Failed to update target_https_proxy from ssl_certificates to certificate_map #12513

wata727 commented Sep 9, 2022

Terraform Version

% terraform -v
Terraform v1.2.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.34.0
+ provider registry.terraform.io/hashicorp/google-beta v4.34.0

Affected Resource(s)

  • google_compute_target_https_proxy

Terraform Configuration Files

This failure is happening with the change updating the ssl_certificates to the certificate_map, as below:

resource "google_compute_target_https_proxy" "https_proxy" {
  name             = "${var.name}-https-proxy"
  description      = var.https_proxy_description
  url_map          = google_compute_url_map.https_url_map[0].self_link
+ certificate_map  = var.certificate_map
- ssl_certificates = var.ssl_certificates
  ssl_policy       = var.ssl_policy == "" ? module.ssl_policy[0].id : var.ssl_policy
  quic_override    = "NONE"
}
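
Review bot: the `- ssl_certificates` and `+ certificate_map` lines swap the proxy's certificate binding inside a single resource update, so whether the proxy keeps a binding throughout depends on the order in which the two fields are sent to the API. Where the tooling allows it, stage the change: attach the certificate map first, confirm it is in place, and remove `ssl_certificates` in a follow-up change.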

terraform plan output:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.cloud_lb_url_map.module.https_url_map.google_compute_target_https_proxy.https_proxy[0] will be updated in-place
  ~ resource "google_compute_target_https_proxy" "https_proxy" {
      + certificate_map    = "https://certificatemanager.googleapis.com/v1/projects/<PROJECT_NAME>/locations/global/certificateMaps/<MAP_NAME>"
        id                 = "projects/<PROJECT_NAME>/global/targetHttpsProxies/<PROXY_NAME>"
        name               = "<PROXY_NAME>"
      ~ ssl_certificates   = [
          - "https://www.googleapis.com/compute/v1/projects/<PROJECT_NAME>/global/sslCertificates/<CERTIFICATE_NAME>",
        ]
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

The target proxy should be updated without errors, and the certificate map is available.

Actual Behavior

terraform apply fails with the following error:

module.cloud_lb_url_map.module.https_url_map.google_compute_target_https_proxy.https_proxy[0]: Modifying... [id=projects/<PROJECT_NAME>/global/targetHttpsProxies/<PROXY_NAME>]
╷
│ Error: Error updating TargetHttpsProxy "projects/<PROJECT_NAME>/global/targetHttpsProxies/<PROXY_NAME>": googleapi: Error 412: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet
│ 
│   with module.cloud_lb_url_map.module.https_url_map.google_compute_target_https_proxy.https_proxy[0],
│   on ../../modules/cloud-load-balancing/url-map/main.tf line 90, in resource "google_compute_target_https_proxy" "https_proxy":
│   90: resource "google_compute_target_https_proxy" "https_proxy" {
│ 

Steps to Reproduce

  1. Create google_compute_target_https_proxy with ssl_certificates.
  2. Add certificate_map and remove ssl_certificates at the same time.
  3. terraform apply

Research

This seems to be an API call order issue. The provider checks for changes in ssl_certificates and calls the API before it does so for certificate_map.
https://github.com/hashicorp/terraform-provider-google/blob/v4.35.0/google/resource_compute_target_https_proxy.go#L366-L433

The error occurs because the Google API does not allow either the SSL certificate or the certificate map to be unbound.

Possible approaches are:

  • Check for changes in ssl_certificates and certificate_map and add one before deleting one.
    • As far as I can see, the Google API does not return an error even if both are set at the same time.
  • Allow setting both ssl_certificates and certificate_map in google_compute_target_https_proxy resource.

@wata727 wata727 added the bug label Sep 9, 2022
@edwardmedia edwardmedia self-assigned this Sep 9, 2022
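
The call-order problem described under "Research" above, as an added example that is not the provider's code: a small Go model that replays a sequence of update calls and reports the first one that leaves the proxy with neither binding, then applies the "add one before deleting one" ordering. The `call` type, the function names and the sample values are hypothetical and constructed for illustration; list values are modelled as a single string.

```go
package main

import (
	"fmt"
	"sort"
)

// fields lists the two bindings in the order the issue says the provider updates them.
var fields = []string{"ssl_certificates", "certificate_map"}

// call is one hypothetical update request; an empty Value unbinds the field.
type call struct{ Field, Value string }

func bound(s map[string]string) bool { return s[fields[0]] != "" || s[fields[1]] != "" }

// changed returns one call per field that differs, in the provider's order.
func changed(old, want map[string]string) []call {
	var calls []call
	for _, f := range fields {
		if old[f] != want[f] {
			calls = append(calls, call{f, want[f]})
		}
	}
	return calls
}

// bindFirst reorders calls so every binding call precedes every unbinding call.
func bindFirst(calls []call) []call {
	out := append([]call(nil), calls...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Value != "" && out[j].Value == "" })
	return out
}

// firstUnbound replays calls on a copy of start and returns the index of the first
// call that leaves the proxy with neither binding, or -1 if none does.
func firstUnbound(start map[string]string, calls []call) int {
	cur := map[string]string{fields[0]: start[fields[0]], fields[1]: start[fields[1]]}
	for i, c := range calls {
		if cur[c.Field] = c.Value; !bound(cur) {
			return i
		}
	}
	return -1
}

func main() {
	old := map[string]string{"ssl_certificates": "cert-a"} // constructed sample values
	naive := changed(old, map[string]string{"certificate_map": "map-a"})
	fmt.Println(firstUnbound(old, naive), firstUnbound(old, bindFirst(naive)))
}
```

A target state with neither field set is still flagged by `firstUnbound`, since no ordering can make that update valid.
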
@tbjorkna

I have exactly the same issue, but as a temporary workaround until this is fixed, I used gcloud to attach the certificate map to the target proxy and used the lifecycle meta-argument to ignore changes affecting certificate_map:

lifecycle { ignore_changes = [certificate_map] } to resource "google_compute_target_https_proxy" "default"

This way I can continue to use Terraform without it wanting to destroy changes made with gcloud.

@edwardmedia
Contributor

@c2thorn could you take a look at this?

@edwardmedia edwardmedia assigned c2thorn and unassigned edwardmedia Sep 25, 2022
@Stanwise

The proposed approach of letting both ssl_certificates and certificate_map be set in the google_compute_target_https_proxy resource is the correct one.

Specifying both for the duration of the migration is the only safe approach. See: https://cloud.google.com/certificate-manager/docs/migrate#apply_the_new_certificate_map_to_the_target_load_balancer

@github-actions

github-actions bot commented Dec 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 5, 2022