failed to apply google_dns_managed_zone

[fawaf]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.21.0

Affected Resource(s)

google_dns_managed_zone

Terraform Configuration

#tfsec:ignore:google-dns-enable-dnssec
resource "google_dns_managed_zone" "dns_managed_zone" {
  project     = "blah"
  name        = "foo-com
  dns_name    = "foo.com."
  description = "Managed by Terraform"
  labels      = {}

  visibility = "public"

  dynamic "private_visibility_config" {
    for_each = "public" == "public" ? toset([]) : toset([1])

    content {
      networks {
        network_url = data.google_compute_network.main_vpc.self_link
      }
    }
  }
}

Debug Output

https://gist.github.com/fawaf/38d1633ef38e8a37867a24cedd054190

Expected Behavior

tf should have applied successfully if the zone already exists previously

Actual Behavior

error produced:

Error: Error updating ManagedZone "projects/blah/managedZones/foo" googleapi: Error 400: The 'entity.managedZone.dnssecConfig' parameter is required but was missing., required

Steps to reproduce

1. zone already exists in gcp project
2. terraform apply

Important Factoids

No response

References

No response

b/332515087

[ggtisc]

Hi @fawaf could you be more specific on what are you trying to update or it can be any property like the description? For example:

Initial value:
description = "Managed by Terraform"

Updated value:
description = "Managed by Terraform 2.0"

[fawaf]

ahh for sure. I'm not updating anything. it works on initial creation and then immediately fails the second time the apply is run. the plan shows tf tries to remove the dnssec config.

orm used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_dns_managed_zone.dns_managed_zone will be updated in-place
  ~ resource "google_dns_managed_zone" "dns_managed_zone" {
        id               = "projects/blah/managedZones/blah"
        name             = "blah"
        # (11 unchanged attributes hidden)

      - dnssec_config {
          - kind          = "dns#managedZoneDnsSecConfig" -> null
          - non_existence = "nsec3" -> null
          - state         = "off" -> null

          - default_key_specs {
              - algorithm  = "rsasha256" -> null
              - key_length = 2048 -> null
              - key_type   = "keySigning" -> null
              - kind       = "dns#dnsKeySpec" -> null
            }
          - default_key_specs {
              - algorithm  = "rsasha256" -> null
              - key_length = 1024 -> null
              - key_type   = "zoneSigning" -> null
              - kind       = "dns#dnsKeySpec" -> null
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to per

[roaks3]

I was not able to reproduce the issue following your steps. I noticed that the GET /dns/v1/projects/... API call for me did not return a dnssecConfig field (as expected), but your API call did return a dnssecConfig field, and is responsible for the diff you're seeing.

Is there any chance this managed zone was modified outside of Terraform (like through the console or gcloud)?

[fawaf]

i tested it on both types of zones that you mentioned. modifying outside of tf causes the error, and directly creating with tf and not touching it afterwards also produces the same error. i'll double check again if there's something funky going on.

[roaks3]

I looked into this a bit more (reading our docs and some internal source), and it looks to me like there are ways for DNSSEC to be configured elsewhere that could be applied to a newly created zone, even when a dnssec_config is not explicitly specified. However, I'm not an expert on these features, so I'm going to forward to the service team to have a look.

If this is a default that is applied to the zone on the backend, I believe we would need to add a default_from_api: true line to this field to avoid this diff.