google_sql_database_instance Unremovable deprecation warning for require_ssl

[acharrett]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.8.4
on

• provider registry.terraform.io/hashicorp/google v5.33.0 & v5.34.0
• provider registry.terraform.io/hashicorp/google-beta v5.33.0 & v5.34.0

Affected Resource(s)

google_sql_database_instance

Terraform Configuration

resource "google_sql_database_instance" "testdb" {
  provider         = google
  project          = "xyz-123"
  region           = "us-east1"
  name             = "testdb"
  database_version = "POSTGRES_15"

  settings {
    tier = "db-n1-standard-1"
    ip_configuration {
      ipv4_enabled = true
      ssl_mode     = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
      require_ssl  = true
    }
  }
}

Debug Output

No response

Expected Behavior

Provider 5.33.0 introduced a deprecation warning for the use of require_ssl and to set ssl_mode and require_ssl together until require_ssl is removed in a future release.

If you follow those instructions, and set both ssl_mode and require_ssl (as in the code example) you still get the warning. If you try and remove require_ssl then the code fails, which is something that #17443 discusses.

As a result this generates a warning that I am unable to resolve by making changes to my terraform code.

Following the documented practice should remove the warning.

Actual Behavior

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: Argument is deprecated
│ 
│   with google_sql_database_instance.testdb,
│   on db.tf line 24, in resource "google_sql_database_instance" "testdb":
│   24:       require_ssl  = true
│ 
│ `require_ssl` will be fully deprecated in a future major release. For now, please use `ssl_mode` with a compatible `require_ssl` value instead.
│ 
│ (and one more similar warning elsewhere)
╵

Steps to reproduce

1. terraform apply

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#ssl_mode
#17443

b/348529672

[ggtisc]

Confirmed issue!

According to terraform registry require_ssl is optional, but after creating the resource, and then when we attempt to remove the field it results on an error 400:

Error, failed to update instance settings for : googleapi: Error 400: Invalid request: For a Postgres instance, sslMode value TRUSTED_CLIENT_CERTIFICATE_REQUIRED and requireSsl value false are conflicting. When sslMode=TRUSTED_CLIENT_CERTIFICATE_REQUIRED, requireSsl must be true. When requireSsl=false, sslMode must be ALLOW_UNENCRYPTED_AND_ENCRYPTED or ENCRYPTED_ONLY. It's recommended that you only set sslMode.

[SehiiRohoza]

I have the same issue with CloudSQL MySQL while using Terraform 1.8.2 while using sslMode only:

Error: Error, failed to update instance settings for : googleapi: Error 400: Invalid request: For a MySQL instance, sslMode value TRUSTED_CLIENT_CERTIFICATE_REQUIRED and requireSsl value false are conflicting. When sslMode=TRUSTED_CLIENT_CERTIFICATE_REQUIRED, requireSsl must be true. When requireSsl=false, sslMode must be ALLOW_UNENCRYPTED_AND_ENCRYPTED or ENCRYPTED_ONLY. It's recommended that you only set sslMode., invalid

and while using sslMode with require_ssl I got a warning:

require_ssl will be fully deprecated in a future major release. For now, please use ssl_mode with a compatible require_ssl value instead.