Modifying google_compute_subnetwork Private Google Access fails with 'resource.fingerprint' not specified

[suckowbiz]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

# terraform -v
Terraform v0.14.4

Affected Resource(s)

• google_compute_subnetwork

Terraform Configuration Files

# START OF FIRST VERSION of the config before the change. This succeeds.
resource "google_compute_network" "p01vpc01" {
  auto_create_subnetworks = false
  description             = "terraform managed"
  mtu                     = 1460
  name                    = "vpc1"
  project                 = module.1611315897.project_id
  routing_mode            = "GLOBAL"
}
resource "google_compute_subnetwork" "s210221144" {
  name          = "sub1"
  description   = "terraform managed"
  ip_cidr_range = "192.168.0.0/16"
  region        = "europe-west3"
  network       = google_compute_network.p01vpc01.id
  project       = module.1611315897.project_id
}
# END OF FIRST VERSION

# START OF SECOND VERSION of the config after the change. This fails.
resource "google_compute_network" "p01vpc01" {
  auto_create_subnetworks = false
  description             = "terraform managed"
  mtu                     = 1460
  name                    = "vpc1"
  project                 = module.1611315897.project_id
  routing_mode            = "GLOBAL"
}
resource "google_compute_subnetwork" "s210221144" {
  name          = "sub1"
  description   = "terraform managed"
  ip_cidr_range = "192.168.0.0/24"
  region        = "europe-west3"
  network       = google_compute_network.p01vpc01.id
  project       = module.1611315897.project_id

  private_ip_google_access   = true
  private_ipv6_google_access = false
}
# END OF SECOND VERSION

Console Output

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
Terraform will perform the following actions:
  # module.generator.google_compute_subnetwork.s210221144 will be updated in-place
  ~ resource "google_compute_subnetwork" "s210221144" {
        id                         = "projects/1611315897/regions/europe-west3/subnetworks/sub1"
      ~ ip_cidr_range              = "192.168.10.0/24" -> "192.168.0.0/16"
        name                       = "sub1"
      ~ private_ip_google_access   = false -> true
      ~ private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS" -> "true"
        # (8 unchanged attributes hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.
[terragrunt] [/builds/cloud-integration-development/infra/gcp-int/terraform] 2021/01/22 12:13:11 Running command: terraform --version
[terragrunt] 2021/01/22 12:13:11 Terraform version: 0.14.4
[terragrunt] 2021/01/22 12:13:11 Reading Terragrunt config file at /builds/cloud-integration-development/infra/gcp-int/terraform/terragrunt.hcl
[terragrunt] 2021/01/22 12:13:11 Running command: terraform apply -auto-approve plan.tfplan
module.generator.google_compute_subnetwork.s210221144: Modifying... [id=projects/1611315897/regions/europe-west3/subnetworks/sub1]
module.generator.google_compute_subnetwork.s210221144: Still modifying... [id=projects/1611315897/regions/europe-west3/subnetworks/sub1, 10s elapsed]
module.generator.google_compute_subnetwork.s210221144: Still modifying... [id=projects/1611315897/regions/europe-west3/subnetworks/sub1, 20s elapsed]
module.generator.google_compute_subnetwork.s210221144: Still modifying... [id=projects/1611315897/regions/europe-west3/subnetworks/sub1, 30s elapsed]
Error: Error updating Subnetwork "projects/1611315897/regions/europe-west3/subnetworks/sub1": googleapi: Error 400: Required field 'resource.fingerprint' not specified, required

Debug Output

https://gist.github.com/suckowbiz/d6f031657c98736f9bc99b821f41c885

Panic Output

See Console Output.

Expected Behavior

The subnet modification of:

  ip_cidr_range = "192.168.0.0/24"
  private_ip_google_access   = true
  private_ipv6_google_access = false

should have been applied without error.

Actual Behavior

Modification of the subnet resulted in error: Required field 'resource.fingerprint' not specified, required

Steps to Reproduce

1. Run terraform apply for your gcp project (adoption required) using the "First Version (above)" of the subnet config.
2. Run terraform apply for your gcp project (adoption requjired) using the "Second Version (above)" of the subnet config.

Important Factoids

None.

References

None.

• 0000

[suckowbiz]

Hi @edwardmedia ,

thanks you assigned the issued to yourself! Please let me know if I can support you in any way.

[suckowbiz]

I figured out that removing any explicit change to private_ipv6_google_access leads to terraform apply succeed.

[edwardmedia]

@suckowbiz do you want to close the issue then? You can always reopen it if the issue is not resolved

[suckowbiz]

@edwardmedia I am not sure if closing is the right thing to do because regarding to the documentation https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ipv6_google_access the module should support modifying private_ipv6_google_access. What do you think?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!