Provider produced inconsistent result after apply -- GoogleCloudPlatform/artifact-registry module #18500

Open
clearclaw opened this issue Jun 20, 2024 · 1 comment

clearclaw commented Jun 20, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.4.7
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v5.34.0
  • provider registry.terraform.io/hashicorp/google-beta v5.34.0

Affected Resource(s)

Artifact registry creation.

Terraform Configuration

terraform {
  required_version = "1.4.7"

  backend "gcs" {
    bucket = "XXX-terraform-state"
    prefix = "gcp/XXX/us-central1/knative-service-service"
  }

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "5.34.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "5.34.0"
    }
  }
}

provider "google" {
  project = "XXX"
  region  = "us-central1"
}

provider "google-beta" {
  project = "XXX"
  region  = "us-central1"
}

resource "google_kms_crypto_key" "containers-local-dev" {
  key_ring = "projects/XXX/locations/us-central1/keyRings/artifacts_us-central1"
  lifecycle {
    prevent_destroy = true
  }
  name            = "containers-local-dev"
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "345600s"
}

# Project lookup used to build the Artifact Registry service agent address below.
data "google_project" "current" {}

resource "google_kms_crypto_key_iam_member" "containers-local-dev" {
  crypto_key_id = google_kms_crypto_key.containers-local-dev.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

module "artifact_registry" {
  depends_on = [google_kms_crypto_key.containers-local-dev, google_kms_crypto_key_iam_member.containers-local-dev, ]
  source     = "GoogleCloudPlatform/artifact-registry/google"
  version    = "~> 0.2"

  description   = "Container registry for local/laptop development/testing."
  docker_config = { immutable_tags : true }
  # https://cloud.google.com/artifact-registry/docs/supported-formats
  format       = "docker"
  kms_key_name = google_kms_crypto_key.containers-local-dev.id
  location     = "us-central1"

  # Standard format: user:foo@bar, serviceAccount:blah@etc and so forth
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository_iam
  members = {
    writers = [
      "group:engineering-team@XXX",
    ]
  }
  mode          = "STANDARD_REPOSITORY"
  project_id    = "XXX"
  repository_id = "containers-local-dev"
}

Debug Output

https://gist.github.com/clearclaw/af66c63412752c6986fe4dc7da71d4f6

Expected Behavior

Successful artifact registry creation.

Actual Behavior

Failed with message claiming provider bug:

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ module.artifact_registry.google_artifact_registry_repository_iam_member.writers["group:engineering-team@XXX"],
│ provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value: Root resource was present,
│ but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

clearclaw added the bug label Jun 20, 2024
ggtisc self-assigned this Jun 21, 2024
ggtisc added the service/cloudkms and forward/review labels Jun 21, 2024

ggtisc (Collaborator) commented Jun 24, 2024

Hi @clearclaw!

After trying to replicate this issue, the result was successful, without errors. I suggest you check your private configurations and try the following configuration if you are using the google and google-beta providers, or check this provider guide and this Terraform registry example:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google-beta"
      version = "5.34.0"
    }
  }
}

resource "google_kms_key_ring" "kms_key_ring_18500" {
  name     = "kms-key-ring-18500"
  location = "us-central1"
}

resource "google_kms_crypto_key" "kms_crypto_key_18500" {
  key_ring = google_kms_key_ring.kms_key_ring_18500.id
  lifecycle {
    prevent_destroy = false
  }
  name            = "kms-crypto-key-18500"
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "345600s"
}

resource "google_kms_crypto_key_iam_member" "kms_crypto_key_iam_member_18500" {
  crypto_key_id = google_kms_crypto_key.kms_crypto_key_18500.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "user:[email protected]"
}

module "artifact_registry_18500" {
  depends_on = [google_kms_crypto_key.kms_crypto_key_18500, google_kms_crypto_key_iam_member.kms_crypto_key_iam_member_18500]
  source     = "GoogleCloudPlatform/artifact-registry/google"
  version    = "~> 0.2"

  description   = "Container registry for local/laptop development/testing."
  docker_config = { immutable_tags : true }
  # https://cloud.google.com/artifact-registry/docs/supported-formats
  format       = "docker"
  kms_key_name = google_kms_crypto_key.kms_crypto_key_18500.id
  location     = "us-central1"

  # Standard format: user:foo@bar, serviceAccount:blah@etc and so forth
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository_iam
  members = {
    writers = [
      "group:engineering-team@XXX",
    ]
  }
  mode          = "STANDARD_REPOSITORY"
  project_id    = "terraform-dev-gtiscareno-org"
  repository_id = "containers-local-dev"
}
