Resource `google_compute_target_https_proxy` fails to provision with `certificate_manager_certificates` attribute

adamstrawson commented 7 months ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

1.7.2.

Affected Resource(s)

google_compute_target_https_proxy

Terraform Configuration


resource "google_certificate_manager_dns_authorization" "default" {
  name     = "example-com"
  domain   = "example.com"
}

resource "google_certificate_manager_certificate" "default" {
  name     = "example-com"
  scope    = "EDGE_CACHE"
  managed {
    domains = [
      google_certificate_manager_dns_authorization.default.domain,
    ]
    dns_authorizations = [
      google_certificate_manager_dns_authorization.default.id,
    ]
  }
}

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [  google_certificate_manager_certificate.default.id ]
}

Debug Output

No response

Expected Behavior

The target proxy is created, with the example.com certificate.

Actual Behavior

The creation of google_compute_target_https_proxy fails as the use of managed cloud certificates isn't supported.

google_compute_target_https_proxy.default: Creating...
╷
│ Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_target_https_proxy.default,
│   on loadbalancer.tf line 55, in resource "google_compute_target_https_proxy" "default":
│   55: resource "google_compute_target_https_proxy" "default" {

Steps to reproduce

terraform apply

Important Factoids

Using google provider version 5.14.0

References

The above terraform configuration is based on the documented example in the provider documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

b/324044382

edwardmedia commented 7 months ago

@adamstrawson I noticed below error which is from the api. Where did you see it is supported? Can you share the full debug log that contains the requests and responses to the api?

Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid

adamstrawson commented 7 months ago

@adamstrawson I noticed below error which is from the api. Where did you see it is supported? Can you share the full debug log that contains the requests and responses to the api?
Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid

Hi @edwardmedia, Support for Certificate manager is shown within the Google Provider documentation, and has listed examples of its use - See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

From a load balancer perspective, it's also shown here: https://cloud.google.com/load-balancing/docs/ssl-certificates#certificate-summary Note under Global external Application Load Balancer Certificate Manager is supported for both self-managed and Google-managed`

I'll need to do a small POC to be able to supply debug logs, as these resources are part of a larger module, but I'll get that put together shortly.

edwardmedia commented 7 months ago

@adamstrawson thanks for the info, and preparing the logs. Waiting for that.

adamstrawson commented 7 months ago

Okay, from a bit further digging, this does appear to be an API issue, rather than terraform.

I can recreate the same issue via gcloud, following this documentation https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth.

Do you know the best way to raise API issues, or should I go through our TAM?

edwardmedia commented 7 months ago

it is mentioned in the doc that below format is accepted.

Accepted format is

//certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName}
or just the self_link projects/{project}/locations/{location}/certificates/{resourceName}

From the error below, it seems the format does match what it asks. Forward the issue to the service team for taking a look at its behind

Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation

adamstrawson commented 7 months ago

Yeah, I tried both formats as per the docs, both have the same error.

google_certificate_manager_certificate.default.id is the same as projects/{project}/locations/{location}/certificates/{resourceName}

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [  google_certificate_manager_certificate.default.id ]
}

and I tried

resource "google_compute_target_https_proxy" "default" {
  name             = "https-proxy"
  url_map          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [  "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.default.id}" ]
}

My theory above that it's an API issue, rather than the Terraform provider is because gcloud has the same error, despite this being a documented step in guide for this specific use case (Ref: https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#att-cert-target-proxy)

gcloud compute target-https-proxies create foobar \
    --url-map=<snip> \
    --global \
    --certificate-manager-certificates=<snip>

ERROR: (gcloud.compute.target-https-proxies.create) Could not fetch resource:
 - Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/<snip>/locations/global/certificates/<snip>'. Cloud certificate reference is not supported for TargetHttpsProxy creation.

adamstrawson commented 7 months ago

After some further digging, and chatting with GCP support, the recommended(?) way is to use Certificate Maps instead

resource "google_compute_target_https_proxy" "default" {
  name            = "https-proxy"
  url_map         = google_compute_url_map.default.id
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.default.id}"
}

It would be great to confirmation if that's the case, and whether the use of the attribute certificate_manager_certificates should be removed in favour of certificate_map? Or if there is a downstream API error and it should be possible to use certificate_manager_certificates

In the mean time, I'm unblocked as I can use certificate_map instead for now.

Daniel-I-Am commented 5 months ago

This issue also affects the google_compute_region_target_https_proxy, which does not have a similar workaround unfortunately as it does not support the use of a certificate_map. Any resolution is greatly appreciated.

pawelJas commented 3 months ago

Without full configuration it is hard to do a proper analysis. At this point certificate_manager_certificates are not supported by Global External Application Load Balancer. certificate_map only works with Global External Application Load Balancer so I can guess that your configuration is not supported yet. google_compute_region_target_https_proxy should not have the same problem as all regional products support certificate_manager_certificates.

Daniel-I-Am commented 3 months ago

When I posted my message I had assumed the information above would be sufficient. Here's all the information I would post if I would have opened this as a new report, in case it helps any. This is quite similar to some things above, but for the google_compute_region_target_https_proxy and associated regional resources, instead of global ones.

The documentation mentions certificate_manager_certificates can be configured, but doing so according to the documentation leads to failures from the API.

The documentation mentions two formats being accepted. I attempted both.

Terraform output full URI

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { + certificate_manager_certificates = [ + "//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1", ] + creation_timestamp = (known after apply) + id = (known after apply) + name = "cloud-run-internal-https-proxy-ccm-west1-new" + project = "" + proxy_id = (known after apply) + region = "europe-west1" + self_link = (known after apply) + url_map = "projects//regions/europe-west1/urlMaps/cloud-run-internal-west1" } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating... ╷ │ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid │ │ with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1, │ on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1": │ 35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { ```

Terraform output self_link

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { + certificate_manager_certificates = [ + "projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1", ] + creation_timestamp = (known after apply) + id = (known after apply) + name = "cloud-run-internal-https-proxy-ccm-west1-new" + project = "" + proxy_id = (known after apply) + region = "europe-west1" + self_link = (known after apply) + url_map = "projects//regions/europe-west1/urlMaps/cloud-run-internal-west1" } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating... ╷ │ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid │ │ with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1, │ on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1": │ 35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { ```

Terraform configuration

``` resource "google_compute_region_url_map" "cloud_run_internal_url_map_west1" { name = "cloud-run-internal-west1" region = var.region_west1 default_url_redirect { https_redirect = true host_redirect = "www.example.com" path_redirect = "/" strip_query = true redirect_response_code = "FOUND" } } resource "google_certificate_manager_dns_authorization" "internal_load_balancer_domain_west1" { name = "internal-load-balancer-dns-auth-${var.environment}-west1" location = var.region_west1 description = "The internal load-balancer dns auth (${var.region_west1})" domain = "" depends_on = [google_project_service.certificatemanager] } resource "google_certificate_manager_certificate" "wildcard_internal_load_balancer_domain_west1" { name = "wildcard-internal-load-balancer-${var.environment}-west1" location = var.region_west1 description = "The wildcard cert for *. (${var.region_west1})" managed { domains = [ "", "*." ] dns_authorizations = [ google_certificate_manager_dns_authorization.internal_load_balancer_domain_west1.id ] } } resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { name = "cloud-run-internal-https-proxy-ccm-west1-new" region = var.region_west1 url_map = google_compute_region_url_map.cloud_run_internal_url_map_west1.id certificate_manager_certificates = [ "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id}", # Or use the self_link format (which matches the id attribute) #google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id, ] } ```

Relevant debug output

``` Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create Terraform will perform the following actions: # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { + certificate_manager_certificates = [ + "//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1", ] + creation_timestamp = (known after apply) + id = (known after apply) + name = "cloud-run-internal-https-proxy-ccm-west1-new" + project = "" + proxy_id = (known after apply) + region = "europe-west1" + self_link = (known after apply) + url_map = "projects//regions/europe-west1/urlMaps/cloud-run-internal-west1" } Plan: 1 to add, 0 to change, 0 to destroy. 2024-05-15T11:40:55.999+0200 [DEBUG] command: asking for input: "\nDo you want to perform these actions?" Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes [CUT irrelevant ProviderTransformer/ReferenceTransformer/pruneUnusedNodes log lines] google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating... 2024-05-15T11:41:00.428+0200 [INFO] Starting apply for google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 2024-05-15T11:41:00.431+0200 [DEBUG] google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: applying the planned Create change 2024-05-15T11:41:00.432+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] converting the field CertificateManagerCertificates to sslCertificates before sending the request 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Creating new RegionTargetHttpsProxy: map[string]interface {}{"name":"cloud-run-internal-https-proxy-ccm-west1-new", "region":"projects//global/regions/europe-west1", "sslCertificates":[]interface {}{"//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1"}, "urlMap":"projects//regions/europe-west1/urlMaps/cloud-run-internal-west1"} 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Waiting for state to become: [success] 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: starting RoundTrip retry loop 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: request attempt 0 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Google API Request Details: 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ REQUEST ]--------------------------------------- 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: POST /compute/v1/projects//regions/europe-west1/targetHttpsProxies?alt=json HTTP/1.1 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Host: compute.googleapis.com 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: User-Agent: Terraform/1.7.5 (+https://www.terraform.io) Terraform-Plugin-SDK/2.31.0 terraform-provider-google/5.21.0 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Length: 374 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Goog-User-Project: 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Accept-Encoding: gzip 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: { 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "name": "cloud-run-internal-https-proxy-ccm-west1-new", 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "region": "projects//global/regions/europe-west1", 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "sslCertificates": [ 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1" 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ], 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "urlMap": "projects//regions/europe-west1/urlMaps/cloud-run-internal-west1" 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5 2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ----------------------------------------------------- 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Google API Response Details: 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ RESPONSE ]-------------------------------------- 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: HTTP/2.0 400 Bad Request 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0 2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "error": { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "code": 400, 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "errors": [ 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "domain": "global", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "reason": "invalid" 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ] 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ----------------------------------------------------- 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 400 with body: HTTP/2.0 400 Bad Request 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "error": { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "code": 400, 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "errors": [ 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: { 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "domain": "global", 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: "reason": "invalid" 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ] 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: } 2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Returning after 1 attempts 2024-05-15T11:41:01.085+0200 [ERROR] provider.terraform-provider-google_v5.21.0_x5: Response contains error diagnostic: tf_proto_version=5.4 tf_req_id=dcd22c46-a487-a1ec-e8a1-8f8b7f511edc diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid" tf_provider_addr=registry.terraform.io/hashicorp/google tf_resource_type=google_compute_region_target_https_proxy tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/diag/diagnostics.go:62 @module=sdk.proto timestamp="2024-05-15T11:41:01.085+0200" 2024-05-15T11:41:01.118+0200 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot 2024-05-15T11:41:01.118+0200 [ERROR] vertex "google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1" error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid ╷ │ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects//locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid │ │ with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1, │ on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1": │ 35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" { │ ╵ 2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] Closing: Server.Stop called 2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] loopyWriter exiting with error: transport closed by client 2024-05-15T11:41:01.134+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF" 2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google/5.21.0/linux_amd64/terraform-provider-google_v5.21.0_x5 pid=108696 2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin exited ```

pawelJas commented 3 months ago

@Daniel-I-Am I agree that documentation is not clear about the support. At the moment the certificate_manager_certificates are not supported for:

Global UrlMaps with External, External_Managed or Internal_Self_Managed BackendServices
Global UrlMaps with BackendBuckets (as those are External or External_Managed only)
Any UrlMaps which have no BackendServices.

The latest is a bug/feature gap which should be fixed that year by allowing LoadBalancingScheme to be set in UrlMap (optional field). As for now the workaround is to add a dummy BackendService in a dummy PatchMatcher in the UrlMap. BackendService does not need to have any Backends, just need to show the scheme.

Daniel-I-Am commented 3 months ago

Oh wow. Now I understand the things I was seeing. I have been able to roll it out once for one load balancer, but not any other. The difference being that the one where it succeeded did have backend services configured and others did not, as they were set up quickly for testing with just a default redirect (I did not realize that this could even cause this oddity). I had opened a ticket with Google Cloud support, but they were unable to tell me what was happening.

Thanks for the explanation, clears up a lot for me :)

This does unblock me for the time being, but still leaves the same questions open for this issue.

bahag-klickst commented 3 months ago

@adamstrawson Thanks for bringing up this issue.

@Daniel-I-Am Thanks for contributing with your terraform output and configuration

@pawelJas Thanks for pointing out the unsupported configurations as of now. As I was stumbling across one of these unsupported combinations yesterday and then decided to go with a certificate map (as pointed out by @adamstrawson), I found that the combination is working Terraform and GCP wise, but unfortunately the GCP UI is not showing the certificate properly afterwards when viewing the details of the global Load Balancer, set up via Terraform. Are there any plans on the roadmap to either allow the certificate_manager_certificates for global Load Balancers or to fix the UI not showing the certificate properly issue?

Thanks to all of you and best regards, Tim.

pawelJas commented 3 months ago

Hi @bahag-klickst,

I have reached out to the UI team and I have confirmed that certificate_map is not supported yet. It is possible to view the certificate_map in the TargetHttpsProxy or TargetSslProxy detailed view but not at the Global Load Balancer view. They are starting to work on that and say that it should be launched by the end of the year.

certificate_manager_certificates for Global External Load Balancer work should also start soon, but might take more time. Probably will be ready some time in 2025.

gemmahou commented 2 months ago

Hey @pawelJas, do we have the different use cases between certificate_manager_certificates and certificate_map documented anywhere in the API/g3 doc? We(Config Connector) also has Cx reporting the same issue. From the log, the error originates from the Google API. Sharing the official API documentation with Cx would be helpful, and we can update our documentation accordingly.

pawelJas commented 2 months ago

Hey @gemmahou. I could not find any dedicated page describing which should be used. What I found is that Public TargetHttpsProxy Resource doc doesn't specify the supported products in the field descriptions. I can fix that. Hamza has corrected Terraform docs already.

pawelJas commented 1 month ago

I have submitted an update for Public TargetHttpsProxy Resource doc, it might take a month before it is out.

re-thc commented 2 weeks ago

@pawelJas does this relate to the scope? I tried creating a certificate with the scope DEFAULT and it works, but not GLOBAL.

pawelJas commented 2 weeks ago

Hey @re-thc, that is a good question. I think the docs should be updated to clarify the Certificate type compatibility.

Regional certificates support only DEFAULT and those work with regional L7 Load Balancers. The only requirement is to be in the same region. For Global Load Balancers the Certificates Type matters.

DEFAULT -> Global External Load Balancers (not supported yet)
ALL_REGIONS -> Global Internal Load Balancer
EDGE_CACHE -> Media CDN

hashicorp / terraform-provider-google