1
votes

I ran the following Terraform. I made the mistake of using google_storage_bucket_iam_policy instead of google_storage_bucket_iam_binding, so instead of adding a new policy, it replaced all of the existing policy.

data "google_iam_policy" "deploy-script-admin-policy" {
  binding {
    role = "roles/storage.objectAdmin"
    members = [
      "serviceAccount:${google_service_account.deploy-script.email}",
    ]
  }
}
# deploy script can read/write to a bucket
resource "google_storage_bucket_iam_policy" "policy" {
  bucket      = "my-bucket"
  policy_data = data.google_iam_policy.deploy-script-admin-policy.policy_data
}

Now I cannot run terraform plan because I lost access to my own bucket. I get an error message like <my email> does not have storage.buckets.get access to the Google Cloud Storage bucket., forbidden.

I went to the GCP console and tried to either delete or update the permissions of this bucket, but that won't work either since the bucket permissions don't allow it (I have the Owner and storage.admin roles).

How can I recover from this situation? I don't mind deleting the bucket if that's the only option.

EDIT: I don't know what happened, but maybe GCP has some way of auto-recovering from such a situation. For some reason I was able to edit the bucket again from the console after a while...

2
You cannot, because this operation is an authoritative operation. Hence it's advised to save the current configuration and then build on top of it. – Prashant

2 Answers

1
votes

If you have Project IAM Admin or some other role that enables you to edit IAM permissions, you can run terraform destroy on your google_storage_bucket_iam_policy.policy resource, and that should restore the permissions to those inherited from the project IAM permissions. This means that if you have the Storage Admin permission, you should be able to modify the bucket permissions again.

0
votes

You can't revert changes made and restore your access to the bucket in question.

google_storage_bucket_iam_policy is authoritative (as @Prashant mentioned), which means that it first erases any policies for the object and then creates the ones that you defined.

If your definition didn't include proper access and you got yourself locked out, then the only solution is to delete the bucket.
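To show the difference the question and this answer are about, here is an added example (not code from the question or from either answer) of the additive form beside a correctly written authoritative policy. It assumes the same google_service_account.deploy-script resource and bucket name as the question, and "user:operator@example.com" is a placeholder for whoever must keep managing the bucket.

```hcl
# Added example, not from the original post. Assumes the same
# google_service_account.deploy-script resource and a bucket named "my-bucket".

# Non-authoritative: grants ONE role to ONE member and leaves every other
# bucket-level binding untouched. This is the safe way to add the deploy
# script without rewriting the bucket's policy.
# (google_storage_bucket_iam_binding is authoritative for its role: it
# replaces the member list of that role but preserves other roles.)
resource "google_storage_bucket_iam_member" "deploy_script_object_admin" {
  bucket = "my-bucket"
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.deploy-script.email}"
}

# Authoritative: this policy REPLACES all bucket-level bindings, so it must
# list every binding that should remain, including the one that keeps the
# operator able to read and manage the bucket. Omitting it is exactly what
# locked the question's author out.
data "google_iam_policy" "bucket_policy" {
  binding {
    role    = "roles/storage.admin"
    members = ["user:operator@example.com"] # placeholder operator identity
  }
  binding {
    role    = "roles/storage.objectAdmin"
    members = ["serviceAccount:${google_service_account.deploy-script.email}"]
  }
}

resource "google_storage_bucket_iam_policy" "bucket_policy" {
  bucket      = "my-bucket"
  policy_data = data.google_iam_policy.bucket_policy.policy_data
}
```

Use only one of the two approaches for a given bucket; before applying the authoritative one, read the terraform plan output for bindings being removed, since that is where the loss of access shows up before it happens.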