Unable to create google_dns_record_set with failover

[nicku1]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.5 on linux_amd64

• provider registry.terraform.io/hashicorp/google v5.42.0
• provider registry.terraform.io/hashicorp/google-beta v5.42.0

Affected Resource(s)

google_dns_record_set

Terraform Configuration

resource "google_dns_record_set" "a" {
  name         = "backend.${google_dns_managed_zone.prod.dns_name}"
  managed_zone = google_dns_managed_zone.prod.name
  type         = "A"
  ttl          = 300
  project = var.project

  routing_policy {
    primary_backup {
      trickle_ratio = 0.1

      primary {
        internal_load_balancers {
          load_balancer_type = "regionalL4ilb"
          ip_address         = google_compute_forwarding_rule.prod.ip_address
          port               = "80"
          ip_protocol        = "tcp"
          network_url        = google_compute_network.prod.id
          project            = google_compute_forwarding_rule.prod.project
          region             = google_compute_forwarding_rule.prod.region
        }
      }

      backup_geo {
        location = "asia-east1"
        rrdatas  = ["10.128.1.1"]
      }

      backup_geo {
        location = "us-west1"
        rrdatas  = ["10.130.1.1"]
      }
    }
  }
}

resource "google_dns_managed_zone" "prod" {
  name     = "prod-zone"
  dns_name = "prod.nicu.pl."
  project = var.project
}

resource "google_compute_forwarding_rule" "prod" {
  name   = "prod-ilb"
  region = "us-central1"
  project = var.project

  load_balancing_scheme = "INTERNAL"
  backend_service       = google_compute_region_backend_service.prod.id
  all_ports             = true
  network               = google_compute_network.prod.name
  allow_global_access   = true
}

resource "google_compute_region_backend_service" "prod" {
  name   = "prod-backend"
  region = "us-central1"
  project = var.project
}

resource "google_compute_network" "prod" {
  name = "prod-network"
  project = var.project
}

Debug Output

https://gist.github.com/nicku1/d911aede54ac832e0552d798e17f64af

Expected Behavior

Example provided in https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/dns_record_set should end up with successful provisioning of DNS rule.

Actual Behavior

Error message:

╷
│ Error: Error creating DNS RecordSet: googleapi: Error 400: Routing policies referencing internal load balancers cannot be added to public zones, internalLoadBalancerDisallowedInPublicZone
│ 
│   with module.network.google_dns_record_set.a,
│   on network/dns_test.tf line 1, in resource "google_dns_record_set" "a":
│    1: resource "google_dns_record_set" "a" {
│ 
╵

Steps to reproduce

1. terraform apply

Important Factoids

I'm using default application authentication instead of service account.

References

https://github.com/hashicorp/terraform-provider-google/issues/13269

b/363269342

[ggtisc]

Confirmed issue!

The error appears when using the failover terraform registry example.