
Can't add ssl policy to existing google_compute_region_target_https_proxy #16963

Closed
khtelus opened this issue Jan 10, 2024 · 8 comments · Fixed by GoogleCloudPlatform/magic-modules#10877, hashicorp/terraform-provider-google-beta#7484 or #18361


khtelus commented Jan 10, 2024


Terraform Version

Terraform v1.5.2
on linux_amd64
+ provider registry.terraform.io/elastic/ec v0.5.1
+ provider registry.terraform.io/hashicorp/archive v2.4.1
+ provider registry.terraform.io/hashicorp/google v5.11.0
+ provider registry.terraform.io/hashicorp/google-beta v5.11.0
+ provider registry.terraform.io/hashicorp/random v3.6.0
+ provider registry.terraform.io/hashicorp/tls v4.0.5

Affected Resource(s)

google_compute_region_target_https_proxy

Terraform Configuration Files

resource "google_compute_forwarding_rule" "default-https" {
  project               = var.project_id
  region                = var.region
  name                  = "https-frwd-rule"
  network               = var.network
  subnetwork            = var.subnet
  load_balancing_scheme = "INTERNAL_MANAGED"
  target                = google_compute_region_target_https_proxy.default-https.self_link
  ip_address            = var.lb_ip_address
  ip_protocol           = "TCP"
  port_range            = "443"
  network_tier          = "PREMIUM"
  allow_global_access   = "true"
}

resource "google_compute_region_backend_service" "default" {
  project               = var.project_id
  region                = var.region
  name                  = "backend-service"
  protocol              = "HTTPS"
  port_name             = "https-server"
  load_balancing_scheme = "INTERNAL_MANAGED"
  session_affinity      = "HTTP_COOKIE"
  health_checks         = [google_compute_region_health_check.default.self_link]
  locality_lb_policy    = "RING_HASH"

  # websocket handling: https://stackoverflow.com/questions/63822612/websocket-connection-being-closed-on-google-compute-engine
  timeout_sec = 600

  backend {
    balancing_mode        = "RATE"
    capacity_scaler       = "1.0"
    max_rate_per_instance = "10"
    group                 = var.instance_group
  }

  consistent_hash {
    http_cookie {
      ttl {
        # 24hr cookie ttl
        seconds = 86400
        nanos   = null
      }
      name = "X-CLIENT-SESSION"
      path = null
    }
    http_header_name  = null
    minimum_ring_size = 1024
  }

  log_config {
    enable      = true
    sample_rate = 1.0
  }
}

resource "google_compute_region_health_check" "default" {
  project             = var.project_id
  region              = var.region
  name                = "hc"
  timeout_sec         = 5
  check_interval_sec  = 30
  healthy_threshold   = 3
  unhealthy_threshold = 3

  https_health_check {
    port         = 443
    request_path = "/health"
  }
}

resource "google_compute_region_target_https_proxy" "default-https" {
  project          = var.project_id
  region           = var.region
  name             = "https-proxy"
  url_map          = google_compute_region_url_map.default-https.self_link
  ssl_certificates = [var.lb_cert]
  ssl_policy       = google_compute_region_ssl_policy.default.id

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_url_map" "default-https" {
  project         = var.project_id
  region          = var.region
  name            = "lb"
  default_service = google_compute_region_backend_service.default.id
}

resource "google_compute_region_ssl_policy" "default" {
  project = var.project_id
  region  = var.region
  name    = "ssl-policy"

  # https://cloud.google.com/load-balancing/docs/ssl-policies-concepts#defining_an_ssl_policy
  profile         = "RESTRICTED"
  min_tls_version = "TLS_1_2"
}

Expected Behavior

Terraform creates the new ssl policy object.
Terraform creates a new target_https_proxy with the ssl policy attached, then deletes the previous/old/deposed resource.

Actual Behavior

Error: Error when reading or editing RegionTargetHttpsProxy: googleapi: Error 400: The target_https_proxy resource 'projects/the-project/regions/northamerica-northeast1/targetHttpsProxies/https-proxy' is already being used by 'projects/the-project/regions/northamerica-northeast1/forwardingRules/https-frwd-rule', resourceInUseByAnotherResource

Steps to Reproduce

  1. terraform apply

b/319998354

@khtelus khtelus added the bug label Jan 10, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-l7-load-balancer labels Jan 10, 2024

khtelus commented Jan 10, 2024

Perhaps not a bug, but maybe a combo of properly using a random id added to the name of the proxy resource and use of keepers might be what is required to make this behave as intended? Thx!

@edwardmedia edwardmedia self-assigned this Jan 11, 2024
@edwardmedia
Contributor

@khtelus adding ssl_policy is fine. There is a test that shows it is working.

Besides ssl_policy, did you change anything else?

@edwardmedia edwardmedia added waiting-response forward/exempt Never forward this issue and removed forward/review In review; remove label to forward labels Jan 11, 2024

khtelus commented Jan 11, 2024

Thanks @edwardmedia - yes, the only change introduced in this case was adding the ssl policy. Looking back at the run output, it also seems to want to change the ssl certificate reference, from what looks like a self_link to an id-style format:

Step #1 - "terraform-apply":   # module.my_module.module.lb.google_compute_region_target_https_proxy.default-https must be replaced
Step #1 - "terraform-apply": -/+ resource "google_compute_region_target_https_proxy" "default-https" {
Step #1 - "terraform-apply":       ~ creation_timestamp = "2023-03-14T14:10:37.152-07:00" -> (known after apply)
Step #1 - "terraform-apply":       ~ id                 = "projects/the-project/regions/northamerica-northeast1/targetHttpsProxies/https-proxy" -> (known after apply)
Step #1 - "terraform-apply":         name               = "https-proxy"
Step #1 - "terraform-apply":       ~ proxy_id           = 4360695795003776000 -> (known after apply)
Step #1 - "terraform-apply":       ~ self_link          = "https://www.googleapis.com/compute/v1/projects/the-project/regions/northamerica-northeast1/targetHttpsProxies/https-proxy" -> (known after apply)
Step #1 - "terraform-apply":       ~ ssl_certificates   = [
Step #1 - "terraform-apply":           - "https://www.googleapis.com/compute/v1/projects/the-project/regions/northamerica-northeast1/sslCertificates/the-cert",
Step #1 - "terraform-apply":           + "projects/the-project/regions/northamerica-northeast1/sslCertificates/the-cert",
Step #1 - "terraform-apply":         ]
Step #1 - "terraform-apply":       + ssl_policy         = (known after apply) # forces replacement
Step #1 - "terraform-apply":         # (3 unchanged attributes hidden)
Step #1 - "terraform-apply":     }

This run also was using the 5.3.0 version of the google provider at the time vs 5.11.0.

@edwardmedia
Contributor

I see where the problem is


khtelus commented Jan 12, 2024

@edwardmedia it looks like the region https_proxy resource does not have a method to update the ssl policy where the global/non-regional https_proxy does?

Hence our run wants to recreate our proxy (which it can't - in use) vs update in place.

https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/compute/resource_compute_region_target_https_proxy.go


edwardmedia commented Jan 12, 2024

Setting ssl_policy ForceNew() seems wrong, as update is supported by the API PATCH method.

@edwardmedia edwardmedia removed the forward/exempt Never forward this issue label Jan 12, 2024
@edwardmedia edwardmedia removed their assignment Jan 12, 2024

khtelus commented Jan 22, 2024

As a workaround I am adding a second google_compute_region_target_https_proxy resource with the ssl policy and updating my forwarding rule to point to this new proxy. A subsequent change will then be req'd to delete the old https_proxy resource without the ssl policy.
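The two-step workaround described in the comment above, written out as an added example that is not the reporter's own configuration. It assumes the same variables and resources as the issue's config (var.project_id, var.region, var.lb_cert, google_compute_region_url_map.default-https, google_compute_region_ssl_policy.default) and uses a hypothetical name "https-proxy-v2" for the second proxy.

```hcl
# Step 1 (first apply): add a second proxy that carries ssl_policy and repoint
# the forwarding rule at it. The old "default-https" proxy is left in the config
# for this apply, so Terraform never tries to delete a proxy still referenced by
# the forwarding rule (the resourceInUseByAnotherResource error above).
resource "google_compute_region_target_https_proxy" "default-https-v2" {
  project          = var.project_id
  region           = var.region
  name             = "https-proxy-v2" # hypothetical; must differ from the old proxy's name
  url_map          = google_compute_region_url_map.default-https.self_link
  ssl_certificates = [var.lb_cert]
  ssl_policy       = google_compute_region_ssl_policy.default.id
}

resource "google_compute_forwarding_rule" "default-https" {
  project               = var.project_id
  region                = var.region
  name                  = "https-frwd-rule"
  network               = var.network
  subnetwork            = var.subnet
  load_balancing_scheme = "INTERNAL_MANAGED"
  # Only this attribute changes: the rule now targets the proxy that has the SSL policy.
  target                = google_compute_region_target_https_proxy.default-https-v2.self_link
  ip_address            = var.lb_ip_address
  ip_protocol           = "TCP"
  port_range            = "443"
  network_tier          = "PREMIUM"
  allow_global_access   = true
}

# Step 2 (a later apply, after the forwarding rule points at the new proxy):
# remove the old `google_compute_region_target_https_proxy.default-https` block
# from the configuration so Terraform deletes the proxy that is no longer in use.
```

Between the two applies, `terraform plan` should show only an in-place update of the forwarding rule and a create of the new proxy, with no "must be replaced" line for any proxy.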


github-actions bot commented Jul 8, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 8, 2024