google_workbench_instance keeps on getting updated when pinning container_image

[MBKraus]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.2

• provider registry.terraform.io/hashicorp/google v5.38
• provider registry.terraform.io/hashicorp/google-beta v5.38

Affected Resource(s)

google_workbench_instance

Terraform Configuration

resource "google_workbench_instance" "user_workbench" {
  project  = var.gcp_project_id
  name     = "instance-${local.user_name}"
  location = var.workbench_zone

  disable_proxy_access = false

  labels = {
    app  = "vertex-ai"
    type = "vm"
  }

  gce_setup {

    machine_type = "n1-standard-4"

    container_image {
      repository = "gcr.io/deeplearning-platform-release/base-cpu.py310"
      tag        = "m122"
    }

    shielded_instance_config {
      enable_secure_boot          = true
      enable_vtpm                 = true
      enable_integrity_monitoring = true
    }

    service_accounts {
      email = google_service_account.user.email
    }

    network_interfaces {
      network = var.workbench_vpc
      subnet  = var.workbench_subnet
    }

    disable_public_ip = true

    boot_disk {
      disk_size_gb = var.workbench_boot_disk_size
      disk_type    = var.workbench_boot_disk_type
    }

    data_disks {
      disk_size_gb = var.workbench_data_disk_size
    }

    metadata = {
      rclone-mount-buckets       = google_storage_bucket.user.name
      proxy-mode                 = "service_account"
      proxy-user-mail            = var.user_email
      notebook-upgrade-schedule  = "0 2 * * SUN"
      enable-guest-attributes    = true
      report-system-health       = true
      report-notebook-metrics    = true
      enable-oslogin             = "FALSE" 
      serial-port-logging-enable = true
      install-monitoring-agent   = true
      disable-mixer              = "false"
      block-project-ssh-keys     = true   
      startup-script = templatefile("${path.module}/startup_new_workbench/startup_invoker.tftpl", {
        startup_script_gcs_path = "gs://${google_storage_bucket_object.startup_script_new_workbench[0].bucket}/${google_storage_bucket_object.startup_script_new_workbench[0].name}"
      })
      post-startup-script  = "gs://${google_storage_bucket_object.bootstrap_script_new_workbench[0].bucket}/${google_storage_bucket_object.bootstrap_script_new_workbench[0].name}"
      idle-timeout-seconds = "5400"
    }
    tags = ["allow-iap"]
  }

  depends_on = [
    google_service_account_iam_binding.personal_vertex_sa_service_account_user,
    google_service_account_iam_binding.personal_vertex_sa_service_account_token_creator,
    google_service_account_iam_binding.personal_vertex_sa_service_account_admin
  ]
}

Debug Output

The GCE setup of the workbench instances keeps on getting updated at each run(as per the plan below)

~ module.vertex_user['name'].google_workbench_instance.user_workbench id : "asd name : "instance-mike" ~ gce_setup { tags : []

• container_image {
  • repository : "gcr.io/deeplearning-platform-release/base-cpu.py310"
  • tag : "m122" }}

Expected Behavior

When pinning the image and the tag and code, I'd not expect it to be 'updated' and present in the TF plan every time I do a TF run.

I could ignore this through "lifecycle.ignore_changes", but in that case it would quite cumbersome to bump the tag of an workbench_instance

Actual Behavior

Every time I do a TF run, the workbench_instance is in the TF Plan and indicates that the repository and tag are going to be "updated" (even though the actual resources are running at the specified image and tag)

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workbench_instance

b/357693909

[ggtisc]

It looks like a permadiff, in my case I didn't experience a change in the container_image but have a similar behavior with other arguments having the next result even without making any changes:

# google_workbench_instance.gbi_18827 will be updated in-place
  ~ resource "google_workbench_instance" "gbi_18827" {
        id                   = "projects/terraform-dev-gtiscareno-org/locations/us-central1-a/instances/gbi-18827"
        name                 = "gbi-18827"
        # (15 unchanged attributes hidden)

      ~ gce_setup {
          ~ metadata             = {
              - "cos-update-strategy"        = "update_disabled" -> null
              - "google-logging-enabled"     = "true" -> null
              - "service-account-mode"       = "true" -> null
                # (18 unchanged elements hidden)
            }
            tags                 = [
                "deeplearning-vm",
                "notebook-instance",
            ]
            # (3 unchanged attributes hidden)

            # (7 unchanged blocks hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[bcreddy-gcp]

https://github.com/GoogleCloudPlatform/magic-modules/pull/11407

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.