terraform-provider-google: Folder level audit configs don't work.
```hcl
resource "google_folder_iam_policy" "audit_logs" {
  folder      = "${google_folder.enironment.id}"
  policy_data = "${data.google_iam_policy.audit_log_configs.policy_data}"
}

data "google_iam_policy" "audit_log_configs" {
  binding {
    role = "roles/owner"
    members = [
      "${var.service_account_role}",
    ]
  }

  audit_config {
    service = "cloudkms.googleapis.com"

    audit_log_configs {
      log_type = "DATA_READ"
    }
    audit_log_configs {
      log_type = "DATA_WRITE"
    }
    audit_log_configs {
      log_type = "ADMIN_READ"
    }
  }
}
```
After the template is run, the cloudkms service does not have audit configs turned on in the GCP Web console. On subsequent runs, the change is detected and Terraform tries to apply it, but it never succeeds.
Steps to Reproduce
terraform apply
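To confirm the symptom from outside Terraform, fetch the folder's effective IAM policy with `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json` and compare its `auditConfigs` against what the HCL declares. The check below is an added example, not code from the issue or the provider; the policy JSON, folder ID and member are constructed placeholders.

```python
import json

# Constructed sample of what `gcloud resource-manager folders get-iam-policy
# FOLDER_ID --format=json` returns when the binding was applied but the
# audit configs never reached the folder (the failure mode in this issue).
SAMPLE_FOLDER_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["serviceAccount:terraform@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ-constructed",
  "version": 1
}
"""

# The audit configs the HCL above intends to set on cloudkms.googleapis.com.
EXPECTED_AUDIT_CONFIGS = {
    "cloudkms.googleapis.com": {"DATA_READ", "DATA_WRITE", "ADMIN_READ"},
}


def audit_log_types(policy: dict) -> dict:
    """Map service -> set of enabled logTypes found in the policy's auditConfigs."""
    result = {}
    for cfg in policy.get("auditConfigs", []):
        types = {c["logType"] for c in cfg.get("auditLogConfigs", []) if "logType" in c}
        result.setdefault(cfg["service"], set()).update(types)
    return result


def missing_audit_configs(policy: dict, expected: dict) -> dict:
    """Return {service: set(log types)} for every expected log type the policy lacks."""
    actual = audit_log_types(policy)
    missing = {}
    for service, log_types in expected.items():
        gap = set(log_types) - actual.get(service, set())
        if gap:
            missing[service] = gap
    return missing


def check_policy(policy_json: str, expected: dict = EXPECTED_AUDIT_CONFIGS) -> dict:
    """Parse a get-iam-policy JSON document and report the audit-config drift."""
    return missing_audit_configs(json.loads(policy_json), expected)


if __name__ == "__main__":
    for service, types in sorted(check_policy(SAMPLE_FOLDER_POLICY_JSON).items()):
        print(f"{service}: audit logging missing for {', '.join(sorted(types))}")
```

An empty result means the folder policy really carries the declared audit configs; a non-empty one reproduces the drift Terraform keeps reporting.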
About this issue
- State: closed
- Created 5 years ago
- Reactions: 5
- Comments: 19 (2 by maintainers)
I would consider this a bug, as by GCP's docs auditConfig is supported on org, folder and project level. If those resources (org and folder mainly) do not support them yet, this should be added.
I also tried to enforce some “global” audit logging today and ran into this. I just want to set it on a folder level, to prevent project owners from disabling it again 😉
I think the google_folder_iam_policy resource was missed when google_project_iam_policy was updated to support audit config. See this PR: https://github.com/terraform-providers/terraform-provider-google/pull/2731