Updating access_config to null doesn't remove assigned public IP

[harshthakkar01]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

Terraform v1.8.2
on linux_amd64

• provider registry.terraform.io/hashicorp/google v5.26.0

Affected Resource(s)

google_compute_instance_from_template

Terraform Configuration

resource "google_compute_instance_template" "tpl" {
  name         = "template"
  machine_type = "e2-medium"
  project = var.project

  disk {
    source_image = "debian-cloud/debian-11"
    auto_delete  = true
    disk_size_gb = 100
    boot         = true
  }

  network_interface {
    network = "default"
  }
}

variable "access_config" {
  type = list(object({
    nat_ip       = string
    network_tier = string
  }))

  default = []
  # default = [
  #   # { nat_ip = "34.42.58.236", network_tier = "public" },
  #   # ... more items
  # ]
}

resource "google_compute_instance_from_template" "tpl" {
  name = "instance-from-template"
  zone = var.zone
  project = var.project
  network_interface {
  dynamic "access_config" {
    for_each = var.access_config
    content {
      nat_ip       = access_config.value.nat_ip
      network_tier = access_config.value.network_tier
    }
  }
}
  source_instance_template = google_compute_instance_template.tpl.self_link_unique
}

Debug Output

At first, when the resource has non-empty access_config and I try to deploy with null or empty access_config it cannot find any difference in the configuration and doesn't remove the nat_ip assigned to it.

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Expected Behavior

1. When we deploy a resource with null access_config, the compute instance shouldn't have public IP enabled.
2. When we deploy with non-empty access_config on the existing resource, it should have nat_ip assigned.
3. When we deploy with null access_config on this existing resource, it should identify the difference in configuration and public IP assigned to the resource should be removed.

Actual Behavior

3. It doesn't identify difference in configuration when I deploy null access_config on existing resource with non-empty access_config. Therefore, it doesn't update the public IP assigned to this resource.

Steps to reproduce

1. terraform apply with access_config's default value = [].
2. terraform apply with access_config's non-empty value.
3. terraform apply with access_config's default value = [].

Important Factoids

No response

References

No response

[ggtisc]

Hi @harshthakkar01!

After replicating this scenario a couple of times no bug was detected. If you only need to stop using the nat_ip you just need to adapt your terraform configuration by removing the 'nat_ip' argument from your variable and from the access_config block of code like this:

network_interface {
  dynamic "access_config" {
    for_each = var.access_config
    content {
#      nat_ip       = access_config.value.nat_ip
      network_tier = access_config.value.network_tier
    }
  }