After importing google_compute_ssl_certificate resource is marked to be replaced

[aswinkm-tc]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.2

Affected Resource(s)

• google_compute_ssl_certificate

Terraform Configuration Files

resource "google_compute_ssl_certificate" "global_cert" {
  name_prefix = "mycert"
  private_key = file("private_key.key")
  certificate = file("cert.pem")

  lifecycle {
    create_before_destroy = true
  }
}

Debug Output

Panic Output

Expected Behavior

tf import 'google_compute_ssl_certificate.global_cert' 'projects/myproject/global/sslCertificates/mycert-04ebddd630a87c' would import the certificate and no change will appear on terraform plan

Actual Behavior

Imports the certificate successfully
name_prefix and private_key are missing and marked to be added asking for the certificate to be replaced
I checked the state file and it was mentioned as null
So I tried manually adding those fields in the state file, it caused the addition of those fields in the plan but still asks to be replaced with all the fields except for the manually modified ones( private_key & name_prefix ) to be changed

Steps to Reproduce

1. terraform import google_compute_ssl_certificate
2. terraform plan

Important Factoids

References

• #0000

[venkykuberan]

API does not return private_key during import call as its a client asset, therefore we set it to null in the state. Also name_prefix is a computed field which gets created only in the resource Create call. This is one of the resources not suited well for import due to its sensitive values (private_key).
Any change (addition/ modification) in private_key will make the resource to be recreated.

@c2thorn your thoughts?

[aswinkm-tc]

Thanks for the prompt reply. If this is the case then wouldn't it be better to disable importing such a resource? Would be a bummer though.

[c2thorn]

There isn't a good way to handle this well in the provider. There is no way to verify that private_key in the config is the same value as in the backend except during resource creation. We also cannot set the value in state at the time of import (we don't have access to the config value).

If you want to import this resource, I suggest adding ignore_changes to the resource config and ignore the problematic fields until you are actually needing to modify them. Since this is still an option, I don't think disabling the import entirely is necessary.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!