Terraform tries recreating the SSL cert everytime due to domain name mismatch #6658
Comments
@universalvishwa I ran the code below and can't repro your issue. It does not show a difference after the initial apply. Your error complains related to

```hcl
# Google managed SSL certificate for HTTPS load balancing
resource "google_compute_managed_ssl_certificate" "default" {
  provider = google-beta
  name     = "example-httplb"
  managed {
    domains = [google_dns_record_set.ipv4.name]
  }
  depends_on = [google_dns_record_set.ipv4]
}

# Output
output "dns_names" {
  value = google_dns_record_set.ipv4.name
}

output "ssl_cert" {
  value = {
    certificate_id     = google_compute_managed_ssl_certificate.default.certificate_id,
    creation_timestamp = google_compute_managed_ssl_certificate.default.creation_timestamp,
    expire_time        = google_compute_managed_ssl_certificate.default.expire_time
  }
}

resource "google_dns_record_set" "ipv4" {
  name         = "frontend.${google_dns_managed_zone.prod.dns_name}"
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.prod.name
  rrdatas      = ["10.20.30.40"]
}

resource "google_dns_managed_zone" "prod" {
  name     = "prod-zone"
  dns_name = "myvaliddomain.net."
}
```
@edwardmedia, here is the actual code that I am sure will reproduce the problem.

```hcl
provider "google" {
  project = "example-464"
}

terraform {
  required_version = ">= 0.12.26"
}

terraform {
  backend "gcs" {
    bucket = "my-remote-state"
    prefix = "ssltest/clouddns"
  }
}

resource "google_dns_record_set" "ipv4" {
  name         = "frontend.${google_dns_managed_zone.prod.dns_name}"
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.prod.name
  rrdatas      = ["10.20.30.40"]
  project      = "example-464"
}

resource "google_dns_record_set" "ipv6" {
  name         = "frontend6.${google_dns_managed_zone.prod.dns_name}"
  type         = "AAAA"
  ttl          = 300
  managed_zone = google_dns_managed_zone.prod.name
  rrdatas      = ["2600:1901:0:1717::"]
  project      = "example-464"
}

resource "google_dns_managed_zone" "prod" {
  name     = "prod-zone"
  dns_name = "myvaliddomain.net."
  project  = "example-464"
}

resource "google_compute_url_map" "default" {
  name            = "url-map"
  description     = "a description"
  project         = "example-464"
  default_service = google_compute_backend_service.default.id
}

resource "google_compute_backend_service" "default" {
  name          = "backend-service"
  port_name     = "http"
  protocol      = "HTTP"
  timeout_sec   = 10
  project       = "example-464"
  health_checks = [google_compute_http_health_check.default.id]
}

resource "google_compute_http_health_check" "default" {
  name               = "http-health-check"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
  project            = "example-464"
}

resource "google_compute_target_https_proxy" "default" {
  name             = "test-proxy"
  url_map          = google_compute_url_map.default.id
  ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
  project          = "example-464"
}

# Google managed SSL certificate for HTTPS load balancing
resource "google_compute_managed_ssl_certificate" "default" {
  provider = google-beta
  name     = "example-httplb"
  managed {
    domains = [google_dns_record_set.ipv4.name, google_dns_record_set.ipv6.name]
  }
  project    = "example-464"
  depends_on = [google_dns_record_set.ipv4, google_dns_record_set.ipv6]
}

# Output
output "dns_names" {
  value = google_dns_record_set.ipv4.name
}

output "ssl_cert" {
  value = {
    certificate_id     = google_compute_managed_ssl_certificate.default.certificate_id,
    creation_timestamp = google_compute_managed_ssl_certificate.default.creation_timestamp,
    expire_time        = google_compute_managed_ssl_certificate.default.expire_time
  }
}
```
I do see now the plan shows the differences. Thank you, @universalvishwa
@edwardmedia @c2thorn, is there any chance that you can confirm whether this is a clear bug or not? I'm somewhat blocked on a project I'm working on without clarity. To me it seemed like a bug that can be fixed. I would be grateful if you can confirm. Thanks.
Hi @universalvishwa
@universalvishwa I'm not sure if this would be a viable workaround for you, but you may be able to quickly get around this error by splitting up your IPv4 and IPv6 domains into separate certs in the config.
Has this fix been released yet?
@universalvishwa yes, this should be part of v3.29 of google-beta
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
Terraform Version
Terraform v0.12.26
provider.google v3.9.0
provider.google-beta v3.9.0
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Actual Behavior
Steps to Reproduce
terraform plan
When running plan after an existing apply, it always results in an update like this.
terraform apply
Fails with the following error.
Important Factoids
Things I noticed:
- `google_compute_managed_ssl_certificate` stores DNS names without a `.` (root) at the end as part of the SSL cert domains.
- `.` at the end. Even at that time, the final DNS names shown in the cert had no `.`.
- and domain names from the SSL cert without the `.` -> always sees them as two different things (even though they are the same), and wants to go and recreate the SSL cert every time. Then triggers other dependencies etc.
References
It may be the same as #10546. I'm opening this because I'm not allowed to comment or vote up the issue.
Do note that this is now #5356. But it is related. The workaround suggested by @chrisst is not an acceptable solution for our scenarios because it always recreates the SSL cert (which we don't want).
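The mismatch described under Important Factoids is a trailing-dot problem: `google_dns_record_set.name` is a fully qualified name ending in `.`, while the certificate API stores each domain without it, so on a provider version with this bug the configured value and the refreshed value never compare equal and the `managed` block (which cannot be updated in place) is planned for replacement on every run. As an added example that is not part of the issue or of the provider's own code, the certificate block from the reporter's configuration can be written so the names are normalised with Terraform's built-in `trimsuffix` before they reach the API. Resource names, the `example-464` project and the `frontend`/`frontend6` records are the ones used in the thread; the DNS zone, record sets and the rest of that configuration are assumed to be present unchanged.

```hcl
# Added example, not from the issue or the provider: the certificate block
# from the reporter's configuration with the domain names normalised before
# they are sent to the API. The DNS resources, the zone and the project
# "example-464" are assumed to exist exactly as in the thread.

locals {
  # google_dns_record_set.name is an FQDN with a trailing dot
  # ("frontend.myvaliddomain.net."); the managed certificate stores
  # "frontend.myvaliddomain.net". Strip the dot in one place so the
  # configured value is byte-for-byte what the API hands back on refresh.
  cert_domains = [
    for fqdn in [google_dns_record_set.ipv4.name, google_dns_record_set.ipv6.name] :
    trimsuffix(fqdn, ".")
  ]
}

# Google managed SSL certificate for HTTPS load balancing
resource "google_compute_managed_ssl_certificate" "default" {
  provider = google-beta
  name     = "example-httplb"
  project  = "example-464"

  managed {
    domains = local.cert_domains
  }

  # The reference through local.cert_domains already orders this resource
  # after the record sets; depends_on is kept only to make the intent explicit.
  depends_on = [google_dns_record_set.ipv4, google_dns_record_set.ipv6]
}

# Exposes both forms side by side so any remaining mismatch is visible in
# `terraform output` without reading the plan.
output "cert_domains" {
  value = {
    dns_record_names = [google_dns_record_set.ipv4.name, google_dns_record_set.ipv6.name]
    cert_domains     = google_compute_managed_ssl_certificate.default.managed[0].domains
  }
}
```

Because every argument of `google_compute_managed_ssl_certificate` forces replacement, switching an already-applied configuration to the trimmed form shows one final replacement in the plan; after that apply the stored and configured domain lists are identical and, provided nothing else differs, subsequent plans are empty. The same normalisation applies unchanged if the IPv4 and IPv6 names are split into two certificates as suggested in the thread, and it is harmless on the provider version named above as carrying the fix, since trimming a name that has no trailing dot is a no-op.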