GCP provider and etags

Hi everyone,

I’m facing a subtle but annoying behaviour every time i run a terraform plan.
It keeps modifying etag argument

  ~ resource "google_project_iam_member" "my_iam_member" {
      ~ etag    = "BwXE3hebQlI=" -> "BwXFhX/Yo1g="

this argument is not supported in the doc as it can be seen here:

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#argument-reference

but is exported:

etag - (Computed) The etag of the project’s IAM policy.

Any ideas about how to solve it?

> terraform version
Terraform v1.0.1
on darwin_arm64
                                                                                                                                                         

terraform {
  required_version = "1.0.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.74.0"
    }

Thanks in advance

3 Likes

Same here
image

I have been seeing this with multiple providers for a bit now. Makes Atlantis much harder to use with all of the spurious output.

I’m seeing this as well, though I used to use the same resource without this problem happening so consistently.

This problem with nearly constantly changing etags persists for me. This happens with “google_project_iam_member” most often.

resource "google_project_iam_member" "project_roles" {
  # Creat a flat map with keys of the form `<role>=<member>` for use in the for_each
  for_each = { for pair in local.project_roles : "${pair.role}=${pair.member}" => pair }
  project  = var.project
  role     = each.value.role
  member   = each.value.member
}

That code seems to be the culprit computing a new set of roles to compare which may or may not have matching etags. When etags do’t match I get the predictable, and sometimes long string of these:

  ~ resource "google_project_iam_member" "project_roles" {
      ~ etag    = "BwXnKF8Pz8U=" -> "BwXnKLIJRsk="

is there a way to prevent this happening?