Use updated policy to update, not empty policy for DEPRIVILEGE (#4293) (#2771)

modular-magician · web-flow · commit c78d1c35f284 · 2020-12-10T10:09:05.000-08:00
Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/4293.txt b/.changelog/4293.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+project: fixed a bug where `google_project_default_service_accounts` would delete all IAM bindings on a project when run with `action = "DEPRIVILEGE"`
+```
diff --git a/google-beta/resource_google_project_default_service_accounts.go b/google-beta/resource_google_project_default_service_accounts.go
@@ -119,7 +119,11 @@ func resourceGoogleProjectDefaultServiceAccountsDoAction(d *schema.ResourceData,
 			}
 			bind.Members = newMembers
 		}
-		_, err = config.NewResourceManagerClient(userAgent).Projects.SetIamPolicy(project, &cloudresourcemanager.SetIamPolicyRequest{}).Do()
+		updateRequest := &cloudresourcemanager.SetIamPolicyRequest{
+			Policy:     iamPolicy,
+			UpdateMask: "bindings,etag,auditConfigs",
+		}
+		_, err = config.NewResourceManagerClient(userAgent).Projects.SetIamPolicy(project, updateRequest).Do()
 		if err != nil {
 			return fmt.Errorf("cannot update IAM policy on project %s: %v", project, err)
 		}
@@ -139,7 +143,7 @@ func resourceGoogleProjectDefaultServiceAccountsCreate(d *schema.ResourceData, m
 	pid := d.Get("project").(string)
 	action := d.Get("action").(string)
 
-	serviceAccounts, err := resourceGoogleProjectDefaultServiceAccountsList(config, d, userAgent)
+	serviceAccounts, err := listServiceAccounts(config, d, userAgent)
 	if err != nil {
 		return fmt.Errorf("error listing service accounts on project %s: %v", pid, err)
 	}
@@ -164,7 +168,7 @@ func resourceGoogleProjectDefaultServiceAccountsCreate(d *schema.ResourceData, m
 	return nil
 }
 
-func resourceGoogleProjectDefaultServiceAccountsList(config *Config, d *schema.ResourceData, userAgent string) ([]*iam.ServiceAccount, error) {
+func listServiceAccounts(config *Config, d *schema.ResourceData, userAgent string) ([]*iam.ServiceAccount, error) {
 	pid := d.Get("project").(string)
 	response, err := config.NewIamClient(userAgent).Projects.ServiceAccounts.List(prefixedProject(pid)).Do()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+project: fixed a bug where `google_project_default_service_accounts` would delete all IAM bindings on a project when run with `action = "DEPRIVILEGE"`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,11 @@ func resourceGoogleProjectDefaultServiceAccountsDoAction(d *schema.ResourceData,`
`119`	`119`	`}`
`120`	`120`	`bind.Members = newMembers`
`121`	`121`	`}`
`122`		`- _, err = config.NewResourceManagerClient(userAgent).Projects.SetIamPolicy(project, &cloudresourcemanager.SetIamPolicyRequest{}).Do()`
	`122`	`+ updateRequest := &cloudresourcemanager.SetIamPolicyRequest{`
	`123`	`+ Policy: iamPolicy,`
	`124`	`+ UpdateMask: "bindings,etag,auditConfigs",`
	`125`	`+ }`
	`126`	`+ _, err = config.NewResourceManagerClient(userAgent).Projects.SetIamPolicy(project, updateRequest).Do()`
`123`	`127`	`if err != nil {`
`124`	`128`	`return fmt.Errorf("cannot update IAM policy on project %s: %v", project, err)`
`125`	`129`	`}`
`@@ -139,7 +143,7 @@ func resourceGoogleProjectDefaultServiceAccountsCreate(d *schema.ResourceData, m`
`139`	`143`	`pid := d.Get("project").(string)`
`140`	`144`	`action := d.Get("action").(string)`
`141`	`145`
`142`		`- serviceAccounts, err := resourceGoogleProjectDefaultServiceAccountsList(config, d, userAgent)`
	`146`	`+ serviceAccounts, err := listServiceAccounts(config, d, userAgent)`
`143`	`147`	`if err != nil {`
`144`	`148`	`return fmt.Errorf("error listing service accounts on project %s: %v", pid, err)`
`145`	`149`	`}`
`@@ -164,7 +168,7 @@ func resourceGoogleProjectDefaultServiceAccountsCreate(d *schema.ResourceData, m`
`164`	`168`	`return nil`
`165`	`169`	`}`
`166`	`170`
`167`		`-func resourceGoogleProjectDefaultServiceAccountsList(config Config, d schema.ResourceData, userAgent string) ([]*iam.ServiceAccount, error) {`
	`171`	`+func listServiceAccounts(config Config, d schema.ResourceData, userAgent string) ([]*iam.ServiceAccount, error) {`
`168`	`172`	`pid := d.Get("project").(string)`
`169`	`173`	`response, err := config.NewIamClient(userAgent).Projects.ServiceAccounts.List(prefixedProject(pid)).Do()`
`170`	`174`	`if err != nil {`