Permadiff on google_org_policy_policy resource

[matalo33]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

1.2.6

Affected Resource(s)

• google_org_policy_policy

Terraform Configuration Files

resource "google_org_policy_policy" "vm_external_ip_access" {
  name   = "organizations/${local.google_organization_id}/policies/constraints/compute.vmExternalIpAccess"
  parent = "organizations/${local.google_organization_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }

    rules {
      allow_all = "TRUE"
      condition {
        expression = "resource.matchTagId('tagKeys/123', 'tagValues/456')"
        title      = "Allow when compute-external-ip tag is set to allowed"
      }
    }
  }
}

Expected behaviour

No changes

Actual behaviour

permadiff - the ordering of the two rules are continuously swapped in each plan & apply

  # google_org_policy_policy.vm_external_ip_access will be updated in-place
  ~ resource "google_org_policy_policy" "vm_external_ip_access" {
        id     = "organizations/999/policies/compute.vmExternalIpAccess"
        name   = "organizations/999/policies/constraints/compute.vmExternalIpAccess"
        # (1 unchanged attribute hidden)

      ~ spec {
            # (4 unchanged attributes hidden)

          ~ rules {
              - allow_all = "TRUE" -> null
              + deny_all  = "TRUE"

              - condition {
                  - expression = "resource.matchTagId('tagKeys/123', 'tagValues/456')" -> null
                  - title      = "Allow when compute-external-ip tag is set to allowed" -> null
                }
            }
          ~ rules {
              + allow_all = "TRUE"
              - deny_all  = "TRUE" -> null

              + condition {
                  + expression = "resource.matchTagId('tagKeys/123', 'tagValues/456')"
                  + title      = "Allow when compute-external-ip tag is set to allowed"
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

1. terraform plan
2. terraform apply

b/300616619

[matalo33]

I slept on this and realised I can get the same result with only one rule. This will apply the deny rule UNLESS the tag is present.

resource "google_org_policy_policy" "vm_external_ip_access" {
  name   = "organizations/${local.google_organization_id}/policies/constraints/compute.vmExternalIpAccess"
  parent = "organizations/${local.google_organization_id}"

  spec {
    rules {
      deny_all = "TRUE"
      condition {
        expression = "!resource.matchTagId('tagKeys/123', 'tagValues/456')"
        title      = "Deny unless compute-external-ip tag is set to allowed"
      }
    }
  }
}

But unless I was doing something very wrong beforehand this still feels like a possible bug in the resource. Having multiple rules is permitted and their ordering should not matter, so far as I understand it

[slevenick]

Filed b/244225718

[nphilbrook]

Can confirm we have started noticing this on our policies as well.

[LiuVII]

Does the condition for this policy constraint even work for you?
With a policy defined like that (well, I have a different id and value for tag ofc), I'm getting errors for VMs that have the tag defined when trying to assign an external IP that says that the policy denies external IP and also checking the effective policy there are no conditions mentioned.

[gm-ons]

I've seen this issue recently when testing tag based conditional policy on boolean org constraints.
Terraform Version 1.9.7
GCP provider 6.7.0

[Ludovic-Emo-Pyl-Tech]

@gm-ons We are also encountering the issue with permadiff when using tag-based conditional policies on boolean organization constraints. Terraform consistently attempts to add an empty condition block to the non-tag rule, which causes unexpected behavior.

Looking forward to any insights or potential workarounds.

~ rules {
# (1 unchanged attribute hidden
+ condition {}
}