Resource google_compute_target_https_proxy fails to update certificates with certificate_manager_certificates attribute #17641


K3nks commented Mar 20, 2024

Terraform Version

1.5.1

Affected Resource(s)

google_compute_target_https_proxy

Terraform Configuration

  internal_loadbalancer_config = {
    ssl_certs            = ["certname1", "certname2", "certname3"] 
  }


locals {
  ssl_cert_list = [for cert in var.internal_loadbalancer_config.ssl_certs : "//certificatemanager.googleapis.com/projects/${var.project_id}/locations/global/certificates/${cert}"]
}


resource "google_compute_target_https_proxy" "ilb-target-proxy" {
  name                             = "${var.env}-ilb-target-https-proxy"
  project                          = var.project_id
  url_map                          = google_compute_url_map.ilb-url-map.id
  certificate_manager_certificates = local.ssl_cert_list


}

Debug Output

No response

Expected Behavior

The target proxy certificates are updated from certificate_manager_certificates

Actual Behavior

The update of certificates on google_compute_target_https_proxy from certificate_manager_certificates fails

module.test.google_compute_target_https_proxy.ilb-target-proxy: Modifying... [id=projects/gcp-project-id/global/targetHttpsProxies/test-lb-target-https-proxy]
╷
│ Error: Error updating TargetHttpsProxy "projects/gcp-project-id/global/targetHttpsProxies/test-lb-target-https-proxy": googleapi: Error 412: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet
│ 
│   with module.test.google_compute_target_https_proxy.ilb-target-proxy,
│   on ../modules/test/load-balancer.tf line 80, in resource "google_compute_target_https_proxy" "ilb-target-proxy":
│   80: resource "google_compute_target_https_proxy" "ilb-target-proxy" {

Steps to reproduce

  1. terraform apply

Important Factoids

Using google provider version 5.21.0

References

The above terraform configuration is based on the documented example in the provider documentation:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

b/331207883

@K3nks K3nks added the bug label Mar 20, 2024
ggtisc (Collaborator) commented Mar 21, 2024

Hi @K3nks as the error says: **Certificate Map** or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet you need to specify a Map, but you are assigning a list... So you need to change it for a map. You can follow the next guide to achieve this and learn more about terraform data types: https://developer.hashicorp.com/terraform/language/expressions/types#map

@ggtisc ggtisc self-assigned this Mar 21, 2024
K3nks (Author) commented Mar 21, 2024

> Hi @K3nks as the error says: **Certificate Map** or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet you need to specify a Map, but you are assigning a list... So you need to change it for a map. You can follow the next guide to achieve this and learn more about terraform data types: https://developer.hashicorp.com/terraform/language/expressions/types#map

The documentation specifies a List:

resource "google_compute_target_https_proxy" "default" {
  name                             = "target-http-proxy"
  url_map                          = google_compute_url_map.default.id
  certificate_manager_certificates =  ["//certificatemanager.googleapis.com/${google_certificate_manager_certificate.default.id}"] # [google_certificate_manager_certificate.default.id] is also acceptable
}

From the error, it seems it's expecting a google_certificate_manager_certificate_map or ssl_certificates.

ggtisc (Collaborator) commented Mar 22, 2024

@K3nks could you please provide a link to verify this information?

ggtisc (Collaborator) commented Mar 25, 2024

After checking the documentation link, it specifies a format for certificate_manager_certificates, but never specifies whether it requires a map or a list when the need is to add more than just 1 certificate, according to the error: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet. So this could probably be a documentation issue.

@ggtisc ggtisc added documentation and removed bug forward/review In review; remove label to forward labels Mar 25, 2024
melinath (Collaborator) commented

Note from triage: This is a bug, not a documentation issue. "Certificate Map" does not indicate that the value should be a map; rather, certificateMap is another field on this resource (referencing a CertificateMap API field.) certificate_manager_certificates is actually sent to the API in the sslCertificates field, so this configuration should result in the correct API resource being created (or updated.) Something is going wrong here and will need to be investigated further. attn @ggtisc

Hamzawy63 commented

This is a bug and will be fixed by GoogleCloudPlatform/magic-modules#10261

> certificate_manager_certificates is actually sent to the API in the sslCertificates field, so this configuration should result in the correct API resource being created (or updated.)

Yes, and this conversion is done using a custom_encoder that should be triggered to modify both the creation request and the update request. However, for TargetHttpsProxy and RegionTargetHttpsProxy resources, the encoder is not executed during the update phase. This is probably because those resources are an uncommon case where the entire resource is marked as immutable, but it has a field-specific update that overrides that.

yaqs/2098594962982567936
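
An added illustration of the failure mode described in the comment above (not code from the provider or from magic-modules): a simplified Go model in which the encoder that renames `certificateManagerCertificates` to `sslCertificates` is skipped on the update path, so the request reaches the API without `sslCertificates` and is rejected. The function names, the `runEncoder` switch, the stand-in API check and the sample certificate path are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// encode models the custom encoder: the Terraform-side field
// certificateManagerCertificates is renamed to the API field sslCertificates.
func encode(obj map[string]any) map[string]any {
	if v, ok := obj["certificateManagerCertificates"]; ok {
		obj["sslCertificates"] = v
		delete(obj, "certificateManagerCertificates")
	}
	return obj
}

// updateBody builds the field-specific update request. runEncoder=false models
// the reported bug (encoder skipped on update); true models the intended path.
func updateBody(certs []string, runEncoder bool) map[string]any {
	obj := map[string]any{"certificateManagerCertificates": certs}
	if runEncoder {
		obj = encode(obj)
	}
	return obj
}

// apiSetSslCertificates is a hypothetical stand-in for the server-side check
// behind the 412 in the issue; it inspects sslCertificates only and leaves
// certificateMap out of the model.
func apiSetSslCertificates(body map[string]any) error {
	if certs, ok := body["sslCertificates"].([]string); !ok || len(certs) == 0 {
		return errors.New("Error 412: Certificate Map or at least 1 SSL certificate must be specified for setting SSL certificates in TargetHttpsProxy., conditionNotMet")
	}
	return nil
}

func main() {
	// Constructed sample value; project and certificate names are placeholders.
	certs := []string{"//certificatemanager.googleapis.com/projects/example-project/locations/global/certificates/certname1"}
	fmt.Println("encoder skipped:", apiSetSslCertificates(updateBody(certs, false)))
	fmt.Println("encoder run:    ", apiSetSslCertificates(updateBody(certs, true)))
}
```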

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 30, 2024