DNS module DNSSEC config errors

[lianatech-teemu-hemmila]

Initially created dns zone with cloud-foundation-fabric module version v23 without declaring any DNSSEC configs. When upgraded to v27 following happens.

With module declaration:

module "public_dns" {
  source     = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/dns?ref=v27.0.0"
  ...
  zone_config = {
    domain = "<domain>."
    public = {}
  }
  ...

Error is produced in apply phase (plan succeeds):

│ Error: Error updating ManagedZone "projects/liana-common-dns/managedZones/<zone>": googleapi: Error 400: The 'entity.managedZone.dnssecConfig' parameter is required but was missing., required

When introducing DNSSEC config with explicitly setting state = "off"

module "public_dns" {
  source     = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/dns?ref=v27.0.0"
  ...
  zone_config = {
    domain =  "<domain>."
    public = {
      dnssec_config = {
        state = "off"
      }
    }
  }
  ...

This error is produced:

Planning failed. Terraform encountered an error while generating this plan.

│ Error: Error when reading or editing dataSourceDnsKeys
│ 
│   with module.public_dns.data.google_dns_keys.dns_keys[0],
│   on .terraform/modules/public_dns/modules/dns/main.tf line 160, in data "google_dns_keys" "dns_keys":
│  160: data "google_dns_keys" "dns_keys" {
│ 
│ googleapi: Error 404: The 'collection' resource named 'dnsKeys' does not
│ exist., notFound

This might also be related to google provider upgrade to v5 but I'm not sure should the module be refactored to not try to read the dns keys when state is set to off, but the dnssec_config exists (since provider seems to require it).

[juliocc]

@lianatech-teemu-hemmila can you try with HEAD? I just tried your first example and it works for me

module "private-dns" {
  source     = "../modules/dns"
  project_id = module.project.id
  name       = "test-example"
  zone_config = {
    domain = "gcp.example.com."
    public = {}
  }
}

Result:

Terraform will perform the following actions:

  # module.private-dns.google_dns_managed_zone.dns_managed_zone[0] will be created
  + resource "google_dns_managed_zone" "dns_managed_zone" {
      + creation_time    = (known after apply)
      + description      = "Terraform managed."
      + dns_name         = "gcp.example.com."
      + effective_labels = (known after apply)
      + force_destroy    = false
      + id               = (known after apply)
      + managed_zone_id  = (known after apply)
      + name             = "test-example"
      + name_servers     = (known after apply)
      + project          = "<REDACTED>"
      + reverse_lookup   = false
      + terraform_labels = (known after apply)
      + visibility       = "public"

      + cloud_logging_config {
          + enable_logging = false
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: Creating...
module.private-dns.google_dns_managed_zone.dns_managed_zone[0]: Creation complete after 2s [id=projects/<REDACTED>/managedZones/test-example]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

[lianatech-teemu-hemmila]

Thanks for response @juliocc. I'm sorry, what do you mean by trying with HEAD?

I think the problem is with the fact that the Cloud DNS zone resource was created with old version of the module, which introduced the DNSSEC config (with state = "off").

With old version of the module:

module "test-zone" {
  source      = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/dns?ref=v23.0.0"
  project_id  = "<project>"
  name        = "test-zone"
  domain      = "<redacted>"
  type        = "public"

We get:

  + resource "google_dns_managed_zone" "public" {
      + creation_time    = (known after apply)
      + dns_name         = "<redacted>"
      + effective_labels = (known after apply)
      + force_destroy    = false
      + id               = (known after apply)
      + managed_zone_id  = (known after apply)
      + name             = "test-zone"
      + name_servers     = (known after apply)
      + project          = "<redacted>"
      + terraform_labels = (known after apply)
      + visibility       = "public"

      + dnssec_config {
          + kind          = "dns#managedZoneDnsSecConfig"
          + non_existence = "nsec3"
          + state         = "off"

          + default_key_specs {
              + algorithm  = "rsasha256"
              + key_length = 2048
              + key_type   = "keySigning"
              + kind       = "dns#dnsKeySpec"
            }
          + default_key_specs {
              + algorithm  = "rsasha256"
              + key_length = 1024
              + key_type   = "zoneSigning"
              + kind       = "dns#dnsKeySpec"
            }
        }
    }

So the dnssec_config block is introduced with state = off.

When creating new resource with v27 module:

module "test-zone" {
  source      = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/dns?ref=v27.0.0"
  project_id  = "<redacted>"
  name        = "test-zone"
  
  zone_config = {
    domain = "<domain>"
    public = {}
  }
}

It works fine and doesn't create the dnssec_config block.

Now, when we have upgraded our modules to v27, terraform tries to remove this dnssec_config, but apply fails. Terraform state is still updated to not have it. When I import the resource from GCP again to state, it has the dnssec_config block (state = "off").

So maybe this is something to consider with module declaration. For new resources, everything works fine. But when migrating to resources created with older module to new, some inconsitency happens.

[ludoo]

We never support backwards compatibility, it would just be too much work and sometimes be even impossible. :)

[lianatech-teemu-hemmila]

Ok, thanks for clarifying that :)