Open shumak80 opened 2 weeks ago
For reference, this was a breaking change from the 6.0.0 release, but it seems like it is not behaving as expected here. Per the guide, iap.enabled is now required, but I think it should still be an option for the iap block itself to be omitted.
Previously iap {enabled = false} was added by default to the terraform request when iap was not added in the terraform configuration. This was causing issues with custom org constraints where any IAP usage is prohibited b/310147789. We changed the behavior so that no IAP object is added to the request (this will behave the same from the API perspective) and made iap.enabled required whenever an IAP object is configured https://github.com/GoogleCloudPlatform/magic-modules/pull/9581.
When iap {enabled = false} is manually added to a google_compute_backend_service resource and the iap block is later removed from the resource block, the same behavior can be observed.
- iap {
- enabled = false -> null
- oauth2_client_secret_sha256 = (sensitive value) -> null
# (2 unchanged attributes hidden)
}
But the IAP config seems to be never removed from the backend service. Every future terraform plan shows the same change.
A different behavior but maybe related issue is when iap {enabled = true} is set.
Changing it to iap {enabled = false} results in
~ iap {
~ enabled = true -> false
# (3 unchanged attributes hidden)
}
but the IAP config is not set to false / IAP is not disabled. Every future terraform plan shows the same change. Same when the IAP block is removed.
- iap {
- enabled = true -> null
- oauth2_client_secret_sha256 = (sensitive value) -> null
# (2 unchanged attributes hidden)
}
The IAP config is not removed from the backend service / IAP is not disabled. Every future terraform plan shows the same change.
Is it safe to add IAP to lifecycle.ignore_changes until this is fixed?
Yes, please add to lifecycle.ignore_changes until we get the fix out.
@c2thorn Do you have any ETA for the fix?
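Before adding iap to lifecycle.ignore_changes, it helps to know which backend services show only the no-op diff (enabled = false -> null) and which have a plan that would actually turn IAP off. The following is an added example, not code from this thread or from the provider: it reads the JSON form of a saved plan (terraform show -json) and classifies each IAP diff. The sample plan, resource addresses and the function names are constructed for illustration.

```python
# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource addresses and attribute values are hypothetical.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_compute_backend_service.internal",
     "type": "google_compute_backend_service",
     "change": {"actions": ["update"],
                "before": {"name": "internal", "iap": [{"enabled": False}]},
                "after": {"name": "internal", "iap": []}}},
    {"address": "google_compute_backend_service.admin",
     "type": "google_compute_backend_service",
     "change": {"actions": ["update"],
                "before": {"name": "admin", "iap": [{"enabled": True}]},
                "after": {"name": "admin", "iap": [{"enabled": False}]}}},
    {"address": "google_compute_backend_service.api",
     "type": "google_compute_backend_service",
     "change": {"actions": ["update"],
                "before": {"timeout_sec": 30, "iap": []},
                "after": {"timeout_sec": 60, "iap": []}}},
]}


def iap_enabled(state):
    """Effective IAP setting: a missing or empty iap block counts as disabled."""
    blocks = (state or {}).get("iap") or []
    return bool(blocks and blocks[0].get("enabled"))


def classify_iap_changes(plan):
    """Return one finding per backend service whose planned update touches iap."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "google_compute_backend_service":
            continue
        if change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        changed = sorted(k for k in set(before) | set(after)
                         if before.get(k) != after.get(k))
        if "iap" not in changed:
            continue
        was, will = iap_enabled(before), iap_enabled(after)
        kind = ("iap-disable" if was and not will
                else "iap-enable" if will and not was else "iap-noop")
        findings.append({"address": rc["address"], "kind": kind,
                         "iap_only": changed == ["iap"]})
    return findings


if __name__ == "__main__":
    for finding in classify_iap_changes(SAMPLE_PLAN):
        print(finding)
```

An iap-noop finding with iap_only set is the perpetual diff described in this issue; an iap-disable finding is a plan that, per the reports above, may not take effect on the backend service and should be confirmed against the service itself.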
Community Note
Terraform Version & Provider Version(s)
Terraform v1.9.5-dev on linux_amd64
Affected Resource(s)
Terraform Configuration
Debug Output
Expected Behavior
The "iap" parameter should be optional and shouldn't cause any changes to state if it's not mentioned in the Terraform manifest.
Actual Behavior
The "iap" parameter is forced to change from default "false" to a null value, even if it's not declared in the Terraform configuration.
Steps to reproduce
terraform apply
Important Factoids
The issue is in version 6.0.0 and 6.0.1
References
Bug fix which enforces optional parameter --> https://github.com/hashicorp/terraform-provider-google/pull/18772
b/362477127