
google_compute_region_ssl_certificate forces replacement on unchanged certificate/private key #19668

Open
ivankorn opened this issue Sep 27, 2024 · 1 comment

Comments

@ivankorn

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.3
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v6.4.0
  • provider registry.terraform.io/hashicorp/google-beta v6.4.0

Affected Resource(s)

  • google_compute_region_ssl_certificate
  • google_secret_manager_secret_version

Terraform Configuration

data "google_secret_manager_secret_version" "private_key" {
  secret  = "private_key_wildcard_w_san_domain_name"
  project = local.gcp_project_id

  depends_on = [module.project-cfg]
}

data "google_secret_manager_secret_version" "cert_pem" {
  secret  = "wildcard_w_san_cert_pem_domain_name"
  project = local.gcp_project_id

  depends_on = [module.project-cfg]
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = "${local.dns_zone_name}-"

  keepers = {
    private_key = base64sha256(data.google_secret_manager_secret_version.private_key.secret_data)
    certificate = base64sha256(data.google_secret_manager_secret_version.cert_pem.secret_data)
  }
}

resource "google_compute_region_ssl_certificate" "self" {
  name        = random_id.certificate.hex
  description = "Wildcard multi-san for ${title(local.dns_zone_name)}"
  project     = local.gcp_project_id
  region      = var.region
  private_key = data.google_secret_manager_secret_version.private_key.secret_data
  certificate = data.google_secret_manager_secret_version.cert_pem.secret_data

  depends_on = [module.project-cfg]

  lifecycle {
    create_before_destroy = true
  }
}

Debug Output

2024-09-27T22:22:24.594+0300 [DEBUG] ReferenceTransformer: "google_compute_region_ssl_certificate.self" references: []
2024-09-27T22:22:24.594+0300 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-09-27T22:22:24.595+0300 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/random/3.6.3/linux_amd64/terraform-provider-random_v3.6.3_x5 id=1243049
2024-09-27T22:22:24.597+0300 [DEBUG] provider: plugin exited
google_compute_region_ssl_certificate.self: Refreshing state... [id=projects/<project_name>/regions/<region_name>/sslCertificates/<cert_name>-5b2d8587]
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Waiting for state to become: [success]
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Retry Transport: starting RoundTrip retry loop
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Retry Transport: request attempt 0
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Google API Request Details:
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: ---[ REQUEST ]---------------------------------------
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: GET /compute/v1/projects/<project_name>/regions/<region_name>/sslCertificates/<cert_name>-5b2d8587?alt=json HTTP/1.1
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Host: compute.googleapis.com
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: User-Agent: Terraform/1.9.3 (+https://www.terraform.io) Terraform-Plugin-SDK/2.33.0 terraform-provider-google/6.4.0
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Content-Type: application/json
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Accept-Encoding: gzip
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5
2024-09-27T22:22:24.602+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5
2024-09-27T22:22:24.603+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: -----------------------------------------------------
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Google API Response Details:
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: ---[ RESPONSE ]--------------------------------------
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: HTTP/2.0 200 OK
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Cache-Control: private
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Content-Type: application/json; charset=UTF-8
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Date: Fri, 27 Sep 2024 19:22:24 GMT
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Server: ESF
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Vary: Origin
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Vary: X-Origin
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: Vary: Referer
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: X-Content-Type-Options: nosniff
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: X-Frame-Options: SAMEORIGIN
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: X-Xss-Protection: 0
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: {
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "kind": "compute#sslCertificate",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "id": "5501311363569104396",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "creationTimestamp": "2024-09-27T03:28:51.346-07:00",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "name": "<cert_name>-5b2d8587",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "description": "Wildcard multi-san for <team>",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "selfLink": "https://www.googleapis.com/compute/v1/projects/<project_name>/regions/<region_name>/sslCertificates/<cert_name>-5b2d8587",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "certificate": "-----BEGIN CERTIFICATE-----<REMOVED>-----END CERTIFICATE-----",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "selfManaged": {
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:     "certificate": "-----BEGIN CERTIFICATE-----<REMOVED>-----END CERTIFICATE-----"
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   },
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "type": "SELF_MANAGED",
2024-09-27T22:22:24.744+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "subjectAlternativeNames": [
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:     "*.domain.name",
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:     "*.zone.domain.name",
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:     "*.zone.domain.name",
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: "*.zone.domain.name"
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   ],
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "expireTime": "2025-07-18T16:59:59.000-07:00",
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5:   "region": "https://www.googleapis.com/compute/v1/projects/<project_name>/regions/<region_name>"
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: }
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: -----------------------------------------------------
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Retry Transport: Stopping retries, last request was successful
2024-09-27T22:22:24.745+0300 [DEBUG] provider.terraform-provider-google_v6.4.0_x5: 2024/09/27 22:22:24 [DEBUG] Retry Transport: Returning after 1 attempts

Expected Behavior

Since the private key and certificate secrets in GCP Secret Manager remain unchanged, the certificate should remain unchanged as well, and its resource should not trigger replacement.

Please note: the secret version was created on the 1st of August and has been active/unchanged since, but Terraform still triggers replacement (tried multiple provider and Terraform versions; the behavior is the same).

$ gcloud secrets versions list private_key_wildcard_w_san_<domain_name> --project=<project_name> 
NAME  STATE    CREATED              DESTROYED
1     enabled  2024-08-01T17:59:22  - 
$ gcloud secrets versions list wildcard_w_san_cert_pem_<domain_name> --project=<project_name> 
NAME  STATE    CREATED              DESTROYED
1     enabled  2024-08-01T18:00:11  - 
$ 

Actual Behavior

Resource replacement is triggered.

  # google_compute_region_ssl_certificate.self must be replaced
+/- resource "google_compute_region_ssl_certificate" "self" {
      ~ certificate        = (sensitive value) # forces replacement
      ~ certificate_id     = 4674593621525986235 -> (known after apply)
      ~ creation_timestamp = "2024-09-23T03:39:16.857-07:00" -> (known after apply)
      ~ expire_time        = "2025-07-18T16:59:59.000-07:00" -> (known after apply)
      ~ id                 = "projects/<project_name>/regions/<region-name>/sslCertificates/<cert-name>-5451eb1e" -> (known after apply)
      ~ name               = "<cert-name>-5451eb1e" # forces replacement -> (known after apply) # forces replacement
      + name_prefix        = (known after apply)
      ~ private_key        = (sensitive value) # forces replacement
      ~ self_link          = "https://www.googleapis.com/compute/v1/projects/<project_name>/regions/<region-name>/sslCertificates/<cert-name>-5451eb1e" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

Steps to reproduce

  1. terraform plan or terraform apply

Important Factoids

No response

References

No response
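The replacement in the plan above is driven by the `random_id` keepers: the resource name is `random_id.certificate.hex`, and `random_id` regenerates whenever any keeper value differs from the one recorded in state. The following added example (not from the issue or the provider) reproduces Terraform's `base64sha256()` in Python and shows how a byte-level difference in `secret_data` such as a trailing newline or CRLF line endings, one constructed scenario rather than an established cause for this report, changes the keeper and therefore the name. The PEM strings are constructed placeholders, not real key material; `normalize_pem` is a hypothetical helper illustrating a defensive normalization you could apply before hashing.

```python
import base64
import hashlib


def tf_base64sha256(text: str) -> str:
    """Reproduce Terraform's base64sha256(): SHA-256 over the UTF-8 bytes, standard base64."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def keepers(private_key_pem: str, certificate_pem: str) -> dict:
    """Mirror the keepers map of the random_id resource in the issue's configuration."""
    return {
        "private_key": tf_base64sha256(private_key_pem),
        "certificate": tf_base64sha256(certificate_pem),
    }


def random_id_would_regenerate(old_keepers: dict, new_keepers: dict) -> bool:
    """random_id yields a new value when any keeper differs; because the certificate's
    name is random_id.hex, a regenerated id forces replacement of the certificate."""
    return old_keepers != new_keepers


def normalize_pem(pem: str) -> str:
    """Hypothetical helper: canonicalize whitespace (CRLF, trailing newline, padding)
    so only a change in the PEM payload itself changes the hash."""
    lines = [line.strip() for line in pem.strip().splitlines() if line.strip()]
    return "\n".join(lines) + "\n"


# Constructed placeholder PEMs (not real keys or certificates).
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEYBYTES\n-----END PRIVATE KEY-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERTBYTES\n-----END CERTIFICATE-----\n"


def demo() -> dict:
    """Compare keepers for identical payloads that differ only in whitespace."""
    in_state = keepers(KEY_PEM, CERT_PEM)
    # Same payload, but the certificate read back with CRLF endings and an extra newline.
    re_read = keepers(KEY_PEM, CERT_PEM.replace("\n", "\r\n") + "\n")
    raw = random_id_would_regenerate(in_state, re_read)
    normalized = random_id_would_regenerate(
        keepers(normalize_pem(KEY_PEM), normalize_pem(CERT_PEM)),
        keepers(normalize_pem(KEY_PEM), normalize_pem(CERT_PEM.replace("\n", "\r\n") + "\n")),
    )
    return {"regenerates_raw": raw, "regenerates_normalized": normalized}


if __name__ == "__main__":
    print(demo())
```

If `terraform plan` shows the keeper changing while the Secret Manager version is unchanged, comparing the hash of the exact bytes returned by the data source against the keeper stored in state is the quickest way to tell whether the payload or only its encoding differs.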

@ivankorn ivankorn added the bug label Sep 27, 2024
@ggtisc ggtisc self-assigned this Oct 3, 2024
@ggtisc
Collaborator

ggtisc commented Oct 4, 2024

Hi @ivankorn!

I tried to replicate this issue with the next configuration:

  1. First I created the following resources:
resource "google_secret_manager_secret" "sm_secret_19668_pk" {
  secret_id = "sm-secret-19668-pk"

  labels = {
    label = "my-label"
  }

  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "sm_sv_19668_pk" {
  secret = google_secret_manager_secret.sm_secret_19668_pk.id
  secret_data = file("./utils/key.pem")
}

resource "google_secret_manager_secret" "sm_secret_19668_cert" {
  secret_id = "sm-secret-19668-cert"

  labels = {
    label = "my-label-2"
  }

  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "sm_sv_19668_cert" {
  secret = google_secret_manager_secret.sm_secret_19668_cert.id
  secret_data = file("./utils/cert.pem")
}
  2. Then I cleaned the tfstate file and created the following data sources referencing the previously created resources:
data "google_secret_manager_secret_version" "sm_sv_19668_pk" {
  secret  = "projects/my-project/secrets/sm-secret-19668-pk"
  project = "my-project"
}

data "google_secret_manager_secret_version" "sm_sv_19668_cert" {
  secret  = "projects/my-project/secrets/sm-secret-19668-cert"
  project = "my-project"
}
  3. After this I created the following resources:
resource "random_id" "random_id_19668" {
  byte_length = 4
  prefix      = "cr-ssl-cert-19668-"

  keepers = {
    private_key = base64sha256(data.google_secret_manager_secret_version.sm_sv_19668_pk.secret_data)
    certificate = base64sha256(data.google_secret_manager_secret_version.sm_sv_19668_cert.secret_data)
  }
}

resource "google_compute_region_ssl_certificate" "cr_ssl_cert_19668" {
  name        = random_id.random_id_19668.hex
  description = "something"
  project     = "my-project"
  region      = "us-central1"
  private_key = data.google_secret_manager_secret_version.sm_sv_19668_pk.secret_data
  certificate = data.google_secret_manager_secret_version.sm_sv_19668_cert.secret_data

  lifecycle {
    create_before_destroy = true
  }
}
  4. Finally I tried multiple times to reproduce the issue with terraform plan and apply, but nothing changes and it always shows the same message:

No changes. Your infrastructure matches the configuration.

If you continue having issues, please be more specific about what you are doing differently from this so we can verify this situation again.
