Terraform with GCP Bigquery - explicit dataset access issue

This is regarding deploying GCP Bigquery dataset with Terraform 0.12.19 version CLI command.
While deploying, I found that terraform is removing dataset access from project level if I explicitly allow access to another user at dataset level through terraform CLI. The same is not happening with GCP Console CLI.
I am describing the scenario below.
I have a GCP project named “X” and under that I have below users/service Account with project level roles assigned in IAM.

  1. 1st user email address with Project OWNER role assigned.
  2. 2nd user email address with Project Viewer role assigned.
  3. A Service Account with OWNER role assigned.

I am using the same SA which has OWNER role at project level to deploy the dataset from Terraform CLI.

I observed that once the below code was executed and deployed, the 2nd user with project level Viewer role lost the access to the dataset. That user cannot see any tables under the deployed dataset. Only the assigned user/SA can access the dataset/tables.
I am using “bigquery.googleapis.com” GCP API here.

Is this a bug in Terraform/GCP Bigquery API? Kindly check and confirm. This is impacting my production deployment as I am stuck here.

Here is the sample code I am following:

```hcl
resource "google_bigquery_dataset" "my-bigquery-dataset" {
  project       = "X"
  dataset_id    = "my_ds"
  friendly_name = "dataset:my_ds"
  description   = "This is the dataset:my_ds"
  location      = "US"

  labels = {
    airid = "111"
    env   = "prod"
  }

  access {
    role          = "roles/bigquery.admin"
    user_by_email = "${data.google_service_account.admin_sa.email}" # Assigning bigquery admin role to SA
  }

  access {
    role          = "roles/bigquery.dataViewer"
    user_by_email = "1st_user_email_addess" # Assigning dataset-level Viewer access to 1st user, who already has OWNER access at project level
  }
}
```

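Added example, not part of the original post: BigQuery adds its default dataset access entries (`projectOwners`, `projectWriters`, `projectReaders`) only when a dataset is created without an explicit access list, and the `access` blocks on `google_bigquery_dataset` define the whole list. The variant below re-declares those defaults next to the explicit grants from the post; the service account id `bq-admin` is an assumed placeholder.

```hcl
# Assumed data source for the deploying service account; "bq-admin" is a placeholder id.
data "google_service_account" "admin_sa" {
  project    = "X"
  account_id = "bq-admin"
}

resource "google_bigquery_dataset" "my-bigquery-dataset" {
  project    = "X"
  dataset_id = "my_ds"
  location   = "US"

  # Explicit grants, with the roles used in the post.
  access {
    role          = "roles/bigquery.admin"
    user_by_email = data.google_service_account.admin_sa.email
  }

  access {
    role          = "roles/bigquery.dataViewer"
    user_by_email = "1st_user_email_addess"
  }

  # Default entries BigQuery would have added if no access list were supplied.
  # Declaring them keeps project-level Owners, Editors and Viewers on the dataset.
  access {
    role          = "OWNER"
    special_group = "projectOwners"
  }

  access {
    role          = "WRITER"
    special_group = "projectWriters"
  }

  # This entry is what lets a project-level Viewer see the dataset's tables.
  access {
    role          = "READER"
    special_group = "projectReaders"
  }
}
```

After `terraform apply`, `bq show --format=prettyjson X:my_ds` prints the resulting `access` array, so the entries on the dataset can be compared against the blocks declared here. Leave out any `special_group` block whose project-level audience should not reach this dataset.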