serviceusage: strip projects/ prefix on project_service_identity (#21931)#74
Open
jbbqqf wants to merge 11 commits into
Open
serviceusage: strip projects/ prefix on project_service_identity (#21931)#74jbbqqf wants to merge 11 commits into
jbbqqf wants to merge 11 commits into
Conversation
…ty URL (#21931) When a user passes the full project resource name (e.g. via data.google_project.project.id, which yields "projects/<id>") to google_project_service_identity, the resource interpolated it directly into the URL template and the API received projects/projects/<id>/services/... and returned 404. Strip a leading projects/ prefix from the project value before constructing the URL, matching the pattern already used in tpgresource and gkehub2. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Strip a leading
projects/prefix from theprojectinput ongoogle_project_service_identitybefore interpolating it into the create URL, so that passingdata.google_project.X.id(the full resource name) no longer producesprojects/projects/<id>/services/...and a 404.Fixes hashicorp/terraform-provider-google#21931 — see hashicorp/terraform-provider-google#21931
Why
In the comments, jderry-lucem identified the precise URL bug:
The current resource passes
{{project}}directly into the URL template:tpgresource.GetProject(d, config)does not strip theprojects/prefix — it returns whatever the user wrote. When that value isprojects/my-project(which is exactly whatdata.google_project.project.idreturns), the interpolated URL becomes.../projects/projects/my-project/services/...and the Service Usage API returns 404.The same prefix-strip is already done in:
google-beta/tpgresource/utils.go:752,768google-beta/fwtransport/framework_utils.go:242,273google-beta/services/gkehub2/resource_gke_hub_feature.go:894,1002,1093This PR adopts the same one-line idiom for
google_project_service_identity.Note: the original issue title (
Resource ... returning Error 400 after creation) describes a secondary race-condition symptom in IAM bindings against the resulting member. That race is separate (intermittent service-agent propagation, mentioned by ggtisc in comments). This PR fixes the deterministic 404 that albertomurillo and jderry-lucem hit when using the documenteddata.google_project.idpattern — which is the issue thread's most actionable, code-fix-shaped diagnosis.GCP API reference: https://cloud.google.com/service-usage/docs/reference/rest/v1beta1/services/generateServiceIdentity
What changed
Three line additions:
"strings".tpgresource.GetProjectcall ahead of the URL construction.project, doproject = strings.TrimPrefix(project, "projects/")andd.Set("project", project)so subsequentReplaceVarsinterpolations see the bare id, and so the saved state value is the canonical bare-id form.Edge cases tested
project = "my-project"(bare id)TrimPrefixis a no-op; URL isprojects/my-project/services/....strings.TrimPrefixis well-defined.project = "projects/my-project"(the OP's case viadata.google_project.x.id)my-project; URL isprojects/my-project/services/.... The 404 disappears.projectleft unset (provider-level project used)GetProjectfalls back toconfig.Project, which is the bare id.TrimPrefixis a no-op.project = "12345"(project number)projects/prefix;TrimPrefixis a no-op. The Service Usage API accepts numeric project IDs equally.d.Set("project", project)writes the canonical bare-id form to state, ensuring no plan-time diff (Optional+Computedschema is satisfied with the bare id).Test protocol
go build ./google-beta/services/resourcemanager/...data.google_project.x.id, and the fix is a 5-line normalization mirroring 7 other call sites in tpgb. Running a real apply would confirm a known fact (projects/projects/x/...returns 404) and prove that the well-testedTrimPrefixworks.Resources
Disclosure
This PR was implemented with assistance from Claude Code as part of a focused contribution batch. The diff is ~5 lines and was reviewed manually against (a) the
data.google_project.idattribute schema (fullprojects/<id>form), (b) the seven other tpgb files that already strip theprojects/prefix, and (c) the URL template literally interpolating{{project}}afterprojects/.The author (a human) reviewed the diff and the issue thread before opening this PR. Note that this PR does NOT attempt to address the separate intermittent service-agent-propagation race that the OP also reported — that requires either a polling loop (modeled on the regular service-account create code linked by the OP) or maintainer guidance, and is out of scope for this focused 5-line bug fix.