Fix dnssec_config issue on state off #2035

Merged


haraldhaas
Contributor

If a Cloud DNS managed zone has been created through this module without dnssec_config and the DNS Zone is manually modified in the UI, for example to enable logging, even if you do not touch the DNSSEC configuration, a dnssec_config will be added to the terraform state, with the variable state set to off:

      + dnssec_config {
          + kind          = "dns#managedZoneDnsSecConfig"
          + non_existence = "nsec3"
          + state         = "off"

          + default_key_specs {
              + algorithm  = "rsasha256"
              + key_length = 2048
              + key_type   = "keySigning"
              + kind       = "dns#dnsKeySpec"
            }
          + default_key_specs {
              + algorithm  = "rsasha256"
              + key_length = 1024
              + key_type   = "zoneSigning"
              + kind       = "dns#dnsKeySpec"
            }
        }

From this point on, you can no longer run terraform without running into an error of the API complaining about the missing dnssec_config:

│ Error: Error updating ManagedZone "projects/<project-id>/managedZones/<zone-name>": googleapi: Error 400: The 'entity.managedZone.dnssecConfig' parameter is required but was missing., required

Adding the dnssec_config with state = "off" currently leads to the google_dns_keys being fetched, which is not allowed if no keys exist, as highlighted in the provider's documentation for google_dns_keys, leading to a different error:

│ googleapi: Error 404: The 'collection' resource named 'dnsKeys' does not exist., notFound

This fix changes the behaviour so that google_dns_keys is retrieved only when the state is set to on, instead of relying on the general presence of the dnssec_config.


Checklist

If applicable, I acknowledge that I have:

  • Read the contributing guide
  • Ran terraform fmt on all modified files
  • Regenerated the relevant README.md files using tools/tfdoc.py
  • Made sure all relevant tests pass
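
The guard described in this pull request, as an added sketch that is not the module's own code: the key lookup is conditioned on state being "on" rather than on the dnssec_config block merely being present. The variable shape, the local name, the resource labels and the zone name are assumptions made for illustration.

```hcl
# Hypothetical variable shape; the module's real interface may differ.
variable "dnssec_config" {
  type = object({
    state         = string
    non_existence = optional(string, "nsec3")
  })
  default = null
}

locals {
  # Condition that triggers the 404 when the block exists with state = "off":
  #   var.dnssec_config != null
  # Condition after the fix: look up keys only when signing is actually on.
  # try() covers the case where the whole block is null.
  dnssec_on = try(var.dnssec_config.state, "off") == "on"
}

resource "google_dns_managed_zone" "example" {
  name     = "example-zone" # constructed sample value
  dns_name = "example.com." # constructed sample value

  # Still emit the block when state = "off", so the update request
  # carries dnssecConfig and the API does not reject it with error 400.
  dynamic "dnssec_config" {
    for_each = var.dnssec_config == null ? [] : [var.dnssec_config]
    content {
      state         = dnssec_config.value.state
      non_existence = dnssec_config.value.non_existence
    }
  }
}

# DNSKEY records exist only for a signed zone; count = 0 skips the lookup.
data "google_dns_keys" "example" {
  count        = local.dnssec_on ? 1 : 0
  managed_zone = google_dns_managed_zone.example.id
}

output "key_signing_keys" {
  value = local.dnssec_on ? data.google_dns_keys.example[0].key_signing_keys : []
}
```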

@juliocc
Collaborator

juliocc commented Feb 1, 2024

Very subtle and difficult to figure out. Thanks for the fix!

@juliocc juliocc enabled auto-merge (squash) February 1, 2024 06:40
@juliocc juliocc merged commit dda0250 into GoogleCloudPlatform:master Feb 1, 2024
9 checks passed