DeviaVir / terraform-provider-gsuite

A @HashiCorp Terraform provider for managing G Suite resources.

[gsuite_group_settings] who_can_moderate_members competing with who_can_approve_members

natalysheinin opened this issue · comments

Problem

I think both of these settings manage the same Google attributes, because if you have one set to something other than the default (default is ALL_MANAGERS_CAN_APPROVE), then the terraform plan attempts to change the other settings to the default.

Steps to Replicate

For example, let's say this is your tf config:

resource "gsuite_group_settings" "gsuite_group_settings" {
  email = gsuite_group.gsuite_group.email
  ...
  who_can_moderate_members = "NONE"
  ...
}

When you run terraform plan for the first time, it creates the group + group settings.

When you run terraform plan the second time (without making any code changes):

resource "gsuite_group_settings" "gsuite_group_settings" {
    who_can_approve_members        = "NONE_CAN_APPROVE" -> "ALL_MANAGERS_CAN_APPROVE"

When you run terraform plan the third time (without making any code changes):

resource "gsuite_group_settings" "gsuite_group_settings" {
    who_can_moderate_members       = "OWNERS_AND_MANAGERS" -> "NONE"

Proposed Solution

One of these settings should be deprecated.

According to google-api-go-client, WhoCanApproveMembers is deprecated and merged into whoCanModerateMembers.

Therefore, I think it's better to treat who_can_approve_members as deprecated.

https://github.com/googleapis/google-api-go-client/blob/master/groupssettings/v1/groupssettings-gen.go#L373

Also, the structs in group_settings have similar deprecated parts, so we need to consider them.
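
The flip-flop reported in this thread, as an added simulation (not code from the provider or from the posts above). It shows that the plan settles once the deprecated attribute is left out of the diff. The server-side coupling and value mapping are assumptions inferred from the plan output quoted in the issue, and all type and function names are hypothetical.

```go
package main

import "fmt"

type Settings struct{ Moderate, Approve string } // the two attributes from the issue

// Coupling inferred from the plan output quoted in the issue (assumed API model).
var approveFor = map[string]string{"NONE": "NONE_CAN_APPROVE", "OWNERS_AND_MANAGERS": "ALL_MANAGERS_CAN_APPROVE"}
var moderateFor = map[string]string{"NONE_CAN_APPROVE": "NONE", "ALL_MANAGERS_CAN_APPROVE": "OWNERS_AND_MANAGERS"}

const defaultApprove = "ALL_MANAGERS_CAN_APPROVE" // default named in the issue

// plan diffs config against remote state; skipDeprecated leaves the deprecated attribute out.
func plan(cfg, remote Settings, skipDeprecated bool) map[string]string {
	diff := map[string]string{}
	if cfg.Moderate != remote.Moderate {
		diff["who_can_moderate_members"] = cfg.Moderate
	}
	if !skipDeprecated && cfg.Approve != remote.Approve {
		diff["who_can_approve_members"] = cfg.Approve
	}
	return diff
}

// apply models the server: writing one attribute rewrites its twin.
func apply(r Settings, diff map[string]string) Settings {
	if v, ok := diff["who_can_moderate_members"]; ok {
		r.Moderate, r.Approve = v, approveFor[v]
	}
	if v, ok := diff["who_can_approve_members"]; ok {
		r.Approve, r.Moderate = v, moderateFor[v]
	}
	return r
}

// roundsUntilClean counts plan/apply rounds before an empty plan; -1 means it never settles.
func roundsUntilClean(cfg Settings, skipDeprecated bool, max int) int {
	remote := Settings{Moderate: "OWNERS_AND_MANAGERS", Approve: defaultApprove}
	for i := 0; i < max; i++ {
		d := plan(cfg, remote, skipDeprecated)
		if len(d) == 0 {
			return i
		}
		remote = apply(remote, d)
	}
	return -1
}

func main() {
	cfg := Settings{Moderate: "NONE", Approve: defaultApprove} // Approve unset by user: schema default
	fmt.Println(roundsUntilClean(cfg, false, 10), roundsUntilClean(cfg, true, 10))
}
```

Under this model, each naive round silently swaps the group between "NONE" and the manager-approval default, so the effective membership-approval policy depends on how many times the configuration has been applied.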