DeviaVir / terraform-provider-gsuite

A @HashiCorp Terraform provider for managing G Suite resources.

Terraform 0.12.x dynamic group members

drobakowski opened this issue · comments

Hi there,

I was trying to use terraforms dynamic resource creation functionality and include our group members dynamically, which basically works fine for creation:

resource "gsuite_group_members" "developer_team_members" {
  group_email = gsuite_group.developer.email

  dynamic "member" {
    for_each = local.developers

    content {
      email = "${member.value.first_name}.${member.value.last_name}@${gsuite_domain.root_domain.domain_name}"
      role  = "MEMBER"
    }
  }

  depends_on = [gsuite_user.team]
}

The alternative version with nested resource also works:

resource "gsuite_group_members" "developer_team_members" {
  for_each = local.developers

  group_email = gsuite_group.developer.email

  member {
    email = "${each.value.first_name}.${each.value.last_name}@${gsuite_domain.root_domain.domain_name}"
    role  = "MEMBER"
  }

  depends_on = [gsuite_user.team]
}

The problem occurs after the successful creation, when running terraform plan or apply afterwards. Every time I get an update in-place, followed by this error on apply:

> terraform apply
...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # gsuite_group_members.developer_team_members will be updated in-place
  ~ resource "gsuite_group_members" "developer_team_members" {
        group_email = "developer@xxx.xxx"
        id          = "developer@xxx.xxx"

      - member {
          - email  = "user.name@xxx.xxx" -> null
          - etag   = "\"xyz\"" -> null
          - kind   = "admin#directory#member" -> null
          - role   = "MEMBER" -> null
          - status = "ACTIVE" -> null
          - type   = "USER" -> null
        }
      + member {
          + email  = "user.name@xxx.xxx"
          + etag   = (known after apply)
          + kind   = (known after apply)
          + role   = "MEMBER"
          + status = (known after apply)
          + type   = (known after apply)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

gsuite_group_members.developer_team_members: Modifying... [id=developer@xxx.xxx]

Error: [ERROR] Error updating memberships: [ERROR] Error updating groupMember (user.name@xxx.xxx): nested groups should be role MEMBER

  on gsuite_groups.tf line 55, in resource "gsuite_group_members" "developer_team_members":
  55: resource "gsuite_group_members" "developer_team_members" {

> terraform version
Terraform v0.12.8
+ provider.gsuite v0.1.34

Any idea how to fix this?

Hello @drobakowski,

I'm using something similar but haven't run into this issue.
I think you might want to verify/double check what role that person has within that group.

The error suggests you're trying to add a group with a role other than MEMBER.

I use something like the following:

resource "gsuite_group_members" "group_members" {
  for_each    = local.groups_to_users_map
  group_email = gsuite_group.group[each.key].email

  dynamic "member" {
    # each.value is already this group's list of user emails;
    # indexing the map with it again would fail, since the list is not a key
    for_each = each.value

    content {
      email = member.value
      role  = "MEMBER"
    }
  }

  depends_on = [gsuite_group.group]
}

And then using something like this for the definition of groups_to_users_map:

locals {
  groups_to_users_map = {
    "developer" = [
      "awesome.dev@domain.com",
    ]
  }
}

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

I ran into the same issue and I can't figure out how to prevent this either.

resource "gsuite_group" "a_team" {
  email       = "${var.group_email}@${var.org_domain_name}"
  name        = "${var.group_email}@${var.org_domain_name}"
  description = "Some team"
}

resource "gsuite_group_members" "a_team_members" {
  group_email = gsuite_group.a_team.email

  member {
    email = var.owner_email
    role  = "OWNER"
  }

  # womp
  # https://github.com/DeviaVir/terraform-provider-gsuite/issues/108
  dynamic "member" {
    for_each = var.members

    content {
      email = member.value
      role  = "MEMBER"
    }
  }
}

In my case the problem was that there were two users with the OWNER role, which isn't possible.
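As an added example (not code from this thread or from the provider), one way to keep every address in exactly one member block, so an owner who is also listed in the members set does not turn into two entries with conflicting roles: build an email-to-role map in locals and feed a single dynamic block from it. The variable names are hypothetical; the resource types follow the thread's usage, and the plan output above shows that the gsuite_group_members id is the group email, which is why the example manages a group's whole membership from one resource rather than one resource per member.

```hcl
# Added example; variable names are assumptions, not from the thread.

variable "org_domain_name" {
  type = string
}

variable "group_email" {
  type = string
}

variable "owner_email" {
  type = string
}

variable "members" {
  type    = set(string)
  default = []
}

locals {
  # One email -> role map. merge() lets the later map win, so an address that
  # appears both in var.members and as the owner ends up with a single member
  # block (role OWNER) instead of two blocks for the same user.
  # lower() normalises case, since Google treats addresses case-insensitively.
  group_roles = merge(
    { for m in var.members : lower(m) => "MEMBER" },
    { (lower(var.owner_email)) = "OWNER" },
  )
}

resource "gsuite_group" "team" {
  email = "${var.group_email}@${var.org_domain_name}"
  name  = var.group_email
}

# A single gsuite_group_members resource owns this group's membership set.
resource "gsuite_group_members" "team" {
  group_email = gsuite_group.team.email

  dynamic "member" {
    for_each = local.group_roles

    content {
      email = member.key
      role  = member.value
    }
  }
}
```

Because the map is keyed by email, a duplicate can no longer be expressed at all; `terraform plan` after the first apply should show no member changes unless the inputs actually changed.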