Network_endpoint_group update problem #10363

Closed
ghpu opened this issue Oct 21, 2021 · 9 comments
ghpu commented Oct 21, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Description

Network_endpoint_group seems to have its subnetwork content changing after deployment, which makes terraform apply fail when run for update.

Terraform Version

Terraform v1.0.9
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v3.89.0
  • provider registry.terraform.io/hashicorp/kubernetes v2.6.0
  • provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

google_compute_network_endpoint_group

Terraform Configuration Files

# Copy-paste your Terraform configurations here.
#

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.89.0"
    }
  }
}

provider "google" {
  credentials = file("credentials.json")
  project     = var.project
  region      = var.region
  zone        = var.zone
}

data "google_client_config" "current" {}

provider "kubernetes" {
  host                   = google_container_cluster.primary.endpoint
  token                  = data.google_client_config.current.access_token
  cluster_ca_certificate = base64decode(google_container_cluster.primary.master_auth[0].cluster_ca_certificate)
}

resource "google_compute_network" "vpc_network" {
  name = "terraform-network"
}

resource "google_compute_global_address" "default" {
  name = "terraform-loadbalancer-entry-ip"
}

resource "google_compute_managed_ssl_certificate" "default" {
  name = "test-cert"
  managed {
    domains = ["${google_compute_global_address.default.address}.nip.io"]
  }
}

resource "google_compute_global_forwarding_rule" "EXTERNAL_FWD_RULE_HTTPS" {
  name       = "terraform-frontend-443"
  provider   = google
  target     = google_compute_target_https_proxy.default.self_link
  port_range = "443"
  ip_address = google_compute_global_address.default.id
}

resource "google_compute_target_https_proxy" "default" {
  name             = "terraform-urlmap"
  url_map          = google_compute_url_map.default.self_link
  ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
}

resource "google_compute_url_map" "default" {
  name            = "terraform-urlmap"
  default_service = google_compute_backend_service.test.id
  host_rule {
    hosts        = ["${google_compute_global_address.default.address}.nip.io"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.test.id
  }
}
resource "google_compute_backend_service" "test" {
  name          = "terraform-test"
  port_name     = "http"
  protocol      = "HTTP"
  health_checks = [google_compute_health_check.default.id]
  backend {
    group          = google_compute_network_endpoint_group.default.id
    balancing_mode = "RATE"
    max_rate       = 100
  }
}

resource "google_compute_health_check" "default" {
  name               = "terraform-healthcheck"
  check_interval_sec = 30
  timeout_sec        = 10
  tcp_health_check {
    port = "80"
  }
}

resource "google_compute_network_endpoint_group" "default" {
  name         = "terraform-neg"
  network      = google_compute_network.vpc_network.id
  subnetwork   = google_compute_network.vpc_network.id

  default_port = "443"
  zone         = "europe-west1-b"
}

resource "google_container_cluster" "primary" {
  name                  = "api-cluster"
  location              = "europe-west1-b"
  initial_node_count    = 1
  enable_shielded_nodes = true
  node_config {
    preemptible  = false
    machine_type = "e2-medium"
    shielded_instance_config {
      enable_secure_boot = true
    }
  }
  network = google_compute_network.vpc_network.id
  ip_allocation_policy {
  }
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "192.168.0.0/28"
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "0.0.0.0/0"
      display_name = "internet"
    }
  }
}
resource "random_string" "project_random_string" {
  length  = 8
  special = false
  upper   = false
}

resource "google_endpoints_service" "test-api" {
  service_name   = "test-api-${random_string.project_random_string.result}.endpoints.${var.project}.cloud.goog"
  openapi_config = templatefile("openapi_spec.yml", { service_name = "test-api-${random_string.project_random_string.result}.endpoints.${var.project}.cloud.goog" })
}

Debug Output

-/+ resource "google_compute_network_endpoint_group" "default" {
      ~ id                    = "projects/ino-ols-semafor-api-dev/zones/europe-west1-b/networkEndpointGroups/terraform-neg" -> (known after apply)
        name                  = "terraform-neg"
      ~ network               = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/global/networks/terraform-network" -> "projects/ino-ols-semafor-api-dev/global/networks/terraform-network"
      ~ project               = "ino-ols-semafor-api-dev" -> (known after apply)
      ~ self_link             = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/zones/europe-west1-b/networkEndpointGroups/terraform-neg" -> (known after apply)
      ~ size                  = 0 -> (known after apply)
      ~ subnetwork            = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/regions/europe-west1/subnetworks/terraform-network" -> "projects/ino-ols-semafor-api-dev/global/networks/terraform-network" # forces replacement
      ~ zone                  = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/zones/europe-west1-b" -> "europe-west1-b"
        # (2 unchanged attributes hidden)
    }

see https://gist.github.com/ghpu/0a8c8998b06c6add2924825e2f42e9e2

Expected Behavior

Apply succeeds, google_compute_network_endpoint_group.default replaced or not changed.

Actual Behavior

Apply fails because google_compute_network_endpoint_group.default already exists. The second call to "terraform apply" has a "forces replacement" for subnetwork.

Steps to Reproduce

  1. terraform apply
  2. terraform apply -> fails the second time at update

@ghpu ghpu added the bug label Oct 21, 2021

ghpu commented Oct 21, 2021

Workaround: add the prefix "https://www.googleapis.com/compute/v1/" inside the google_network_endpoint_group.default subnetwork field.

@edwardmedia edwardmedia self-assigned this Oct 21, 2021
@edwardmedia
Contributor

@ghpu looking at below line in the plan, did you try to provide network to replace subnetwork?

  ~ subnetwork            = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/regions/europe-west1/subnetworks/terraform-network" -> "projects/ino-ols-semafor-api-dev/global/networks/terraform-network" # forces replacement


ghpu commented Oct 22, 2021

@edwardmedia, I tried to reference the same content in network and subnetwork.
My first attempt was without specifying a subnetwork. In this case, terraform was doing this during the update:
~ subnetwork = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/regions/europe-west1/subnetworks/terraform-network" -> null # forces replacement


edwardmedia commented Oct 22, 2021

@ghpu I don't understand what you mean below. The following config does not make sense to me. Network endpoint groups (NEGs) are zonal resources that represent collections of IP address and port combinations for GCP resources within a single subnet. The Network is global. Can you take a look at google_compute_subnetwork?

I tried to reference the same content in network and subnetwork.

  network      = google_compute_network.vpc_network.id
  subnetwork = google_compute_network.vpc_network.id
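
The plan output quoted earlier in this thread mixes two kinds of change: references that differ only in form (full API URL versus relative path or bare name) and a reference that points at a different kind of resource. The following is an added example, not part of the thread or of the provider's code; its comparison rule is an assumption made for illustration, and the plan lines are copied from the issue.

```python
import re

# Changed attributes copied from the "-/+" plan block posted in the issue.
PLAN = '''
      ~ network               = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/global/networks/terraform-network" -> "projects/ino-ols-semafor-api-dev/global/networks/terraform-network"
      ~ size                  = 0 -> (known after apply)
      ~ subnetwork            = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/regions/europe-west1/subnetworks/terraform-network" -> "projects/ino-ols-semafor-api-dev/global/networks/terraform-network" # forces replacement
      ~ zone                  = "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/zones/europe-west1-b" -> "europe-west1-b"
'''

API_PREFIX = re.compile(r"^https://www\.googleapis\.com/compute/[^/]+/")
CHANGE = re.compile(r'^\s*~\s+(\w+)\s+=\s+"([^"]*)"\s+->\s+"([^"]*)"(\s+# forces replacement)?')

def relative_path(ref):
    """Strip the Compute API URL prefix, leaving projects/... or a bare name."""
    return API_PREFIX.sub("", ref)

def same_resource(old, new):
    """True when both references name the same object in different forms."""
    a, b = relative_path(old), relative_path(new)
    if "/" not in a or "/" not in b:          # one side is a bare name
        return a.rsplit("/", 1)[-1] == b.rsplit("/", 1)[-1]
    return a == b

def collection(ref):
    """Resource collection of a reference, e.g. 'networks' or 'subnetworks'."""
    parts = relative_path(ref).split("/")
    return parts[-2] if len(parts) >= 2 else None

def classify(plan_text):
    """Map each string-to-string change to (verdict, forces_replacement)."""
    result = {}
    for line in plan_text.splitlines():
        m = CHANGE.match(line)
        if not m:
            continue                           # e.g. '-> (known after apply)'
        attr, old, new, forced = m.groups()
        if same_resource(old, new):
            verdict = "form-only"
        elif collection(old) != collection(new):
            verdict = f"type mismatch: {collection(old)} -> {collection(new)}"
        else:
            verdict = "different resource"
        result[attr] = (verdict, bool(forced))
    return result

if __name__ == "__main__":
    for attr, (verdict, forced) in classify(PLAN).items():
        print(f"{attr:12} {verdict}{'  [forces replacement]' if forced else ''}")
```

Under this rule, `network` and `zone` are form-only differences, while `subnetwork` is flagged because the deployed value is a `subnetworks` path and the configured value is a `networks` path.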


ghpu commented Oct 25, 2021

@edwardmedia: My bad, I am not interested in declaring subnetwork. However, if I don't fill the subnetwork field, the deployment autocompletes it with the same value "https://www.googleapis.com/compute/v1/projects/ino-ols-semafor-api-dev/regions/europe-west1/subnetworks/terraform-network" as found in the expansion of the network field, and so terraform "update" fails because it wants to force "null" value.

@edwardmedia
Contributor

@ghpu I am not quite sure if I understand what you said here. If this is still an issue to you, could you be clear what is expected and what you see and the steps how to repro the issue?


ghpu commented Oct 26, 2021

@edwardmedia You are right, I propose to close this bug in favor of #10408.

@edwardmedia
Contributor

Closing this as below PR is opened

GoogleCloudPlatform/magic-modules#5369

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2021