
HTTPS Target proxy / SSL certificate - allow for certificate deletion #3748

Closed
bkoochin-clgx opened this issue May 30, 2019 · 6 comments

@bkoochin-clgx

Terraform Version

terraform - v0.12.0
terraform-provider-google - v2.7.0

Affected Resource(s)

google_compute_ssl_certificate
google_compute_target_https_proxy

Description

There are currently two certificates loaded on a GCP load balancer. I would like to delete one. Removing the cert from google_compute_ssl_certificate creates a plan that shows it will delete that certificate and then update google_compute_target_https_proxy in place to not include the removed certificate. This fails because it attempts the destroy first, while the certificate is still in use by the proxy.

This behaviour was noted in issue #216, but in that case using create_before_destroy was an acceptable workaround because the goal was to update a cert, not remove one.

Terraform Configuration Files

resource "google_compute_ssl_certificate" "web" {
  count       = length(var.path_to_private_key)
  project     = var.project
  name_prefix = "${var.cust_id}-certificate"
  private_key = file(var.path_to_private_key[count.index])
  certificate = file(var.path_to_certificate[count.index])

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_target_https_proxy" "web" {
  project          = var.project
  name             = "${var.environment}-${var.cust_id}-httpsweb-v${var.revision_number}"
  url_map          = google_compute_url_map.httpsweb.self_link
  ssl_certificates = google_compute_ssl_certificate.web.*.self_link
}

Expected Behavior

Terraform should edit the proxy config to not include the cert it is removing and then remove the certificate.

Actual Behavior

The apply fails because Terraform attempts to remove the certificate while it is still in use by the proxy.

References

https://github.com/terraform-providers/terraform-provider-google/issues/216

@ghost ghost added the bug label May 30, 2019
@rileykarson rileykarson self-assigned this May 30, 2019
@bkoochin-clgx (Author)

I just read this in the google_compute_target_https_proxy documentation:

ssl_certificates - (Required) A list of SslCertificate resources that are used to authenticate connections between users and the load balancer. Currently, exactly one SSL certificate must be specified.

So even though "ssl_certificates" is a list the last sentence states that I should never specify more than one certificate here. Since there is never supposed to be more than a single certificate the ability to delete one doesn't really make sense. (Although I suppose that theoretically someone may want to delete the sole certificate on their HTTPS load balancer.)

The word "currently" seems to indicate that multiple certs will be supported at some point, at which time I would assume the ability to delete one via Terraform will be integrated.

This ticket can probably be closed unless I am misunderstanding what the documentation is indicating.

@rileykarson (Collaborator)

rileykarson commented Jun 24, 2019

The documentation listed there is out of date, up to 15 are supported. Can you share a more full config (including variables), the error message you received, and the debug logs when you attempt to apply the change? Doing this succeeded when I attempted to reproduce the issue.

@bkoochin-clgx (Author)

I've since worked around this by separating out my certificate creation to another module (this makes more sense for my workflow anyway), so I don't have the original configuration to post. To help track this down, here is a simple configuration that allows me to reproduce the behaviour:

provider "google" {}

locals {
  path_to_private_key = ["certificates/test1.key", "certificates/test2.key"]
  path_to_certificate = ["certificates/test1.crt", "certificates/test2.crt"]
}

resource "google_compute_ssl_certificate" "web" {
  count       = length(local.path_to_private_key)
  project     = "myproject"
  name_prefix = "testcert1234"
  private_key = file(local.path_to_private_key[count.index])
  certificate = file(local.path_to_certificate[count.index])

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_target_https_proxy" "web" {
  project          = "myproject"
  name             = "testproxy1234"
  url_map          = google_compute_url_map.httpsweb.self_link
  ssl_certificates = google_compute_ssl_certificate.web.*.self_link
}

resource "google_compute_url_map" "httpsweb" {
  name            = "testurlmap1234"
  project         = "myproject"
  default_service = google_compute_backend_service.default.self_link
}

resource "google_compute_backend_service" "default" {
  name          = "testbackend-service"
  health_checks = [google_compute_health_check.default.self_link]
  project       = "myproject"
}

resource "google_compute_health_check" "default" {
  name                = "testhealth"
  check_interval_sec  = 10
  timeout_sec         = 5
  healthy_threshold   = 3
  unhealthy_threshold = 3
  project             = "myproject"

  http_health_check {
    request_path = "/"
    port         = "80"
  }
}

When I remove "test2.key" and "test2.crt" from the local variables the plan shows:

Terraform will perform the following actions:

  # google_compute_ssl_certificate.web[1] will be destroyed
  - resource "google_compute_ssl_certificate" "web" {
      - certificate        = (sensitive value)
      - certificate_id     = 8867264704141885000 -> null
      - creation_timestamp = "2019-06-24T14:17:54.946-07:00" -> null
      - id                 = "testcert123420190624211752823100000001" -> null
      - name               = "testcert123420190624211752823100000001" -> null
      - name_prefix        = "testcert1234" -> null
      - private_key        = (sensitive value)
      - project            = "myproject" -> null
      - self_link          = "https://www.googleapis.com/compute/v1/projects/myproject/global/sslCertificates/testcert123420190624211752823100000001" -> null
    }

  # google_compute_target_https_proxy.web will be updated in-place
  ~ resource "google_compute_target_https_proxy" "web" {
        creation_timestamp = "2019-06-24T14:24:44.221-07:00"
        id                 = "testproxy1234"
        name               = "testproxy1234"
        project            = "myproject"
        proxy_id           = 6820512332884247000
        self_link          = "https://www.googleapis.com/compute/v1/projects/myproject/global/targetHttpsProxies/testproxy1234"
      ~ ssl_certificates   = [
            "https://www.googleapis.com/compute/v1/projects/myproject/global/sslCertificates/testcert123420190624211752823100000002",
          - "https://www.googleapis.com/compute/v1/projects/myproject/global/sslCertificates/testcert123420190624211752823100000001",
        ]
        url_map            = "https://www.googleapis.com/compute/v1/projects/myproject/global/urlMaps/testurlmap1234"
    }

Plan: 0 to add, 1 to change, 1 to destroy.

But the delete operation fails. Here is the debug output which includes the error text:

2019/06/24 14:25:46 [DEBUG] google_compute_ssl_certificate.web[1]: applying the planned Delete change
2019/06/24 14:25:46 [TRACE] GRPCProvider: ApplyResourceChange
2019-06-24T14:25:46.637-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: 2019/06/24 14:25:46 [DEBUG] Deleting SslCertificate "testcert123420190624211752823100000001"
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: 2019/06/24 14:25:46 [DEBUG] Waiting for state to become: [success]
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: 2019/06/24 14:25:46 [DEBUG] Google API Request Details:
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: ---[ REQUEST ]---------------------------------------
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: DELETE /compute/v1/projects/myproject/global/sslCertificates/testcert123420190624211752823100000001?alt=json HTTP/1.1
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Host: www.googleapis.com
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: User-Agent: Terraform/0.12.2 (+https://www.terraform.io) terraform-provider-google/2.9.1
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Content-Type: application/json
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Accept-Encoding: gzip
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:
2019-06-24T14:25:46.647-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: -----------------------------------------------------
google_compute_ssl_certificate.web[1]: Destroying... [id=testcert123420190624211752823100000001]
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: 2019/06/24 14:25:47 [DEBUG] Google API Response Details:
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: ---[ RESPONSE ]--------------------------------------
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: HTTP/2.0 400 Bad Request
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Alt-Svc: quic=":443"; ma=2592000; v="46,44,43,39"
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Cache-Control: private, max-age=0
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Content-Type: application/json; charset=UTF-8
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Date: Mon, 24 Jun 2019 21:25:47 GMT
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Expires: Mon, 24 Jun 2019 21:25:47 GMT
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Server: GSE
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Vary: Origin
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: Vary: X-Origin
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: X-Content-Type-Options: nosniff
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: X-Frame-Options: SAMEORIGIN
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: X-Xss-Protection: 1; mode=block
2019-06-24T14:25:47.586-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: {
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:  "error": {
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:   "errors": [
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:    {
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:     "domain": "global",
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:     "reason": "resourceInUseByAnotherResource",
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:     "message": "The ssl_certificate resource 'projects/myproject/global/sslCertificates/testcert123420190624211752823100000001' is already being used by 'projects/myproject/global/targetHttpsProxies/testproxy1234'"
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:    }
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:   ],
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:   "code": 400,
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:   "message": "The ssl_certificate resource 'projects/myproject/global/sslCertificates/testcert123420190624211752823100000001' is already being used by 'projects/myproject/global/targetHttpsProxies/testproxy1234'"
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:  }
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: }
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe:
2019-06-24T14:25:47.587-0700 [DEBUG] plugin.terraform-provider-google_v2.9.1_x4.exe: -----------------------------------------------------

@rileykarson (Collaborator)

This is happening because Terraform core is processing operations in an impossible order, and the provider has no control here / no means to mitigate this case. Unfortunately, Core has decided that the deletion of the cert needs to happen before updating the target proxy. I'm not sure why that's the case; maybe deletes are processed before updates?

I'd suggest filing against https://github.com/hashicorp/terraform, linking to this issue so they don't just re-open it in the provider repo.
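A pre-apply check for the ordering problem described in this thread, added here as an example (it is not part of the issue, the provider or Terraform core): it reads the JSON form of a plan (`terraform show -json tfplan`) and flags any delete of a resource whose self_link or id is still held in an in-place update's `before` state and released only in its `after` state. The sample plan, addresses and certificate names below are constructed to mirror the plan output above.

```python
CERT = "https://www.googleapis.com/compute/v1/projects/myproject/global/sslCertificates/cert-0001"
KEEP = "https://www.googleapis.com/compute/v1/projects/myproject/global/sslCertificates/cert-0002"

# Constructed sample in the shape of `terraform show -json tfplan`, mirroring the
# plan in this thread: cert [1] is deleted and the proxy drops it in place.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_compute_ssl_certificate.web[1]",
     "change": {"actions": ["delete"],
                "before": {"id": "cert-0001", "self_link": CERT}, "after": None}},
    {"address": "google_compute_target_https_proxy.web",
     "change": {"actions": ["update"],
                "before": {"id": "testproxy1234", "ssl_certificates": [KEEP, CERT]},
                "after": {"id": "testproxy1234", "ssl_certificates": [KEEP]}}},
]}


def _strings_in(value):
    """Yield every string leaf of a nested JSON value (None yields nothing)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def find_delete_before_update(plan):
    """Return (deleted_address, updating_address) pairs where the deleted resource's
    self_link or id is referenced in the updater's `before` state and released only in
    `after`: core runs the delete first and the API rejects it (resourceInUseByAnotherResource)."""
    changes = plan.get("resource_changes", [])
    deleted = {}  # self_link / id -> address of the resource being destroyed
    for rc in changes:
        if rc["change"]["actions"] == ["delete"]:
            before = rc["change"].get("before") or {}
            for key in ("self_link", "id"):
                if before.get(key):
                    deleted[before[key]] = rc["address"]
    at_risk = []
    for rc in changes:
        if rc["change"]["actions"] != ["update"]:
            continue
        before_refs = set(_strings_in(rc["change"].get("before")))
        after_refs = set(_strings_in(rc["change"].get("after")))
        for ref, victim in deleted.items():
            pair = (victim, rc["address"])
            if ref in before_refs and ref not in after_refs and pair not in at_risk:
                at_risk.append(pair)
    return at_risk
```

Against a real plan, `json.load` the file produced by `terraform show -json tfplan` and pass the result to `find_delete_before_update`; a non-empty result means the apply should be split so the update that drops the reference runs before the delete.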

@rileykarson rileykarson reopened this Jun 25, 2019
@rileykarson rileykarson removed their assignment Jun 25, 2019
@rileykarson (Collaborator)

Also, this is the same underlying problem as #1883

@ghost ghost locked and limited conversation to collaborators Jul 26, 2019