How to give certificate to HTTPS target proxy when creating new beta Internal HTTPS Loadbalancers ? #4157

Closed
marianne-butaye opened this issue Aug 5, 2019 · 6 comments
@marianne-butaye

I tried to deploy an internal HTTP(S) load balancer on GCP (beta version), as this new feature was recently released in beta.
My deployment worked correctly, until I tried to add an SSL certificate to the HTTPS target proxy.

When I try to add an SSL certificate (that already exists on my account) to an HTTPS target proxy that is already created, I get this error:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ google_compute_target_https_proxy.target_https_proxy
      ssl_certificates.#: "0" => "1"
      ssl_certificates.0: "" => "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/my-domain-com"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_target_https_proxy.target_https_proxy: Modifying... (ID: tp-https-tf-internal-lb)
  ssl_certificates.#: "0" => "1"
  ssl_certificates.0: "" => "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/my-domain-com"

Error: Error applying plan:

1 error occurred:
        * google_compute_target_https_proxy.target_https_proxy: 1 error occurred:
        * google_compute_target_https_proxy.target_https_proxy: Error updating TargetHttpsProxy "tp-https-tf-internal-lb": googleapi: Error 400: Invalid value for field 'resource': ''. Action (setting SSL certificates in TargetHttpsProxy.) is not supported in Traffic Director., invalid

When I try to add one directly to an HTTPS target proxy that is not yet created, I get this error:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + google_compute_global_forwarding_rule.https_forwarding_rule
      id:                    <computed>
      ip_address:            "10.10.1.30"
      label_fingerprint:     <computed>
      load_balancing_scheme: "INTERNAL_SELF_MANAGED"
      name:                  "frontend-https-tf-internal-lb"
      network:               "https://www.googleapis.com/compute/v1/projects/my-project-id/global/networks/vpc-main"
      port_range:            "443"
      project:               <computed>
      self_link:             <computed>
      target:                "${google_compute_target_https_proxy.target_https_proxy.self_link}"

  + google_compute_target_https_proxy.target_https_proxy
      id:                    <computed>
      creation_timestamp:    <computed>
      name:                  "tp-https-tf-internal-lb"
      project:               <computed>
      proxy_id:              <computed>
      self_link:             <computed>
      ssl_certificates.#:    "1"
      ssl_certificates.0:    "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/my-domain-com"
      ssl_policy:            "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslPolicies/sslp-compatible"
      url_map:               "https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/lb-https-tf-internal-lb"


Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_target_https_proxy.target_https_proxy: Creating...
  creation_timestamp: "" => "<computed>"
  name:               "" => "tp-https-tf-internal-lb"
  project:            "" => "<computed>"
  proxy_id:           "" => "<computed>"
  self_link:          "" => "<computed>"
  ssl_certificates.#: "" => "1"
  ssl_certificates.0: "" => "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslCertificates/my-domain-com"
  ssl_policy:         "" => "https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslPolicies/sslp-compatible"
  url_map:            "" => "https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/lb-https-tf-internal-lb"

Error: Error applying plan:

1 error occurred:
        * google_compute_target_https_proxy.target_https_proxy: 1 error occurred:
        * google_compute_target_https_proxy.target_https_proxy: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. No SSL certificate can be specified in TargetHttpsProxy when using Traffic Director. Please use SslPolicy instead., invalid

I don't understand these errors and did not find anything on the internet about them.
Here is my terraform config for the HTTPS target proxy resource:

google_compute_target_https_proxy.target_https_proxy:
  id = tp-https-tf-internal-lb
  creation_timestamp = 2019-08-05T08:05:38.430-07:00
  description = 
  name = tp-https-tf-internal-lb
  project = my-project-id
  proxy_id = 4671823515802655583
  quic_override = 
  self_link = https://www.googleapis.com/compute/v1/projects/my-project-id/global/targetHttpsProxies/tp-https-tf-internal-lb
  ssl_certificates.# = 0
  ssl_policy = https://www.googleapis.com/compute/v1/projects/my-project-id/global/sslPolicies/sslp-compatible
  url_map = https://www.googleapis.com/compute/v1/projects/my-project-id/global/urlMaps/lb-https-tf-internal-lb

Is something wrong in my Target HTTPS proxy configuration or is this a bug?

Chupaka commented Aug 6, 2019

Can you do that change manually via Web UI?


Kumoservices commented Aug 7, 2019

Hi,

With no beta provider, I have this today in my GCP test:

Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. No SSL certificate can be specified in TargetHttpsProxy when using Traffic Director. Please use SslPolicy instead., invalid

on load_balancing.tf line 17, in resource "google_compute_target_https_proxy" "appserver":
17: resource "google_compute_target_https_proxy" "appserver" {

Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. No SSL certificate can be specified in TargetHttpsProxy when using Traffic Director. Please use SslPolicy instead., invalid

on load_balancing.tf line 17, in resource "google_compute_target_https_proxy" "appserver":
17: resource "google_compute_target_https_proxy" "appserver" {

Extract of part of the code:

resource "google_compute_target_https_proxy" "appserver" {
  count            = "${var.vm_counter}"
  name             = "${var.entity}-${var.keykats}-${var.environment}-thp-appserver-${format("%03d", count.index + 1)}"
  description      = "a description"
  url_map          = "${google_compute_url_map.appserver.*.self_link["${count.index}"]}"
  ssl_certificates = ["${google_compute_ssl_certificate.testdotcom.self_link}"]
  ssl_policy       = "${google_compute_ssl_policy.appserver.name}"
}

resource "google_compute_ssl_policy" "appserver" {
  name            = "custom-ssl-policy"
  min_tls_version = "TLS_1_2"
  profile         = "CUSTOM"
  custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}

If I comment out the certificate line in the target_proxy definition I have this:
Error: Missing required argument

on load_balancing.tf line 17, in resource "google_compute_target_https_proxy" "appserver":
17: resource "google_compute_target_https_proxy" "appserver" {

"The argument "ssl_certificates" is required, but no definition was found..."

@rileykarson rileykarson self-assigned this Aug 7, 2019
@rileykarson rileykarson added the bug label Aug 7, 2019
@rileykarson

Can you share the config for your load balancing resources? Specifically, I'm interested in the backend service, target HTTPS proxy and URL map.


Kumoservices commented Aug 9, 2019

Still on Terraform 0.12, I have made some changes now but get the same final issue:

resource "google_compute_global_address" "nginx" {
  name = "${var.entity}-${var.keykats}-${var.environment}-eip-webfront"
}

resource "google_compute_global_forwarding_rule" "nginxhttps" {
  count      = "${var.vm_counter}"
  name       = "${var.entity}-${var.keykats}-${var.environment}-gfr-nginx-${format("%03d", count.index + 1)}"
  target     = "${google_compute_target_https_proxy.nginx.*.self_link[count.index]}"
  port_range = "443"
}

resource "google_compute_target_https_proxy" "nginx" {
  count            = "${var.vm_counter}"
  name             = "${var.entity}-${var.keykats}-${var.environment}-thp-nginx-${format("%03d", count.index + 1)}"
  description      = "a description"
  url_map          = "${google_compute_url_map.nginx.*.self_link["${count.index}"]}"
  # references the "totodotfr" certificate resource declared below
  ssl_certificates = ["${google_compute_ssl_certificate.totodotfr.self_link}"]
  ssl_policy       = "${google_compute_ssl_policy.appserver.name}"
}

resource "google_compute_ssl_policy" "appserver" {
  name            = "custom-ssl-policy"
  min_tls_version = "TLS_1_2"
  profile         = "CUSTOM"
  custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}

resource "google_compute_ssl_certificate" "totodotfr" {
  name        = "${var.entity}-${var.keykats}-${var.environment}-crt-totodotr"
  private_key = "${file("files/certificates/wildcard.toto.fr.key")}"
  certificate = "${file("files/certificates/wildcard.toto.fr.crt")}"
}

resource "google_compute_url_map" "nginx" {
  count           = "${var.vm_counter}"
  name            = "${var.entity}-${var.keykats}-${var.environment}-ump-nginx-${format("%03d", count.index + 1)}"
  description     = "a description"
  default_service = "${google_compute_backend_service.nginx.*.self_link["${count.index}"]}"

  host_rule {
    hosts        = ["gcppoc.toto.fr"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = "${google_compute_backend_service.nginx.*.self_link["${count.index}"]}"

    path_rule {
      paths   = ["/*"]
      service = "${google_compute_backend_service.nginx.*.self_link["${count.index}"]}"
    }
  }
}

resource "google_compute_backend_service" "nginx" {
  count                 = "${var.vm_counter}"
  name                  = "${var.entity}-${var.keykats}-${var.environment}-bks-nginx-${format("%03d", count.index + 1)}"
  description           = "a description"
  port_name             = "https"
  protocol              = "HTTPS"
  timeout_sec           = "10"
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"

  // Fix for group value issue : hashicorp/terraform#4336
  backend {
    group           = "${replace(google_compute_instance_group_manager.nginx.*.self_link[count.index], "Manager", "")}"
    balancing_mode  = "UTILIZATION"
    capacity_scaler = "1"
    max_utilization = "0.8"
    description     = "a description"
  }

  health_checks = ["${google_compute_health_check.autohealing.self_link}"]
}

resource "google_compute_http_health_check" "nginx" {
  name                = "${var.entity}-${var.keykats}-${var.environment}-hhc-frw-nginx"
  description         = "Default ${var.asset} HTTP health check for backend service"
  request_path        = "/"
  healthy_threshold   = "2"
  unhealthy_threshold = "2"
  timeout_sec         = "5"
  check_interval_sec  = "5"
  port                = "80"
}

...

I now have:
Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. No SSL certificate can be specified in TargetHttpsProxy when using Traffic Director. Please use SslPolicy instead., invalid

on load_balancing.tf line 16, in resource "google_compute_target_https_proxy" "nginx":
16: resource "google_compute_target_https_proxy" "nginx" {

Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates': ''. No SSL certificate can be specified in TargetHttpsProxy when using Traffic Director. Please use SslPolicy instead., invalid

on load_balancing.tf line 16, in resource "google_compute_target_https_proxy" "nginx":
16: resource "google_compute_target_https_proxy" "nginx" {

If I comment out the ssl_certificates param in "google_compute_target_https_proxy" I have this:

Error: Missing required argument

on load_balancing.tf line 16, in resource "google_compute_target_https_proxy" "nginx":
16: resource "google_compute_target_https_proxy" "nginx" {

The argument "ssl_certificates" is required, but no definition was found.

@ghost ghost removed the waiting-response label Aug 9, 2019

rileykarson commented Aug 9, 2019

We don't have support for L7 ILB yet, so this isn't possible today. Once supported, there'll be regional variants of each of these LB resources. By using the global variants, your config is effectively using Traffic Director. Per my understanding based on https://cloud.google.com/traffic-director/docs/traffic-director-concepts#limitations, HTTPS traffic is unsupported.

If you're interested in L7 ILB support, please 👍 #4190. I'd suggest including specific GCP guides / resources for the feature that you're interested in as well.
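The reply above explains why the error appears: the global `google_compute_target_https_proxy`, `google_compute_url_map` and `google_compute_backend_service` with `INTERNAL_SELF_MANAGED` are Traffic Director resources, whose proxies you run yourself, so there is nowhere for the API to terminate TLS with your certificate. The internal HTTP(S) load balancer is a different, regional product. The following is an added example, not code from the thread or from the provider's own documentation, of what the regional form looks like; it assumes a google provider version that already ships the regional resources (they did not exist when this issue was filed), Terraform 0.12 syntax, and placeholder values: the region, the `vpc-main` network, the `app-subnet` client subnet, the proxy-only CIDR, the `wildcard.example.com` certificate files and the `nginx_instance_group` variable are all hypothetical.

```hcl
# Added example: regional internal HTTP(S) LB ("L7 ILB") with a certificate on
# the proxy. All names, ranges and file paths are assumptions, not from the thread.

# Existing managed instance group to use as backend (self_link); assumed to exist.
variable "nginx_instance_group" {
  type = string
}

# The managed Envoy proxies of the internal HTTP(S) LB need a dedicated
# proxy-only subnet in the same region and VPC as the clients.
resource "google_compute_subnetwork" "proxy_only" {
  name          = "proxy-only-subnet"
  region        = "europe-west1"
  network       = "vpc-main"
  ip_cidr_range = "10.129.0.0/23"
  purpose       = "INTERNAL_HTTPS_LOAD_BALANCER"
  role          = "ACTIVE"
}

resource "google_compute_region_health_check" "https" {
  name   = "ilb-https-hc"
  region = "europe-west1"

  https_health_check {
    port         = 443
    request_path = "/healthz"
  }
}

# INTERNAL_MANAGED is the internal HTTP(S) LB scheme; INTERNAL_SELF_MANAGED,
# used in the thread, selects Traffic Director and triggers the 400 error.
resource "google_compute_region_backend_service" "nginx" {
  name                  = "ilb-backend-nginx"
  region                = "europe-west1"
  protocol              = "HTTPS"
  load_balancing_scheme = "INTERNAL_MANAGED"
  timeout_sec           = 10
  health_checks         = [google_compute_region_health_check.https.self_link]

  backend {
    group           = var.nginx_instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

resource "google_compute_region_url_map" "nginx" {
  name            = "ilb-urlmap-nginx"
  region          = "europe-west1"
  default_service = google_compute_region_backend_service.nginx.self_link
}

# The certificate must itself be a regional resource; the global
# google_compute_ssl_certificate from the thread cannot be attached here.
# The private key is read from disk and ends up in the Terraform state, so the
# state backend must be treated as a secret store.
resource "google_compute_region_ssl_certificate" "wildcard" {
  name        = "ilb-crt-wildcard"
  region      = "europe-west1"
  private_key = file("files/certificates/wildcard.example.com.key")
  certificate = file("files/certificates/wildcard.example.com.crt")
}

# The regional proxy accepts ssl_certificates, which is exactly what the global
# proxy refused. ssl_policy is omitted: whether the regional proxy accepts one
# depends on the provider version (assumption).
resource "google_compute_region_target_https_proxy" "nginx" {
  name             = "ilb-thp-nginx"
  region           = "europe-west1"
  url_map          = google_compute_region_url_map.nginx.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.wildcard.self_link]
}

# A regional forwarding rule (not google_compute_global_forwarding_rule) gives
# the LB an RFC 1918 address in the client subnet.
resource "google_compute_forwarding_rule" "nginx_https" {
  name                  = "ilb-fr-nginx-https"
  region                = "europe-west1"
  ip_protocol           = "TCP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = "443"
  target                = google_compute_region_target_https_proxy.nginx.self_link
  network               = "vpc-main"
  subnetwork            = "app-subnet"
  depends_on            = [google_compute_subnetwork.proxy_only]
}
```

The quick way to tell which product an existing deployment is on is the scheme on the forwarding rule and backend service: `INTERNAL_SELF_MANAGED` on a global forwarding rule is Traffic Director, `INTERNAL_MANAGED` on a regional forwarding rule is the internal HTTP(S) load balancer. Only the latter terminates TLS on Google-managed proxies, so only there does attaching a certificate to the target proxy make sense.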


ghost commented Sep 9, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 9, 2019