Updating image_family of bastion host results in a diff for iap_tunnel_instance_iam_binding
bharathkkb opened this issue · 4 comments
From #93
There is an issue with current `iam_binding` for IAP tunnel
Setup
A simple bastion module
Step to reproduce the issue
Update the `image_family` of the bastion and run `terraform apply`
Expected behavior
Running `terraform apply` once should make all necessary changes
Actual behavior
We need to run `terraform apply` twice.
- In the first `apply` run: terraform recreates resources, but then we receive an error when trying to connect to the bastion
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4033: 'not authorized'].
kex_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
- Thus we need to run `terraform apply` again and now we see a change to the resource
  # ... google_iap_tunnel_instance_iam_binding.enable_iap["foo-bastion us-central1-a"] will be updated in-place
  ~ resource "google_iap_tunnel_instance_iam_binding" "enable_iap" {
        id = "projects/my-project/iap_tunnel/zones/us-central1-a/instances/foo-bastion/roles/iap.tunnelResourceAccessor"
      ~ members = [
          + "group:devs@example.com",
        ]
        # (5 unchanged attributes hidden)
    }
After this `apply`, we can connect to the bastion again, evidently.
Summary
I tested with `iam_member` and it seems to solve the bug.
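A post-apply check for the drift reported above, as an added example that is not part of the original issue or the module's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports every IAP tunnel IAM resource that a follow-up plan would still change. The sample plan is constructed from the diff in the issue, and the `google_compute_instance.bastion_vm` address is hypothetical.

```python
import json

# Constructed sample: the shape of `terraform show -json <planfile>` output for
# the second plan in the issue (address, role and member taken from its diff).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": 'google_iap_tunnel_instance_iam_binding.enable_iap["foo-bastion us-central1-a"]',
            "type": "google_iap_tunnel_instance_iam_binding",
            "change": {
                "actions": ["update"],
                "before": {"role": "roles/iap.tunnelResourceAccessor", "members": []},
                "after": {"role": "roles/iap.tunnelResourceAccessor",
                          "members": ["group:devs@example.com"]},
            },
        },
        {
            "address": "google_compute_instance.bastion_vm",  # hypothetical address
            "type": "google_compute_instance",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ]
})

IAP_IAM_TYPES = {
    "google_iap_tunnel_instance_iam_binding",
    "google_iap_tunnel_instance_iam_member",
}

def iap_iam_drift(plan_json):
    """Return (address, members_to_add, members_to_remove) for each IAP
    tunnel IAM resource that the plan would still change."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") not in IAP_IAM_TYPES or change.get("actions") in (["no-op"], ["read"]):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        # iam_binding carries a `members` list, iam_member a single `member`.
        old = set(before.get("members") or filter(None, [before.get("member")]))
        new = set(after.get("members") or filter(None, [after.get("member")]))
        findings.append((rc["address"], sorted(new - old), sorted(old - new)))
    return findings

if __name__ == "__main__":
    for address, added, removed in iap_iam_drift(SAMPLE_PLAN):
        print(f"DRIFT {address}: +{added} -{removed}")
```

Run against a plan taken immediately after an apply, any finding means access through the tunnel does not yet match the configuration and another apply is pending.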
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
We're facing the same issue.