terraform-provider-google: Error 400: Requested policy version (1) cannot be less than the existing policy version (3)
[issue-type:bug-report]
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
- If an issue is assigned to the “modular-magician” user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to “hashibot”, a community member has claimed the issue already.
Terraform Version
Terraform v0.12.18
- provider.google v2.20.1
- provider.google-beta v2.20.1
Affected Resource(s)
One of
- google_project_iam_member
- google_project_iam_binding
Terraform Configuration Files
module "projects_iam_bindings" {
  source  = "terraform-google-modules/iam/google//modules/projects_iam"
  version = "~> 5.0"
  project = "XXX"
  mode    = "additive"
  bindings = {
    "roles/errorreporting.user" = [
      "group:XXX@YYY",
    ]
  }
}
Debug Output
Error: Error reading Resource "project \"XXX\"" with IAM Member:
Role "roles/errorreporting.writer"
Member "serviceAccount:XXX@XXX.iam.gserviceaccount.com":
Error retrieving IAM policy for project "XXX":
googleapi: Error 400: Requested policy version (1) cannot be less than the existing policy version (3).
For more information, please refer to https://cloud.google.com/iam/docs/policies#versions., badRequest
Expected Behavior
Successful plan
Actual Behavior
Error 400: Requested policy version (1) cannot be less than the existing policy version (3).
Steps to Reproduce
terraform plan
Important Factoids
Since I didn’t manually alter any IAM setting I think that there is a different issue.
It may be connected with the new condition feature, which uses IAM policy version 3.
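The reporter's guess above is the documented behaviour: once any binding in a project's IAM policy carries a condition, the policy is version 3, and a client that asks for version 1 (as the GA provider did at the time) gets exactly this 400. The following triage helper is an added example, not code from the issue or from terraform-provider-google. It assumes the policy JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (`bindings`, `etag`, `version`) and reimplements the version rule locally, so it runs offline on a constructed sample policy; the member and project names in the sample are placeholders.

```python
"""Triage helper for "Requested policy version (1) cannot be less than the
existing policy version (3)".

Added example, not part of the issue or the provider.  It reads a policy in
the JSON shape produced by `gcloud projects get-iam-policy ... --format=json`
and answers two questions a defender wants before touching anything:
which bindings carry a condition, and whether a version-1 client will fail.
"""
import json

# Constructed sample: a project policy after someone added a conditional
# binding in the Cloud Console.  Names are placeholders, not real identities.
SAMPLE_POLICY_JSON = """{
  "version": 3,
  "etag": "BwXYZ-constructed=",
  "bindings": [
    {"role": "roles/errorreporting.writer",
     "members": ["serviceAccount:XXX@XXX.iam.gserviceaccount.com"]},
    {"role": "roles/errorreporting.user",
     "members": ["group:XXX@YYY"]},
    {"role": "roles/viewer",
     "members": ["user:temporary-account@example.com"],
     "condition": {"title": "expires_soon",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ]
}"""


class PolicyVersionError(ValueError):
    """Mirrors the HTTP 400 the API returns for an insufficient requested version."""


def load_policy(policy_json):
    """Parse the gcloud/API JSON into a dict."""
    return json.loads(policy_json)


def conditional_bindings(policy):
    """Return the bindings that carry an IAM condition."""
    return [b for b in policy.get("bindings", []) if "condition" in b]


def required_policy_version(policy):
    """Minimum requestedPolicyVersion a client must send to read this policy
    without error: 3 if any binding is conditional, otherwise 1.

    Derived from the bindings rather than the "version" field, because a
    client that asked for version 1 sees "version: 1" even when the stored
    policy is version 3 (the observation made later in this thread)."""
    return 3 if conditional_bindings(policy) else 1


def check_requested_version(policy, requested_version):
    """Reproduce the documented rule: a request whose policy version is lower
    than the version the stored policy needs is rejected."""
    existing = required_policy_version(policy)
    if requested_version < existing:
        raise PolicyVersionError(
            f"Requested policy version ({requested_version}) cannot be less "
            f"than the existing policy version ({existing})."
        )
    return existing


def triage(policy_json, requested_version=1):
    """Summarize why a client requesting `requested_version` fails against
    this policy and which roles' bindings are responsible."""
    policy = load_policy(policy_json)
    report = {
        "required_version": required_policy_version(policy),
        "conditional_roles": [b["role"] for b in conditional_bindings(policy)],
        "blocks_version_1_clients": required_policy_version(policy) > 1,
    }
    try:
        check_requested_version(policy, requested_version)
        report["error"] = None
    except PolicyVersionError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    # Run against the constructed sample; replace SAMPLE_POLICY_JSON with the
    # output of gcloud for a real project.
    print(json.dumps(triage(SAMPLE_POLICY_JSON), indent=2))
```

The report tells you which roles were given a conditional binding outside Terraform, so you can decide whether the condition belongs in configuration (which needs a provider that requests version 3) or should be removed before a non-conditional client overwrites the policy and silently drops it.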
About this issue
- State: closed
- Created 5 years ago
- Reactions: 9
- Comments: 33 (10 by maintainers)
I think the complication is that IAM for a resource (particularly an org or project) isn’t necessarily managed all in a single Terraform config. If that were the case, I think it’d be easy to simply upgrade to TPGB. However, there are definitely cases where some memberships are managed elsewhere.
I agree that clobbering is an issue though. Maybe we can leave this open for a bit and see who else reports it?
Would it be possible to simply not touch the condition from TPG? i.e. if a condition exists simply leave it as is (but don’t support adding/updating conditions)?
Hmm, it seems like a rather severe bug that a working Terraform resource (google_project_iam_member) would start failing unpredictably and forcing users to migrate to beta even when they are not using permissions.
This should make sense now.
The exact error I got is listed in the documentation - Scenario 2: Requesting a policy with an insufficient version (https://cloud.google.com/iam/docs/policies#specifying-version).
When I display the version of the bugged IAM policy, I get version: 1. The error log says
Requested policy version (1) cannot be less than the existing policy version (3).
That means it is requesting correct policy version (1). But fails… (if the log is OK)
I tried to use beta-provider 2.20.1 again and IT WORKS! (my bad I must have made some mistake before).
There must be a bug somewhere I guess.
@morgante Just like you said. Conditions were tested in UI for some temporary account and all other iam policies / members in terraform got broken.
@Lirt I am glad you have found the reason. I am closing this issue now. You may reopen it if you feel a need for more help. Thanks