Failing test(s): TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample

[roaks3]

NOTE: This is a failure in VCR tests only.

This test is consistently failing on PRs during REPLAYING mode, but then succeeds during RECORDING mode. The main impact is that it creates noise on many PRs each time VCR tests are run.

Impacted tests

• TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample

Affected Resource(s)

• google_workstations_workstation_config

[roaks3]

I'm seeing rotation_period being used in this test, so I assume the solution will be very similar to GoogleCloudPlatform/magic-modules#7020

[roaks3]

We are now seeing this error, which I was able to reproduce locally. I expect we'll start to see it in nightly tests soon as well:

=== RUN   TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample
=== PAUSE TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample
=== CONT  TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample
    provider_test.go:319: Step 1/2 error: After applying this test step, the plan was not empty.
        stdout:
        
        
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
        -/+ destroy and then create replacement
        
        Terraform will perform the following actions:
        
          # google_workstations_workstation_config.default must be replaced
        -/+ resource "google_workstations_workstation_config" "default" {
              ~ conditions             = [] -> (known after apply)
              ~ create_time            = "2023-03-07T17:06:03.460734712Z" -> (known after apply)
              ~ degraded               = false -> (known after apply)
              ~ etag                   = "U4dyushfjxduw7q6UB-GkgO3UqDF0QP-7A0r_BoaajA" -> (known after apply)
              ~ id                     = "projects/ci-test-project-188019/locations/us-central1/workstationClusters/tf-test-workstation-clusternnvljj9niv/workstationConfigs/tf-test-workstation-confignnvljj9niv" -> (known after apply)
              ~ name                   = "projects/ci-test-project-188019/locations/us-central1/workstationClusters/tf-test-workstation-clusternnvljj9niv/workstationConfigs/tf-test-workstation-confignnvljj9niv" -> (known after apply)
              ~ project                = "ci-test-project-188019" -> (known after apply)
              ~ uid                    = "306bf4e3-a681-4469-a971-14f398bd13c2" -> (known after apply)
                # (3 unchanged attributes hidden)
        
              ~ container {
                  ~ args        = [] -> (known after apply)
                  ~ command     = [] -> (known after apply)
                  ~ env         = {} -> (known after apply)
                  ~ image       = "us-central1-docker.pkg.dev/cloud-workstations-images/predefined/code-oss:latest" -> (known after apply)
                  ~ run_as_user = 0 -> (known after apply)
                  + working_dir = (known after apply)
                }
        
        
              ~ host {
                  ~ gce_instance {
                      ~ pool_size                   = 0 -> (known after apply)
                      - service_account             = "service-1067888929963@gcp-sa-workstationsvm.iam.gserviceaccount.com" -> null # forces replacement
                        # (3 unchanged attributes hidden)
        
                      ~ shielded_instance_config {
                          - enable_integrity_monitoring = false -> null
                            # (2 unchanged attributes hidden)
                        }
                    }
                }
        
              + persistent_directories {
                  + mount_path = (known after apply)
        
                  + gce_pd {
                      + disk_type      = (known after apply)
                      + fs_type        = (known after apply)
                      + reclaim_policy = (known after apply)
                      + size_gb        = (known after apply)
                    }
                }
                # (1 unchanged block hidden)
            }
        
        Plan: 1 to add, 0 to change, 1 to destroy.
--- FAIL: TestAccWorkstationsWorkstationConfig_workstationConfigEncryptionKeyExample (3200.11s)
FAIL
FAIL	github.com/hashicorp/terraform-provider-google-beta/google-beta	3200.150s
FAIL

[roaks3]

It appears to me that the host. gce_instance. service_account is set to ForceNew, and unspecified in the test, but the API is returning the service agent as a default value.

[roaks3]

@bschaatsbergen would you by any chance be willing to look into this one? I saw that you had introduced this test, so you might have more context. Note that this does look like a new issue that came up, so it's possible the API behavior was changed since the test was introduced.

[bschaatsbergen]

Hmm that's odd, @roaks3 - we took a stab at fixing this test last week. I'll take a look at it tomorrow morning (10PM here currently).

Though the service account should be specified in the test from the top of my head..

I had specifically raised this PR last week: GoogleCloudPlatform/magic-modules#7362 cc @rileykarson

Perhaps the API changed this week indeed 😅

[roaks3]

Oh no worries! I've skipped the test in the meantime, so no rush on this, but thanks for taking a look.

[bschaatsbergen]

@roaks3, I suppose we simply need to remove input:true from the gceInstance.serviceAccount in the WorkstationConfig.yaml ?

It looks like we set a lot of default_from_api on the host.gceInstance (looking at the terraform.yaml), but in the WorkstationConfig.yaml we have input:true on a lot of the same gceInstance attributes, I think that this is conflicting?

[bschaatsbergen]

@roaks3 can we reopen this issue, it's mentioned as a TODO

[roaks3]

Ah yea, that was unfortunate wording in my PR description. Sorry about that.

And good point about the default_from_api + input: true, that does seem like a pattern that could cause issues, but I'm also not sure of how we typically handle immutable fields where a default is provided server-side.

[rileykarson]

default_from_api and input can both be set at once- that just means that a value will adopt a complex default if unset or may be set by the user, but is immutable once set. Until #11339 nearly every resource has at least one field like that, the project field.

[roaks3]

Ok cool, so in that case my guess is that we would need default_from_api on host.gceInstance.serviceAccount

[roaks3]

Fixed by GoogleCloudPlatform/magic-modules#7428

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.