

* Revert "Add hand written test for service binding."

This reverts commit 367449af370e7e09509cba20d24ed2c152251072.

* Update service binding yaml.

* reduce timeouts.

* Update mmv1/products/networkservices/ServiceBinding.yaml

Co-authored-by: Sam Levenick <[email protected]>

* Service binding update test.

* Fix compile error.

* Add configuration for Tls route.

* Remove extra files.

* Address PR comments.

* Fix failing tests.

---------

Co-authored-by: Madhura Phadnis <[email protected]>
Co-authored-by: Sam Levenick <[email protected]>
Signed-off-by: Modular Magician <[email protected]>
modular-magician added a commit that referenced this issue Apr 20, 2023
@github-actions github-actions bot added service/bigquery forward/review In review; remove label to forward labels Aug 17, 2023
@edwardmedia edwardmedia removed the forward/review In review; remove label to forward label Sep 20, 2023
@wj-chen

wj-chen commented Mar 21, 2024

I can't repro the issue when I specify the legacy role format as advised with Terraform version v1.5.6:

Terraform will perform the following actions:

  # google_bigquery_dataset.dataset will be created
  + resource "google_bigquery_dataset" "dataset" {
      + creation_time              = (known after apply)
      + dataset_id                 = "issue_7755"
      + default_collation          = (known after apply)
      + delete_contents_on_destroy = false
      + effective_labels           = (known after apply)
      + etag                       = (known after apply)
      + id                         = (known after apply)
      + is_case_insensitive        = (known after apply)
      + last_modified_time         = (known after apply)
      + location                   = "US"
      + max_time_travel_hours      = (known after apply)
      + project                    = "<project>"
      + self_link                  = (known after apply)
      + storage_billing_model      = (known after apply)
      + terraform_labels           = (known after apply)

      + access {
          + role          = "OWNER"
          + user_by_email = "<email>"
        }
      + access {
          + domain = "google.com"
          + role   = "READER"
        }
    }

If anyone else still sees the problem, could you share a sample config?

@wj-chen

wj-chen commented Apr 10, 2024

@ScottSuarez I believe this issue is obsolete. Can we close it?

@ScottSuarez
Collaborator

> @ScottSuarez I believe this issue is obsolete. Can we close it?

No problem, we can close. Thanks for your help here 🙏🏻


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2024