data.google_dns_managed_zone always fails with "Post "https://oauth2.googleapis.com/token": context canceled"

[MaWiPPI]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.5.2
on darwin_arm64

Affected Resource(s)

• data.google_dns_managed_zone

Terraform Configuration Files

[
  {
    "data": {
      "google_dns_managed_zone": {
        "control-center-svc-sit-ppi-fs-org": {
          "name": "control-center-svc-sit-ppi-fs-org",
          "project": "control-center-sit-q7jby"
        }
      }
    }
  },
  {
    "terraform": {
      "backend": {
        "gcs": {
          "bucket": "bucket",
          "prefix": "prefix"
        }
      },
      "required_providers": {
        "google": {
          "source": "hashicorp/google",
          "version": "=5.9.0"
        },
        "google-beta": {
          "source": "hashicorp/google-beta",
          "version": "=5.9.0"
        },
      }
    }
  }
]

Debug Output

https://gist.github.com/MaWiPPI/03be103b331a0621131ef7c9198e3df5

Panic Output

No Panic happened.

Expected Behavior

Datasource gets read in correctly. No error on plan.

Actual Behavior

│ Error: Error when reading or editing dataSourceDnsManagedZone "control-center-svc-sit-ppi-fs-org"
│
│ with data.google_dns_managed_zone.control-center-svc-sit-ppi-fs-org,
│ on terraform.tf.json line 37, in [3].data.google_dns_managed_zone.control-center-svc-sit-ppi-fs-org:
│ 37: }
│
│ Get "https://dns.googleapis.com/dns/v1/projects/control-center-sit-q7jby/managedZones/control-center-svc-sit-ppi-fs-org?alt=json&prettyPrint=false": Post "https://oauth2.googleapis.com/token": context canceled

Steps to Reproduce

1. terraform apply

Important Factoids

When authenticating with a static token via access_token, it works.
Service-accounts and ADC don't work.

References

• #0000

b/320447681

[roaks3]

We have an acceptance test here that tests this datasource using a service account to authenticate. This test has been passing, so I would expect it is working as expected, and there could be an issue with authentication happening here.

@MaWiPPI Could you please verify that your authentication setup works with a different resource/datasource? That would help us narrow in on a general auth issue, or an issue specific to this resource.

[MaWiPPI]

This exact setup works and has worked with every other datasource we have tested (e.g. google_active_folder, google_billing_account).
This is the first and only source that makes issues. Weirdly enough, the resource google_dns_managed_zone also works for us.
I would look again if it works with a service-account - by default we are using Application-Default Credentials.
In our tests, we have overwritten these with a service-account via environment-variable, but there might have been an issue actually using the variable.

[johanneswuerbach]

I've also encountered this, creating resources like google_dns_record_set works without issues, but this data source always fails with a Post "https://oauth2.googleapis.com/token": context canceled.

We are also using application default credentials.

[edwardmedia]

@johanneswuerbach Using below config along with application default credentials. I can not repro the issue. Are you able to share the debug log so I can take a closer look?

gcloud auth application-default login

resource "google_dns_managed_zone" "example-zone" {
  name        = "issue16832"
  dns_name    = "example-${random_id.rnd.hex}.com."
  description = "issue16832 DNS zone"
  labels = {
    foo = "bar"
  }
}

resource "random_id" "rnd" {
  byte_length = 4
}

data "google_dns_managed_zone" "env_dns_zone" {
  name = "issue16832"
}

@MaWiPPI please share the update if this is still an issue with you

[johanneswuerbach]

@edwardmedia I was able to replicate it using the following tf.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.10"
    }
  }

  required_version = ">= 1.3.0"
}

variable "project" {
  type = string
}

variable "credentials" {
  type = string
}

variable "managed_zone" {
  type = string
}

provider "google" {
  project     = var.project
  credentials = var.credentials
}

# This doesn't work
data "google_dns_managed_zone" "main" {
  name = var.managed_zone
}

output "dns_name" {
  value = data.google_dns_managed_zone.main.dns_name
}

# This works
# data "google_compute_regions" "available" {}

# output "available_zones" {
#   value = data.google_compute_regions.available.names
# }

terraform plan -var 'project=project-XYZ' -var 'managed_zone=zone-XYZ' -var "credentials=$(cat ~/.config/gcloud/application_default_credentials.json)"

When I don't pass the default credentials explicitly, the above command works without issues, but for our use case explicit.

Logs:

TF_LOG=debug

2024-01-15T08:32:33.216+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Waiting for state to become: [success] 2024-01-15T08:32:33.509+0100 [INFO] provider.terraform-provider-google_v5.11.0_x5: Terraform is using this identity: XYZ: tf_mux_provider=*proto5server.Server tf_rpc=ConfigureProvider @caller=github.com/hashicorp/terraform-provider-google/google/fwtransport/framework_config.go:1571 @module=google tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=f93144d8-d58e-48be-61c6-d92904334c06 timestamp=2024-01-15T08:32:33.509+0100 2024-01-15T08:32:33.509+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined Provider Configure: tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=f93144d8-d58e-48be-61c6-d92904334c06 @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_configureprovider.go:20 @module=sdk.framework tf_mux_provider=*proto5server.Server tf_rpc=ConfigureProvider timestamp=2024-01-15T08:32:33.509+0100 2024-01-15T08:32:33.520+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [INFO] Authenticating using configured Google JSON 'credentials'... 2024-01-15T08:32:33.520+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email] 2024-01-15T08:32:33.520+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [INFO] Authenticating using configured Google JSON 'credentials'... 2024-01-15T08:32:33.520+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [INFO] -- Scopes: [https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email] 2024-01-15T08:32:33.520+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Waiting for state to become: [success] 2024-01-15T08:32:33.649+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [INFO] Terraform is using this identity: XYZ 2024-01-15T08:32:33.649+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] parent context canceled, cleaning up batcher batches 2024-01-15T08:32:33.649+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Stopping batcher "Service Usage" 2024-01-15T08:32:33.649+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] parent context canceled, cleaning up batcher batches 2024-01-15T08:32:33.649+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Stopping batcher "IAM" 2024-01-15T08:32:33.651+0100 [DEBUG] Resource instance state not found for node "data.google_dns_managed_zone.main", instance data.google_dns_managed_zone.main 2024-01-15T08:32:33.651+0100 [INFO] ReferenceTransformer: reference not found: "var.managed_zone" 2024-01-15T08:32:33.651+0100 [DEBUG] ReferenceTransformer: "data.google_dns_managed_zone.main" references: [] 2024-01-15T08:32:33.654+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Calling provider defined DataSource Configure: tf_provider_addr=registry.terraform.io/hashicorp/google @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_validatedatasourceconfig.go:39 @module=sdk.framework tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af tf_rpc=ValidateDataSourceConfig timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.654+0100 [INFO] provider.terraform-provider-google_v5.11.0_x5: Instantiating Google Cloud DNS client for path https://dns.googleapis.com: @caller=github.com/hashicorp/terraform-provider-google/google/fwtransport/framework_provider_clients.go:27 @module=google tf_rpc=ConfigureProvider tf_mux_provider=*schema.GRPCProviderServer tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=f93144d8-d58e-48be-61c6-d92904334c06 timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.654+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined DataSource Configure: tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server tf_rpc=ValidateDataSourceConfig @module=sdk.framework tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_validatedatasourceconfig.go:41 timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.655+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Calling provider defined Type Validate: @module=sdk.framework tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwschemadata/data_value.go:78 tf_attribute_path=managed_zone_id tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.655+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined Type Validate: tf_attribute_path=managed_zone_id tf_provider_addr=registry.terraform.io/hashicorp/google tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwschemadata/data_value.go:80 tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af @module=sdk.framework timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.655+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Calling provider defined Type Validate: tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwschemadata/data_value.go:78 @module=sdk.framework tf_attribute_path=name_servers tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server tf_provider_addr=registry.terraform.io/hashicorp/google timestamp=2024-01-15T08:32:33.654+0100 2024-01-15T08:32:33.655+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined Type Validate: @module=sdk.framework tf_attribute_path=name_servers tf_data_source_type=google_dns_managed_zone tf_mux_provider=*proto5server.Server tf_req_id=43e78a10-0fb6-4ca0-e626-c229fe4964af tf_rpc=ValidateDataSourceConfig @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwschemadata/data_value.go:80 tf_provider_addr=registry.terraform.io/hashicorp/google timestamp=2024-01-15T08:32:33.655+0100 data.google_dns_managed_zone.main: Reading... 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Calling provider defined DataSource Configure: tf_mux_provider=*proto5server.Server tf_data_source_type=google_dns_managed_zone tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=cd022113-f0cc-3558-022d-2a51966cce40 @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_readdatasource.go:43 @module=sdk.framework tf_rpc=ReadDataSource timestamp=2024-01-15T08:32:33.657+0100 2024-01-15T08:32:33.657+0100 [INFO] provider.terraform-provider-google_v5.11.0_x5: Instantiating Google Cloud DNS client for path https://dns.googleapis.com: @caller=github.com/hashicorp/terraform-provider-google/google/fwtransport/framework_provider_clients.go:27 tf_mux_provider=*schema.GRPCProviderServer tf_req_id=f93144d8-d58e-48be-61c6-d92904334c06 @module=google tf_provider_addr=registry.terraform.io/hashicorp/google tf_rpc=ConfigureProvider timestamp=2024-01-15T08:32:33.657+0100 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined DataSource Configure: tf_provider_addr=registry.terraform.io/hashicorp/google tf_mux_provider=*proto5server.Server tf_data_source_type=google_dns_managed_zone tf_req_id=cd022113-f0cc-3558-022d-2a51966cce40 tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_readdatasource.go:45 @module=sdk.framework timestamp=2024-01-15T08:32:33.657+0100 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Calling provider defined DataSource Read: tf_mux_provider=*proto5server.Server tf_req_id=cd022113-f0cc-3558-022d-2a51966cce40 tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_readdatasource.go:74 @module=sdk.framework tf_data_source_type=google_dns_managed_zone tf_provider_addr=registry.terraform.io/hashicorp/google timestamp=2024-01-15T08:32:33.657+0100 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Retry Transport: starting RoundTrip retry loop 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Retry Transport: request attempt 0 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Google API Request Details: 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: ---[ REQUEST ]--------------------------------------- 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: GET /dns/v1/projects/project-XYZ/managedZones/zone-XYZ?alt=json&prettyPrint=false HTTP/1.1 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Host: dns.googleapis.com 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: User-Agent: google-api-go-client/0.5 Terraform/1.5.7 (+https://www.terraform.io) Terraform-Plugin-SDK/terraform-plugin-framework terraform-provider-google/5.11.0 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: X-Goog-Api-Client: gl-go/1.20.12 gdcl/0.154.0 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Accept-Encoding: gzip 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024-01-15T08:32:33.657+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024-01-15T08:32:33.658+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: ----------------------------------------------------- 2024-01-15T08:32:33.658+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: Post "https://oauth2.googleapis.com/token": context canceled 2024-01-15T08:32:33.658+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] Retry Transport: Returning after 1 attempts 2024-01-15T08:32:33.658+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: Called provider defined DataSource Read: tf_data_source_type=google_dns_managed_zone tf_req_id=cd022113-f0cc-3558-022d-2a51966cce40 @caller=github.com/hashicorp/terraform-plugin-framework@v1.1.1/internal/fwserver/server_readdatasource.go:76 @module=sdk.framework tf_mux_provider=*proto5server.Server tf_provider_addr=registry.terraform.io/hashicorp/google tf_rpc=ReadDataSource timestamp=2024-01-15T08:32:33.657+0100 2024-01-15T08:32:33.658+0100 [ERROR] provider.terraform-provider-google_v5.11.0_x5: Response contains error diagnostic: tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=cd022113-f0cc-3558-022d-2a51966cce40 @module=sdk.proto diagnostic_summary="Error when reading or editing dataSourceDnsManagedZone "zone-XYZ"" tf_data_source_type=google_dns_managed_zone tf_proto_version=5.3 tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail="Get "https://dns.googleapis.com/dns/v1/projects/project-XYZ/managedZones/zone-XYZ?alt=json&prettyPrint=false": Post "https://oauth2.googleapis.com/token": context canceled" diagnostic_severity=ERROR timestamp=2024-01-15T08:32:33.658+0100 2024-01-15T08:32:33.658+0100 [ERROR] vertex "data.google_dns_managed_zone.main" error: Error when reading or editing dataSourceDnsManagedZone "zone-XYZ" 2024-01-15T08:32:33.658+0100 [ERROR] vertex "data.google_dns_managed_zone.main (expand)" error: Error when reading or editing dataSourceDnsManagedZone "zone-XYZ" 2024-01-15T08:32:33.659+0100 [INFO] backend/local: plan operation completed

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Error when reading or editing dataSourceDnsManagedZone "zone-XYZ"
│
│ with data.google_dns_managed_zone.main,
│ on main.tf line 30, in data "google_dns_managed_zone" "main":
│ 30: data "google_dns_managed_zone" "main" {
│
│ Get "https://dns.googleapis.com/dns/v1/projects/project-XYZ/managedZones/zone-XYZ?alt=json&prettyPrint=false": Post "https://oauth2.googleapis.com/token":
│ context canceled
╵
2024-01-15T08:32:33.683+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] [transport] [server-transport 0x14001779d40] Closing: Server.Stop called
2024-01-15T08:32:33.683+0100 [DEBUG] provider.terraform-provider-google_v5.11.0_x5: 2024/01/15 08:32:33 [DEBUG] [transport] [server-transport 0x14001779d40] loopyWriter exiting with error: transport closed by client
2024-01-15T08:32:33.683+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-01-15T08:32:33.685+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google/5.11.0/darwin_arm64/terraform-provider-google_v5.11.0_x5 pid=27967
2024-01-15T08:32:33.685+0100 [DEBUG] provider: plugin exited


[SarahFrench]

@edwardmedia I think the underlying reason here could be that the data source is implemented with the plugin-framework. That's why resources behave as expected while data sources experience this error.

[edwardmedia]

Yes I see the diff in the code between its resource and data source. Thanks @SarahFrench for pointing that out

[fulljackz]

Hi there, I also have the same issue here. Any idea about a working provider version or a quick workaround to make it works temporarily ?

Regards,

[MaWiPPI]

What worked for me is instead of naming the environment variable GOOGLE_CREDENTIALS to pass the google application credentials, I would use GOOGLE_APPLICATION_CREDENTIALS instead. We had used GOOGLE_CREDENTIALS before in order to use one environment variable for both the state (in gcs) and the provider.

[fulljackz]

What worked for me is instead of naming the environment variable GOOGLE_CREDENTIALS to pass the google application credentials, I would use GOOGLE_APPLICATION_CREDENTIALS instead. We had used GOOGLE_CREDENTIALS before in order to use one environment variable for both the state (in gcs) and the provider.

It works, thanks for the hint !

[JakeCooper]

Unfortunately that doesn't seem to work

I've added the roles/dns.admin and it still doesn't work either :/

[fulljackz]

@JakeCooper I just had the same problem two month later and I came back here by chance :D

Are you using gcloud cli to authenticate ?
Are you using the GOOGLE_APPLICATION_CREDENTIALS and GOOGLE_CREDENTIALS variables ?

The working solution for me is to unset theses variables if they are set, and try to reconnect using gcloud auth application-default login

[JakeCooper]

Holy hell what are the odds!

I only set GOOGLE_APPLICATION_CREDENTIALS

I point that to the service-account.json file

Then I do gcloud auth activate-service-account --key-file= --quiet

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.