Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave +1 or me too comments; they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- If the issue is assigned to a user, that user is claiming responsibility for the issue.
Terraform Validator version
terraform-validator: v0.19.0
Affected Resource(s)
Terraform Plan JSON
{
  "format_version": "1.1",
  "terraform_version": "1.2.9",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "google_folder.folder",
          "mode": "managed",
          "type": "google_folder",
          "name": "folder",
          "provider_name": "registry.terraform.io/hashicorp/google",
          "schema_version": 0,
          "values": {
            "display_name": "folder",
            "parent": "organizations/1234567890",
            "timeouts": null
          },
          "sensitive_values": {}
        },
        {
          "address": "google_folder_iam_member.folder",
          "mode": "managed",
          "type": "google_folder_iam_member",
          "name": "folder",
          "provider_name": "registry.terraform.io/hashicorp/google",
          "schema_version": 0,
          "values": {
            "condition": [],
            "member": "user:user@domain.com",
            "role": "roles/owner"
          },
          "sensitive_values": {
            "condition": []
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "google_folder.folder",
      "mode": "managed",
      "type": "google_folder",
      "name": "folder",
      "provider_name": "registry.terraform.io/hashicorp/google",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "display_name": "folder",
          "parent": "organizations/1234567890",
          "timeouts": null
        },
        "after_unknown": {
          "create_time": true,
          "folder_id": true,
          "id": true,
          "lifecycle_state": true,
          "name": true
        },
        "before_sensitive": false,
        "after_sensitive": {}
      }
    },
    {
      "address": "google_folder_iam_member.folder",
      "mode": "managed",
      "type": "google_folder_iam_member",
      "name": "folder",
      "provider_name": "registry.terraform.io/hashicorp/google",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "condition": [],
          "member": "user:user@domain.com",
          "role": "roles/owner"
        },
        "after_unknown": {
          "condition": [],
          "etag": true,
          "folder": true,
          "id": true
        },
        "before_sensitive": false,
        "after_sensitive": {
          "condition": []
        }
      }
    }
  ],
  "configuration": {
    "provider_config": {
      "google": {
        "name": "google",
        "full_name": "registry.terraform.io/hashicorp/google"
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "google_folder.folder",
          "mode": "managed",
          "type": "google_folder",
          "name": "folder",
          "provider_config_key": "google",
          "expressions": {
            "display_name": {
              "constant_value": "folder"
            },
            "parent": {
              "constant_value": "organizations/1234567890"
            }
          },
          "schema_version": 0
        },
        {
          "address": "google_folder_iam_member.folder",
          "mode": "managed",
          "type": "google_folder_iam_member",
          "name": "folder",
          "provider_config_key": "google",
          "expressions": {
            "folder": {
              "references": [
                "google_folder.folder.name",
                "google_folder.folder"
              ]
            },
            "member": {
              "constant_value": "user:user@domain.com"
            },
            "role": {
              "constant_value": "roles/owner"
            }
          },
          "schema_version": 0
        }
      ]
    }
  },
  "relevant_attributes": [
    {
      "resource": "google_folder.folder",
      "attribute": [
        "name"
      ]
    }
  ]
}
Debug Output
2022-09-27T11:23:01.772078+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Authenticating using DefaultClient...", "context": ""}}
2022-09-27T11:23:01.772246+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email]", "context": ""}}
2022-09-27T11:23:01.77242+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Authenticating using DefaultClient...", "context": ""}}
2022-09-27T11:23:01.772427+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email]", "context": ""}}
2022-09-27T11:23:01.772471+08:00 info {"version": "v1.0.0", "error_details": {"error": "[DEBUG] Waiting for state to become: [success]", "context": ""}}
2022-09-27T11:23:01.958249+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Terraform is using this identity: user@domain.com", "context": ""}}
2022-09-27T11:23:01.958448+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Instantiating Google Cloud ResourceManager client for path https://cloudresourcemanager.googleapis.com/", "context": ""}}
2022-09-27T11:23:01.958492+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Instantiating Google Cloud ResourceManager V3 client for path https://cloudresourcemanager.googleapis.com/", "context": ""}}
2022-09-27T11:23:01.973226+08:00 info {"version": "v1.0.0", "error_details": {"error": "[INFO] Instantiating Google Cloud ResourceManager V3 client for path https://cloudresourcemanager.googleapis.com/", "context": ""}}
2022-09-27T11:23:01.973561+08:00 info {"version": "v1.0.0", "error_details": {"error": "[DEBUG] Retry Transport: starting RoundTrip retry loop", "context": ""}}
2022-09-27T11:23:01.973589+08:00 info {"version": "v1.0.0", "error_details": {"error": "[DEBUG] Retry Transport: request attempt 0", "context": ""}}
2022-09-27T11:23:03.258275+08:00 info {"version": "v1.0.0", "error_details": {"error": "[DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 404 with body: HTTP/2.0 404 Not Found\r\nContent-Length: 1616\r\nAlt-Svc: h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-Q050=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Tue, 27 Sep 2022 03:23:03 GMT\r\nServer: ESF\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nX-Xss-Protection: 0\r\n\r\n<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\">\n <title>Error 404 (Not Found)!!1</title>\n <style>\n *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}\n </style>\n <a 
href=//www.google.com/><span id=logo aria-label=Google></span></a>\n <p><b>404.</b> <ins>That’s an error.</ins>\n <p>The requested URL <code>/v3/folders/:getIamPolicy?alt=json&prettyPrint=false</code> was not found on this server. <ins>That’s all we know.</ins>", "context": ""}}
2022-09-27T11:23:03.259054+08:00 info {"version": "v1.0.0", "error_details": {"error": "[DEBUG] Retry Transport: Returning after 1 attempts", "context": ""}}
2022-09-27T11:23:03.259096+08:00 warn {"version": "v1.0.0", "error_details": {"error": "google_folder_iam_member.folder: Fetching cloudresourcemanager.googleapis.com/Folder//cloudresourcemanager.googleapis.com/placeholder-c2WD8F2q for merge failed due to not existing or insufficient permission.", "context": "github.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).addCreateOrUpdateOrNoop\n\t/Users/user/git/omg/policy/test/terraform-validator/converters/google/convert.go:311\ngithub.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).AddResourceChanges\n\t/Users/user/git/omg/policy/test/terraform-validator/converters/google/convert.go:210\ngithub.com/GoogleCloudPlatform/terraform-validator/tfgcv.ReadPlannedAssets\n\t/Users/user/git/omg/policy/test/terraform-validator/tfgcv/planned_assets.go:56\ngithub.com/GoogleCloudPlatform/terraform-validator/cmd.(*convertOptions).run\n\t/Users/user/git/omg/policy/test/terraform-validator/cmd/convert.go:123\ngithub.com/GoogleCloudPlatform/terraform-validator/cmd.newConvertCmd.func2\n\t/Users/user/git/omg/policy/test/terraform-validator/cmd/convert.go:81\ngithub.com/spf13/cobra.(*Command).execute\n\t/Users/user/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:856\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\t/Users/user/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:974\ngithub.com/spf13/cobra.(*Command).Execute\n\t/Users/user/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:902\ngithub.com/GoogleCloudPlatform/terraform-validator/cmd.Execute\n\t/Users/user/git/omg/policy/test/terraform-validator/cmd/root.go:101\nmain.main\n\t/Users/user/git/omg/policy/test/terraform-validator/main.go:30\nruntime.main\n\t/opt/homebrew/Cellar/go/1.19.1/libexec/src/runtime/proc.go:250"}}
2022-09-27T11:23:03.261464+08:00 info {"version": "v1.0.0", "error_details": {"error": "Retrieving ancestry from resource (type=cloudresourcemanager.googleapis.com/Folder)", "context": ""}}
2022-09-27T11:23:03.261531+08:00 error {"version": "v1.0.0", "error_details": {"error": "google_folder_iam_member.folder: converting TF resource to CAI: getting resource ancestry or parent failed: folder id not found in terraform data", "context": "github.com/GoogleCloudPlatform/terraform-validator/cmd.Execute\n\t/Users/user/git/omg/policy/test/terraform-validator/cmd/root.go:111\nmain.main\n\t/Users/user/git/omg/policy/test/terraform-validator/main.go:30\nruntime.main\n\t/opt/homebrew/Cellar/go/1.19.1/libexec/src/runtime/proc.go:250"}}
Expected Behavior
Terraform plan should be converted to CAI format (folder id should be mocked somehow?).
Actual Behavior
Fails with an error that the folder ID is not defined in the plan.
Steps to Reproduce
terraform-validator convert tfplan.json
Important Factoids
This issue can be reproduced only if folder creation and policy assignment are done within the same terraform plan (the folder doesn't exist beforehand). If the folder exists and only policy changes are applied, it works as expected.
Initially, the issue was spotted in terraform-tools v0.7.0 (gcloud beta terraform vet from gcloud sdk), but it also reproduces with the latest terraform-validator (v0.19.0).
References
none
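
A pre-check for the condition this issue describes, as an added example (not terraform-validator code): it lists IAM grants in a plan whose parent (`folder` here) is only known after apply because the parent is created in the same plan, so those grants can be reviewed by hand when conversion fails. The function name, `PARENT_ATTRS` and the trimmed sample plan are assumptions for illustration; only root-module resources are examined.

```python
import json

# Constructed sample: the issue's plan reduced to the fields this check reads.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "google_folder.folder", "type": "google_folder",
     "change": {"actions": ["create"], "after": {"display_name": "folder"},
                "after_unknown": {"folder_id": true, "name": true}}},
    {"address": "google_folder_iam_member.folder", "type": "google_folder_iam_member",
     "change": {"actions": ["create"],
                "after": {"member": "user:user@domain.com", "role": "roles/owner"},
                "after_unknown": {"etag": true, "folder": true, "id": true}}}
  ],
  "configuration": {"root_module": {"resources": [
    {"address": "google_folder_iam_member.folder",
     "expressions": {"folder": {"references": ["google_folder.folder.name",
                                               "google_folder.folder"]}}}
  ]}}
}
""")

# Assumption: attribute names that hold the parent of google_*_iam_* resources.
PARENT_ATTRS = ("folder", "project", "org_id")


def unresolved_iam_parents(plan):
    """Return IAM grants whose parent is unknown at plan time, together with
    the same-plan resource creations that the parent expression references."""
    changes = plan.get("resource_changes", [])
    created = {c["address"] for c in changes if "create" in c["change"]["actions"]}
    # Hypothetical simplification: child modules and count/for_each are not walked.
    root = plan.get("configuration", {}).get("root_module", {})
    config = {r["address"]: r.get("expressions", {}) for r in root.get("resources", [])}
    findings = []
    for c in changes:
        if "_iam_" not in c["type"]:
            continue
        unknown = c["change"].get("after_unknown") or {}
        after = c["change"].get("after") or {}
        for attr in PARENT_ATTRS:
            if unknown.get(attr) is not True:
                continue  # parent value is known, nothing to flag
            refs = config.get(c["address"], {}).get(attr, {}).get("references", [])
            findings.append({
                "address": c["address"], "attribute": attr,
                "role": after.get("role"), "member": after.get("member"),
                "created_in_same_plan": sorted(r for r in refs if r in created),
            })
    return findings
```
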