Terraform-provider-google: Changing SSL certificates in google_compute_target_https_proxy results in inconsistent final plan from .proxy_id

Created on 8 Dec 2020  ·  14 Comments  ·  Source: hashicorp/terraform-provider-google


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave _+1_ or _me too_ comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.0
+ provider registry.terraform.io/banzaicloud/k8s v0.8.4
+ provider registry.terraform.io/hashicorp/google v3.50.0
+ provider registry.terraform.io/hashicorp/google-beta v3.50.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/hashicorp/random v3.0.0

Affected Resource(s)

  • google_compute_target_https_proxy

Terraform Configuration Files

resource "google_compute_target_https_proxy" "app" {
  name    = "proxy-https"
  url_map = google_compute_url_map.app_https.id
  ssl_certificates = [
    google_compute_managed_ssl_certificate.app_main.id,
    google_compute_ssl_certificate.default.id,
  ]
  ssl_policy = google_compute_ssl_policy.app.name
}

# This bit is basically straight out of the docs
# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_certificate#example-usage---ssl-certificate-random-provider
resource "google_compute_ssl_certificate" "default" {
  name        = random_id.certificate.hex
  private_key = file("path/to/private.key")
  certificate = file("path/to/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = "my-certificate-"

  keepers = {
    private_key = filebase64sha256("path/to/private.key")
    certificate = filebase64sha256("path/to/certificate.crt")
  }
}

Debug Output

Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Full debug output
https://gist.github.com/mcfedr/fa680a84e1db9786042fcb0b56cc07f7

Panic Output

N/A

Expected Behavior

Terraform describes itself:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # google_compute_ssl_certificate.app_external (deposed object 3c82c66f) will be destroyed
  - resource "google_compute_ssl_certificate" "app_external" {
      - certificate        = (sensitive value)
      - certificate_id     = 2853599161514436000 -> null
      - creation_timestamp = "2020-12-01T02:17:29.041-08:00" -> null
      - id                 = "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
      - name               = "kt-proxy-develop-external-77f6a1a6" -> null
      - private_key        = (sensitive value)
      - project            = "some-google-project" -> null
      - self_link          = "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
    }

  # google_compute_target_https_proxy.app will be updated in-place
  ~ resource "google_compute_target_https_proxy" "app" {
        id                 = "projects/some-google-project/global/targetHttpsProxies/kt-proxy-develop-https"
        name               = "kt-proxy-develop-https"
      ~ ssl_certificates   = [
            "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-main",
          - "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6",
          + "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-1d4b44ec",
        ]
        # (7 unchanged attributes hidden)
    }

  # random_id.app_external_name (deposed object 692b7d2f) will be destroyed
  - resource "random_id" "app_external_name" {
      - b64_std     = "kt-proxy-develop-external-d/ahpg==" -> null
      - b64_url     = "kt-proxy-develop-external-d_ahpg" -> null
      - byte_length = 4 -> null
      - dec         = "kt-proxy-develop-external-2012651942" -> null
      - hex         = "kt-proxy-develop-external-77f6a1a6" -> null
      - id          = "d_ahpg" -> null
      - keepers     = {
          - "certificate" = "amo20s8LRi3C5x5JFmV9SNQ927vrOK+yavGsqzcTU4A="
          - "private_key" = "ZpCxCMCSMf0/JX1+3S2/vAGjwMXOdcBpchAzN2p4KLM="
        } -> null
      - prefix      = "kt-proxy-develop-external-" -> null
    }


Plan: 0 to add, 1 to change, 4 to destroy.

Do you want to perform these actions in workspace "develop"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Actual Behavior

Crash

Steps to Reproduce

  1. terraform apply

Important Factoids

The certificate files themselves are read out of Kubernetes secrets, but I'm pretty sure this is nothing to do with anything.

References

There is a similar-sounding issue that was supposedly fixed in Terraform 0.14, but it's also different. This seems to be a Google-specific issue, but I may be wrong...

bug upstream-terraform

All 14 comments

Ok I am glad to see I was not crazy :D

This looks like a problem in 0.14.0 rather than the provider. I have filed https://github.com/hashicorp/terraform/issues/27208

I would recommend downgrading to 0.13.x if possible as we track down what the fix should be

Ha so my guess was correct but not the source of the problem. It is a core issue and not a resource issue.
Thanks @slevenick

Yes, so the issue in my example is with the proxy_id field, which is represented by a TypeInt in the provider (https://github.com/hashicorp/terraform-provider-google/blob/master/google/resource_compute_target_https_proxy.go#L106), but the documentation of the API defines the id as a string - https://cloud.google.com/compute/docs/reference/rest/v1/targetHttpsProxies - so maybe there is a problem with the int handling in terraform upstream, but also the wrong type is being used in the provider.

I think this could be fixed by changing the types to strings - this is the change in the upstream magic modules, https://github.com/GoogleCloudPlatform/magic-modules/pull/4307

That seems to be the recommended way in https://github.com/hashicorp/terraform-plugin-sdk/issues/655, but it would not fix #7945, so I think it would be better to have an upstream fix by the plugin SDK because other similar errors will pop up in this provider I am pretty sure.

I think the change to strings would fix #7945, as the map_id you have a problem with is also caused by rounding errors that wouldn't happen if it was a string.
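
Added illustration, not part of the original thread and not code from the provider, the plugin SDK or Terraform core: a Go sketch of the rounding discussed in the comments above, using the proxy_id value from the error message. The function names are hypothetical, and the assumption is only that the ID passes through a 64-bit float at some point.

```go
package main

import (
	"fmt"
	"math/big"
	"strconv"
)

// proxyID is the exact value quoted in the error message on this page.
const proxyID int64 = 5111896384539344861

// ViaFloat64 round-trips an ID through float64 (53-bit mantissa).
// Near 5e18 adjacent float64 values are 1024 apart, so the low bits are rounded.
func ViaFloat64(id int64) int64 {
	return int64(float64(id))
}

// ViaString round-trips the same ID as a decimal string, which is exact.
func ViaString(id int64) (int64, error) {
	return strconv.ParseInt(strconv.FormatInt(id, 10), 10, 64)
}

// SafeAsFloat64 reports whether an ID survives a float64 round trip unchanged.
func SafeAsFloat64(id int64) bool {
	return ViaFloat64(id) == id
}

// SamePlannedValue compares an exact arbitrary-precision number with one
// rebuilt from a float64, the kind of "was X, but now Y" comparison that
// fails in the error above.
func SamePlannedValue(id int64) bool {
	exact := new(big.Float).SetPrec(512).SetInt64(id)
	rounded := big.NewFloat(float64(id))
	return exact.Cmp(rounded) == 0
}

func main() {
	fmt.Println("original:     ", proxyID)
	fmt.Println("via float64:  ", ViaFloat64(proxyID))
	s, err := ViaString(proxyID)
	fmt.Println("via string:   ", s, err)
	fmt.Println("float64-safe: ", SafeAsFloat64(proxyID))
	fmt.Println("plans match:  ", SamePlannedValue(proxyID))
}
```

Any integer above 2^53 is at risk, so large server-assigned IDs are safest handled as strings end to end.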

This looks like a problem in 0.14.0 rather than the provider. I have filed https://github.com/hashicorp/terraform/issues/27208

@slevenick The upstream bug has been fixed, does this mean that a fix can be applied in the provider as well?

We have a fix for this using the new version of the SDK. This should be in the release expected to go out next week.

This should be available in 3.51.1

Thanks, fix worked for us

Thanks for prompt fix, works here as well!
