hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

failed to apply google_dns_managed_zone #17682

Open fawaf opened 7 months ago

fawaf commented 7 months ago

Community Note

Terraform Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.21.0

Affected Resource(s)

google_dns_managed_zone

Terraform Configuration

#tfsec:ignore:google-dns-enable-dnssec
resource "google_dns_managed_zone" "dns_managed_zone" {
  project     = "blah"
  name        = "foo-com"
  dns_name    = "foo.com."
  description = "Managed by Terraform"
  labels      = {}

  visibility = "public"

  dynamic "private_visibility_config" {
    for_each = "public" == "public" ? toset([]) : toset([1])

    content {
      networks {
        network_url = data.google_compute_network.main_vpc.self_link
      }
    }
  }
}

Debug Output

https://gist.github.com/fawaf/38d1633ef38e8a37867a24cedd054190

Expected Behavior

tf should have applied successfully if the zone already exists previously

Actual Behavior

error produced:

Error: Error updating ManagedZone "projects/blah/managedZones/foo" googleapi: Error 400: The 'entity.managedZone.dnssecConfig' parameter is required but was missing., required

Steps to reproduce

  1. zone already exists in gcp project
  2. terraform apply

Important Factoids

No response

References

No response

b/332515087

ggtisc commented 7 months ago

Hi @fawaf, could you be more specific about what you are trying to update, or can it be any property, like the description? For example:

Initial value: description = "Managed by Terraform"

Updated value: description = "Managed by Terraform 2.0"

fawaf commented 7 months ago

Ahh, for sure. I'm not updating anything. It works on initial creation and then immediately fails the second time the apply is run. The plan shows tf tries to remove the dnssec config.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_dns_managed_zone.dns_managed_zone will be updated in-place
  ~ resource "google_dns_managed_zone" "dns_managed_zone" {
        id               = "projects/blah/managedZones/blah"
        name             = "blah"
        # (11 unchanged attributes hidden)

      - dnssec_config {
          - kind          = "dns#managedZoneDnsSecConfig" -> null
          - non_existence = "nsec3" -> null
          - state         = "off" -> null

          - default_key_specs {
              - algorithm  = "rsasha256" -> null
              - key_length = 2048 -> null
              - key_type   = "keySigning" -> null
              - kind       = "dns#dnsKeySpec" -> null
            }
          - default_key_specs {
              - algorithm  = "rsasha256" -> null
              - key_length = 1024 -> null
              - key_type   = "zoneSigning" -> null
              - kind       = "dns#dnsKeySpec" -> null
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to per
roaks3 commented 7 months ago

I was not able to reproduce the issue following your steps. I noticed that the GET /dns/v1/projects/... API call for me did not return a dnssecConfig field (as expected), but your API call did return a dnssecConfig field, and it is responsible for the diff you're seeing.

Is there any chance this managed zone was modified outside of Terraform (like through the console or gcloud)?

fawaf commented 7 months ago

I tested it on both types of zones that you mentioned. Modifying outside of tf causes the error, and directly creating with tf and not touching it afterwards also produces the same error. I'll double check again if there's something funky going on.

roaks3 commented 7 months ago

I looked into this a bit more (reading our docs and some internal source), and it looks to me like there are ways for DNSSEC to be configured elsewhere that could be applied to a newly created zone, even when a dnssec_config is not explicitly specified. However, I'm not an expert on these features, so I'm going to forward to the service team to have a look.

If this is a default that is applied to the zone on the backend, I believe we would need to add a default_from_api: true line to this field to avoid this diff.
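A pre-apply check a reviewer can run over the JSON form of a plan like the one pasted above, so that any plan which drops a zone's dnssec_config block is caught before the API rejects it (or, worse, before a signed zone is silently unsigned). This is an added example, not the provider's code; the embedded plan is a constructed sample modelled on the diff in this issue, and the severity labels are the example's own convention.

```python
"""Flag Terraform plan changes that drop a google_dns_managed_zone dnssec_config block."""
import json

# Constructed sample in the shape of `terraform show -json tfplan` output,
# modelled on the plan pasted in this issue (not real project data).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "google_dns_managed_zone.dns_managed_zone",
        "type": "google_dns_managed_zone",
        "change": {
            "actions": ["update"],
            "before": {
                "name": "blah",
                "dnssec_config": [{
                    "state": "off",
                    "non_existence": "nsec3",
                    "default_key_specs": [
                        {"algorithm": "rsasha256", "key_length": 2048, "key_type": "keySigning"},
                        {"algorithm": "rsasha256", "key_length": 1024, "key_type": "zoneSigning"},
                    ],
                }],
            },
            # Nested blocks appear as lists; an empty list means the block is removed.
            "after": {"name": "blah", "dnssec_config": []},
        },
    }],
})


def dnssec_config_drops(plan_json: str) -> list[dict]:
    """Return one finding per managed zone whose dnssec_config block an in-place update removes."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "google_dns_managed_zone" or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("dnssec_config") or []
        after = (change.get("after") or {}).get("dnssec_config") or []
        if before and not after:
            prior_state = before[0].get("state")
            findings.append({
                "address": rc["address"],
                "prior_state": prior_state,
                # Dropping an active config would unsign the zone; dropping an "off" config
                # is the spurious diff in this issue, which the API then rejects anyway.
                "severity": "high" if prior_state == "on" else "info",
            })
    return findings
```

Feed it the output of `terraform show -json tfplan` and gate the apply on any finding with severity "high".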

Samir-Cit commented 2 months ago

Hello @fawaf, is this still happening?

I wrote some code and used the same providers you mentioned, but for me it worked fine! It creates as expected, and when trying to update it shows no diffs.

fawaf commented 2 months ago

Yeah, this should still be happening, but we worked around it for now. So I haven't checked it out recently.

PetrPhilipp commented 1 month ago

Hi, I'm having a similar issue: after a change unrelated to any of these fields, the dnssec_config block of a "google_dns_managed_zone" is getting set to null and failing apply.

roaks3 commented 1 month ago

This should actually be fixed as of v6.4.0. Are you still seeing issues with that version of the provider?