From a7e3b677ec38b0a76a7bf545be717528f902f101 Mon Sep 17 00:00:00 2001
From: Anjali
Date: Wed, 18 Mar 2026 17:27:11 -0700
Subject: [PATCH] Adds update mask for changes to identity_config.user_service_account_mapping to properly handle updates to cluster security identity config.
---
 .../services/dataproc/resource_dataproc_cluster.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster.go b/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster.go
index 3dd07a67ab75..1f2ea9be0a74 100644
--- a/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster.go
+++ b/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster.go
@@ -3011,6 +3011,17 @@ func resourceDataprocClusterUpdate(d *schema.ResourceData, meta interface{}) err
 updMask = append(updMask, "config.lifecycle_config.auto_stop_time")
 }
+ if d.HasChange("cluster_config.0.security_config.0.identity_config.0.user_service_account_mapping") {
+ if icfg, ok := configOptions(d, "cluster_config.0.security_config.0.identity_config"); ok {
+ if cluster.Config.SecurityConfig == nil {
+ cluster.Config.SecurityConfig = &dataproc.SecurityConfig{}
+ }
+ cluster.Config.SecurityConfig.IdentityConfig = expandIdentityConfig(icfg)
+
+ updMask = append(updMask, "config.security_config.identity_config.user_service_account_mapping")
+ }
+ }
+
 if len(updMask) > 0 {
 gracefulDecommissionTimeout := d.Get("graceful_decommission_timeout").(string)
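Review bot: When `user_service_account_mapping` changes but `configOptions` returns `ok == false` (presumably when the `identity_config` block has been removed; the helper is not visible in this hunk), the new branch appends nothing to `updMask` and the update completes without touching the cluster. For a user-to-service-account mapping, that means a revoked entry could stay in force on the cluster while Terraform state reports it gone. I would handle that case explicitly instead of falling through, for example `} else { return fmt.Errorf("identity_config removed: user_service_account_mapping cannot be cleared in place") }`, or send an empty mapping together with the mask path if the API accepts that. resourceDataprocClusterUpdate begins and ends outside this hunk, so whether removal is already ForceNew in the schema cannot be confirmed from here.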