Read-after-write consistency issue on google_tags_tag_key_iam_member with conditions

[jnahelou]

Description

When applying an IAM binding on a tag key resource (google_tags_tag_key_iam_member) that includes a condition block, the Terraform Google provider throws the following error:

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to google_tags_tag_key_iam_member.bindings, provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Root Cause

After investigating the provider traces, the issue stems from a read-after-write inconsistency:

• The resource is written using IAM Policy v3 (which supports conditions)
• The subsequent read is performed using IAM Policy v1 (which does not support conditions)

As a result, the condition block is not returned by the read response (instead a hash is added in role name), causing the provider to consider the resource as absent and throwing an inconsistent state error.

Reproduction case

The error is triggered when a condition block is defined on a google_tags_tag_key_iam_member resource:

resource "google_tags_tag_key_iam_member" "bindings" {
  member  = "serviceAccount:<redacted>"
  role    = "roles/resourcemanager.tagAdmin"
  tag_key = "tagKeys/<redacted>"

  condition {
    description = "Allow the IaC PF data service account to grant the tagUser role to any principal on projects it manages."
    expression  = "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\"roles/resourcemanager.tagUser\"])"
    title       = "only_taguser_delegation"
  }
}

Fix

The fix consists of explicitly requesting IAM Policy v3 in the getIamPolicy read request body, by adding the following payload:

{
  "options": {
    "requestedPolicyVersion": 3
  }
}

tags: fixed iam read-after-write consistency issue with conditions

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[github-actions]

Googlers: For automatic test runs see go/terraform-auto-test-runs.

@trodge, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 5 files changed, 337 insertions(+), 6 deletions(-))
google-beta provider: Diff ( 5 files changed, 337 insertions(+), 6 deletions(-))

[modular-magician]

Tests analytics

Total tests: 13
Passed tests: 12
Skipped tests: 0
Affected tests: 1

Click here to see the affected service packages

• tags

Action taken

Found 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccTags

Get to know how VCR tests work

[modular-magician]

🟢 Tests passed during RECORDING mode:
TestAccTags__tagBindingBasic [Debug log]
TestAccTags__tagBindingBasicDynamic [Debug log]
TestAccTags__tagBindingNamespaced [Debug log]
TestAccTags__tagKeyBasic [Debug log]
TestAccTags__tagKeyBasicWithAllowedValuesRegex [Debug log]
TestAccTags__tagKeyBasicWithPurposeDataGovernance [Debug log]
TestAccTags__tagKeyBasicWithPurposeGceFirewall [Debug log]
TestAccTags__tagKeyIamBinding [Debug log]
TestAccTags__tagKeyIamMember [Debug log]
TestAccTags__tagKeyIamPolicy [Debug log]
TestAccTags__tagKeyUpdate [Debug log]
TestAccTags__tagKeyUpdateAllowedValuesRegex [Debug log]
TestAccTags__tagValueBasic [Debug log]
TestAccTags__tagValueIamBinding [Debug log]
TestAccTags__tagValueIamMember [Debug log]
TestAccTags__tagValueIamPolicy [Debug log]
TestAccTags__tagValueUpdate [Debug log]
TestAccTags__tagsLocationTagBindingBasic [Debug log]
TestAccTags__tagsLocationTagBindingBasicDynamic [Debug log]
TestAccTags__tagsLocationTagBindingZonal [Debug log]
TestAccTags__tagsLocationTagBindingZonalDynamic [Debug log]
TestAccTags__tagsLocationTagBindingZonalNamespaced [Debug log]

🟢 No issues found for passed tests after REPLAYING rerun.

---

🟢 All tests passed!

View the build log or the debug log for each test

[github-actions]

@trodge This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.