Issue when adding labels to existing google_compute_global_address

[suryaincbe]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.3.6

• provider registry.terraform.io/hashicorp/google v5.38.0
• provider registry.terraform.io/hashicorp/google-beta v4.80.0

Affected Resource(s)

google_compute_global_address

Terraform Configuration

PROVIDER DEFINITIONS

terraform { required_version = "=1.3.6" backend "gcs" {

} required_providers { google = { source = "hashicorp/google" } null = { source = "hashicorp/null" version = "3.2.1" } local = { source = "hashicorp/local" version = "2.4.0" } google-beta = { source = "hashicorp/google-beta" version = "4.80.0" } } }

provider "google" { project = var.project region = var.region zone = local.zonea default_labels = { ot_tenant = "xxxx" ot_environment = "xxxx" ot_master_product = "xxxx" } }

resource "google_compute_global_address" "external_ip" { project = var.project name = "xxxx" description = "xxxx" address_type = "EXTERNAL" }

Debug Output

No response

Expected Behavior

Since default_labels are added to google provider block, the labels should be added to google_compute_global_address.external.ip resource.

Terraform plan shows its adding the labels to the resource but terraform apply fails.

But when we declare a separate provider for google-beta and point the external.ip resource to the beta-provider it works

provider "google-beta" { alias = "google-beta" project = "xxxx" region = "xxxx" zone = "xxxx" default_labels = { ot_tenant = var.customer ot_environment = var.env ot_master_product = var.master_product } }

We believe this is occurring due to the label_fingerprint attribute for google_compute_global_address is still in beta.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address#attributes-reference

We need to know when the label_fingerprint attribute will be present in google provider.

Actual Behavior

terraform apply fails with below message, Error updating GlobalAddress "projects/otc-ems-ce-dryrun1/global/addresses/a001-preprod": googleapi: Error 412: Labels fingerprint either invalid or resource labels have changed, conditionNotMet

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

No response

b/354725806

[ggtisc]

Hi @suryaincbe!

After analyzing your code I noticed that this is not a bug but rather a nomenclature error. As you can see in the API documentation labels are declared with the next format using : instead of =

resource "google_compute_global_address" "cga_18739" {
  name = "cga-18739"
  labels = {
    "example" : "something",
    "otherlabel" : "otherthing"
  }
}

[Maarc-D]

Hi @suryaincbe!

After analyzing your code I noticed that this is not a bug but rather a nomenclature error. As you can see in the API documentation labels are declared with the next format using : instead of =

resource "google_compute_global_address" "cga_18739" {
  name = "cga-18739"
  labels = {
    "example" : "something",
    "otherlabel" : "otherthing"
  }
}

Not in terraform and furthermore on our case we used provider default_labels was totally fine and with the 5.38.0 version it crash with same issue as provided here, so it is a bug ;) As temporary workaround we did stick to 5.37.0 but this change (from 5.37.0 to 5.38.0) must be fix or rollback ;)

[tamipangadil]

Hi @suryaincbe @Maarc-D

I have faced similar issue which blocked our Terraform CI pipeline. Using the google-beta provider in our google_compute_global_address resources worked as you mentioned above.

resource "google_compute_global_address" "external_ip" {
  provider = google-beta
  ...
}

This is clearly a bug which was prematurely being required while it is still in beta.

[JSkimming]

We have the same issue and have reverted back to 5.37.0.

[melinath]

Yeah this looks like a legitimate bug. The label field was updated to GA in https://github.com/GoogleCloudPlatform/magic-modules/pull/11093 but the label fingerprints field was missed. LabelFingerprint is present in the GA API so should be fine to promote as well; that should resolve the issue.

See https://github.com/GoogleCloudPlatform/magic-modules/pull/9159 for the promotion for this field in the regional variant of the resource, and https://github.com/GoogleCloudPlatform/magic-modules/pull/9768 for a similar issue in google_compute_vpn_tunnel

[watsonjm]

This bug is still present in 5.41, we're currently restrained to 5.37 until it gets fixed.