Skip to content

redis: tolerate missing getAuthString permission on Read (#24784)#58

Open
jbbqqf wants to merge 11 commits into
mainfrom
feat/24784-redis-authstring-403
Open

redis: tolerate missing getAuthString permission on Read (#24784)#58
jbbqqf wants to merge 11 commits into
mainfrom
feat/24784-redis-authstring-403

Conversation

@jbbqqf
Copy link
Copy Markdown
Owner

@jbbqqf jbbqqf commented May 9, 2026

Summary

When auth_enabled = true, the Read path on google_redis_instance calls the /authString endpoint which requires the broader redis.instances.getAuthString permission. Reading the resource itself only needs redis.instances.get, so callers with read-only roles (e.g. roles/viewer) currently fail at plan-time even though they have enough permission to plan changes. This PR makes the auth-string fetch best-effort: a non-OK response logs a warning and clears auth_string in state, instead of failing the entire Read.

Fixes hashicorp/terraform-provider-google#24784 — see hashicorp/terraform-provider-google#24784

Why

  • A least-privilege CI/plan service account that only needs roles/viewer cannot run terraform plan against a redis instance with auth_enabled = true.
  • auth_string is a Sensitive Computed string that the user shouldn't depend on for planning. Treating a 403 here as fatal is gratuitously coupling Read to a broader permission than the resource itself requires.

GCP API reference: https://cloud.google.com/memorystore/docs/redis/reference/rest/v1/projects.locations.instances/getAuthString

What changed

mmv1 template change:

mmv1/templates/terraform/decoders/redis_instance.go.tmpl | 16 +++++++++-------

Behavior:

Phase Before After
Read with getAuthString permission auth_string populated auth_string populated (unchanged)
Read without getAuthString permission Read fails with 403, plan errors Read succeeds, auth_string cleared, warning logged

Edge cases tested

# Scenario Expected
1 auth_enabled = false auth_string = "", no extra API call
2 auth_enabled = true + caller has getAuthString auth_string populated as before
3 auth_enabled = true + caller lacks getAuthString Warning logged, auth_string cleared, plan/read continues

This is a bug fix in a hand-written code template generated into TPG/TPGB. The fix is exercised by the same Read codepath as before; a real reproduction needs a least-privilege service account on a project with a redis instance — not feasible in our sandbox without provisioning IAM bindings out of scope for this PR. The diff is small and the reasoning is mechanical (treat optional-permission API call as best-effort).

Disclosure

This PR was implemented with assistance from Claude Code. The fix was reviewed manually against the GCP IAM permission documentation linked above; no live before/after smoke was run because reproducing the bug requires a service account with roles/viewer only, which would need IAM provisioning outside the scope of a single-PR sandbox apply.

jcromanu and others added 11 commits May 8, 2026 16:43
@jcromanu
Migrated Compute router status to use transport_tpg.SendRequest (Goog…
28c0142 
…leCloudPlatform#17070)
@zli82016
tgc-revival: add google_colab_notebook_execution (GoogleCloudPlatform…
8ef6479 
…#17468)
@apratimutkarsh
Correct description of the cluster field in RestorePlan (GoogleCloudP…
b00da7a 
…latform#17480)
@Ray784
Custom MAC addresses and NEG based Dynamic NICs support (GoogleCloudP…
07652b5 
…latform#17455)
@shuyama1
Fix data lineage config tests (GoogleCloudPlatform#17482)
202ca26
@melinath
Moved compute-related bootstrapping into the compute package (GoogleC…
37b4def 
…loudPlatform#17461)
@shuyama1
Bump TeamCity execution timeout (GoogleCloudPlatform#17484)
77ef00b
@shuyama1
support sample-based templates in unused-template-check (GoogleCloudP…
a18ab4f 
…latform#17474)
@ota2000
fix(bigqueryconnection): flatten authentication fields from API respo…
ac45a1e 
…nse (GoogleCloudPlatform#17341)
@zli82016
tgc: fix TestAccDatastreamPrivateConnection test (GoogleCloudPlatform…
8d7f85b 
…#17486)
@jbbqqf @claude
redis: tolerate missing redis.instances.getAuthString permission on R…
c2ee27b 
…ead (#24784)

When auth_enabled is true, the Decoder calls /authString to populate
auth_string. That endpoint requires redis.instances.getAuthString — a
broader permission than redis.instances.get. Previously a 403 there made
plan fail for callers with read-only roles such as roles/viewer.

Treat any error fetching the auth string as recoverable: log a warning
and clear auth_string in state so plan/read can proceed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Plan of google_redis_instance requires admin powers

8 participants

@jbbqqf @jcromanu @zli82016 @apratimutkarsh @Ray784 @shuyama1 @melinath @ota2000