google_os_config_patch_deployment windows_update stanza should allow classifications AND excludes #13158

ChrisAndrews commented Dec 1, 2022

Affected Resource(s)

  • google_os_config_patch_deployment

When creating a patch_config for Windows servers with the windows_update stanza, the Terraform config does not match the functionality of the GCP UI.
In the GCP console you can specify classifications, but exclude specific KBs.
I've created my Terraform config like so:

```hcl
patch_config {
  reboot_config = "NEVER"

  windows_update {
    classifications = ["CRITICAL", "SECURITY"]
    excludes        = ["5012170"]
  }
}
```

However the terraform plan fails:

```
Error: Invalid combination of arguments
on compute-web.tf line 95, in resource "google_os_config_patch_deployment" "patch_deployer_web":
95: classifications = ["CRITICAL", "SECURITY"]
"patch_config.0.windows_update.0.classifications": only one of
patch_config.0.windows_update.0.classifications,patch_config.0.windows_update.0.excludes,patch_config.0.windows_update.0.exclusive_patches
can be specified, but
patch_config.0.windows_update.0.classifications,patch_config.0.windows_update.0.excludes
were specified.
```

Expected outcome:
This stanza should allow a combination of 'classifications' and/or 'excludes', or 'exclusive_patches', but NOT 'exclusive_patches' and either 'classifications' or 'excludes'.

b/300238108
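
The check reflected in the error output above, next to the rule requested under "Expected outcome", as an added Go example that is not part of the original issue or the provider's code. The `WindowsUpdate` struct, both function names and the error strings are hypothetical, constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// WindowsUpdate mirrors the three list arguments of the windows_update stanza.
// Hypothetical type, not the provider's own schema.
type WindowsUpdate struct {
	Classifications  []string
	Excludes         []string
	ExclusivePatches []string
}

// checkAsReported models the behaviour in the plan error:
// setting more than one of the three arguments is rejected.
func checkAsReported(w WindowsUpdate) error {
	set := 0
	for _, l := range [][]string{w.Classifications, w.Excludes, w.ExclusivePatches} {
		if len(l) > 0 {
			set++
		}
	}
	if set > 1 {
		return errors.New("only one of classifications, excludes, exclusive_patches can be specified")
	}
	return nil
}

// checkAsRequested models the rule asked for in the issue: classifications
// and excludes may be combined, but exclusive_patches may not be combined
// with either of them.
func checkAsRequested(w WindowsUpdate) error {
	if len(w.ExclusivePatches) > 0 && (len(w.Classifications) > 0 || len(w.Excludes) > 0) {
		return errors.New("exclusive_patches cannot be combined with classifications or excludes")
	}
	return nil
}

func main() {
	// The reporter's stanza from the issue.
	w := WindowsUpdate{Classifications: []string{"CRITICAL", "SECURITY"}, Excludes: []string{"5012170"}}
	fmt.Println("as reported: ", checkAsReported(w))
	fmt.Println("as requested:", checkAsRequested(w))
}
```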

@edwardmedia edwardmedia self-assigned this Dec 2, 2022

edwardmedia commented Dec 2, 2022

@ChrisAndrews why do you think they should be allowed? Can you share the related documents? Can you also share your config?

@ChrisAndrews

To replicate what the GCP UI allows:
This makes sense when you have a scheduled patch configured in Terraform where you want to apply all updates of certain classifications (in our case Critical and Security), but you've encountered problems installing a particular Windows Update, so you wish to Exclude that particular KB to avoid issues when applying the Updates (in our case KB5012170).
Having a problematic Windows Update prevents the rest of the Windows Updates from installing, as our servers are stuck in an Apply/Restart/Roll-back loop.

@edwardmedia

@ChrisAndrews can you share your code and the debug log?

@ChrisAndrews

Here's the complete resource code; I put the log of the error above:
```hcl
resource "google_os_config_patch_deployment" "patch_deployer_web" {
  patch_deployment_id = "patch-deployer-web"

  instance_filter {
    instances = [for i in google_compute_instance.web_server_instance : i.id]
  }

  patch_config {
    reboot_config = "NEVER"

    windows_update {
      classifications = ["CRITICAL", "SECURITY"]
      excludes        = ["5012170"]
    }

    post_step {
      windows_exec_step_config {
        interpreter = "POWERSHELL"
        local_path  = "C:/scripts/os_patch_post_script.ps1"
      }
    }
  }

  recurring_schedule {
    time_zone {
      id = "Pacific/Auckland"
    }

    time_of_day {
      hours   = var.hour_of_day_to_apply_patches
      minutes = 0
      seconds = 0
      nanos   = 0
    }

    weekly {
      day_of_week = var.day_of_week_to_apply_patches
    }
  }
}
```


edwardmedia commented Dec 11, 2022

It appears the API has updated its behavior for windows_update; there is no such restriction any more in the API doc.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 20, 2023