Updating a google_compute_ssl_certificate fails if it is used by a google_compute_target_https_proxy #10546

Closed
wendorf opened this issue Dec 6, 2016 · 9 comments · Fixed by #10684

Comments

@wendorf
Contributor

wendorf commented Dec 6, 2016

Terraform Version

v0.7.13

Affected Resource(s)

  • google_compute_ssl_certificate
  • google_compute_target_https_proxy

Terraform Configuration Files

variable "env_name" {
  description = "A unique namespace for all resources"
}

resource "google_compute_http_health_check" "http_health_check" {
  name = "${var.env_name}-http-health-check"
}

resource "google_compute_backend_service" "backend_service" {
  name          = "${var.env_name}-backend-service"
  health_checks = ["${google_compute_http_health_check.http_health_check.self_link}"]
}

resource "google_compute_url_map" "url_map" {
  name            = "${var.env_name}-url-map"
  default_service = "${google_compute_backend_service.backend_service.self_link}"
}

resource "google_compute_ssl_certificate" "ssl_certificate" {
  name        = "${var.env_name}-ssl-certificate"
  private_key = "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----"
  certificate = "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"
}

resource "google_compute_target_https_proxy" "target_https_proxy" {
  name             = "${var.env_name}-target-https-proxy"
  url_map          = "${google_compute_url_map.url_map.self_link}"
  ssl_certificates = ["${google_compute_ssl_certificate.ssl_certificate.self_link}"]
}

Debug Output

https://gist.github.com/wendorf/c06658d04d8ce9011a559c1636fbad4e

Expected Behavior

Updating a google_compute_ssl_certificate that is attached to a google_compute_target_https_proxy should not fail.

Actual Behavior

Updating the private key and cert for a google_compute_ssl_certificate failed with "* google_compute_ssl_certificate.ssl_certificate: Error deleting ssl certificate: googleapi: Error 400: The ssl_certificate resource 'my-ssl-certificate' is already being used by 'my-target-https-proxy', resourceInUseByAnotherResource"

Steps to Reproduce

  1. terraform apply with an initial key/cert pair
  2. Update the template with a new key/cert pair
  3. terraform apply again

@cblecker
Contributor

cblecker commented Dec 6, 2016

It looks like it's doing a delete/recreate on the SSL certificate resource rather than updating it in place. It doesn't look like an update method has been created for this resource at all.

Relevant code:
https://github.com/hashicorp/terraform/blob/v0.7.13/builtin/providers/google/resource_compute_ssl_certificate.go

@paddycarver
Contributor

A workaround that could be worth trying is adding create_before_destroy = true on the ssl certificate.

@paddycarver
Contributor

For some more information on this, re: @cblecker's comment:

It looks like SSL certificates on GCE aren't able to be updated through the API; you can read, create, and delete, but not update. So the resource is (as far as I can tell) doing the right thing by not providing an update method; instead, a new resource needs to be created and the old one destroyed whenever there's a change.

Because the SSL certificate is attached to the HTTPS proxy, GCP stops it from being deleted. So the new SSL certificate needs to be created, the HTTPS proxy needs to be updated to use the new certificate, and the old SSL certificate is then not being used, so it can be deleted.

To do this in Terraform, we use create_before_destroy to enable this behaviour, which specifies that the new SSL certificate should be created before the old one is destroyed.

Hopefully that makes sense! Feel free to reach out if there's any confusion.

@cblecker
Contributor

Hi @paddyforan --
Wouldn't we need a field like "name_prefix" for that? Or manually changing the name each time it's updated?

You're right though, there is no update method for this resource at all, so create_before_destroy is probably the way to go.

@paddycarver
Contributor

According to my testing, name does need to be unique, so name_prefix is necessary to make this work properly. I'll put it on my todo list, it shouldn't take long to do. Don't know whether it will make it into 0.8 or not, though, I'm already trying to finish some stuff up in time. :)

@cblecker
Contributor

@paddyforan --
Heh.. I was already thinking it wouldn't take much because the code is mostly already there. I whipped up something quick (haven't written docs yet).

@paddycarver
Contributor

You're awesome! 👍 Commented on it; docs and a simple test case are pretty much all that stands in the way of this getting merged. Feel free to tag off with me if you don't think you'll have time to hit that stuff today. :)

@paddycarver
Contributor

Name prefixes will now be part of 0.8, which means the best recommendation I have is to:

  1. Use a name_prefix on the SSL certificate
  2. Use create_before_destroy to make sure the updated cert is created and used before the old one is destroyed

That should resolve the issue. If not, please feel free to comment back here and we'll reopen the issue, or just open a new issue. Thanks for reporting!
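
The two recommended settings applied to the configuration from the original report, as an added example that is not code from the issue thread or from the Terraform project. The certificate and key file paths are assumed placeholders; everything else is taken from the report.

```hcl
# Added example: the reporter's configuration with the workaround applied.
# Only the ssl_certificate resource changes; file paths are assumed placeholders.
variable "env_name" {
  description = "A unique namespace for all resources"
}

resource "google_compute_http_health_check" "http_health_check" {
  name = "${var.env_name}-http-health-check"
}

resource "google_compute_backend_service" "backend_service" {
  name          = "${var.env_name}-backend-service"
  health_checks = ["${google_compute_http_health_check.http_health_check.self_link}"]
}

resource "google_compute_url_map" "url_map" {
  name            = "${var.env_name}-url-map"
  default_service = "${google_compute_backend_service.backend_service.self_link}"
}

resource "google_compute_ssl_certificate" "ssl_certificate" {
  # Was: name = "${var.env_name}-ssl-certificate"
  # With a fixed name the replacement would collide with the certificate that
  # is still attached; name_prefix makes Terraform generate a unique name.
  name_prefix = "${var.env_name}-ssl-certificate-"
  private_key = "${file("certs/private.key")}"     # assumed path
  certificate = "${file("certs/certificate.crt")}" # assumed path

  lifecycle {
    # Order on a key/cert change: create the new certificate, update the
    # proxy to reference it, then delete the old, now unused, certificate.
    create_before_destroy = true
  }
}

resource "google_compute_target_https_proxy" "target_https_proxy" {
  name             = "${var.env_name}-target-https-proxy"
  url_map          = "${google_compute_url_map.url_map.self_link}"
  # self_link changes when the certificate is replaced, which triggers the
  # in-place proxy update between the create and the destroy.
  ssl_certificates = ["${google_compute_ssl_certificate.ssl_certificate.self_link}"]
}
```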

wendorf added a commit to wendorf/terraforming-gcp that referenced this issue Jan 28, 2017
As reported in hashicorp/terraform#10546, google_compute_ssl_certificates that are attached to google_compute_target_https_proxies cannot be updated. This implements the suggested workaround of creating a new certificate before deleting the existing one, and using `name_prefix` instead of `name` so there's no name uniqueness constraints hit.
madamkiwi pushed a commit to vmware-archive/terraforming-gcp that referenced this issue Feb 1, 2017
As reported in hashicorp/terraform#10546, google_compute_ssl_certificates that are attached to google_compute_target_https_proxies cannot be updated. This implements the suggested workaround of creating a new certificate before deleting the existing one, and using `name_prefix` instead of `name` so there's no name uniqueness constraints hit.