hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Permadiff on google_network_services_gateway when address is not specified #19196

Open sruffilli opened 3 weeks ago

sruffilli commented 3 weeks ago

Community Note

Terraform Version & Provider Version(s)

Terraform v1.9.5 on darwin_arm64

Affected Resource(s)

google_network_services_gateway

Terraform Configuration

resource "google_network_services_gateway" "default" {
  provider                             = google
  project                              = var.project_id
  name                                 = var.name
  location                             = var.region
  description                          = var.description
  labels                               = var.labels
  addresses                            = null
  type                                 = "SECURE_WEB_GATEWAY"
  ports                                = var.ports
  scope                                = var.scope != null ? var.scope : ""
  certificate_urls                     = var.certificates
  gateway_security_policy              = google_network_security_gateway_security_policy.default.id
  network                              = var.network
  subnetwork                           = var.subnetwork
  delete_swg_autogen_router_on_destroy = var.delete_swg_autogen_router_on_destroy
}

Debug Output

No response

Expected Behavior

Once a google_network_services_gateway resource is created with no specified addresses, any following terraform apply should not result in a permadiff, causing the gateway to be recreated.

Actual Behavior

A permadiff is generated, where the resource picks up the first available IP address on the provided subnetwork:

  # module.swp.google_network_services_gateway.default must be replaced
-/+ resource "google_network_services_gateway" "default" {
      ~ addresses                            = [ # forces replacement
          - "10.0.253.4",
        ]
      ~ create_time                          = "2024-08-21T08:41:03.979259090Z" -> (known after apply)
      ~ effective_labels                     = {} -> (known after apply)
      ~ id                                   = "projects/ispncclab0-prod-landing/locations/europe-west12/gateways/swp" -> (known after apply)
        name                                 = "swp"
      ~ self_link                            = "https://networkservices.googleapis.com/v1alpha1/projects/ispncclab0-prod-landing/locations/europe-west12/gateways/swp" -> (known after apply)
      ~ terraform_labels                     = {} -> (known after apply)
      ~ update_time                          = "2024-08-21T08:41:21.947014391Z" -> (known after apply)
        # (12 unchanged attributes hidden)
    }

Steps to reproduce

  1. terraform apply to first create the gateway
  2. terraform apply to see the permadiff

Important Factoids

No response

References

No response
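Added example, not part of the issue or of the provider: a small pre-apply gate that reads a Terraform JSON plan (the output of `terraform show -json tfplan`) and refuses to continue when a google_network_services_gateway would be replaced only because the API back-filled `addresses` after creation, which is the plan shown above. Replacing the gateway means the Secure Web Gateway (and the gateway_security_policy attached to it) is deleted and recreated, so egress through it is interrupted and unenforced until the new one is up; that is worth blocking in CI rather than discovering at apply time. The field names `resource_changes`, `change.actions`, `change.before/after` and `change.replace_paths` are those of Terraform's JSON plan format; the sample plan embedded below is constructed by hand to mirror the reporter's output and is not a real plan.

```python
"""Gate a Terraform JSON plan: exit non-zero when a google_network_services_gateway
would be replaced because `addresses` was back-filled by the API.

Added example for this issue; not code from the provider or from the reporter.
Usage: python gate.py plan.json   (plan.json from `terraform show -json tfplan`)
Without an argument it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample plan (illustrative values only): one gateway replaced
# (delete+create) with `addresses` as the forcing path, one untouched resource.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.swp.google_network_services_gateway.default",
            "type": "google_network_services_gateway",
            "change": {
                "actions": ["delete", "create"],
                "before": {"name": "swp", "addresses": ["10.0.253.4"]},
                "after": {"name": "swp", "addresses": None},
                "replace_paths": [["addresses"]],
            },
        },
        {
            "address": "google_compute_subnetwork.proxy",
            "type": "google_compute_subnetwork",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})


def replacements(plan: dict, resource_type: str) -> list[dict]:
    """Return the resource changes of `resource_type` that are replacements."""
    out = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        actions = rc.get("change", {}).get("actions", [])
        # A replacement is a delete+create pair; order depends on create_before_destroy.
        if len(actions) == 2 and set(actions) == {"delete", "create"}:
            out.append(rc)
    return out


def forced_by(rc: dict, attribute: str) -> bool:
    """True if `attribute` is one of the paths that forced this replacement."""
    for path in rc.get("change", {}).get("replace_paths", []):
        if path and path[0] == attribute:
            return True
    return False


def address_permadiff(plan_json: str) -> list[str]:
    """Addresses of gateways that would be recreated only because `addresses`
    has a value in state (assigned by the API) but none in the configuration."""
    plan = json.loads(plan_json)
    hits = []
    for rc in replacements(plan, "google_network_services_gateway"):
        change = rc["change"]
        before = (change.get("before") or {}).get("addresses")
        after = (change.get("after") or {}).get("addresses")
        if forced_by(rc, "addresses") and before and not after:
            hits.append(rc["address"])
    return hits


def main(argv: list[str]) -> int:
    """CLI entry point: 1 if the plan would recreate a gateway, else 0."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan_json = fh.read()
    else:
        plan_json = SAMPLE_PLAN
    hits = address_permadiff(plan_json)
    for addr in hits:
        print(f"refusing to apply: {addr} would be replaced because "
              "'addresses' was back-filled by the API after creation")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate only looks at replacements whose `replace_paths` contain `addresses` and whose `before` carries an API-assigned value while `after` is empty, so a deliberate change of `addresses` in the configuration still passes. It does not fix the diff itself; until the provider treats an unset `addresses` as computed, the general Terraform mechanism for suppressing such a diff is `lifecycle { ignore_changes = [addresses] }` on the resource, which is not discussed in this thread and is mentioned here only as the standard option.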

ggtisc commented 3 weeks ago

Hi @sruffilli!

I tried to replicate this issue many times, but the result is successful without errors or permadiff. The provided code contains many variables that I don't have access to, so this is the code I used; comment if there are values to be changed to obtain your permadiff result:

resource "google_compute_network" "cn_19196" {
  name                    = "cn-19196"
  routing_mode            = "REGIONAL"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "csn_default_19196" {
  name          = "csn-default-19196"
  purpose       = "PRIVATE"
  ip_cidr_range = "10.128.0.0/20"
  region        = "us-central1"
  network       = google_compute_network.cn_19196.id
  role          = "ACTIVE"
}

resource "google_compute_subnetwork" "proxy_sn_19196" {
  name          = "proxy-sn-19196"
  purpose       = "REGIONAL_MANAGED_PROXY"
  ip_cidr_range = "192.168.0.0/23"
  region        = "us-central1"
  network       = google_compute_network.cn_19196.id
  role          = "ACTIVE"
}

resource "google_network_security_gateway_security_policy" "nsg_sp_19196" {
  name        = "nsg-sp-19196"
  location    = "us-central1"
}

resource "google_network_security_gateway_security_policy_rule" "nsg_spr_19196" {
  name                    = "nsg-spr-19196"
  location                = "us-central1"
  gateway_security_policy = google_network_security_gateway_security_policy.nsg_sp_19196.name
  enabled                 = true
  priority                = 1
  session_matcher         = "host() == 'example.com'"
  basic_profile           = "ALLOW"
}

resource "google_certificate_manager_certificate" "cmc_19196" {
  name        = "cmc-19196"
  location    = "us-central1"
  self_managed {
    pem_certificate = file("./utils/cert.pem")
    pem_private_key = file("./utils/key.pem")
  }
}

resource "google_network_services_gateway" "nsg_19196" {
  provider    = google
  project     = "my-project"
  name        = "nsg-19196"
  description = "something"

  labels = {
    "mykey" = "value"
  }

  addresses                            = null
  location                             = "us-central1"
  scope                                = "my-default-scope1"
  type                                 = "SECURE_WEB_GATEWAY"
  ports                                = [443]
  network                              = google_compute_network.cn_19196.id
  subnetwork                           = google_compute_subnetwork.csn_default_19196.id
  gateway_security_policy              = google_network_security_gateway_security_policy.nsg_sp_19196.id
  certificate_urls                     = [google_certificate_manager_certificate.cmc_19196.id]
  delete_swg_autogen_router_on_destroy = true
  depends_on                           = [google_compute_subnetwork.proxy_sn_19196]
}