Issue when adding labels to existing google_compute_global_address

[suryaincbe]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.3.6

• provider registry.terraform.io/hashicorp/google v5.38.0
• provider registry.terraform.io/hashicorp/google-beta v4.80.0

Affected Resource(s)

google_compute_global_address

Terraform Configuration

#PROVIDER DEFINITIONS
terraform {
required_version = "=1.3.6"
backend "gcs" {

}
required_providers {
google = {
source = "hashicorp/google"
}
null = {
source = "hashicorp/null"
version = "3.2.1"
}
local = {
source = "hashicorp/local"
version = "2.4.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = "4.80.0"
}
}
}

provider "google" {
project = var.project
region = var.region
zone = local.zonea
default_labels = {
ot_tenant = "xxxx"
ot_environment = "xxxx"
ot_master_product = "xxxx"
}
}

resource "google_compute_global_address" "external_ip" {
project = var.project
name = "xxxx"
description = "xxxx"
address_type = "EXTERNAL"
}

Debug Output

No response

Expected Behavior

Since default_labels are added to google provider block, the labels should be added to google_compute_global_address.external.ip resource.

Terraform plan shows its adding the labels to the resource but terraform apply fails.

But when we declare a separate provider for google-beta and point the external.ip resource to the beta-provider it works

provider "google-beta" {
alias = "google-beta"
project = "xxxx"
region = "xxxx"
zone = "xxxx"
default_labels = {
ot_tenant = var.customer
ot_environment = var.env
ot_master_product = var.master_product
}
}

We believe this is occurring due to the label_fingerprint attribute for google_compute_global_address is still in beta.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address#attributes-reference

We need to know when the label_fingerprint attribute will be present in google provider.

Actual Behavior

terraform apply fails with below message,
Error updating GlobalAddress "projects/otc-ems-ce-dryrun1/global/addresses/a001-preprod": googleapi: Error 412: Labels fingerprint either invalid or resource labels have changed, conditionNotMet

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

No response

b/354725806

[ggtisc]

Hi @suryaincbe!

After analyzing your code I noticed that this is not a bug but rather a nomenclature error. As you can see in the API documentation labels are declared with the next format using : instead of =

resource "google_compute_global_address" "cga_18739" {
  name = "cga-18739"
  labels = {
    "example" : "something",
    "otherlabel" : "otherthing"
  }
}

[Maarc-D]

Hi @suryaincbe!

After analyzing your code I noticed that this is not a bug but rather a nomenclature error. As you can see in the API documentation labels are declared with the next format using : instead of =

resource "google_compute_global_address" "cga_18739" {
  name = "cga-18739"
  labels = {
    "example" : "something",
    "otherlabel" : "otherthing"
  }
}

Not in terraform and furthermore on our case we used provider default_labels was totally fine and with the 5.38.0 version it crash with same issue as provided here, so it is a bug ;)
As temporary workaround we did stick to 5.37.0 but this change (from 5.37.0 to 5.38.0) must be fix or rollback ;)

[tamipangadil]

Hi @suryaincbe @Maarc-D

I have faced similar issue which blocked our Terraform CI pipeline. Using the google-beta provider in our google_compute_global_address resources worked as you mentioned above.

resource "google_compute_global_address" "external_ip" {
  provider = google-beta
  ...
}

This is clearly a bug which was prematurely being required while it is still in beta.

[JSkimming]

We have the same issue and have reverted back to 5.37.0.

[melinath]

Yeah this looks like a legitimate bug. The label field was updated to GA in GoogleCloudPlatform/magic-modules#11093 but the label fingerprints field was missed. LabelFingerprint is present in the GA API so should be fine to promote as well; that should resolve the issue.

See GoogleCloudPlatform/magic-modules#9159 for the promotion for this field in the regional variant of the resource, and GoogleCloudPlatform/magic-modules#9768 for a similar issue in google_compute_vpn_tunnel

[watsonjm]

This bug is still present in 5.41, we're currently restrained to 5.37 until it gets fixed.