terraform-google-modules/terraform-google-bastion-host

Updating image_family of bastion host results in a diff for iap_tunnel_instance_iam_binding

bharathkkb opened this issue · 4 comments

From #93

There is an issue with current iam_binding for IAP tunnel

Setup
A simple bastion module

Steps to reproduce the issue
Update the image_family of the bastion and run terraform apply

Expected behavior
Running terraform apply once should make all the necessary changes

Actual behavior
We need to run terraform apply twice.

  • In the first apply run: terraform recreates resources, but then we receive an error when trying to connect to the bastion
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4033: 'not authorized'].
kex_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
  • Thus we need to run terraform apply again and now we see a change to the resource
# ... google_iap_tunnel_instance_iam_binding.enable_iap["foo-bastion us-central1-a"] will be updated in-place
~ resource "google_iap_tunnel_instance_iam_binding" "enable_iap" {
      id       = "projects/my-project/iap_tunnel/zones/us-central1-a/instances/foo-bastion/roles/iap.tunnelResourceAccessor"
    ~ members  = [
        + "group:devs@example.com",
      ]
      # (5 unchanged attributes hidden)
  }

After this apply, we can connect to the bastion again, evidently.

Summary
I tested with iam_member and it seems to solve the bug.
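
The two IAM forms discussed in this issue, side by side, as an added example (not the module's own code and not the reporter's configuration): a minimal bastion whose boot image follows a variable, the google_iap_tunnel_instance_iam_binding form that the report says drifts after the instance is replaced, and the google_iap_tunnel_instance_iam_member form the reporter found to survive the change. The project id, zone, instance name, group, image family and network are placeholder assumptions; the only facts taken from the issue are the resource types, the role and the member string.

```hcl
# Added example, not the terraform-google-bastion-host module's own code.
# Project, zone, names, group and image family below are assumptions.

variable "image_family" {
  type    = string
  default = "debian-11" # assumption; changing it forces a new boot disk
}

data "google_compute_image" "bastion" {
  family  = var.image_family
  project = "debian-cloud"
}

resource "google_compute_instance" "bastion" {
  name         = "foo-bastion"
  project      = "my-project"
  zone         = "us-central1-a"
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      # A new image here replaces the instance, which is the trigger
      # described in the issue.
      image = data.google_compute_image.bastion.self_link
    }
  }

  network_interface {
    network = "default"
    # No access_config block: no external IP, so the only way in is the
    # IAP TCP-forwarding tunnel.
  }
}

# Allow IAP's TCP-forwarding source range (35.235.240.0/20) to reach SSH.
# Without this, start-iap-tunnel fails regardless of the IAM policy.
resource "google_compute_firewall" "allow_iap_ssh" {
  name    = "allow-iap-ssh"
  project = "my-project"
  network = "default"

  source_ranges = ["35.235.240.0/20"]
  target_tags   = [] # assumption: applies to every instance on the network

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Form described in the issue as needing a second apply. It is
# authoritative for roles/iap.tunnelResourceAccessor on the instance: the
# members list is the whole list for that role. Kept commented out so the
# file does not manage the same role twice.
#
# resource "google_iap_tunnel_instance_iam_binding" "enable_iap" {
#   project  = google_compute_instance.bastion.project
#   zone     = google_compute_instance.bastion.zone
#   instance = google_compute_instance.bastion.name
#   role     = "roles/iap.tunnelResourceAccessor"
#   members  = ["group:devs@example.com"]
# }

# Form the reporter tested: one non-authoritative grant per member, so a
# member can be added or removed without owning the rest of the role.
resource "google_iap_tunnel_instance_iam_member" "enable_iap" {
  for_each = toset(["group:devs@example.com"])

  project  = google_compute_instance.bastion.project
  zone     = google_compute_instance.bastion.zone
  instance = google_compute_instance.bastion.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = each.value
}
```

To check that a single apply is enough, change var.image_family, run terraform apply once, then connect with `gcloud compute ssh foo-bastion --zone us-central1-a --tunnel-through-iap` as a member of the group; if the tunnel reports 4033 'not authorized', run terraform plan and look for an in-place update on the IAM resource, which is the drift the issue describes. The binding and member resources share the same role, so never keep both active for one instance: the authoritative binding would remove whatever the member resources add on the next apply.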

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

We're facing the same issue.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days