I created App Engine custom domains with my own GCP user account.

If I run this command as that user I see a resourceRecords: field with all the A and AAAA records:

gcloud app domain-mappings describe 'mydom.com'

If I run the SAME command as a different user (one that has app engine admin and viewer roles) I see the resourceRecords: field with only a CNAME record. Why is this?

No permissions errors, no other errors. The SAME command run by different users returns different values from the describe API.

This behavior is unexpected. How/why is this happening?

I run Terraform centrally with a GSA. That GSA is getting different data from the API because of whatever this behavior is doing plans return incorrect info.

CodePudding user response：

Are you sure that you used that same domain both times?

The naked domain (e.g., mydom.com) will return A/AAAA records and a subdomain will return a CNAME record. I just did this with my own domain:

gcloud app domain-mappings describe 'mydom.com' -> A and AAAA records

gcloud app domain-mappings describe 'www.mydom.com' -> CNAME record

CodePudding user response：

I found the reason for this frustratingly bizarre and unhelpful and poorly documented behavior.

I found the issue through this SO post: How to use Terraform `google_app_engine_domain_mapping` with service account?

If you are not an "owner" for the domain as defined here the API will indeed not return the IP address list and also not bother throwing any kind of helpful warning message.

While my question wasn't terraform specific it looks like you might be able to terraform the whole thing with the help of this custom provider: https://github.com/hectorj/terraform-provider-googlesiteverification.

Also, I tried adding the email of a google group as an owner and that did not seem to work. Individual users must be added.