hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

`google_service_networking_vpc_service_controls` Doesn't successfully apply enable/disable #18667

Open nickozilla opened 2 months ago

nickozilla commented 2 months ago

Terraform Version & Provider Version(s)

Terraform v1.8.5 on

Affected Resource(s)

google_service_networking_vpc_service_controls

Terraform Configuration

resource "google_service_networking_vpc_service_controls" "sn_network" {
  network    = google_compute_network.network.name
  service    = "servicenetworking.googleapis.com"
  enabled    = true
  depends_on = [google_service_networking_connection.sn_network]
}

Debug Output

No response

Expected Behavior

Setting enabled = true on the resource should have the same effect as:

gcloud services vpc-peerings enable-vpc-service-controls --network=my-network --service=servicenetworking.googleapis.com --project=my-project

or setting enabled = false on the resource should have the same effect as:

gcloud services vpc-peerings disable-vpc-service-controls --network=my-network --service=servicenetworking.googleapis.com --project=my-project

Actual Behavior

In actuality, this seemingly has no effect at all, instead showing a permadiff on the resource:

  # google_service_networking_vpc_service_controls.sn_network will be updated in-place
  ~ resource "google_service_networking_vpc_service_controls" "sn_network" {
      ~ enabled = false -> true
        id      = "services/servicenetworking.googleapis.com/projects/dev/networks/my-network"
        # (2 unchanged attributes hidden)
    }

If the vpc-peerings vpc-service-controls for servicenetworking.googleapis.com starts as disabled and I use Terraform to enable it, I get a clean apply but no actual change. The same is true in reverse.

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

b/365815185

ggtisc commented 2 months ago

Hi @nickozilla

I tried to replicate this issue, but the result was successful without errors. In the tfstate file, the google_service_networking_vpc_service_controls.enable property changes its value each time from true to false or false to true. On the other hand, when there were no changes to apply, the result was:

No changes. Your infrastructure matches the configuration.

bchazalet commented 1 week ago

I'm seeing the same thing. The output of the apply is successful but nothing happens, and on the next apply it tries to do the same thing. In the tf state, it stays false (while I'm trying to set it to true).

Note that the gcloud command behaves the same way: no explicit failure but doesn't enable it either.

Also, I have seen it work before. It's just that it seems it got itself into a state where it doesn't anymore.

bchazalet commented 1 week ago

In the TF logs I see:

2024-09-10T09:56:08.303+0200 [DEBUG] provider.terraform-provider-google_v5.41.0_x5: -----------------------------------------------------
2024-09-10T09:56:08.934+0200 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value for google_service_networking_vpc_service_controls.bridge_service_networking, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .enabled: was cty.True, but now cty.False

and

2024-09-10T09:56:08.936+0200 [DEBUG] State storage *remote.State declined to persist a state snapshot

bchazalet commented 1 week ago

If I delete and recreate the associated google_service_networking_connection, it starts behaving correctly again.
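
The WARN record in the log quoted above shows the provider returning `enabled = false` after a plan of `true` while the apply still reports success. As an added example (not part of the thread and not the provider's code), this Python script scans a captured Terraform log for that record so a CI job can fail when a watched resource is left in that state; the watched-type set, the function name and the sample log are assumptions constructed for illustration, and it assumes the apply ran with `TF_LOG` set to `WARN` or more verbose.

```python
import re
import sys

# Assumption: resource types whose tolerated "unexpected new value" should fail CI.
WATCHED_TYPES = {"google_service_networking_vpc_service_controls"}

HEADER = re.compile(
    r'\[WARN\]\s+Provider .+? produced an unexpected new value for '
    r'(?P<addr>.+?), but we are tolerating it')
DETAIL = re.compile(r'^\s+- (?P<attr>\.\S+): was (?P<planned>.+?), but now (?P<actual>.+)$')
NEW_RECORD = re.compile(r'^\d{4}-\d{2}-\d{2}T')       # any timestamped log line
TYPE_OF = re.compile(r'(\w+)\.\w+(?:\[.*\])?$')        # resource type in an address

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = r'''
2024-09-10T09:56:08.303+0200 [DEBUG] provider.terraform-provider-google_v5.41.0_x5: -----
2024-09-10T09:56:08.934+0200 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/google\"]" produced an unexpected new value for google_service_networking_vpc_service_controls.bridge_service_networking, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .enabled: was cty.True, but now cty.False
2024-09-10T09:56:08.936+0200 [DEBUG] State storage *remote.State declined to persist a state snapshot
'''

def find_tolerated_drift(log_text, watched_types=WATCHED_TYPES):
    """Return attributes where the provider's result differed from the plan."""
    findings, current = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            current = header.group("addr")   # start of a WARN block
            continue
        if NEW_RECORD.match(line):
            current = None                   # next log record ends the block
            continue
        detail = DETAIL.match(line)
        if current and detail:
            rtype = TYPE_OF.search(current)
            if rtype and rtype.group(1) in watched_types:
                findings.append({"address": current, **detail.groupdict()})
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_tolerated_drift(text)
    for h in hits:
        print(f"{h['address']}{h['attr']}: planned {h['planned']}, "
              f"provider returned {h['actual']}")
    sys.exit(1 if hits else 0)   # non-zero exit fails the pipeline step
```
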

ggtisc commented 1 week ago

After some tries it wasn't possible to replicate the behavior. I'm forwarding this ticket because maybe this is an intermittent issue.