Google compute backend service: iap parameter is no more optional for provider version >=6.0.0 #19273

@shumak80

shumak80 commented Aug 27, 2024

Terraform Version & Provider Version(s)

Terraform v1.9.5-dev
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v6.0.0

Affected Resource(s)

  • google_compute_backend_service
  • google_compute_region_backend_service

Terraform Configuration

resource "google_compute_backend_service" "nginx" {
  name                            = "be-${var.app_name}-${var.env}-${var.nginx_port}"
  description                     = "Backend for ${var.app_name}-${var.env}-nginx"
  port_name                       = "${var.app_name}-${var.env}-nginx-80"
  protocol                        = "HTTP"
  session_affinity                = "NONE"
  affinity_cookie_ttl_sec         = "0"
  timeout_sec                     = "30"
  enable_cdn                      = false
  connection_draining_timeout_sec = "30"
  load_balancing_scheme           = "EXTERNAL"
  security_policy                 = var.security_policy_selflink

  dynamic "backend" {
    for_each = var.instance_group
    content {
      group           = backend.value
      balancing_mode  = "UTILIZATION"
      max_utilization = "0.9"
    }
  }

  health_checks = [google_compute_health_check.app.self_link]
  log_config {
    enable      = "true"
    sample_rate = "0.1"
  }
}

Debug Output

Terraform will perform the following actions:

  # module.loadbalancer.google_compute_backend_service.nginx will be updated in-place
  ~ resource "google_compute_backend_service" "nginx" {
        id                              = "projects/xxxxxxx"
        name                            = "be-xxxx-80"
        # (22 unchanged attributes hidden)

      - iap {
          - enabled                     = false -> null
          - oauth2_client_secret_sha256 = (sensitive value) -> null
            # (2 unchanged attributes hidden)
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

The "iap" parameter should be optional and shouldn't cause any changes to state if it's not mentioned in the Terraform manifest.

Actual Behavior

The "iap" parameter is forced to change from the default "false" to a null value, even if it's not declared in the Terraform configuration.

Steps to reproduce

  1. terraform apply

Important Factoids

The issue is in versions 6.0.0 and 6.0.1.

References

Bug fix which enforces the optional parameter --> #18772

b/362477127

@shumak80 shumak80 added the bug label Aug 27, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-l7-load-balancer labels Aug 27, 2024
@shumak80 shumak80 changed the title Google compute backend service: iap parameter is no more optional for version >6.0.0 Google compute backend service: iap parameter is no more optional for provider version >=6.0.0 Aug 27, 2024
@ggtisc ggtisc assigned ggtisc and roaks3 and unassigned ggtisc Aug 27, 2024
@ggtisc ggtisc removed the forward/review In review; remove label to forward label Aug 27, 2024
@roaks3
Collaborator

roaks3 commented Aug 27, 2024

For reference, this was a breaking change from the 6.0.0 release, but it seems like it is not behaving as expected here. Per the guide, iap.enabled is now required, but I think it should still be an option for the iap block itself to be omitted.

@c2thorn c2thorn added this to the Post 6.0.0 milestone Aug 27, 2024
@arnabadg-google

arnabadg-google commented Aug 29, 2024

Previously iap {enabled = false} was added by default to the terraform request when iap was not added in the terraform configuration. This was causing issues with custom org constraints where any IAP usage is prohibited (b/310147789). We changed the behavior so that no IAP object is added to the request (this will behave the same from the API perspective) and made iap.enabled required whenever the IAP object is configured (GoogleCloudPlatform/magic-modules#9581).

@utnehmer

utnehmer commented Aug 29, 2024

When iap {enabled = false} is manually added to a google_compute_backend_service resource and the iap block is later removed from the resource block, the same behavior could be observed.

      - iap {
          - enabled                     = false -> null
          - oauth2_client_secret_sha256 = (sensitive value) -> null
            # (2 unchanged attributes hidden)
        }

But the IAP config seems to be never removed from the backend service. Every future terraform plan shows the same change.

A different behavior but maybe related issue is when iap {enabled = true} is set.

Changing it to iap {enabled = false} results in

      ~ iap {
          ~ enabled                     = true -> false
            # (3 unchanged attributes hidden)
        }

but the IAP config is not set to false / IAP is not disabled. Every future terraform plan shows the same change. Same when the IAP block is removed.

      - iap {
          - enabled                     = true -> null
          - oauth2_client_secret_sha256 = (sensitive value) -> null
            # (2 unchanged attributes hidden)
        }

the IAP config is not removed from the backend service / IAP is not disabled. Every future terraform plan shows the same change.

@ervin-pactum

ervin-pactum commented Sep 6, 2024

Is it safe to add IAP to lifecycle.ignore_changes until this is fixed?

@c2thorn
Collaborator

c2thorn commented Sep 9, 2024

> is it safe to add IAP to lifecycle.ignore_changes until this is fixed?

Yes, please add to lifecycle.ignore_changes until we get the fix out.

@shumak80
Author

@c2thorn Do you have any ETA for the fix?

@c2thorn
Collaborator

c2thorn commented Sep 17, 2024

> @c2thorn Do you have any ETA for the fix?

The fix should be in next week's release in 6.4.0
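
A pre-check for the lifecycle.ignore_changes workaround discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and separates the `false -> null` diff reported here from diffs where IAP is enabled on either side, which should be verified against the live backend service before being ignored. The `admin` resource address and the sample plan are constructed for illustration.

```python
# Added example: triage iap diffs in `terraform show -json <planfile>` output.
IAP_RESOURCE_TYPES = {
    "google_compute_backend_service",
    "google_compute_region_backend_service",
}

def iap_enabled(state):
    """True/False for the iap block's `enabled`, or None when no iap block exists."""
    blocks = (state or {}).get("iap") or []
    return bool(blocks[0].get("enabled")) if blocks else None

def classify_iap_changes(plan):
    """Return (address, before, after, verdict) for each in-place iap change."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") not in IAP_RESOURCE_TYPES:
            continue
        if change.get("actions") != ["update"]:
            continue
        before = iap_enabled(change.get("before"))
        after = iap_enabled(change.get("after"))
        if before == after:
            continue
        # Neither side enables IAP: the false -> null diff from this issue.
        # Any diff involving `true` concerns access control and needs a
        # manual check of the live backend service before it is ignored.
        verdict = "review" if True in (before, after) else "benign"
        findings.append((rc["address"], before, after, verdict))
    return findings

# Constructed sample in the plan JSON shape (nested blocks are lists of objects).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "module.loadbalancer.google_compute_backend_service.nginx",
         "type": "google_compute_backend_service",
         "change": {"actions": ["update"],
                    "before": {"iap": [{"enabled": False}]},
                    "after": {"iap": []}}},
        {"address": "google_compute_backend_service.admin",  # hypothetical
         "type": "google_compute_backend_service",
         "change": {"actions": ["update"],
                    "before": {"iap": [{"enabled": True}]},
                    "after": {"iap": [{"enabled": False}]}}},
    ]
}

if __name__ == "__main__":
    for address, before, after, verdict in classify_iap_changes(SAMPLE_PLAN):
        print(f"{verdict:7} {address}: iap.enabled {before} -> {after}")
```

Run it before adding `iap` to ignore_changes, since the plan no longer reports iap diffs once they are ignored.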


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 18, 2024