[CloudSQL] Handle CLOUD_IAM_GROUP username edgecases #10666
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
Hello! I am a robot. Tests will require approval from a repository maintainer to run. @slevenick, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally. |
modular-magician
added
the
awaiting-approval
modular-magician
added
service/sqladmin-infra
and removed
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
Errors
|
Tests analyticsTotal tests: Click here to see the affected service packages
|
modular-magician
added
the
awaiting-approval
|
@slevenick I'm just an idiot and forgot to migrate the |
| @@ -17,12 +18,25 @@ import ( | |||
| ) | |||
|
|
|||
| func diffSuppressIamUserName(_, old, new string, d *schema.ResourceData) bool { | |||
| strippedName := strings.Split(new, "@")[0] | |||
| // IAM users of type `CLOUD_IAM_USER` and `CLOUD_IAM_SERVICE_ACCOUNT` are created based on | |||
There was a problem hiding this comment.
Is this behavior documented somewhere? I want to make sure this is intended behavior and not something that gets changed later and leaves us in a bad spot
There was a problem hiding this comment.
I haven't been able to find this in any documentation—the docs on this are pretty poor overall.
But the (apparent) rule I'm making explicit here is one we already account for on L368: "If the current user type isn't pg or CLOUD_IAM_GROUP, split the domain off the supplied email address." The implication being that the domain is retained by CLOUD_IAM_GROUP. So, we have a precedent, this PR just brings this block into alignment with how we're treating CLOUD_IAM_GROUP elsewhere.
modular-magician
removed
the
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: Click here to see the affected service packages
|
|
Is there anything else you need me to do here, @slevenick? |
|
How timely, I was just having a world of pain trying to setup group IAM on a CloudSQL instance. Is there any chance this is likely to be merged/released soon? |
|
I think this looks good. Can you add a test that uses a CLOUD_IAM_GROUP? |
|
@GoogleCloudPlatform/terraform-team This PR has been waiting for review for 7 days. Please take a look! Use the label |
Although some of the issues surrounding the use of CLOUD_IAM_GROUP users with cloudsql I believe are google's own problems, in this case, I think this PR will address some of the problems with TF not being able to locate CLOUD_IAM_GROUP type resources, as discussed in hashicorp/terraform-provider-google#17040.
The issue, I believe, is that group users retain the domain as a part of their username while standard users and service accounts have the domain stripped. You can see on L369 of the PR that this fact is already accounted for in part, but the same exception wasn't included in the diffSuppress function (L21ff.).
I've also included comments to make some of this explicit, since it's a bit counterintuitive.
Release Note Template for Downstream PRs (will be copied)