resource `google_cloud_scheduler_job` fails with "Error: Provider produced inconsistent final plan"

[gsouf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.6 on linux_amd64

• provider registry.terraform.io/hashicorp/google v6.4.0

Affected Resource(s)

google_cloud_scheduler_job

Terraform Configuration

resource "google_cloud_scheduler_job" "scheduler_job" {
  name        = "scheduler-job"
  description = "Triggers the Cloud Function scheduler"
  region      = var.region

  schedule  = "*/1 * * * *"
  time_zone = "UTC"

  retry_config {
    retry_count = 1
  }

  http_target {
    http_method = "GET"
    uri         = google_cloudfunctions_function.scheduler_function.https_trigger_url

    oidc_token {
      service_account_email = var.service_account_email
    }
  }

  depends_on = [google_cloudfunctions_function_iam_member.member]
}

Debug Output

No response

Expected Behavior

No response

Actual Behavior

Got error "which should be reported in the provider's own issue tracker" after re-applying terraform:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.scheduler.google_cloud_scheduler_job.scheduler_job to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/google" produced an
│ invalid new value for .http_target[0].oidc_token[0].audience: was null, but now cty.StringVal("https://us-central1-{*****}").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

No response

[ggtisc]

Hi @gsouf!

I have noticed that the code you share lacks several elements and has some errors. I'm sharing with you a correct configuration that works without errors. Please try it and if you still continue with issues share with us your full code as the last example to see what is happening.

resource "google_storage_bucket" "bucket_19681" {
  name     = "bucket-19681"
  location = "US"
}

resource "google_storage_bucket_object" "bucket_object_19681" {
  name   = "index19681.zip"
  bucket = google_storage_bucket.bucket_19681.name
  source = "./utils/google_cloud_repository/index.zip"
}

resource "google_cloudfunctions_function" "function_19681" {
  name        = "function-19681"
  description = "something"
  runtime     = "nodejs16"

  available_memory_mb   = 128
  source_archive_bucket = google_storage_bucket.bucket_19681.name
  source_archive_object = google_storage_bucket_object.bucket_object_19681.name
  trigger_http          = true
  entry_point           = "helloGET"
}

data "google_compute_default_service_account" "default_sa_19681" {}

resource "google_cloudfunctions_function_iam_member" "cf_function_iam_member_19681" {
  project = "my-project"
  region = "us-central1"
  cloud_function = google_cloudfunctions_function.function_19681.name
  role = "roles/viewer"
  member = "user:my-example-user@my-example-domain.com"
}

resource "google_cloud_scheduler_job" "c_shceduler_job_19681" {
  name        = "c-shceduler-job-19681"
  description = "something"
  region      = "us-central1"

  schedule  = "*/1 * * * *"
  time_zone = "UTC"

  retry_config {
    retry_count = 1
  }

  http_target {
    http_method = "GET"
    uri         = google_cloudfunctions_function.function_19681.https_trigger_url

    oidc_token {
      service_account_email = data.google_compute_default_service_account.default_sa_19681.email
    }
  }
  depends_on = [google_cloudfunctions_function_iam_member.cf_function_iam_member_19681]
}

Example function:

exports.helloGET = (req, res) => {
    res.status(200).send('Hello world2!');
};

IMPORTANT: We can't check your function code since it goes beyond our scope this is just a simple example to test the last code.

[gsouf]

@ggtisc I think my provided example has no error, except that I haven't communicated the other dependent resources to make it more re-readable, I assumed you would understand the origin of the issue by looking at the error message.

Have you tried to modify the cloud function google_cloudfunctions_function" "function_19681, for example by modifying the zip, and re-run terraform apply?

This issue occurs only when re-redeploying. Initial deployment works well, when I redeploy, I get the error, but everything is well deployed regardless of that. I think that the value .http_target[0].oidc_token[0].audience is set automatically somewhere and when we re-deploy it conflicts with what terraform expects. As I have only a vague understanding of how terraform works internally that's just a guess, but it seems like something internal to the google provider and not from the configuration itself.