google_dns_keys data source broken in v5.0.0 #16096

Closed
juliocc opened this issue Oct 3, 2023 · 4 comments · Fixed by GoogleCloudPlatform/magic-modules#9152, hashicorp/terraform-provider-google-beta#6431 or #16098
juliocc commented Oct 3, 2023

Terraform Version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.0.0

Affected Resource(s)

  • google_dns_keys

Terraform Configuration Files

data "google_dns_keys" "dns_keys" {
  managed_zone = "test-zone"
  project      = "my-project"
}

Debug Output

Output for v5.0.0 (fails)
Output for v4.84.0 (succeeds)

Panic Output

N/A

Expected Behavior

Apply should succeed without any errors, even if there are no keys

Actual Behavior

❯ terraform apply
data.google_dns_keys.dns_keys: Reading...
╷
│ Error: Error when reading or editing dataSourceDnsKeys
│
│   with data.google_dns_keys.dns_keys,
│   on main.tf line 1, in data "google_dns_keys" "dns_keys":
│    1: data "google_dns_keys" "dns_keys" {
│
│ googleapi: Error 404: The 'collection' resource named 'dnsKeys' does not exist., notFound

Steps to Reproduce

  1. Install provider v5.0.0
  2. Create a DNS zone in any project
  3. terraform apply the code above updating project and zone accordingly

Important Factoids

Provider version 4.84 works correctly without changes to the code.

References

N.A

@juliocc juliocc added the bug label Oct 3, 2023
@rileykarson rileykarson added this to the Post-5.0.0 milestone Oct 3, 2023
@rileykarson rileykarson self-assigned this Oct 3, 2023
@rileykarson
Collaborator

This may be intentional, a case of https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_5_upgrade#datasources-now-error-universally-on-404

Does your managed zone exist at the time the datasource is getting evaluated?

@juliocc
Author

juliocc commented Oct 3, 2023

Yes, the zone exists, but it doesn't have DNSSEC enabled. I did this other test and it also fails:

data "google_dns_keys" "dns_keys" {
  managed_zone = data.google_dns_managed_zone.zone.id
  project      = "my-project"
}


data "google_dns_managed_zone" "zone" {
  project = "my-project"
  name    = "test-example"
}

output "zone" {
  value = data.google_dns_managed_zone.zone
}

Result:

❯ terraform apply
data.google_dns_managed_zone.zone: Reading...
data.google_dns_managed_zone.zone: Read complete after 1s [id=projects/my-project/managedZones/test-example]
data.google_dns_keys.dns_keys: Reading...

Changes to Outputs:
  + zone = {
      + description     = "Terraform managed."
      + dns_name        = "test.example."
      + id              = "projects/my-project/managedZones/test-example"
      + managed_zone_id = 7820503003962313000
      + name            = "test-example"
      + name_servers    = [
          + "ns-cloud-c1.googledomains.com.",
          + "ns-cloud-c2.googledomains.com.",
          + "ns-cloud-c3.googledomains.com.",
          + "ns-cloud-c4.googledomains.com.",
        ]
      + project         = "my-project"
      + visibility      = "public"
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
╷
│ Error: Error when reading or editing dataSourceDnsKeys
│
│   with data.google_dns_keys.dns_keys,
│   on main.tf line 1, in data "google_dns_keys" "dns_keys":
│    1: data "google_dns_keys" "dns_keys" {
│
│ googleapi: Error 404: The 'collection' resource named 'dnsKeys' does not exist., notFound

Note that the same code works perfectly if the zone has DNSSEC enabled.

Is this WAI? If it is, does that mean one should not try to use google_dns_keys on zones that have DNSSEC disabled?

@rileykarson
Collaborator

Is this WAI? If it is, does that mean one should not try to use google_dns_keys on zones that have DNSSEC disabled?

Yes - the signal we're getting from the API is that only zones with DNSSEC enabled can have them. Previously the datasource would never have returned results, and now it will correctly inform you that the collection you're attempting to query could not exist by propagating the 404 error.
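
One way to keep a shared configuration applying on v5 when some zones have DNSSEC disabled, as an added example that is not part of this thread or the provider's own code: gate the data source with `count` so `dnsKeys` is queried only for zones known to be signed. The variable `dnssec_enabled` and the output name `ds_records` are hypothetical, and the flag is supplied by the caller rather than read from the API.

```hcl
# Added example, not from the issue. Names marked hypothetical are assumptions.

variable "dnssec_enabled" {
  # Hypothetical input: the caller states whether the zone has DNSSEC on.
  description = "Whether DNSSEC is enabled on the managed zone."
  type        = bool
  default     = false
}

data "google_dns_keys" "dns_keys" {
  # With count = 0 the data source is never read, so the provider does not
  # request the dnsKeys collection and the 404 from a zone without DNSSEC
  # is never raised.
  count        = var.dnssec_enabled ? 1 : 0
  managed_zone = "test-zone"
  project      = "my-project"
}

output "ds_records" {
  # Hypothetical output: DS records of the key-signing keys, or an empty
  # list when the lookup was skipped. Iterating over the counted data
  # source works for both zero and one instance.
  value = flatten([
    for d in data.google_dns_keys.dns_keys : [
      for k in d.key_signing_keys : k.ds_record
    ]
  ])
}
```

Setting the flag to true on a zone that is not signed still surfaces the 404, which is the behaviour described in the reply above.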

github-actions bot commented Nov 3, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 3, 2023