Changing SSL certificates in google_compute_target_https_proxy results in inconsistent final plan from .proxy_id #7966

Closed
mcfedr opened this issue Dec 8, 2020 · 15 comments · Fixed by GoogleCloudPlatform/magic-modules#4354, hashicorp/terraform-provider-google-beta#2826 or #8103

mcfedr commented Dec 8, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.0
+ provider registry.terraform.io/banzaicloud/k8s v0.8.4
+ provider registry.terraform.io/hashicorp/google v3.50.0
+ provider registry.terraform.io/hashicorp/google-beta v3.50.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/hashicorp/random v3.0.0

Affected Resource(s)

  • google_compute_target_https_proxy

Terraform Configuration Files

resource "google_compute_target_https_proxy" "app" {
  name    = "proxy-https"
  url_map = google_compute_url_map.app_https.id
  ssl_certificates = [
    google_compute_managed_ssl_certificate.app_main.id,
    google_compute_ssl_certificate.default.id,
  ]
  ssl_policy = google_compute_ssl_policy.app.name
}

# This bit is basically straight out of the docs
# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_certificate#example-usage---ssl-certificate-random-provider
resource "google_compute_ssl_certificate" "default" {
  name        = random_id.certificate.hex
  private_key = file("path/to/private.key")
  certificate = file("path/to/certificate.crt")

  lifecycle {
    create_before_destroy = true
  }
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = "my-certificate-"

  keepers = {
    private_key = filebase64sha256("path/to/private.key")
    certificate = filebase64sha256("path/to/certificate.crt")
  }
}

Debug Output

Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Full debug output
https://gist.github.com/mcfedr/fa680a84e1db9786042fcb0b56cc07f7

Panic Output

N/A

Expected Behavior

Terraform describes itself:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # google_compute_ssl_certificate.app_external (deposed object 3c82c66f) will be destroyed
  - resource "google_compute_ssl_certificate" "app_external" {
      - certificate        = (sensitive value)
      - certificate_id     = 2853599161514436000 -> null
      - creation_timestamp = "2020-12-01T02:17:29.041-08:00" -> null
      - id                 = "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
      - name               = "kt-proxy-develop-external-77f6a1a6" -> null
      - private_key        = (sensitive value)
      - project            = "some-google-project" -> null
      - self_link          = "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6" -> null
    }

  # google_compute_target_https_proxy.app will be updated in-place
  ~ resource "google_compute_target_https_proxy" "app" {
        id                 = "projects/some-google-project/global/targetHttpsProxies/kt-proxy-develop-https"
        name               = "kt-proxy-develop-https"
      ~ ssl_certificates   = [
            "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-main",
          - "https://www.googleapis.com/compute/v1/projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-77f6a1a6",
          + "projects/some-google-project/global/sslCertificates/kt-proxy-develop-external-1d4b44ec",
        ]
        # (7 unchanged attributes hidden)
    }

  # random_id.app_external_name (deposed object 692b7d2f) will be destroyed
  - resource "random_id" "app_external_name" {
      - b64_std     = "kt-proxy-develop-external-d/ahpg==" -> null
      - b64_url     = "kt-proxy-develop-external-d_ahpg" -> null
      - byte_length = 4 -> null
      - dec         = "kt-proxy-develop-external-2012651942" -> null
      - hex         = "kt-proxy-develop-external-77f6a1a6" -> null
      - id          = "d_ahpg" -> null
      - keepers     = {
          - "certificate" = "amo20s8LRi3C5x5JFmV9SNQ927vrOK+yavGsqzcTU4A="
          - "private_key" = "ZpCxCMCSMf0/JX1+3S2/vAGjwMXOdcBpchAzN2p4KLM="
        } -> null
      - prefix      = "kt-proxy-develop-external-" -> null
    }


Plan: 0 to add, 1 to change, 4 to destroy.

Do you want to perform these actions in workspace "develop"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.app to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.proxy_id: was cty.NumberIntVal(5.111896384539344861e+18), but now
cty.NumberIntVal(5.111896384539345e+18).

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Actual Behavior

Crash

Steps to Reproduce

  1. terraform apply

Important Factoids

The certificate files themselves are read out of Kubernetes secrets, but I'm pretty sure this is nothing to do with anything.

References

There is a similar-sounding issue that was supposedly fixed in Terraform 0.14, but it's also different; this seems to be a Google-specific issue, but I may be wrong...

@ghost ghost added bug labels Dec 8, 2020
@mcfedr
Author

mcfedr commented Dec 8, 2020

Appears to be similar to #7945

@mcfedr
Author

mcfedr commented Dec 8, 2020

And #7944

@Sytten

Sytten commented Dec 8, 2020

Ok I am glad to see I was not crazy :D

@slevenick
Collaborator

This looks like a problem in 0.14.0 rather than the provider. I have filed https://github.com/hashicorp/terraform/issues/27208

I would recommend downgrading to 0.13.x if possible as we track down what the fix should be

@Sytten

Sytten commented Dec 9, 2020

Ha so my guess was correct but not the source of the problem. It is a core issue and not a resource issue.
Thanks @slevenick

@mcfedr
Author

mcfedr commented Dec 10, 2020

Yes, so the issue in my example is with the proxy_id field, which is represented by a TypeInt in the provider (https://github.com/hashicorp/terraform-provider-google/blob/master/google/resource_compute_target_https_proxy.go#L106), but the documentation of the API defines the id as a string - https://cloud.google.com/compute/docs/reference/rest/v1/targetHttpsProxies - so maybe there is a problem with the int handling in Terraform upstream, but also the wrong type is being used in the provider.

@mcfedr
Author

mcfedr commented Dec 10, 2020

I think this could be fixed by changing the types to strings - this is the change in the upstream magic modules, GoogleCloudPlatform/magic-modules#4307

@Sytten

Sytten commented Dec 10, 2020

That seems to be the recommended way in hashicorp/terraform-plugin-sdk#655, but it would not fix #7945, so I think it would be better to have an upstream fix by the plugin SDK because other similar errors will pop up in this provider I am pretty sure.

@mcfedr
Copy link
Author

mcfedr commented Dec 10, 2020

I think the change to strings would fix #7945, as the map_id you have a problem with is also caused by rounding errors that wouldn't happen if it was a string.
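
An added example (not part of the thread and not the provider's or Terraform's code) showing how the two values in the error message relate: the exact `proxy_id` needs 63 significant bits, while a float64 keeps 53, so any float64 step yields the rounded value, and keeping the digits as text does not. It assumes a float64 conversion purely for illustration, not as the confirmed code path in Terraform 0.14.0; `samplePayload` and all function names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

// Constructed sample: the proxy_id from the error message, as a JSON number.
const samplePayload = `{"proxy_id": 5111896384539344861}`

// decodeLossy decodes into interface{}, where encoding/json stores every
// JSON number as a float64 (53-bit mantissa).
func decodeLossy(payload string) (float64, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return 0, err
	}
	f, ok := m["proxy_id"].(float64)
	if !ok {
		return 0, fmt.Errorf("proxy_id is not a JSON number")
	}
	return f, nil
}

// decodeExact keeps the digits as text by enabling Decoder.UseNumber.
func decodeExact(payload string) (string, error) {
	dec := json.NewDecoder(strings.NewReader(payload))
	dec.UseNumber()
	var m map[string]interface{}
	if err := dec.Decode(&m); err != nil {
		return "", err
	}
	n, ok := m["proxy_id"].(json.Number)
	if !ok {
		return "", fmt.Errorf("proxy_id is not a JSON number")
	}
	return n.String(), nil
}

// exactInFloat64 reports whether id needs at most 53 significant bits.
func exactInFloat64(id uint64) bool {
	return bits.Len64(id)-bits.TrailingZeros64(id) <= 53
}

func main() {
	f, _ := decodeLossy(samplePayload)
	s, _ := decodeExact(samplePayload)
	fmt.Println(strconv.FormatFloat(f, 'e', -1, 64), uint64(f), s, exactInFloat64(5111896384539344861))
}
```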

@marcus-kempe

> This looks like a problem in 0.14.0 rather than the provider. I have filed https://github.com/hashicorp/terraform/issues/27208

@slevenick The upstream bug has been fixed, does this mean that a fix can be applied in the provider as well?

@slevenick
Collaborator

We have a fix for this using the new version of the SDK. This should be in the release expected to go out next week.

@slevenick
Collaborator

This should be available in 3.51.1

@liqwid

liqwid commented Jan 9, 2021

Thanks, fix worked for us

@marcus-kempe

Thanks for prompt fix, works here as well!

@ghost

ghost commented Jan 30, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 30, 2021
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-l7-load-balancer labels Jan 14, 2025