google_cloud_run_domain_mapping resources keeps recreating with every apply action

[sherifkozman]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

v0.13.5

Affected Resource(s)

*google_cloud_run_domain_mapping

Terraform Configuration Files

resource "google_cloud_run_domain_mapping" "media" {
  project  = var.gcp_project
  location = "us-central1"
  name     = "media.host.com"

  metadata {
    annotations = {
      "run.googleapis.com/launch-stage" = "BETA"
    }
    namespace = var.gcp_project
  }

  spec {
    route_name = google_cloud_run_service.media.name
  }
}

Expected Behavior

If the mapping resource exists, nothing should happen.

Actual Behavior

Even though resource exists, it gets deleted and re-created causing command to fail as this resources instructs Google API to destroy an SSL certificate and re-created with which new mapping entry

Steps to Reproduce

1. terraform apply

References

b/271914033

[edwardmedia]

I can repro it https://paste.googleplex.com/5619834659274752

[rileykarson]

Can both of you please share the version of the provider you're using? There have been several changes to this resource recently as a result of an annotation that was suddenly enforced, and it's hard to tell whether this has already been fixed or not.

Additionally:

@edwardmedia: Did part of your plan output get clipped? The plan indicates that the resource is getting recreated, but there's no (forces new resource) message or indication of why a new resource is getting created.

@sherifkozman: Can you post plan output as well? Which field is causing the resource to get recreated?

[edwardmedia]

@rileykarson my version is terraform-provider-google_v3.51.0_ Yes to the plan output

[rileykarson]

@edwardmedia can you post a full plan output if your original one was clipped?

[edwardmedia]

Here is the plan @rileykarson

[rileykarson]

@edwardmedia: Did your original terraform apply fail? Your plan indicates the resource is tainted, and Terraform is behaving correctly (tainted resources are resources that are created in a bad state or marked as tainted by the user, and should be destroyed on next apply). When I try a create, I get the following message related to domain ownership which taints the resource:

Error: Error waiting to create DomainMapping: resource is in failed state "Ready:False", message: Caller is not authorized to administer the domain 'media.host.com'. If you own 'media.host.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=media.host.com. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').

[edwardmedia]

@rileykarson here is another fresh run log

[aman-w-kumar]

[Dragotic]

This is still a thing...I imported the google_cloud_run_domain_mapping resources that were created manually and now terraform shows changes in the labels forcing a recreation of the resource.

If I add the following lifecycle then I get no changes but I'm getting 10s of annoying terraform warnings

   lifecycle {
     ignore_changes = [
       metadata[0].effective_labels,
       metadata[0].terraform_labels
     ]
   }

The warning:

│ Warning: Redundant ignore_changes element
│ 
│   on ../../modules/cloud-run/main.tf line 325, in resource "google_cloud_run_domain_mapping" "this":
│  325: resource "google_cloud_run_domain_mapping" "this" {
│ 
│ Adding an attribute name to ignore_changes tells Terraform to ignore future
│ changes to the argument in configuration after the object has been created,
│ retaining the value originally configured.
│ 
│ The attribute metadata[0].effective_labels is decided by the provider alone
│ and therefore there can be no configured value to compare with. Including
│ this attribute in ignore_changes has no effect. Remove the attribute from
│ ignore_changes to quiet this warning.

Which is obviously NOT redundant as you can see below.

If I don't add the lifecycle I'm getting the force replacement.

          ~ effective_labels      = { # forces replacement
              - "cloud.googleapis.com/location" = "us-central1" -> null
              + "environment"                   = "staging"
              + "goog-terraform-provisioned"    = "true"
              - "run.googleapis.com/overrideAt" = "2024-04-24T10:01:55.727Z" -> null
              + "terraform"                     = "true"

[rileykarson]

@zli82016 fyi

[zli82016]

@Dragotic , can you share the Terraform configuration for the resource google_cloud_run_domain_mapping and API response to get the resource? Thanks.

[Dragotic]

@zli82016 of course, here you go:

resource "google_cloud_run_domain_mapping" "this" {
  location = google_cloud_run_v2_service.this.location
  project  = google_cloud_run_v2_service.this.project
  name     = "example.com"

  metadata {
    namespace = local.project_id
  }
  spec {
    route_name = google_cloud_run_v2_service.this.name
  }

  lifecycle {
    ignore_changes = [
      metadata[0].effective_labels,
      metadata[0].terraform_labels
    ]
  }
}

And the response:

-/+ resource "google_cloud_run_domain_mapping" "this" {
      ~ id       = "redacted" -> (known after apply)
        name     = "example.com"
      ~ status   = [
          - {
              - conditions          = [
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "Ready"
                    },
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "CertificateProvisioned"
                    },
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "DomainRoutable"
                    },
                ]
              - mapped_route_name   = "service-name"
              - observed_generation = 1
              - resource_records    = [
                  - {
                      - name   = "sapi"
                      - rrdata = "ghs.googlehosted.com."
                      - type   = "CNAME"
                    },
                ]
            },
        ] -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ metadata {
          - annotations           = {} -> null
          ~ effective_annotations = {
              - "run.googleapis.com/operation-id"  = "redacted"
              - "serving.knative.dev/creator"      = "redacted"
              - "serving.knative.dev/lastModifier" = "redacted"
            } -> (known after apply)
          ~ effective_labels      = { # forces replacement
              - "cloud.googleapis.com/location" = "us-central1" -> null
              + "environment"                   = "staging"
              + "goog-terraform-provisioned"    = "true"
              - "run.googleapis.com/overrideAt" = "2024-04-24T10:01:55.727Z" -> null
              + "terraform"                     = "true"
            }
          ~ generation            = 1 -> 0
          - labels                = {} -> null
          ~ resource_version      = "redacted" -> (known after apply)
          ~ self_link             = "redacted" -> (known after apply)
          ~ terraform_labels      = { # forces replacement
              + "environment"                = "staging"
              + "goog-terraform-provisioned" = "true"
              + "terraform"                  = "true"
            }
          ~ uid                   = "<redacted>" -> (known after apply)
            # (1 unchanged attribute hidden)
        }

      ~ spec {
          - force_override   = false -> null
            # (2 unchanged attributes hidden)
        }
    }

[zli82016]

@Dragotic,
the new terraform_labels seems to be the provider default labels.

          ~ terraform_labels      = { # forces replacement
              + "environment"                = "staging"
              + "goog-terraform-provisioned" = "true"
              + "terraform"                  = "true"
            }

The values of terraform_labels are determined by its value in Terraform state, which is empty during terraform import. This is an known issue and not resolvable for now.

You can ignore the warning about ignore_changes.