SQL instance's authorized_networks constantly shifting order #547

Closed
butla opened this issue Oct 6, 2017 · 6 comments · Fixed by #733
Labels
bug forward/review In review; remove label to forward service/sqladmin-cp

butla commented Oct 6, 2017

Terraform Version

v0.10.7

Affected Resource(s)

google_sql_database_instance

Terraform Configuration Files

variable "environment"     { }
variable "application"     { default = "intervention" }
variable "region"          { default = "us-east1"     }
variable "region_zone"     { default = "us-east1-b"   }
variable "project_id"      { }


terraform {
  backend "gcs" {
    bucket  = "intervention-terraform"
    path    = "intervention/terraform.tfstate"
  }
}

provider "google" {
  project     = "${var.project_id}"
  region      = "${var.region}"
  version     = "1.0.1"
}

resource "google_compute_address" "intervention-address" {
  name = "intervention-address"
}

resource "google_compute_instance" "intervention" {
  tags         = ["intervention-host"]
  name         = "${var.application}"
  machine_type = "n1-standard-1"
  zone         = "${var.region_zone}"

  boot_disk {
    initialize_params {
      image = "ubuntu-1604-lts"
      type  = "pd-standard"
    }
  }

  network_interface {
    network = "default"

    access_config {
      nat_ip = "${google_compute_address.intervention-address.address}"
    }
  }

  service_account {
    scopes = ["https://www.googleapis.com/auth/logging.write"]
  }
}

resource "random_id" "name_suffixes" {
  byte_length = 4
}

resource "google_sql_database_instance" "sql_database_instance" {
  name             = "${var.environment}-${var.application}-${random_id.name_suffixes.hex}"
  region           = "${var.region}"
  database_version = "POSTGRES_9_6"

  settings {
    tier      = "db-g1-small"
    disk_type = "PD_SSD"

    ip_configuration {
      authorized_networks {
        name = "${var.application}"
        value = "${google_compute_instance.intervention.network_interface.0.access_config.0.nat_ip}"
      }
      authorized_networks {
        name = "stitchdata-1"
        value = "52.23.137.21/32"
      }
      authorized_networks {
        name = "stitchdata-2"
        value = "52.204.223.208/32"
      }
      authorized_networks {
        name = "stitchdata-3"
        value = "52.204.228.32/32"
      }
      authorized_networks {
        name = "stitchdata-4"
        value = "52.204.230.227/32"
      }
      authorized_networks {
        name = "stitchdata-5"
        value = "54.88.76.97/32"
      }
      authorized_networks {
        name = "webster-pl-tmobile"
        value = "178.180.0.0/16"
      }
    }

    backup_configuration {
      enabled = true
      start_time = "01:00"
    }

    location_preference {
      zone = "${var.region_zone}"
    }

    maintenance_window {
      day          = 6
      hour         = 1
      update_track = "stable"
    }
  }
}

resource "google_sql_database" "sql_database" {
  name     = "intervention"
  instance = "${google_sql_database_instance.sql_database_instance.name}"
}

resource "google_sql_user" "users_root" {
  name     = "root"
  instance = "${google_sql_database_instance.sql_database_instance.name}"
  host     = ""
  password = "NOT GONNA GIVE YOU THAT"
}

resource "google_sql_user" "users_stitchdata" {
  name     = "stitchdata"
  instance = "${google_sql_database_instance.sql_database_instance.name}"
  host     = ""
  password = "NOT GONNA GIVE YOU THAT"
  project  = "${var.project_id}"
}

Debug Output

https://gist.github.com/anonymous/a8baf57441aa6c1e158dc9ee5a30c54c

Expected Behavior

After running terraform apply, running terraform plan reports nothing to update.

Actual Behavior

After running terraform apply, running terraform plan reports that the list of authorized_networks on the SQL server needs to be updated. The set of IPs and their names doesn't change, actually. But Terraform wants to put them in a different order every single time, for some reason.

Steps to Reproduce

  1. terraform apply
  2. terraform plan

rosbo added the bug label Oct 6, 2017

rosbo (Contributor) commented Oct 6, 2017

Note to the implementer:
authorized_networks should be a Set. This will require three things:

  1. Changing type for authorized_networks to schema.Set
  2. Write a hashing function for the set elements
  3. Write a migrate function to avoid creating a diff when switching from List to Set (example for this here).
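
The effect of the set-plus-hash approach in the note above, as an added example that is not part of the original thread or the provider's code: each entry is hashed by content, so a reordered allowlist yields no diff while a genuinely new or missing CIDR still does. The type and function names, the CRC32 hash, and the reordered API response are assumptions of this sketch.

```go
package main

import "fmt"
import "hash/crc32"

// AuthorizedNetwork holds the two fields each block sets in the issue's config.
type AuthorizedNetwork struct{ Name, Value string }

// Constructed sample: three entries from the issue's config, then the same entries reordered.
var cfg = []AuthorizedNetwork{
	{"stitchdata-1", "52.23.137.21/32"},
	{"stitchdata-2", "52.204.223.208/32"},
	{"webster-pl-tmobile", "178.180.0.0/16"},
}
var api = []AuthorizedNetwork{cfg[2], cfg[0], cfg[1]}

// hashNetwork identifies an entry by content, not position (CRC32 is this sketch's choice).
func hashNetwork(n AuthorizedNetwork) uint32 {
	return crc32.ChecksumIEEE([]byte(n.Name + "\x00" + n.Value))
}

// listDiff counts differing positions, as an ordered-list comparison does.
func listDiff(a, b []AuthorizedNetwork) (changed int) {
	for i := 0; i < len(a) || i < len(b); i++ {
		if i >= len(a) || i >= len(b) || a[i] != b[i] {
			changed++
		}
	}
	return changed
}

// onlyIn returns the values of entries in a whose hash is absent from b.
func onlyIn(a, b []AuthorizedNetwork) []string {
	seen := map[uint32]bool{}
	for _, n := range b {
		seen[hashNetwork(n)] = true
	}
	var out []string
	for _, n := range a {
		if !seen[hashNetwork(n)] {
			out = append(out, n.Value)
		}
	}
	return out
}

func main() {
	fmt.Println("list diff:", listDiff(cfg, api), "set diff:", onlyIn(cfg, api), onlyIn(api, cfg))
}
```

With the list comparison every position reads as changed, which buries any real edit to the allowlist in plan noise; the set comparison reports only entries that were actually added or removed.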

butla (Author) commented Oct 6, 2017

What's interesting, is that that used to work OK in some previous version. I don't know which that was, because we're not running the deployment often, and we didn't have the provider version pinned (now it is).

rosbo (Contributor) commented Oct 6, 2017

Did you also have multiple authorized_networks before?

Another possibility is that the Cloud API changed their implementation and are using a set instead of a list (ordered vs unordered container) now...

butla (Author) commented Oct 6, 2017

Yeah, we pretty much always had the same number of networks.

Cidan (Contributor) commented Oct 7, 2017

Note, the only way to actually reproduce this is to create the resources, then edit the network list at least once -- this will then trigger the bug.

rosbo self-assigned this Oct 9, 2017
luis-silva pushed a commit to luis-silva/terraform-provider-google that referenced this issue May 21, 2019
<!-- This change is generated by MagicModules. -->
/cc @rileykarson

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

ghost locked and limited conversation to collaborators Mar 30, 2020
github-actions bot added forward/review and service/sqladmin-cp labels Jan 15, 2025