From 1958f176e4ce0f33a50ddcbeb5b534174d160509 Mon Sep 17 00:00:00 2001 From: Daniel Seymour Date: Fri, 15 Feb 2019 00:37:41 -0800 Subject: [PATCH] Fix two race conditions When a new G Suite group is created to manage a project, `core_project_factory` would attempt to assign the group IAM permissions before the group was finished being created by the `gsuite_enabled` module. To fix this condition, an implicit dependency was added to the Terraform using the email attribute from the `gsuite_group` resource. Also, the `google_compute_default_service_account` resource depends on the Compute Engine API being enabled so it is possible for the fetch of the data resource to fail because it attempts to query the Compute Engine API before it is fully enabled. Adding an explicit dependency on the services being enabled fixes this issue. --- modules/gsuite_enabled/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/gsuite_enabled/main.tf b/modules/gsuite_enabled/main.tf index 0a4801836..e6b02268f 100644 --- a/modules/gsuite_enabled/main.tf +++ b/modules/gsuite_enabled/main.tf @@ -55,7 +55,7 @@ resource "gsuite_group_member" "api_s_account_api_sa_group_member" { module "project-factory" { source = "../core_project_factory/" - group_email = "${module.gsuite_group.email}" + group_email = "${gsuite_group.group.email}" group_role = "${var.group_role}" lien = "${var.lien}" manage_group = "${var.group_name != "" || var.create_group}"