google_assured_workloads_workload - fields missing/unset after resource import #20864

Open
LPLabrys99 opened this issue Jan 9, 2025 · 0 comments
Labels
bug forward/review In review; remove label to forward service/assuredworkloads

Comments

@LPLabrys99

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

OpenTofu 1.7.1 / Terragrunt 0.64.0
on arm64 (MacOS)

  • provider registry.terraform.io/hashicorp/google v6.15.0

Affected Resource(s)

google_assured_workloads_workload

Terraform Configuration

resource "google_assured_workloads_workload" "main" {
  compliance_regime = var.compliance_regime
  display_name      = var.project_name
  location          = var.region
  organization      = var.org_id
  billing_account   = "billingAccounts/${var.billing_account_id}"

  provisioned_resources_parent = "folders/${var.parent_id}"

  resource_settings {
    resource_id   = "${var.project_name}-${var.project_number}"
    resource_type = "CONSUMER_PROJECT"
  }

  resource_settings {
    display_name  = "{{name}}"
    resource_type = "CONSUMER_FOLDER"
  }

  resource_settings {
    resource_id   = "cmek-${var.project_name}"
    resource_type = "ENCRYPTION_KEYS_PROJECT"
  }

  # partner_permissions {
  #   assured_workloads_monitoring = true
  #   data_logs_viewer             = true
  #   service_access_approver      = true
  # }

  violation_notifications_enabled = true

  labels = {
    region = local.region_name
    level  = var.compliance_regime
  }
}

Debug Output

No response

Expected Behavior

I expect to be able to locate a GCP assured workload using gcloud assured workloads list --location=... --organization=... and then import the resource into Terraform using terragrunt import <my_resource_id> <assured_workload_name>.

After the resource is imported, I should be able to manage it as part of a normal terraform stack.

Actual Behavior

When I import an existing GCP assured workload by name that was created in the GCP UI into Terraform, it is successfully imported into the Terraform state but some of the fields appear to be unset:

  • billing_account
  • provisioned_resources_parent
  • resource_settings blocks
  • partner_permissions

All of those fields require the resource to be replaced, meaning that the resource cannot be updated in place or managed via Terraform as normal, as the plan always includes replacement of the assured workload.

Steps to reproduce

  1. Create a GCP assured workloads project in the UI
  2. Use gcloud assured workloads list command to locate the created project ID / name
  3. Import the project into Terraform
  4. Generate a plan

Important Factoids

Importing the project into Terraform was difficult - I had to upgrade my provider to 6.15.0 and reconfigure provider settings to include billing_project = ... and user_project_override = true.

Previously I would get this error over and over (with the same project ID as other reporters that isn't in my org):
#17998

References

No response

@LPLabrys99 LPLabrys99 added the bug label Jan 9, 2025
@github-actions github-actions bot added forward/review In review; remove label to forward service/assuredworkloads labels Jan 9, 2025
@ggtisc ggtisc self-assigned this Jan 9, 2025
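
Added example, not part of the original issue or the provider's code: a pre-apply check that reads the JSON form of a saved plan (as produced by `tofu show -json <planfile>`) and fails when a `google_assured_workloads_workload` would be replaced, listing the attributes named in `replace_paths`. The sample plan is constructed to resemble the behavior reported above, and the guarded-type set is an assumption.

```python
import json

# Constructed sample: a trimmed `tofu show -json <planfile>` document shaped
# like the plan described in the issue. Addresses and values are placeholders.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "google_assured_workloads_workload.main",
      "type": "google_assured_workloads_workload",
      "change": {
        "actions": ["delete", "create"],
        "replace_paths": [["billing_account"], ["provisioned_resources_parent"], ["resource_settings"]]
      }
    },
    {
      "address": "google_project_service.example",
      "type": "google_project_service",
      "change": {"actions": ["update"]}
    }
  ]
}
""")

# Assumption: resource types whose replacement should block an apply.
GUARDED_TYPES = {"google_assured_workloads_workload"}


def find_forced_replacements(plan, guarded_types=GUARDED_TYPES):
    """Return {address: [attribute paths]} for guarded resources the plan would replace."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        # A replacement is reported as both "delete" and "create" (either order).
        if rc.get("type") in guarded_types and {"delete", "create"} <= actions:
            paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
            findings[rc["address"]] = sorted(paths)
    return findings


if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = find_forced_replacements(plan)
    for address, paths in hits.items():
        print(f"REPLACE {address}: forced by {', '.join(paths) or 'unknown'}")
    sys.exit(1 if hits else 0)
```

Run it with the path to a saved plan's JSON as the only argument; a non-zero exit status means a guarded resource is scheduled for replacement.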