hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_compute_region_security_policy showing diff for fingerprint #19283

Closed imrannayer closed 1 month ago

imrannayer commented 1 month ago

Community Note

Terraform Version & Provider Version(s)

Terraform v1.8.2 on linux_amd64
google = 5.43
google-beta = 5.43

Affected Resource(s)

google_compute_region_security_policy

Terraform Configuration

Debug Output

No response

Expected Behavior

Should not show diff

Actual Behavior

Showing diff for fingerprint

Steps to reproduce

Run terraform apply twice:

  1. terraform apply

Important Factoids

No response

References

No response

rileykarson commented 1 month ago

Do you have the terraform plan results? This shouldn't be possible.

imrannayer commented 1 month ago

@rileykarson here is the code

resource "google_compute_security_policy" "default" {
  project     = local.project_id
  name        = "policyruletest"
  description = "basic global security policy"
  type        = "CLOUD_ARMOR"
}

resource "google_compute_security_policy_rule" "policy_rule" {
  project         = local.project_id
  security_policy = google_compute_security_policy.default.name
  description     = "new rule"
  priority        = 100
  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = ["10.10.0.0/16"]
    }
  }
  action  = "allow"
  preview = false
}

output "google_compute_security_policy" {
  value = google_compute_security_policy.default
}

here is the plan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # google_compute_security_policy.default has changed
  ~ resource "google_compute_security_policy" "default" {
      ~ fingerprint = "tjPR0Q33Y5E=" -> "9GFVC1UlNlU="
        id          = "projects/prj/global/securityPolicies/policyruletest"
        name        = "policyruletest"
        # (4 unchanged attributes hidden)

      + rule {
          + action      = "allow"
          + description = "new rule"
          + preview     = false
          + priority    = 100

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "10.10.0.0/16",
                    ]
                }
            }
        }

        # (1 unchanged block hidden)
    }

rileykarson commented 1 month ago

Ah, that's not quite a plan; that's a newer (0.15.4+, according to this page) feature that shows differences between the state and remote state (i.e. the new state after a refresh). Is a terraform plan actually getting generated that shows this?

This feature can show up with unhelpful changes highlighted a lot in GCP, unfortunately. GCP has lots of big resources with lots of moving parts and optional-with-default fields compared to the smaller resources with stricter schemas used in groups in AWS/Azure, which results in messages like this. google_container_cluster is especially bad for it.

Closing since I think that's the only issue here, but I'll reopen if we see a bad terraform plan getting generated too!
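
The distinction rileykarson draws, between the refresh-only "changed outside of Terraform" note and an actual planned change, can be checked mechanically from the machine-readable plan. The following is an added example, not code from the provider or from anyone in this thread. It assumes the JSON shape produced by `terraform show -json <planfile>` (top-level `resource_drift` and `resource_changes` lists, each entry carrying a `change` object with `actions`, `before` and `after`); the embedded sample plan is constructed to mirror the note quoted above, with the fingerprint values from the thread and a rule block that only the drift section sees.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check needs. The drift entry mirrors the note in
# the thread: refresh picked up a new fingerprint and the rule block created
# by google_compute_security_policy_rule, but nothing is scheduled to change
# (every resource_changes action list is ["no-op"]).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {
            "address": "google_compute_security_policy.default",
            "type": "google_compute_security_policy",
            "change": {
                "actions": ["update"],
                "before": {"fingerprint": "tjPR0Q33Y5E=", "name": "policyruletest", "rule": []},
                "after": {
                    "fingerprint": "9GFVC1UlNlU=",
                    "name": "policyruletest",
                    "rule": [{"action": "allow", "priority": 100, "preview": False}],
                },
            },
        }
    ],
    "resource_changes": [
        {"address": "google_compute_security_policy.default",
         "change": {"actions": ["no-op"]}},
        {"address": "google_compute_security_policy_rule.policy_rule",
         "change": {"actions": ["no-op"]}},
    ],
})


def load_plan(plan_json: str) -> dict:
    """Parse plan JSON text (read from a file or piped from `terraform show -json`)."""
    return json.loads(plan_json)


def planned_changes(plan: dict) -> list:
    """Return (address, actions) for every resource Terraform would actually touch on apply."""
    out = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if actions and actions != ["no-op"]:
            out.append((rc["address"], actions))
    return out


def drift_attributes(plan: dict) -> dict:
    """Map each drifted address to the sorted top-level attributes whose refreshed value differs."""
    drift = {}
    for rd in plan.get("resource_drift", []):
        change = rd.get("change", {})
        before = change.get("before") or {}
        after = change.get("after") or {}
        keys = set(before) | set(after)
        changed = sorted(k for k in keys if before.get(k) != after.get(k))
        if changed:
            drift[rd["address"]] = changed
    return drift


def classify(plan: dict) -> str:
    """'clean', 'drift-only' (refresh note, nothing to apply) or 'plan-changes'."""
    if planned_changes(plan):
        return "plan-changes"
    if drift_attributes(plan):
        return "drift-only"
    return "clean"


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_JSON)
    print("verdict:", classify(plan))
    for address, attrs in drift_attributes(plan).items():
        print(f"drift  {address}: {', '.join(attrs)}")
    for address, actions in planned_changes(plan):
        print(f"change {address}: {actions}")
```

Against a real workspace, produce the input with `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`, then pass the file contents to `load_plan`. A `drift-only` verdict is the situation in this thread (the note is informational and a second apply is a no-op); `plan-changes` is the case the maintainer asked to see before reopening.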

github-actions[bot] commented 2 weeks ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.