fail to parse terraform 1.1.9 plan with `google_folder_iam_member` in a new folder

[daniel-cit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave +1 or me too comments; they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If the issue is assigned to a user, that user is claiming responsibility for the issue.

Terraform Validator version

terraform-validator: v0.12.5
terraform-validator: v0.13.0
gcloud beta terraform vet: 2022.05.06

Affected Resource(s)

• google_folder_iam_member

Terraform Plan JSON

resource "google_folder" "example" {
  display_name = "example"
  parent       = "folders/173181153785" # any valid folder or organization
}

resource "google_folder_iam_member" "editor" {
  folder  = google_folder.example.id
  role    = "roles/editor"
  member  = "user:john.doe@example.com"
}

{
    "format_version": "1.0",
    "terraform_version": "1.1.9",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_folder.example",
                    "mode": "managed",
                    "type": "google_folder",
                    "name": "example",
                    "provider_name": "registry.terraform.io/hashicorp/google",
                    "schema_version": 0,
                    "values": {
                        "display_name": "example",
                        "parent": "folders/173181153785",
                        "timeouts": null
                    },
                    "sensitive_values": {}
                },
                {
                    "address": "google_folder_iam_member.editor",
                    "mode": "managed",
                    "type": "google_folder_iam_member",
                    "name": "editor",
                    "provider_name": "registry.terraform.io/hashicorp/google",
                    "schema_version": 0,
                    "values": {
                        "condition": [],
                        "member": "user:john.doe@example.com",
                        "role": "roles/editor"
                    },
                    "sensitive_values": {
                        "condition": []
                    }
                }
            ]
        }
    },
    "resource_changes": [
        {
            "address": "google_folder.example",
            "mode": "managed",
            "type": "google_folder",
            "name": "example",
            "provider_name": "registry.terraform.io/hashicorp/google",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "display_name": "example",
                    "parent": "folders/173181153785",
                    "timeouts": null
                },
                "after_unknown": {
                    "create_time": true,
                    "folder_id": true,
                    "id": true,
                    "lifecycle_state": true,
                    "name": true
                },
                "before_sensitive": false,
                "after_sensitive": {}
            }
        },
        {
            "address": "google_folder_iam_member.editor",
            "mode": "managed",
            "type": "google_folder_iam_member",
            "name": "editor",
            "provider_name": "registry.terraform.io/hashicorp/google",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "condition": [],
                    "member": "user:john.doe@example.com",
                    "role": "roles/editor"
                },
                "after_unknown": {
                    "condition": [],
                    "etag": true,
                    "folder": true,
                    "id": true
                },
                "before_sensitive": false,
                "after_sensitive": {
                    "condition": []
                }
            }
        }
    ],
    "configuration": {
        "root_module": {
            "resources": [
                {
                    "address": "google_folder.example",
                    "mode": "managed",
                    "type": "google_folder",
                    "name": "example",
                    "provider_config_key": "google",
                    "expressions": {
                        "display_name": {
                            "constant_value": "example"
                        },
                        "parent": {
                            "constant_value": "folders/173181153785"
                        }
                    },
                    "schema_version": 0
                },
                {
                    "address": "google_folder_iam_member.editor",
                    "mode": "managed",
                    "type": "google_folder_iam_member",
                    "name": "editor",
                    "provider_config_key": "google",
                    "expressions": {
                        "folder": {
                            "references": [
                                "google_folder.example.id",
                                "google_folder.example"
                            ]
                        },
                        "member": {
                            "constant_value": "user:john.doe@example.com"
                        },
                        "role": {
                            "constant_value": "roles/editor"
                        }
                    },
                    "schema_version": 0
                }
            ]
        }
    }
}

Debug Output

unknown flag: --verbose

Expected Behavior

plan to be parsed without violations

Actual Behavior

panic: interface conversion: interface {} is nil, not string

goroutine 1 [running]:
github.com/GoogleCloudPlatform/terraform-validator/converters/google/resources.NewProjectIamUpdater(0x4474578, 0xc0009615c0, 0xc00072c700, 0xc0004c5a40, 0x1100000000000002, 0xc00007a800, 0x0)
        /Users/stephenrlewis/projects/terraform-validator/converters/google/resources/iam_project.go:28 +0x145
github.com/GoogleCloudPlatform/terraform-validator/converters/google/resources.fetchIamPolicy(0x3fecb18, 0x4474578, 0xc0009615c0, 0xc00072c700, 0x3e61286, 0x30, 0x3e46179, 0x2a, 0x0, 0x0, ...)
        /Users/stephenrlewis/projects/terraform-validator/converters/google/resources/iam_helpers.go:199 +0x94
github.com/GoogleCloudPlatform/terraform-validator/converters/google/resources.FetchFolderIamPolicy(0x4474578, 0xc0009615c0, 0xc00072c700, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /Users/stephenrlewis/projects/terraform-validator/converters/google/resources/folder_iam.go:92 +0xee
github.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).addCreateOrUpdateOrNoop(0xc000b66000, 0xc00077f950, 0x1b, 0x0)
        /Users/stephenrlewis/projects/terraform-validator/converters/google/convert.go:311 +0x8b3
github.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).AddResourceChanges(0xc000b66000, 0xc000176480, 0x69, 0x8d, 0x69, 0x8d)
        /Users/stephenrlewis/projects/terraform-validator/converters/google/convert.go:214 +0x538
github.com/GoogleCloudPlatform/terraform-validator/tfgcv.ReadPlannedAssets(0x4430d78, 0xc00004e068, 0x7ffdd08d7cad, 0xe, 0x7ffdd08d7ce7, 0x16, 0x0, 0x0, 0x1ffffffffff0000, 0xc00011a840, ...)
        /Users/stephenrlewis/projects/terraform-validator/tfgcv/planned_assets.go:58 +0x16a
github.com/GoogleCloudPlatform/terraform-validator/cmd.(*validateOptions).run(0xc00011a6c0, 0x7ffdd08d7cad, 0xe, 0x0, 0x0)
        /Users/stephenrlewis/projects/terraform-validator/cmd/validate.go:115 +0x7fa
github.com/GoogleCloudPlatform/terraform-validator/cmd.newValidateCmd.func2(0xc000631400, 0xc0007296e0, 0x1, 0x3, 0x0, 0x0)
        /Users/stephenrlewis/projects/terraform-validator/cmd/validate.go:78 +0x50
github.com/spf13/cobra.(*Command).execute(0xc000631400, 0xc000729650, 0x3, 0x3, 0xc000631400, 0xc000729650)
        /Users/stephenrlewis/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:856 +0x472
github.com/spf13/cobra.(*Command).ExecuteC(0xc000630a00, 0xc0007292c0, 0x0, 0x0)
        /Users/stephenrlewis/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:974 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        /Users/stephenrlewis/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:902
github.com/GoogleCloudPlatform/terraform-validator/cmd.Execute()
        /Users/stephenrlewis/projects/terraform-validator/cmd/root.go:101 +0xf4
main.main()
        /Users/stephenrlewis/projects/terraform-validator/main.go:30 +0xa6

Steps to Reproduce

1. terraform plan -out example.tfplan
2. terraform show -json example.tfplan > example.json
3. terraform-validator validate example.json --policy-path=<path-to-policy-library> --project=<VALID-EXISTING-PROJECT>

Important Factoids

Plan generated with terraform 1.1.9

References

• #0000

[melinath]

I'm not sure this is related to TF 1.1.9 - panic: interface conversion: interface {} is nil, not string usually indicates a mismatch between provider and TFV expected schema for a resource - what provider version are you using?

[daniel-cit]

tested with

provider "registry.terraform.io/hashicorp/google" {
  version     = "3.90.1"

and

provider "registry.terraform.io/hashicorp/google" {
  version     = "4.21.0"

[daniel-cit]

@melinath
in line 65 https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/542d60abac29dc1d76d3a186f9612447aba06c75/google/folder_iam.go#L65

  NewProjectIamUpdater,

func FetchFolderIamPolicy(d TerraformResourceData, config *Config) (Asset, error) {
	return fetchIamPolicy(
		NewProjectIamUpdater,
		d,
		config,
		"//cloudresourcemanager.googleapis.com/{{folder}}",
		"cloudresourcemanager.googleapis.com/Folder",
	)
}

shouldn't the Updater to be used to be the NewFolderIamUpdater ?

https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/542d60abac29dc1d76d3a186f9612447aba06c75/google/iam_folder.go#L27

func NewFolderIamUpdater(d TerraformResourceData, config *Config) (ResourceIamUpdater, error) {
	return &FolderIamUpdater{
		folderId: canonicalFolderId(d.Get("folder").(string)),
		d:        d,
		Config:   config,
	}, nil
}

instead of the NewProjectIamUpdater

https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/542d60abac29dc1d76d3a186f9612447aba06c75/google/iam_project.go#L38

func NewProjectIamUpdater(d TerraformResourceData, config *Config) (ResourceIamUpdater, error) {
	pid, err := getProject(d, config)
	if err != nil {
		return nil, err
	}

	if err := d.Set("project", pid); err != nil {
		return nil, fmt.Errorf("Error setting project: %s", err)
	}

	return &ProjectIamUpdater{
		resourceId: pid,
		d:          d,
		Config:     config,
	}, nil
}

[melinath]

@daniel-cit yeah that's probably the issue, thanks! It looks like we don't have tests for google_folder_iam_* so this has probably been broken for a while. We'll need to make a Magic Modules PR to add tests and update FetchFolderIamPolicy