Handle email casing in google_bigquery_dataset access (#15792) (#11139)

modular-magician · web-flow · commit 7d1261756e75 · 2025-11-25T14:24:23.000-08:00
[upstream:d5a72e8bc4be1d9d998b62c49280c4cdc6e34423]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/15792.txt b/.changelog/15792.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+bigquery: fixed the permadiff when email field values contain non-lower-case characters in `access` in `google_bigquery_dataset`
+```
diff --git a/google-beta/services/bigquery/resource_bigquery_dataset.go b/google-beta/services/bigquery/resource_bigquery_dataset.go
@@ -87,8 +87,10 @@ func validateDefaultTableExpirationMs(v interface{}, k string) (ws []string, err
 }
 
 // bigqueryDatasetAccessHash is a custom hash function for the access block.
-// It normalizes the 'role' field before hashing, treating legacy roles
-// and their modern IAM equivalents as the same.
+// It normalizes
+// 1) the 'role' field before hashing, treating legacy roles
+// and their modern IAM equivalents as the same,
+// 2) the 'user_by_email' and 'group_by_email' fields to be case-insensitive.
 func resourceBigqueryDatasetAccessHash(v interface{}) int {
 	m, ok := v.(map[string]interface{})
 	if !ok {
@@ -100,6 +102,14 @@ func resourceBigqueryDatasetAccessHash(v interface{}) int {
 		copy[k] = val
 	}
 
+	// Normalize user_by_email and group_by_email to be case-insensitive
+	if email, ok := copy["user_by_email"].(string); ok && email != "" {
+		copy["user_by_email"] = strings.ToLower(email)
+	}
+	if email, ok := copy["group_by_email"].(string); ok && email != "" {
+		copy["group_by_email"] = strings.ToLower(email)
+	}
+
 	// Normalize the role if it exists and matches a legacy role.
 	if role, ok := copy["role"].(string); ok {
 		if newRole, ok := bigqueryDatasetAccessPrimitiveToRoleMap[role]; ok {
@@ -1142,7 +1152,11 @@ func flattenBigQueryDatasetAccessDomain(v interface{}, d *schema.ResourceData, c
 }
 
 func flattenBigQueryDatasetAccessGroupByEmail(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return v
+	if v == nil {
+		return nil
+	}
+
+	return strings.ToLower(v.(string))
 }
 
 func flattenBigQueryDatasetAccessRole(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -1158,7 +1172,11 @@ func flattenBigQueryDatasetAccessIamMember(v interface{}, d *schema.ResourceData
 }
 
 func flattenBigQueryDatasetAccessUserByEmail(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return v
+	if v == nil {
+		return nil
+	}
+
+	return strings.ToLower(v.(string))
 }
 
 func flattenBigQueryDatasetAccessView(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -1614,7 +1632,11 @@ func expandBigQueryDatasetAccessDomain(v interface{}, d tpgresource.TerraformRes
 }
 
 func expandBigQueryDatasetAccessGroupByEmail(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
-	return v, nil
+	if v == nil {
+		return nil, nil
+	}
+
+	return strings.ToLower(v.(string)), nil
 }
 
 func expandBigQueryDatasetAccessRole(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
@@ -1630,7 +1652,11 @@ func expandBigQueryDatasetAccessIamMember(v interface{}, d tpgresource.Terraform
 }
 
 func expandBigQueryDatasetAccessUserByEmail(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
-	return v, nil
+	if v == nil {
+		return nil, nil
+	}
+
+	return strings.ToLower(v.(string)), nil
 }
 
 func expandBigQueryDatasetAccessView(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
diff --git a/google-beta/services/bigquery/resource_bigquery_dataset_test.go b/google-beta/services/bigquery/resource_bigquery_dataset_test.go
@@ -20,15 +20,14 @@ package bigquery_test
 
 import (
 	"fmt"
-	"regexp"
-	"strings"
-	"testing"
-
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/acctest"
 	"github.com/hashicorp/terraform-provider-google-beta/google-beta/envvar"
 	"google.golang.org/api/bigquery/v2"
+	"regexp"
+	"strings"
+	"testing"
 )
 
 func TestAccBigQueryDataset_basic(t *testing.T) {
@@ -335,6 +334,52 @@ func TestAccBigQueryDataset_access(t *testing.T) {
 	})
 }
 
+func TestAccBigQueryDataset_accessMixedCase_userByEmail(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_access_%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryDatasetDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_accessMixedCase(datasetID, "user_by_email", "alicE@google.COM"),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.access_test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func TestAccBigQueryDataset_accessMixedCase_groupByEmail(t *testing.T) {
+	t.Parallel()
+
+	datasetID := fmt.Sprintf("tf_test_access_%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckBigQueryDatasetDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccBigQueryDataset_accessMixedCase(datasetID, "group_by_email", "MAGIC-MODULES@gOOgle.com"),
+			},
+			{
+				ResourceName:            "google_bigquery_dataset.access_test",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
 func TestAccBigQueryDataset_regionalLocation(t *testing.T) {
 	t.Parallel()
 
@@ -855,6 +900,19 @@ resource "google_bigquery_dataset" "access_test" {
 `, otherDatasetID, otherTableID, datasetID)
 }
 
+func testAccBigQueryDataset_accessMixedCase(datasetID, accessType, email string) string {
+	return fmt.Sprintf(`
+resource "google_bigquery_dataset" "access_test" {
+  dataset_id = "%s"
+
+  access {
+    role   = "OWNER"
+    %s = "%s"
+  }
+}
+`, datasetID, accessType, email)
+}
+
 func testAccBigQueryDataset_cmek(pid, datasetID, kmsKey string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	+bigquery: fixed the permadiff when email field values contain non-lower-case characters in `access` in `google_bigquery_dataset`
	`3`	+```