Open thinhlng-3444 opened 7 months ago
Hi @thinhlng-3444!
Are you using any specific certificates for this example like in this link?
If that is the case, please provide more information to replicate this issue (replacing any sensitive information with placeholder comments such as `provided value` or something similar).
Hi @ggtisc , Is this what you need ?
# Terraform CLI and provider constraints used by the reporter.
terraform {
  # Any CLI release from 1.3.4 upward is accepted.
  required_version = ">= 1.3.4"

  required_providers {
    google = {
      source = "hashicorp/google"
      # Exact pin: only this provider release is selected.
      version = "5.20.0"
    }
  }
}
# One DNS authorization per entry of var.dns_auth_config, keyed by the entry's name.
resource "google_certificate_manager_dns_authorization" "default" {
  # A null input produces no instances.
  for_each = var.dns_auth_config != null ? { for entry in var.dns_auth_config : entry.name => entry } : {}

  name     = each.value.name
  domain   = each.value.domain
  project  = var.project_id
  location = var.region
}
# One Google-managed certificate per entry of var.manager_cer_config, keyed by the entry's name.
resource "google_certificate_manager_certificate" "default" {
  # A null input produces no instances.
  for_each = var.manager_cer_config != null ? { for entry in var.manager_cer_config : entry.name => entry } : {}

  name     = "${each.value.name}-${each.value.type_ssl}-ssl"
  project  = var.project_id
  location = var.region

  managed {
    # Both names are requested on the same certificate and rely on the single
    # DNS authorization passed in by the caller.
    domains            = [each.value.domain, each.value.wildcard_domain]
    dns_authorizations = [each.value.dns_authorization_id]
  }
}
You are sharing your configuration with many unknown variables. So please check the next configuration and confirm if it is correct as an example taking into account that these are generic values:
# Provider block with no explicit settings: project, region and credentials are
# not configured here.
provider "google" {}

# Per-proxy inputs; each object names the proxy, its URL map and the
# Certificate Manager certificate to attach. Null means "create nothing".
variable "targets_config" {
  default = null
  type = map(object({
    name            = string
    lb_self_link    = string
    ssl_wildcard_id = string
  }))
}
# Four DNS authorizations (A-D), one per placeholder domain. No location
# argument is set on any of them.
resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802A" {
  domain = "subdomain.example17802A.com"
  name   = "google-certificate-manager-dns-authorization-17802A"
}

resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802B" {
  domain = "subdomain.example17802B.com"
  name   = "google-certificate-manager-dns-authorization-17802B"
}

resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802C" {
  domain = "subdomain.example17802C.com"
  name   = "google-certificate-manager-dns-authorization-17802C"
}

resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802D" {
  domain = "subdomain.example17802D.com"
  name   = "google-certificate-manager-dns-authorization-17802D"
}
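# Google-managed certificate covering the A and B placeholder domains.
resource "google_certificate_manager_certificate" "google_certificate_manager_certificate_17802A" {
  name = "google-certificate-manager-certificate-17802A"

  managed {
    domains = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802A.domain,
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802B.domain
    ]

    # One authorization per requested domain. The listing originally repeated
    # the A authorization here, which left the B domain without a matching
    # DNS authorization; the sibling 17802B certificate pairs C with D.
    dns_authorizations = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802A.id,
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802B.id
    ]
  }
}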
# Google-managed certificate covering the C and D placeholder domains, each
# backed by its own DNS authorization.
resource "google_certificate_manager_certificate" "google_certificate_manager_certificate_17802B" {
  name = "google-certificate-manager-certificate-17802B"

  managed {
    dns_authorizations = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802C.id,
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802D.id
    ]

    domains = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802C.domain,
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802D.domain
    ]
  }
}
# One regional target HTTPS proxy per entry of var.targets_config, keyed by
# the entry's name.
resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
  # A null input produces no instances.
  for_each = var.targets_config != null ? { for target in var.targets_config : target.name => target } : {}

  name    = "${each.value.name}-https"
  url_map = each.value.lb_self_link

  # The certificate is referenced by its Certificate Manager resource URL,
  # built from the id supplied in the variable.
  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${each.value.ssl_wildcard_id}"
  ]

  timeouts {
    create = "5m"
  }
}
Finally, please let me know the way you are introducing the variables.
@ggtisc This is how I introduce and use variables.
Variable:
# Inputs of the DNS-authorization module.
variable "project_id" {
  type = string
}

variable "env" {
  type = string
}

variable "region" {
  type = string
}

# DNS authorizations to create; an empty list creates none.
variable "dns_auth_config" {
  default = []
  type = list(object({
    name   = string
    domain = string # *.abc.com => abc.com
  }))
}
Logic
# Creates one DNS authorization for each configured entry; instances are
# addressed by the entry's name.
resource "google_certificate_manager_dns_authorization" "default" {
  # Guard against an explicit null being passed for the list.
  for_each = var.dns_auth_config != null ? { for item in var.dns_auth_config : item.name => item } : {}

  project  = var.project_id
  location = var.region

  name   = each.value.name
  domain = each.value.domain
}
Output:
# Every DNS authorization object, keyed by configured name.
output "dns_auth" {
  value = google_certificate_manager_dns_authorization.default
}

# Map of configured name => DNS authorization id, for use by the certificate module.
output "dns_auth_id" {
  value = {
    for auth_name, auth in google_certificate_manager_dns_authorization.default : auth_name => auth.id
  }
}
Variable
# Certificates to create; an empty list creates none.
variable "manager_cer_config" {
  default = []
  type = list(object({
    name                 = string
    domain               = string # *.abc.com => abc.com
    wildcard_domain      = string
    dns_authorization_id = string
    # Becomes part of the certificate name; "wildcard" when omitted.
    type_ssl = optional(string, "wildcard")
  }))
}

variable "project_id" {
  type = string
}

variable "env" {
  type = string
}

variable "region" {
  type = string
}
Logic
# Creates one Google-managed certificate for each configured entry; instances
# are addressed by the entry's name.
resource "google_certificate_manager_certificate" "default" {
  # Guard against an explicit null being passed for the list.
  for_each = var.manager_cer_config != null ? { for item in var.manager_cer_config : item.name => item } : {}

  project  = var.project_id
  location = var.region
  name     = "${each.value.name}-${each.value.type_ssl}-ssl"

  managed {
    # The plain and the wildcard name go on one certificate and are validated
    # through the single DNS authorization supplied by the caller.
    dns_authorizations = [each.value.dns_authorization_id]
    domains            = [each.value.domain, each.value.wildcard_domain]
  }
}
Output:
# Every certificate object, keyed by configured name.
output "manager" {
  value = google_certificate_manager_certificate.default
}

# Map of configured name => certificate id.
output "manager_id" {
  value = {
    for cert_name, cert in google_certificate_manager_certificate.default : cert_name => cert.id
  }
}
Variable:
# Inputs of the target-HTTPS-proxy module.
variable "project_id" {
  type = string
}

variable "region" {
  type = string
}

variable "env" {
  type = string
}

# Proxies to create; an empty list creates none.
variable "targets_config" {
  default = []
  type = list(object({
    name         = string
    lb_self_link = string
    # Certificate Manager certificate id; null when the caller omits it.
    ssl_wildcard_id = optional(string, null)
  }))
}
Logic:
# Creates one regional target HTTPS proxy for each configured entry; instances
# are addressed by the entry's name.
resource "google_compute_region_target_https_proxy" "default" {
  # Guard against an explicit null being passed for the list.
  for_each = var.targets_config != null ? { for item in var.targets_config : item.name => item } : {}

  project = var.project_id
  region  = var.region
  name    = "${each.value.name}-https"
  url_map = each.value.lb_self_link

  # NOTE(review): ssl_wildcard_id defaults to null in the variable declaration
  # shown with this module, and a null cannot be interpolated into the URL
  # below; confirm callers always supply it.
  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${each.value.ssl_wildcard_id}",
    # Second certificate, disabled by the reporter:
    # "//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-test-wildcard-ssl"
  ]

  timeouts {
    create = "5m"
  }
}
# Root-module call that creates the DNS authorization for abc.com.
module "dns_auth" {
  source = "../../../modules/ssl/dns-auth"

  project_id = var.project_id
  region     = var.region
  env        = var.env

  # NOTE(review): the name is built from var.project while project_id passes
  # var.project_id; confirm both variables are declared in the root module.
  dns_auth_config = [
    {
      name   = "${var.project}-${var.env}-${var.region}-test"
      domain = "abc.com"
    }
  ]
}
# Root-module call that requests one certificate for abc.com and *.abc.com.
module "manager_cer" {
  source = "../../../modules/ssl/manager"

  project_id = var.project_id
  region     = var.region
  env        = var.env

  manager_cer_config = [
    {
      name   = "${var.project}-${var.env}-${var.region}-test"
      domain = "abc.com"
      # The wildcard entry covers every first-level subdomain of abc.com.
      wildcard_domain = "*.abc.com"
      # Looked up by the same key the dns_auth module uses for its instance.
      dns_authorization_id = module.dns_auth.dns_auth_id["${var.project}-${var.env}-${var.region}-test"]
    }
  ]
}
# Root-module call that creates the target HTTPS proxy for the "run-test" load balancer.
module "targets_https_test" {
  source = "../../../modules/lb/targets/https"

  project_id = var.project_id
  env        = var.env
  region     = var.region

  targets_config = [
    {
      name         = "${var.project}-${var.env}-${var.region}-run-test"
      lb_self_link = module.lb_test.regional_alb_self_link["${var.project}-${var.env}-${var.region}-run-test"]
      # NOTE(review): terraform_remote_state reads the whole remote state
      # snapshot to obtain this one output, so whoever runs this configuration
      # needs read access to that state.
      ssl_wildcard_id = data.terraform_remote_state.general.outputs.cer_manager
    }
  ]
}
The issue was replicated successfully without errors with the next configuration:
# Two regional DNS authorizations in us-central1, one per test domain.
resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802" {
  domain   = "abc17802.com"
  location = "us-central1"
  name     = "myproject-test-us-central1-test"
}

resource "google_certificate_manager_dns_authorization" "google_certificate_manager_dns_authorization_17802B" {
  domain   = "abc17802b.com"
  location = "us-central1"
  name     = "myproject-testb-us-central1-test"
}
# Regional managed certificate for abc17802.com and its wildcard.
resource "google_certificate_manager_certificate" "google_certificate_manager_certificate_17802" {
  location = "us-central1"
  name     = "myproject-test-us-central1-test-wildcard-ssl"

  managed {
    # Same location as the DNS authorization it references.
    dns_authorizations = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802.id
    ]
    domains = ["abc17802.com", "*.abc17802.com"]
  }

  # Explicit ordering; the id reference above already implies this dependency.
  depends_on = [
    google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802
  ]
}
# Regional managed certificate for abc17802b.com and its wildcard.
resource "google_certificate_manager_certificate" "google_certificate_manager_certificate_17802B" {
  location = "us-central1"
  name     = "myproject-testb-us-central1-test-wildcard-ssl"

  managed {
    # Same location as the DNS authorization it references.
    dns_authorizations = [
      google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802B.id
    ]
    domains = ["abc17802b.com", "*.abc17802b.com"]
  }

  # Explicit ordering; the id reference above already implies this dependency.
  depends_on = [
    google_certificate_manager_dns_authorization.google_certificate_manager_dns_authorization_17802B
  ]
}
# Initial state of the proxy in the reproduction: both certificates attached.
resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
  name    = "myproject-test-us-central1-run-test-https"
  url_map = google_compute_region_url_map.google_compute_region_url_map_17802.id

  # Each entry is the Certificate Manager resource URL of one certificate.
  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.google_certificate_manager_certificate_17802.id}",
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.google_certificate_manager_certificate_17802B.id}"
  ]

  timeouts {
    create = "5m"
  }
}
# Regional URL map that sends all traffic to the single backend service.
resource "google_compute_region_url_map" "google_compute_region_url_map_17802" {
  region          = "us-central1"
  name            = "url-map-17802"
  default_service = google_compute_region_backend_service.google_compute_region_backend_service_17802.id
}
# Backend service for the internal managed load balancer; no backends are
# attached in this reproduction.
resource "google_compute_region_backend_service" "google_compute_region_backend_service_17802" {
  region                = "us-central1"
  name                  = "backend-service-17802"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTPS"
  timeout_sec           = 30
}
After the resources were created, a change was applied to the `google_compute_region_target_https_proxy_17802` resource as follows (removing 1 SSL certificate):
# Second state of the proxy in the reproduction: the 17802B certificate has
# been dropped, so only one certificate remains attached.
resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
  name    = "myproject-test-us-central1-run-test-https"
  url_map = google_compute_region_url_map.google_compute_region_url_map_17802.id

  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.google_certificate_manager_certificate_17802.id}"
  ]

  timeouts {
    create = "5m"
  }
}
The result again was successful and without errors. I suggest you simplify your configuration removing variables, modules and outputs and check 1 by 1 what is causing the issue.
@ggtisc It's so unusual. I used your code and deployed it myself:
# Reporter's copy of the reproduction, pointed at an existing certificate in
# asia-northeast1 by literal resource URL.
resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
  project = "test-dev-xxxxxx"
  region  = "asia-northeast1"
  name    = "myproject-test-asia-northeast1-run-test-https"
  url_map = google_compute_region_url_map.google_compute_region_url_map_17802.id

  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-wildcard-ssl"
    # Certificate being removed from the proxy:
    # "//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-test-wildcard-ssl",
  ]

  timeouts {
    create = "5m"
  }
}
# Regional URL map that sends all traffic to the single backend service.
resource "google_compute_region_url_map" "google_compute_region_url_map_17802" {
  project         = "test-dev-xxxxxx"
  region          = "asia-northeast1"
  name            = "url-map-17802"
  default_service = google_compute_region_backend_service.google_compute_region_backend_service_17802.id
}
# Backend service for the internal managed load balancer; no backends are
# attached in this reproduction.
resource "google_compute_region_backend_service" "google_compute_region_backend_service_17802" {
  project               = "test-dev-xxxxxx"
  region                = "asia-northeast1"
  name                  = "backend-service-17802"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTPS"
  timeout_sec           = 30
}
The error above still happens.
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# google_compute_region_target_https_proxy.google_compute_region_target_https_proxy_17802 will be updated in-place
~ resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
~ certificate_manager_certificates = [
"//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-wildcard-ssl",
- "//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-test-wildcard-ssl",
]
id = "projects/test-dev-xxxxxx/regions/asia-northeast1/targetHttpsProxies/myproject-test-asia-northeast1-run-test-https"
name = "myproject-test-asia-northeast1-run-test-https"
# (7 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
google_compute_region_target_https_proxy.google_compute_region_target_https_proxy_17802: Modifying... [id=projects/test-dev-xxxxxx/regions/asia-northeast1/targetHttpsProxies/myproject-test-asia-northeast1-run-test-https]
╷
│ Error: Error updating RegionTargetHttpsProxy "projects/test-dev-xxxxxx/regions/asia-northeast1/targetHttpsProxies/myproject-test-asia-northeast1-run-test-https": googleapi: Error 400: Invalid value for field 'resource': ''. At least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., invalid
│
│ with google_compute_region_target_https_proxy.google_compute_region_target_https_proxy_17802,
│ on test-ssl.tf line 1, in resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802":
│ 1: resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
The issue was replicated again with the `asia-northeast1` location, successfully and without errors. This looks more like troubleshooting than a bug: you need to check your permissions and roles, run `terraform init -upgrade`, and be sure that `google_certificate_manager_dns_authorization` has the same location as your certificates. If you have environment variables declared in a file or another source, do the same.
@ggtisc Currently I am using the Owner role to implement the above. Also, I checked the google_certificate_manager_dns_authorization resource; it's in the same region as Certificate Manager. In the code you are using, I don't see the provider version, so could you share it so that I can check again?
It was replicated initially with version 1.7.5, but after the first 2 replications, a 3rd one of this scenario was made today with version 1.3.4, and it was again successful and without errors.
@ggtisc How about your provider version? I am using provider version "5.20.0":
# CLI and provider constraints the reporter applies with.
terraform {
  # Minimum CLI release; newer ones are allowed.
  required_version = ">= 1.3.4"

  required_providers {
    google = {
      # Exact provider release in use; no range is allowed.
      version = "5.20.0"
      source  = "hashicorp/google"
    }
  }
}
Confirmed issue: with the last shared provider version, it returns the message:
│ Error: Error updating RegionTargetHttpsProxy "projects/ryanoaksnightly2/regions/us-central1/targetHttpsProxies/myproject-test-us-central1-run-test-https": googleapi: Error 400: Invalid value for field 'resource': ''. At least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., invalid
│
│ with google_compute_region_target_https_proxy.google_compute_region_target_https_proxy_17802,
│ on main.tf line 54, in resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802":
│ 54: resource "google_compute_region_target_https_proxy" "google_compute_region_target_https_proxy_17802" {
Is the issue encountered in the latest provider versions?
If I understand properly, the issue happens when `certificate_manager_certificates` is updated. That's the same issue as https://github.com/hashicorp/terraform-provider-google/issues/17641, which was fixed in https://github.com/GoogleCloudPlatform/magic-modules/pull/10261
I also tested it locally and did not encounter any errors. Am I missing something?
Community Note
Terraform Version
Terraform v1.3.4
Affected Resource(s)
google_compute_region_target_https_proxy
Terraform Configuration
Debug Output
Expected Behavior
Remove the value "//certificatemanager.googleapis.com/projects/test-dev-xxxxxx/locations/asia-northeast1/certificates/test-dev-asia-northeast1-test-wildcard-ssl" from the HTTPS target proxy.
Actual Behavior
Error updating RegionTargetHttpsProxy "projects/demo/regions/asia-northeast1/targetHttpsProxies/demo-dev-asia-northeast1-run-api-xxxxx-https": googleapi: Error 400: Invalid value for field 'resource': ''. At least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., invalid
Steps to reproduce
terraform apply
Important Factoids
No response
References
No response
b/336318785