Issue with google_bigquery_dataset in Terraform state

Hello,

I’ve created a dataset on GCP using the Terraform resource google_bigquery_dataset.
On the GCP console, I can see some permissions were given but I don’t know where they come from.
So, I’ve inspected the Terraform state, and I can see these permissions in the access list of the google_bigquery_dataset resource:

"module": "module.MY_MODULE",
"mode": "managed",
"type": "google_bigquery_dataset",
"name": "dataset",
"provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
"instances": [
  {
    "schema_version": 0,
    "attributes": {
      "access": [
        {
          "dataset": ,
          "domain": "",
          "group_by_email": "",
          "iam_member": "My_User_1",
          "role": "My_Role_1",
          "routine": ,
          "special_group": "",
          "user_by_email": "",
          "view":
        },
        {
          "dataset": ,
          "domain": "",
          "group_by_email": "",
          "iam_member": "My_User_2",
          "role": "My_Role_2",
          "routine": ,
          "special_group": "",
          "user_by_email": "",
          "view":
        }

I’ve tried to remove the block containing My_User_2 from the state and push it back (to keep only permissions of My_User_1).
When I try to run a new plan on the workspace, it’s detecting a drift in the dataset:

{"@level":"info","@message":"module.MY_MODULE.google_bigquery_dataset.dataset: Drift detected (update)","@module":"terraform.ui","@timestamp":"2024-12-16T13:59:15.236917Z","change":{"resource":{"addr":"module.MY_MODULE.google_bigquery_dataset.dataset","module":"module.MY_DATASET","resource":"google_bigquery_dataset.dataset","implied_provider":"google","resource_type":"google_bigquery_dataset","resource_name":"dataset","resource_key":null},"action":"update"},"type":"resource_drift"}

But in the end it’s not making any changes to the resource:

{"@level":"info","@message":"Plan: 0 to add, 0 to change, 0 to destroy.","@module":"terraform.ui","@timestamp":"2024-12-16T13:59:15.237064Z","changes":{"add":0,"change":0,"remove":0,"operation":"plan"},"type":"change_summary"}

I was expecting Terraform to change the resource in order to remove the permission on GCP.

Am I wrong or am I missing something?

Thank you in advance,
Regards

You removed from the state, or from the code?

When the state is refreshed, it will get whatever permissions are actually defined in GCP.

BQ permissions are a little wacky, especially because there are usually permissions granted to whoever created a dataset (for any manually created ones), and some other special group type permissions for project level roles.

I would personally take the approach of defining all the (non-inherited or project wide) permissions you need for the dataset in the Terraform code, and letting Terraform do whatever it wants to get reality to match that. Sometimes the plan may be a bit hard to read, but it should get you to the right end result eventually.
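
Before declaring every grant in code as suggested above, it helps to list which access entries the refreshed state holds that the code does not declare. The following is an added example, not code from the thread: it reads state JSON shaped like the excerpt in the question (for example from `terraform state pull`); the sample state, the `DECLARED` set and the function names are constructed for illustration, and the empty `view` lists are an assumption.

```python
import json

# Keys of an access entry that name a principal, as in the state excerpt above.
# Authorized-resource entries (view, dataset, routine) carry no role and are skipped.
PRINCIPAL_KEYS = ("iam_member", "user_by_email", "group_by_email",
                  "special_group", "domain")

def dataset_grants(state):
    """Yield (address, role, kind, principal) for each dataset access entry."""
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "google_bigquery_dataset":
            continue
        addr = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            for entry in inst.get("attributes", {}).get("access") or []:
                for key in PRINCIPAL_KEYS:
                    if entry.get(key):  # unset principals are stored as ""
                        yield addr, entry.get("role", ""), key, entry[key]

def undeclared_grants(state, declared):
    """Return grants found in state but missing from the declared set."""
    return sorted(g for g in dataset_grants(state) if g[1:] not in declared)

# Constructed sample: two grants from the question plus a project-level
# special group entry of the kind the reply mentions.
SAMPLE_STATE = json.loads("""
{"resources": [{
  "module": "module.MY_MODULE", "mode": "managed",
  "type": "google_bigquery_dataset", "name": "dataset",
  "instances": [{"schema_version": 0, "attributes": {"access": [
    {"iam_member": "My_User_1", "role": "My_Role_1",
     "special_group": "", "user_by_email": "", "view": []},
    {"iam_member": "My_User_2", "role": "My_Role_2",
     "special_group": "", "user_by_email": "", "view": []},
    {"iam_member": "", "role": "OWNER",
     "special_group": "projectOwners", "user_by_email": "", "view": []}
  ]}}]
}]}
""")

# Hypothetical set of (role, kind, principal) grants declared in the Terraform code.
DECLARED = {("My_Role_1", "iam_member", "My_User_1")}

if __name__ == "__main__":
    for addr, role, kind, principal in undeclared_grants(SAMPLE_STATE, DECLARED):
        print(f"{addr}: {role} -> {kind}={principal} is not declared in code")
```

Each reported entry is either a grant to add to the code or one to let Terraform remove once the access list is fully declared.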