fix(bigquery_dataset): fixed handling of non-legacy roles for access … (#14569) (#23898)

[upstream:dc6120220bbbc7ec562d19e920333441d3093460]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14569.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+bigquery: fixed handling of non-legacy roles for access block inside `google_bigquery_dataset`
+```

google/services/bigquery/resource_bigquery_dataset.go

@@ -38,6 +38,12 @@ import (
 
 const datasetIdRegexp = `^[0-9A-Za-z_]+$`
 
+var bigqueryDatasetAccessPrimitiveToRoleMap = map[string]string{
+	"OWNER":  "roles/bigquery.dataOwner",
+	"WRITER": "roles/bigquery.dataEditor",
+	"READER": "roles/bigquery.dataViewer",
+}
+
 func validateDatasetId(v interface{}, k string) (ws []string, errors []error) {
 	value := v.(string)
 	if !regexp.MustCompile(datasetIdRegexp).MatchString(value) {
@@ -62,6 +68,31 @@ func validateDefaultTableExpirationMs(v interface{}, k string) (ws []string, err
 	return
 }
 
+// bigqueryDatasetAccessHash is a custom hash function for the access block.
+// It normalizes the 'role' field before hashing, treating legacy roles
+// and their modern IAM equivalents as the same.
+func resourceBigqueryDatasetAccessHash(v interface{}) int {
+	m, ok := v.(map[string]interface{})
+	if !ok {
+		return 0
+	}
+	// Make a copy of the map to avoid modifying the underlying data.
+	copy := make(map[string]interface{}, len(m))
+	for k, val := range m {
+		copy[k] = val
+	}
+
+	// Normalize the role if it exists and matches a legacy role.
+	if role, ok := copy["role"].(string); ok {
+		if newRole, ok := bigqueryDatasetAccessPrimitiveToRoleMap[role]; ok {
+			copy["role"] = newRole
+		}
+	}
+
+	// Use the default HashResource function on the (potentially modified) copy.
+	return schema.HashResource(bigqueryDatasetAccessSchema())(copy)
+}
+
 func ResourceBigQueryDataset() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceBigQueryDatasetCreate,
@@ -101,7 +132,7 @@ underscores (_). The maximum length is 1,024 characters.`,
 				Optional:    true,
 				Description: `An array of objects that define dataset access for one or more entities.`,
 				Elem:        bigqueryDatasetAccessSchema(),
-				// Default schema.HashSchema is used.
+				Set:         resourceBigqueryDatasetAccessHash,
 			},
 			"default_collation": {
 				Type:     schema.TypeString,
@@ -1034,7 +1065,7 @@ func flattenBigQueryDatasetAccess(v interface{}, d *schema.ResourceData, config
 		return v
 	}
 	l := v.([]interface{})
-	transformed := schema.NewSet(schema.HashResource(bigqueryDatasetAccessSchema()), []interface{}{})
+	transformed := schema.NewSet(resourceBigqueryDatasetAccessHash, []interface{}{})
 	for _, raw := range l {
 		original := raw.(map[string]interface{})
 		if len(original) < 1 {

google/services/bigquery/resource_bigquery_dataset_generated_test.go

@@ -70,7 +70,7 @@ resource "google_bigquery_dataset" "dataset" {
   }
 
   access {
-    role          = "OWNER"
+    role          = "roles/bigquery.dataOwner"
     user_by_email = google_service_account.bqowner.email
   }
 

website/docs/r/bigquery_dataset.html.markdown

@@ -55,7 +55,7 @@ resource "google_bigquery_dataset" "dataset" {
   }
 
   access {
-    role          = "OWNER"
+    role          = "roles/bigquery.dataOwner"
     user_by_email = google_service_account.bqowner.email
   }