[CloudSQL] Handle CLOUD_IAM_GROUP username edgecases #10666
base: main
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Hello! I am a robot. Tests will require approval from a repository maintainer to run. @slevenick, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally.
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff report: Your PR generated some diffs in downstreams - here they are.
Failing due to resource_sql_user.go:32:5: undefined: slices
Have you been able to test this change?
@slevenick I'm just an idiot and forgot to migrate the
@@ -17,12 +18,25 @@ import ( | |||
) | |||
|
|||
func diffSuppressIamUserName(_, old, new string, d *schema.ResourceData) bool { | |||
strippedName := strings.Split(new, "@")[0] | |||
// IAM users of type `CLOUD_IAM_USER` and `CLOUD_IAM_SERVICE_ACCOUNT` are created based on |
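Review bot: `strippedName := strings.Split(new, "@")[0]` drops the domain before the user type has been consulted, yet the PR description says CLOUD_IAM_GROUP users keep the domain; make sure the stripped form is only compared for the types that actually lose it, reading the user type from `d` first. Two smaller points: the parameter named `new` shadows Go's builtin `new`, so a name such as `newValue` reads more clearly, and the CI failure reported earlier (`resource_sql_user.go:32:5: undefined: slices`) suggests the `slices` package import is missing; the hunk header shows the import block was touched, but the visible lines do not show that import being added, so please confirm it is present.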
Is this behavior documented somewhere? I want to make sure this is intended behavior and not something that gets changed later and leaves us in a bad spot
I haven't been able to find this in any documentation—the docs on this are pretty poor overall.
But the (apparent) rule I'm making explicit here is one we already account for on L368: "If the current user type isn't pg or CLOUD_IAM_GROUP, split the domain off the supplied email address." The implication being that the domain is retained by CLOUD_IAM_GROUP. So, we have a precedent, this PR just brings this block into alignment with how we're treating CLOUD_IAM_GROUP elsewhere.
Is there anything else you need me to do here, @slevenick?
How timely, I was just having a world of pain trying to set up group IAM on a CloudSQL instance. Is there any chance this is likely to be merged/released soon?
I think this looks good. Can you add a test that uses a CLOUD_IAM_GROUP?
@GoogleCloudPlatform/terraform-team This PR has been waiting for review for 7 days. Please take a look! Use the label
Please add a test that uses CLOUD_IAM_GROUP
Although some of the issues surrounding the use of CLOUD_IAM_GROUP users with CloudSQL I believe are Google's own problems, in this case, I think this PR will address some of the problems with TF not being able to locate CLOUD_IAM_GROUP type resources, as discussed in hashicorp/terraform-provider-google#17040.
The issue, I believe, is that group users retain the domain as a part of their username while standard users and service accounts have the domain stripped. You can see on L369 of the PR that this fact is already accounted for in part, but the same exception wasn't included in the diffSuppress function (L21ff.).
I've also included comments to make some of this explicit, since it's a bit counterintuitive.
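The naming rule described above, as an added stand-alone example that is not the provider's code: it models how the stored username is derived per user type (local part only for IAM users and service accounts, full address for IAM groups) and the resulting diff-suppress decision. The `apiUserName`/`suppressIamUserNameDiff` helpers and the constant names are assumptions for illustration; the PostgreSQL-specific exception mentioned in the thread is not modeled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed user type names for this example (mirroring the values
// discussed in the PR; not taken from the provider's schema).
const (
	userTypeBuiltIn        = "BUILT_IN"
	userTypeIAMUser        = "CLOUD_IAM_USER"
	userTypeIAMServiceAcct = "CLOUD_IAM_SERVICE_ACCOUNT"
	userTypeIAMGroup       = "CLOUD_IAM_GROUP"
)

// apiUserName (hypothetical helper) returns the username as the API is
// expected to store it: IAM users and service accounts lose everything
// after the "@", IAM groups keep the whole address, and built-in users
// are stored exactly as configured. Splitting a name that has no "@"
// is a no-op, so applying the rule to an already-stored name is safe.
func apiUserName(configured, userType string) string {
	switch userType {
	case userTypeIAMUser, userTypeIAMServiceAcct:
		return strings.Split(configured, "@")[0]
	default:
		return configured
	}
}

// suppressIamUserNameDiff (hypothetical helper) reports whether the
// name returned by the API (old) and the name in configuration (new)
// denote the same user under that rule. When true, Terraform should not
// plan a replacement; when false, the names really differ.
func suppressIamUserNameDiff(old, newValue, userType string) bool {
	return apiUserName(old, userType) == apiUserName(newValue, userType)
}

func main() {
	// Constructed sample inputs: stored name vs. configured name per type.
	fmt.Println(suppressIamUserNameDiff("alice", "alice@example.com", userTypeIAMUser))
	fmt.Println(suppressIamUserNameDiff("group@example.com", "group@example.com", userTypeIAMGroup))
	// A group stored without its domain is a genuinely different name.
	fmt.Println(suppressIamUserNameDiff("group", "group@example.com", userTypeIAMGroup))
}
```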