fix(iam-admin): remove redundant IAM project service to prevent state conflict#13016
fix(iam-admin): remove redundant IAM project service to prevent state conflict#13016
Conversation
blakeli0
changed the title
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a 90-second delay using a time_sleep resource after enabling the IAM API to ensure it is fully operational before the service account is created. Feedback suggests adding a conditional count to the time_sleep resource so the delay only occurs when the API is actually being enabled by the Terraform configuration, preventing unnecessary wait times when the API is already active.
| resource "time_sleep" "for_90s_allowIamToFullyEnable" { | ||
| depends_on = [google_project_service.iam] | ||
| create_duration = "90s" | ||
| } |
There was a problem hiding this comment.
The time_sleep resource should only be active when the IAM API is being enabled by this Terraform configuration. As currently implemented, it will introduce a 90-second delay during the initial terraform apply even if should_enable_apis_on_apply is set to false. Adding a count to match the google_project_service.iam resource ensures the delay only occurs when the API is actually being managed and enabled here.
resource "time_sleep" "for_90s_allowIamToFullyEnable" {
count = var.inputs.should_enable_apis_on_apply ? 1 : 0
depends_on = [google_project_service.iam]
create_duration = "90s"
}
9d1b9de to
96390cc
Compare
blakeli0
force-pushed
the
fix/iam-admin-terraform-race
branch
from
96390cc to
424d2d8
Compare
blakeli0
changed the title
2 participants
Summary
This PR addresses a Terraform state conflict in the
java-iam-adminmodule's integration setup.Previously, both the root
.cloudmodule and thejava-iam-adminsubmodule were managing theiam.googleapis.comservice activation on the same project. In Terraform, managing the exact same physical cloud resource in multiple places within the state tree causes resource conflicts/fighting. This conflict was the root cause of the transient"Provider produced inconsistent result after apply"failures duringterraform apply.Since the root
.cloudmodule already managesiam.googleapis.comand introduces a 1-minute warmup sleep before applying any submodules,java-iam-admindoes not need to manage this API.This fix removes the redundant
google_project_service.iamactivation and its associated sleeps from the submodule, simplifying it to the minimum required resources to successfully and stably create the service account.Verification
java-iam-adminintegration setup faster.