terraform-provider-google: Changing SSL certificates in google_compute_target_https_proxy results in inconsistent final plan from .proxy_id

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.0
+ provider registry.terraform.io/banzaicloud/k8s v0.8.4
+ provider registry.terraform.io/hashicorp/google v3.50.0
+ provider registry.terraform.io/hashicorp/google-beta v3.50.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/hashicorp/random v3.0.0

Affected Resource(s)

  • google_compute_target_https_proxy

Terraform Configuration Files

resource "google_compute_target_https_proxy" "app" {
  name    = "proxy-https"
  url_map = google_compute_url_map.app_https.id
  ssl_certificates = [
    google_compute_managed_ssl_certificate.app_main.id,
    google_compute_ssl_certificate.default.id,
  ]
  ssl_policy = google_compute_ssl_policy.app.name
}

# This bit is basically straight out of the docs
# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_certificate#example-usage---ssl-certificate-random-provider
resource "google_compute_ssl_certificate" "default" {
  name        = random_id.certificate.hex
  private_key = file("path/to/private.key")
  certificate = file("path/to/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = "my-certificate-"

  keepers = {
    private_key = filebase64sha256("path/to/private.key")
    certificate = filebase64sha256("path/to/certificate.crt")
  }
}

Debug Output

Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Full debug output https://gist.github.com/mcfedr/fa680a84e1db9786042fcb0b56cc07f7

Panic Output

N/A

Expected Behavior

Terraform describes itself:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # google_compute_ssl_certificate.app_external (deposed object 3c82c66f) will be destroyed
  - resource "google_compute_ssl_certificate" "app_external" {
      - certificate        = (sensitive value)
      - certificate_id     = 2853599161514436000 -> null
      - creation_timestamp = "2020-12-01T02:17:29.041-08:00" -> null
      - id                 = "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
      - name               = "kt-proxy-develop-external-77f6a1a6" -> null
      - private_key        = (sensitive value)
      - project            = "some-google-project" -> null
      - self_link          = "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
    }

  # google_compute_target_https_proxy.app will be updated in-place
  ~ resource "google_compute_target_https_proxy" "app" {
        id                 = "projects/some-google-project/global/targetHttpsProxies/kt-proxy-develop-https"
        name               = "kt-proxy-develop-https"
      ~ ssl_certificates   = [
            "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-main",
          - "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6",
          + "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-1d4b44ec",
        ]
        # (7 unchanged attributes hidden)
    }

  # random_id.app_external_name (deposed object 692b7d2f) will be destroyed
  - resource "random_id" "app_external_name" {
      - b64_std     = "kt-proxy-develop-external-d/ahpg==" -> null
      - b64_url     = "kt-proxy-develop-external-d_ahpg" -> null
      - byte_length = 4 -> null
      - dec         = "kt-proxy-develop-external-2012651942" -> null
      - hex         = "kt-proxy-develop-external-77f6a1a6" -> null
      - id          = "d_ahpg" -> null
      - keepers     = {
          - "certificate" = "amo20s8LRi3C5x5JFmV9SNQ927vrOK+yavGsqzcTU4A="
          - "private_key" = "ZpCxCMCSMf0/JX1+3S2/vAGjwMXOdcBpchAzN2p4KLM="
        } -> null
      - prefix      = "kt-proxy-develop-external-" -> null
    }


Plan: 0 to add, 1 to change, 4 to destroy.

Do you want to perform these actions in workspace "develop"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Actual Behavior

Crash

Steps to Reproduce

  1. terraform apply

Important Factoids

The certificate files themselves are read out of Kubernetes secrets, but I’m pretty sure this is nothing to do with anything.

References

There is a similar-sounding issue that was supposedly fixed in Terraform 0.14, but it's also different; this seems to be a Google-specific issue, but I may be wrong…

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 15
  • Comments: 15

Most upvoted comments

This should be available in 3.51.1

We have a fix for this using the new version of the SDK. This should be in the release expected to go out next week.

I think the change to strings would fix #7945, as the map_id you have a problem with is also caused by rounding errors that wouldn't happen if it was a string.
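
The rounding described in the comment above, as an added example (not the provider's code, and not a claim about where in the provider the conversion happened). It decodes the .proxy_id value from the error message once as a float64 and once as text; the function names and the JSON document are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/big"
)

// proxyID is the planned .proxy_id value quoted in the error message.
const proxyID = "5111896384539344861"

// viaFloat64 decodes the ID as a float64 and returns the integer that
// the float64 really holds (53-bit mantissa, so steps of 1024 here).
func viaFloat64(doc string) (*big.Int, error) {
	var m struct {
		ProxyID float64 `json:"proxy_id"`
	}
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	i, _ := new(big.Float).SetFloat64(m.ProxyID).Int(nil)
	return i, nil
}

// viaNumber keeps the digits as text (json.Number) until they are parsed
// into an arbitrary-precision integer, so nothing is rounded.
func viaNumber(doc string) (*big.Int, error) {
	var m struct {
		ProxyID json.Number `json:"proxy_id"`
	}
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return nil, err
	}
	i, ok := new(big.Int).SetString(m.ProxyID.String(), 10)
	if !ok {
		return nil, fmt.Errorf("proxy_id %q is not an integer", m.ProxyID)
	}
	return i, nil
}

func main() {
	doc := `{"proxy_id": ` + proxyID + `}` // constructed sample document
	lossy, _ := viaFloat64(doc)
	exact, _ := viaNumber(doc)
	fmt.Println("float64:", lossy, "json.Number:", exact)
}
```

The two results differ in their low digits, which is the kind of mismatch Terraform rejects as an inconsistent final plan.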

Ok I am glad to see I was not crazy 😄