Fix a race condition when creating a new G Suite group #141
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thefirstofthe300
requested review from
aaron-lane,
adrienthebo and
morgante
as code owners
morgante
suggested changes
Feb 20, 2019
thefirstofthe300
force-pushed
the
master
branch
from
bccd7c2 to
6c6090c
Compare
When a new G Suite group is created to manage a project, `core_project_factory` would attempt to assign the group IAM permissions before the group was finished being created by the `gsuite_enabled` module. To fix this condition, an implicit dependency was added to the Terraform using the email attribute from the `gsuite_group` resource. Also, the `google_compute_default_service_account` resource depends on the Compute Engine API being enabled so it is possible for the fetch of the data resource to fail because it attempts to query the Compute Engine API before it is fully enabled. Adding an explicit dependency on the services being enabled fixes this issue.
thefirstofthe300
force-pushed
the
master
branch
from
6c6090c to
b709706
Compare
aaron-lane
approved these changes
Feb 20, 2019
morgante
approved these changes
Feb 21, 2019
thefirstofthe300
added a commit
to thefirstofthe300/terraform-google-project-factory
that referenced
this pull request
Feb 27, 2019
The default service account data resource currently uses a depends_on flag added to prevent a race condition in terraform-google-modules#141 Due to the way that Terraform refreshes data resources, Terraform thinks that the data resource has changed when in actuality it hasn't: hashicorp/terraform#11806 (comment) By changing to use a null data resource that interpolates the default service account email, the data resource will only change when the project number does.
thefirstofthe300
added a commit
to thefirstofthe300/terraform-google-project-factory
that referenced
this pull request
Feb 27, 2019
The default service account data resource currently uses a depends_on flag added to prevent a race condition in terraform-google-modules#141 Due to the way that Terraform refreshes data resources, Terraform thinks that the data resource has changed when in actuality it hasn't: hashicorp/terraform#11806 (comment) By changing to use a null data resource that interpolates the default service account email, the data resource will only change when the project number does.
thefirstofthe300
added a commit
to thefirstofthe300/terraform-google-project-factory
that referenced
this pull request
Feb 28, 2019
The default service account data resource currently uses a depends_on flag added to prevent a race condition in terraform-google-modules#141 Due to the way that Terraform refreshes data resources, Terraform thinks that the data resource has changed when in actuality it hasn't: hashicorp/terraform#11806 (comment) By changing to use a null data resource that interpolates the default service account email, the data resource will only change when the project number does.
thefirstofthe300
added a commit
to thefirstofthe300/terraform-google-project-factory
that referenced
this pull request
Feb 28, 2019
The default service account data resource currently uses a depends_on flag added to prevent a race condition in terraform-google-modules#141 Due to the way that Terraform refreshes data resources, Terraform thinks that the data resource has changed when in actuality it hasn't: hashicorp/terraform#11806 (comment) By changing to use a null data resource that interpolates the default service account email, the data resource will only change when the project number does.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a new G Suite group is created to manage a project,
core_project_factorywould attempt to assign the group IAM permissions before the group was finished being created by thegsuite_enabledmodule. To fix this condition, an implicit dependency was added to the Terraform using the email attribute from thegsuite_groupresource.Also, the
google_compute_default_service_accountresource depends on the Compute Engine API being enabled so it is possible for the fetch of the data resource to fail because it attempts to query the Compute Engine API before it is fully enabled. Adding an explicit dependency on the services being enabled fixes this issue.