Fix permadiff when schema is unchanged for a google_bigquery_table with row access policies (#15764)

Author: wj-chen

mmv1/third_party/terraform/services/bigquery/resource_bigquery_table.go.tmpl

@@ -351,20 +351,19 @@ func resourceBigQueryTableSchemaIsChangeable(old, new interface{}, isExternalTab
 				sameNameColumns += 1
 			}
 		}
-		// in-place column dropping alongside column additions is not allowed
-		// as of now because user intention can be ambiguous (e.g. column renaming)
-		newColumns := len(arrayNew) - sameNameColumns
-		isSchemaChangeable := (droppedColumns == 0) || (newColumns == 0)
-		if isSchemaChangeable && topLevel {
+		// In-place column dropping is not supported when there are row access
+		// policies on the table.
+		hasDroppedColumns := droppedColumns > 0
+		if hasDroppedColumns && topLevel {
 			hasRowAccessPolicy, err := hasRowAccessPolicyFunc()
-			if err != nil {
-				// Default behavior when we can't get row access policies data.
-				return isSchemaChangeable, nil
-			}
-			if hasRowAccessPolicy {
-				isSchemaChangeable = false
+			if err == nil && hasRowAccessPolicy {
+				return false, nil
 			}
 		}
+		// In-place column dropping alongside column additions is not allowed
+		// as of now because user intention can be ambiguous (e.g. column renaming)
+		newColumns := len(arrayNew) - sameNameColumns
+		isSchemaChangeable := (droppedColumns == 0) || (newColumns == 0)
 		return isSchemaChangeable, nil
 	case map[string]interface{}:
 		objectOld := old.(map[string]interface{})

mmv1/third_party/terraform/services/bigquery/resource_bigquery_table_test.go

@@ -1802,6 +1802,34 @@ func TestAccBigQueryTable_invalidSchemas(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryTable_schemaUnchangedWithRowAccessPolicy(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id": envvar.GetTestProjectFromEnv(),
+		"dataset_id": fmt.Sprintf("tf_test_dataset_%s", acctest.RandString(t, 10)),
+		"table_id":   fmt.Sprintf("tf_test_table_%s", acctest.RandString(t, 10)),
+		"policy_id":  fmt.Sprintf("tf_test_policy_%s", acctest.RandString(t, 10)),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryTableDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryTableWithSchemaAndRowAccessPolicy(context),
+			},
+			{
+				ResourceName:            "google_bigquery_table.test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection", "ignore_auto_generated_schema", "generated_schema_columns"},
+			},
+		},
+	})
+}
+
 func TestAccBigQueryTable_schemaColumnDropWithRowAccessPolicy(t *testing.T) {
 	t.Parallel()