Skip to content

IAM: fix resource identity imports for parents with multi-segment URIs#17652

Merged
BBBmau merged 3 commits into
GoogleCloudPlatform:mainfrom
BBBmau:fix-iam-resourceURI-identity-imports
May 22, 2026
Merged

IAM: fix resource identity imports for parents with multi-segment URIs#17652
BBBmau merged 3 commits into
GoogleCloudPlatform:mainfrom
BBBmau:fix-iam-resourceURI-identity-imports

Conversation

@BBBmau

@BBBmau BBBmau commented May 20, 2026

Copy link
Copy Markdown
Collaborator

Resource-identity imports for IAM resources (google_*_iam_member, etc.) were broken whenever the parent resource's identity attribute carried the full URI (e.g. projects/my-proj/locations/us-central1/instances/foo) rather than a bare name.

Explanation

Resource: google_cloud_run_v2_service_iam_member
UriFormat = "projects/%s/locations/%s/services/%s" (params: project, location, name).

Before

User runs:

import {
  to = google_cloud_run_v2_service_iam_member.foo
  identity = {
    name = "projects/my-proj/locations/us-central1/services/svc-42"
  }
}

ParseIamResourceIdentity applied GetResourceNameFromSelfLink to the last param, collapsing "projects/my-proj/locations/us-central1/services/svc-42""svc-42". project and location were empty, so import failed with "import identity is missing attribute \"project\"" even though the value was right there in the URI.

After

The function builds a regex from UriFormat:

^projects/(.+?)/locations/(.+?)/services/(.+)$

and matches it against any non-empty identity value. The full URI in name matches → captures ["my-proj", "us-central1", "svc-42"], which back-fill the empty project and location slots. Import succeeds.

Non-greedy detail

Non-final captures use (.+?) so they stop at the first literal separator that follows. Greedy (.+) would match the last occurrence and mis-split paths like organizations/123/sources/abc (where the parent itself contains /).

Release Note Template for Downstream PRs (will be copied)

See Write release notes for guidance.


@modular-magician

modular-magician commented May 20, 2026

Copy link
Copy Markdown
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit dba3be1:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository Diff Link Changes
google provider View Diff 1 file changed, 50 insertions(+), 6 deletions(-)
google-beta provider View Diff 1 file changed, 50 insertions(+), 6 deletions(-)

Test report

Analytics

Total Tests Passed Skipped Affected
6444 5771 657 16
Affected Service Packages
  • All service packages are affected

Learn how VCR tests work


Step 1: Replaying Mode

Action taken

Found 16 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

Click here to see the affected tests
  • TestAccApigeeEnvironmentIamMemberGenerated
  • TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
  • TestAccCloudRunService_cloudRunServiceGpuExample
  • TestAccContainerNodePool_withHostMaintenancePolicy
  • TestAccDataformConfig_update
  • TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
  • TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
  • TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
  • TestAccEphemeralServiceAccountKey_create
  • TestAccEphemeralServiceAccountKey_upload
  • TestAccHealthcareConsentStoreIamMemberGenerated
  • TestAccIapWebTypeAppEngineIamMemberGenerated
  • TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
  • TestAccPubsubSubscription_pubsubSubscriptionTagsExample
  • TestAccSourceRepoRepositoryIamMemberGenerated
  • TestAccVertexAIFeaturestoreEntitytypeIamMemberGenerated

View the replaying VCR build log


Step 2: Recording Mode

Recording Mode Replaying Rerun Test Name
✅ Log TestAccIapWebTypeAppEngineIamMemberGenerated
✅ Log TestAccSourceRepoRepositoryIamMemberGenerated
✅ Log ❌ Error · Log TestAccDataformConfig_update
✅ Log ❌ Error · Log TestAccEphemeralServiceAccountKey_create
✅ Log ❌ Error · Log TestAccEphemeralServiceAccountKey_upload
❌ Error · Log - TestAccApigeeEnvironmentIamMemberGenerated
❌ Error · Log - TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
❌ Error · Log - TestAccCloudRunService_cloudRunServiceGpuExample
❌ Error · Log - TestAccContainerNodePool_withHostMaintenancePolicy
❌ Error · Log - TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
❌ Error · Log - TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
❌ Error · Log - TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
❌ Error · Log - TestAccHealthcareConsentStoreIamMemberGenerated
❌ Error · Log - TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
❌ Error · Log - TestAccPubsubSubscription_pubsubSubscriptionTagsExample
❌ Error · Log - TestAccVertexAIFeaturestoreEntitytypeIamMemberGenerated

Caution

Issues requiring attention before PR completion

🔴 Initial Recording Failed: Some tests failed during the recording step. See the table above for details.

🔴 Replaying Rerun Failed: Some tests failed due to non-determinism when VCR replayed the response. See the table above for details.

Please address these issues to complete your PR. If you believe these detections are incorrect or unrelated to your change, please raise the concern with your reviewer.

View the recording VCR build log or the debug logs folder for detailed results.

@BBBmau VCR tests complete for dba3be1!

@modular-magician

modular-magician commented May 21, 2026

Copy link
Copy Markdown
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 3c53081:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository Diff Link Changes
google provider View Diff 1 file changed, 53 insertions(+), 6 deletions(-)
google-beta provider View Diff 1 file changed, 53 insertions(+), 6 deletions(-)

Test report

Analytics

Total Tests Passed Skipped Affected
6451 5784 657 10
Affected Service Packages
  • All service packages are affected

Learn how VCR tests work


Step 1: Replaying Mode

Action taken

Found 10 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

Click here to see the affected tests
  • TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
  • TestAccCloudRunService_cloudRunServiceGpuExample
  • TestAccContainerNodePool_withHostMaintenancePolicy
  • TestAccDataformConfig_update
  • TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
  • TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
  • TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
  • TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
  • TestAccProjectIamMemberRemove_memberInMultipleBindings
  • TestAccPubsubSubscription_pubsubSubscriptionTagsExample

View the replaying VCR build log


Step 2: Recording Mode

Recording Mode Replaying Rerun Test Name
✅ Log TestAccDataformConfig_update
✅ Log ❌ Error · Log TestAccProjectIamMemberRemove_memberInMultipleBindings
❌ Error · Log - TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
❌ Error · Log - TestAccCloudRunService_cloudRunServiceGpuExample
❌ Error · Log - TestAccContainerNodePool_withHostMaintenancePolicy
❌ Error · Log - TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
❌ Error · Log - TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
❌ Error · Log - TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
❌ Error · Log - TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
❌ Error · Log - TestAccPubsubSubscription_pubsubSubscriptionTagsExample

Caution

Issues requiring attention before PR completion

🔴 Initial Recording Failed: Some tests failed during the recording step. See the table above for details.

🔴 Replaying Rerun Failed: Some tests failed due to non-determinism when VCR replayed the response. See the table above for details.

Please address these issues to complete your PR. If you believe these detections are incorrect or unrelated to your change, please raise the concern with your reviewer.

View the recording VCR build log or the debug logs folder for detailed results.

@BBBmau VCR tests complete for 3c53081!

@BBBmau BBBmau changed the title IAM: derive regex from UriFormat for resource Identity test fixes IAM: fix resource identity imports for parents with multi-segment URIs May 21, 2026
@BBBmau BBBmau marked this pull request as ready for review May 21, 2026 20:23
@BBBmau BBBmau requested a review from shuyama1 May 21, 2026 20:23
@modular-magician

modular-magician commented May 21, 2026

Copy link
Copy Markdown
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 7367176:

Diff report

Your PR generated the following diffs in downstream repositories:

Repository Diff Link Changes
google provider View Diff 1 file changed, 50 insertions(+), 6 deletions(-)
google-beta provider View Diff 1 file changed, 50 insertions(+), 6 deletions(-)

Test report

Analytics

Total Tests Passed Skipped Affected
6459 5786 659 14
Affected Service Packages
  • All service packages are affected

Learn how VCR tests work


Step 1: Replaying Mode

Action taken

Found 14 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.

Click here to see the affected tests
  • TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
  • TestAccCloudRunService_cloudRunServiceGpuExample
  • TestAccComputeAutoscaler_autoscalerBasicExample
  • TestAccComputeAutoscaler_autoscalerSingleInstanceExample
  • TestAccComputeRegionAutoscaler_regionAutoscalerBasicExample
  • TestAccComputeRouterPeer_AddMd5AuthenticationKey
  • TestAccContainerNodePool_withHostMaintenancePolicy
  • TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
  • TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
  • TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
  • TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
  • TestAccProjectIamBinding_noMembers
  • TestAccProjectIamMemberRemove_memberInMultipleBindings
  • TestAccPubsubSubscription_pubsubSubscriptionTagsExample

View the replaying VCR build log


Step 2: Recording Mode

Recording Mode Replaying Rerun Test Name
✅ Log TestAccComputeAutoscaler_autoscalerBasicExample
✅ Log TestAccComputeAutoscaler_autoscalerSingleInstanceExample
✅ Log TestAccComputeRegionAutoscaler_regionAutoscalerBasicExample
✅ Log TestAccComputeRouterPeer_AddMd5AuthenticationKey
✅ Log ❌ Error · Log TestAccProjectIamMemberRemove_memberInMultipleBindings
❌ Error · Log - TestAccBeyondcorpAppConnection_beyondcorpAppConnectionBasicExample
❌ Error · Log - TestAccCloudRunService_cloudRunServiceGpuExample
❌ Error · Log - TestAccContainerNodePool_withHostMaintenancePolicy
❌ Error · Log - TestAccDataformRepository_dataformRepositoryWithCloudsourceRepoAndSshExample
❌ Error · Log - TestAccDataprocMetastoreService_dataprocMetastoreServicePrivateServiceConnectExample
❌ Error · Log - TestAccDiscoveryEngineDataStore_discoveryengineDatastoreKmsKeyNameExample
❌ Error · Log - TestAccManagedKafkaConnector_managedkafkaConnectorBasicExample
❌ Error · Log - TestAccProjectIamBinding_noMembers
❌ Error · Log - TestAccPubsubSubscription_pubsubSubscriptionTagsExample

Caution

Issues requiring attention before PR completion

🔴 Initial Recording Failed: Some tests failed during the recording step. See the table above for details.

🔴 Replaying Rerun Failed: Some tests failed due to non-determinism when VCR replayed the response. See the table above for details.

Please address these issues to complete your PR. If you believe these detections are incorrect or unrelated to your change, please raise the concern with your reviewer.

View the recording VCR build log or the debug logs folder for detailed results.

@BBBmau, @shuyama1 VCR tests complete for 7367176!

@shuyama1 shuyama1 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like resource identity failure in TestAccProjectIamBinding_noMembers is addressed by #17672

The rest VCR failures are unrelated.

The re-replaying failure is due to non-determinism, but not introduced by this PR, so non-blocking

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants