Removing value from ssl_certificate in google_compute_target_https_proxy results in "inconsistent final plan" #7356

Closed
jordi-t opened this issue Sep 25, 2020 · 7 comments

jordi-t commented Sep 25, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.13.3
provider.google v3.40.0
provider.google-beta v3.40.0

Affected Resource(s)

  • google_compute_target_https_proxy

Terraform Configuration Files

provider "google" {
  project = "project-id"
  version = "3.40.0"
}

provider "google-beta" {
  project = "project-id"
  version = "3.40.0"
}

locals {
  san_certificates = {
    "cert1" = ["test1.example.com"]
    "cert2" = ["test2.example.com"]
  }
}

resource "google_compute_target_https_proxy" "default" {
  name             = "lb-https-proxy"
  url_map          = google_compute_url_map.url_map.self_link
  ssl_certificates = [for c in google_compute_managed_ssl_certificate.cert : c.self_link]
}

resource "random_id" "cert" {
  for_each    = local.san_certificates
  byte_length = 4
  prefix      = "redirect-lb-"
}

# Managed Certs
resource "google_compute_managed_ssl_certificate" "cert" {
  for_each = local.san_certificates
  provider = google-beta
  name     = random_id.cert[each.key].hex

  lifecycle {
    create_before_destroy = true
  }

  managed {
    domains = each.value
  }
}

resource "google_compute_url_map" "url_map" {
  name        = "urlmap"
  description = "URL map"

  default_url_redirect {
    host_redirect          = "www.google.com"
    https_redirect         = true
    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
    strip_query            = false
  }
}

Debug Output

https://gist.github.com/jseris/2ab077abaf59ca83a5144be6cc1638da

Expected Behavior

When removing "cert2" = ["test2.example.com"] from san_certificates, the plan should be successfully executed, i.e. detaching cert2 from the target-https-proxy and deleting the certificate itself.

Actual Behavior

The plan looks as expected. However, when applying, the following error is thrown:

Error: Provider produced inconsistent final plan

When expanding the plan for google_compute_target_https_proxy.default to
include new values learned so far during apply, provider
"registry.terraform.io/hashicorp/google" produced an invalid new value for
.ssl_certificates: new element 1 has appeared.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Steps to Reproduce

  1. terraform apply for given Terraform config
  2. remove "cert2" = ["test2.example.com"] from locals.san_certificates.
  3. terraform plan will give the expected plan
  4. terraform apply will give the error

Important Factoids

I am able to work around this by explicitly defining the certificates in separate resources and interpolating the self_links directly in google_compute_target_https_proxy.default.ssl_certificates, like this:

resource "google_compute_target_https_proxy" "default" {
  name             = "lb-https-proxy"
  url_map          = google_compute_url_map.url_map.self_link
  ssl_certificates = [google_compute_managed_ssl_certificate.cert1.self_link,
                      google_compute_managed_ssl_certificate.cert2.self_link]
}

resource "google_compute_managed_ssl_certificate" "cert1" {
  provider = google-beta
  name     = "cert1"

  lifecycle {
    create_before_destroy = true
  }

  managed {
    domains = ["test1.example.com"]
  }
}

resource "google_compute_managed_ssl_certificate" "cert2" {
  provider = google-beta
  name     = "cert2"

  lifecycle {
    create_before_destroy = true
  }

  managed {
    domains = ["test2.example.com"]
  }
}

In this setup, when removing google_compute_managed_ssl_certificate.cert2 and google_compute_managed_ssl_certificate.cert2.self_link from ssl_certificates, it works as expected: cert2 is detached from the target_https_proxy and deleted.

However, in my actual project I have modularised the google_compute_target_https_proxy and google_compute_managed_ssl_certificate, so I would like to use the implementation as configured in the given TF configuration.

References

N/A

@ghost ghost added bug labels Sep 25, 2020
@jordi-t jordi-t changed the title Removing ssl_certificate from google_compute_target_https_proxy results in "inconsistent final plan" Removing value from ssl_certificate in google_compute_target_https_proxy results in "inconsistent final plan" Sep 25, 2020
@slevenick
Collaborator

Interesting... This looks like an issue with Terraform itself. I'm able to reproduce this with Terraform version 0.13, but it does not appear as an inconsistent plan when using 0.12.

I'll file an upstream bug, as this isn't fixable in the provider

@slevenick
Collaborator

This looks like it is caused by this bug: hashicorp/terraform#25631

Marking upstream-terraform for now

@upodroid
Contributor

@slevenick we can close this issue. The upstream issue has been fixed.

https://github.com/hashicorp/terraform/commits/v0.14?after=f4b686b5f3db28f09d2561eb2aee3e1c3a9bf270+104&branch=v0.14 (PR 26470)

It is in v0.14 but no mention in the changelog.

@slevenick
Collaborator

Closing, thanks for the follow-up @upodroid

@jordi-t
Author

jordi-t commented Nov 18, 2020

@upodroid @slevenick Thanks for your investigations.

However, I have tested this with v0.14.0-rc1 and I am still encountering the same issue. You should be able to reproduce it again with the exact same code as I described in this issue.

@ghost ghost locked as resolved and limited conversation to collaborators Nov 19, 2020
@slevenick slevenick reopened this Nov 19, 2020
@slevenick
Collaborator

Reopening to allow comments, will immediately close again.

@jseris if you are still seeing the same issue with 0.14.0 you may want to raise this issue with the Terraform core team. I believe this issue is due to the interaction between for_each and create_before_destroy as described in the linked issue. This issue is not unique to this provider or to the resources you are using, so there's not much we can do to fix it

@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-l7-load-balancer labels Jan 14, 2025