terraform import doesn't work with cloud DNS in GCP

[ghost]

I am trying to import cloud dns A record from GCP using terraform import but it throws error. The record already exists so the error for non-existent resource doesn't make sense below. Did anyone try it before?
module.cloud_dns.google_dns_record_set.a: Importing from ID "production-us-east1/server1/A"...
module.cloud_dns.google_dns_record_set.a: Import complete!
Imported google_dns_record_set (ID: production-us-east1/server1/A)
module.cloud_dns.google_dns_record_set.a: Refreshing state... (ID: production-us-east1/server1/A)

Error: module.cloud_dns.google_dns_record_set.a[0] (import id: production-us-east1/server1/A): 1 error(s) occurred:

import module.cloud_dns.google_dns_record_set.a[0] result: production-us-east1/server1/A: import module.cloud_dns.google_dns_record_set.a (id: production-us-east1/server1/A): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

terraform version
Terraform v0.11.10

• provider.google v1.20.0
• provider.template v2.0.0

Affected Resource(s)

• google_dns_record_set

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://www.hashicorp.com/security
# If reproducing the bug involves modifying the config file (e.g., apply a config,
# change a value, apply the config again, see the bug) then please include both the
# version of the config before the change, and the version of the config after the change.

Debug Output

Panic Output

Expected Behavior

google dns a record imported.

Actual Behavior

module.cloud_dns.google_dns_record_set.a: Importing from ID "production-us-east1/server1/A"...
module.cloud_dns.google_dns_record_set.a: Import complete!
Imported google_dns_record_set (ID: production-us-east1/server1/A)
module.cloud_dns.google_dns_record_set.a: Refreshing state... (ID: production-us-east1/server1/A)

Error: module.cloud_dns.google_dns_record_set.a[0] (import id: production-us-east1/server1/A): 1 error(s) occurred:

import module.cloud_dns.google_dns_record_set.a[0] result: production-us-east1/server1/A: import module.cloud_dns.google_dns_record_set.a (id: production-us-east1/server1/A): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

Steps to Reproduce

following terraform doc online https://www.terraform.io/docs/providers/google/r/dns_record_set.html

terraform import google_dns_record_set.frontend prod-zone/frontend.prod.mydomain.com./A

Important Factoids

References

• #0000

[emilymye]

Can you please send us your config for your dns_record_set and the debug log when you import? i.e.

TF_LOG=DEBUG terraform import google_dns_record_set.frontend ...

I was able to correctly import a DNS record set just now so I probably need more information to debug this issue.

[ghost]

@emilymye is there any private channel you want us to share all config and debug details?

[ghost]

I have attached the dns record import debug log here. DNS record config details:
ttl: "60" (seconds)
type: "A"

terraform import output.pdf

[ghost]

@emilymye @rileykarson any updates on this bug?

[rileykarson]

Can you confirm whether you experience this on a 2.X release, preferably 2.3.0? 1.20.0 was a few months ago so this has probably been fixed since then, and we're unable to backport fixes to 1.X series regardless (the provider release mechanism doesn't allow it.)

[ghost]

yes i upgraded to 2.3.0 release, and i am still getting same error in terraform import.

Error: module.cloud_dns.google_dns_record_set.a[0] (import id: prod-us-central1-aaaa-io/aaa01.prod.us-central1.aaaa.io/A): 1 error(s) occurred:

• import module.cloud_dns.google_dns_record_set.a[0] result: prod-us-central1-aaaa-io/aaa01.prod.us-central1.aaaa.io/A: import module.cloud_dns.google_dns_record_set.a (id: prod-us-central1-aaaa-io/aaa01.prod.us-central1.aaaa.io/A): Terraform detected a resource with this ID doesn't
  exist. Please verify the ID is correct. You cannot import non-existent
  resources using Terraform import.

[rileykarson]

Are you able to share the command you're using + debug logs at that version?

[ghost]

I have attached debug log with command here.
tf import debug log-2.3.0.pdf

[rileykarson]

Comparing the debug logs to our CI, I think Terraform is performing correctly, it's just an issue with the format of the supplied id. Unfortunately this resource is pretty freeform, and I can't spot any obvious fixes. Has this worked in prior versions?

[ghost]

No this has never worked for us before, We filed one more bug for similar errors in google instance group import back in December last year.
#2504

[rileykarson]

In that case I suspect an incorrect id has been supplied. Can you try gcloud dns record-sets list on the resource and post your results? Preferably with --log-http set.

https://cloud.google.com/sdk/gcloud/reference/dns/record-sets/

[ghost]

Here is the output for describe and list commands.
dns describe.pdf

dns list.pdf

[ghost]

any updates on this bug based on last input provided.

[rileykarson]

Hmm- I'm fairly confident that the managed zone name is incorrect. Can you try gcloud dns managed-zones list --log-http?

[ghost]

There are so many zones coming in the output. I am pasting the one that i am trying to import from

{
"name": "prod-us-central1-aaaa-io",
"dnsName": "prod.us-central1.aaaa.io.",
"description": "",
"id": "287193058197200",
"nameServers": [
"ns-private.googledomains.com."
],
"creationTime": "2018-01-17T01:57:53.123Z",
"visibility": "private",
"privateVisibilityConfig": {
"networks": [
{
"networkUrl": "https://www.googleapis.com/compute/v1/projects/prod-shared-vpc-project/global/networks/prod-shared-vpc-network",
"kind": "dns#managedZonePrivateVisibilityConfigNetwork"
}
],
"kind": "dns#managedZonePrivateVisibilityConfig"
},
"kind": "dns#managedZone"
},

[rileykarson]

Hmm- unfortunately, I can't see what's going wrong here. Since gcloud can't find it either, it isn't a Terraform issue. I suspect the name is slightly different than what's been provided, but it doesn't look like it in those (likely anonymised / obfuscated?) snippets.

[ghost]

gcloud can find the managed zone in above output "name": "prod-us-central1-aaaa-io", what do you mean by gcloud cannot find it.

[ghost]

can we discuss over hangout or share details on a private channel to investigate this issue.

[rileykarson]

gcloud was unable to find a managed zone with that name, same as Terraform in unable to. From the describe output;

{
"error": {
"code": 404,
"message": "The 'parameters.managedZone' resource named 'prod-us-central1-aaaa-io' does
not exist.",
"errors": [
{
"message": "The 'parameters.managedZone' resource named 'prod-us-central1-aaaa-io'
does not exist.",
"domain": "global",
"reason": "notFound"
}
]
}
}

[ghost]

The above error we are getting in terraform import and that is the reason we are not able to import dns records or instance groups (#2504) from gcp, but i dont get when you say we are unable to see a managed zone using gcloud. I am attaching a complete output for gcloud dns managed-zones list --log-http command that clearly shows that it can find the managed zone we are trying to import from.

dns list full output.pdf

[rileykarson]

The problem is that neither gcloud nor terraform is able to identify the single resource. Looking briefly at the import id again, did you attempt to import it with

prod-us-central1-aaaa-io/host001.prod.us-central1.aaaa.io/A?

Looking at the import example (https://www.terraform.io/docs/providers/google/r/dns_record_set.html#import) you need a trailing dot, eg;

prod-us-central1-aaaa-io/host001.prod.us-central1.aaaa.io./A

[ghost]

yes earlier we imported without trailing dot.

Now when we added trailing dot, its still throwing same error. I am attaching the error log here.

Error: module.cloud_dns.google_dns_record_set.a[0] (import id: prod-us-central1-aaaa-io/aaaa001.prod.us-central1.aaaa.io./A): 1 error(s) occurred:

* import module.cloud_dns.google_dns_record_set.a[0] result: prod-us-central1-aaaa-io/aaaa001.prod.us-central1.aaaa.io./A: import module.cloud_dns.google_dns_record_set.a (id: prod-us-central1-aaaa-io/aaaa001.prod.us-central1.aaaa.io./A): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

dns error output.pdf

[rileykarson]

In that case, since we're seeing similar behaviour between gcloud and Terraform, I suspect it's an API issue. I'd suggest filing a bug here: https://b.corp.google.com/issues/new?component=187241&template=0

I would include the gcloud commands we've attempted to use in addition to the Terraform issue.

[rsalmond]

@Preete is the DNS record you're trying to import in the same project as the one specified in your provider block?

That is how I have encountered this issue, it appears there is no way to specify the project to import the record from. Our workaround has been to temporarily change the project in the provider block, import the resource, then change it back.

[jtrh]

it appears there is no way to specify the project to import the record from. Our workaround has been to temporarily change the project in the provider block, import the resource, then change it back.

I'm experiencing exactly the same problem as @rsalmond. There's no way to specify the project when importing a google_dns_record_set resource, so Terraform attempts to use the default project and fails when the DNS zone is in a different project.

@rsalmond's workaround works for me.

[jparrill]

Same here:

resource "google_dns_record_set" "dns_record" {
  count         = "${var.amount}"
  name          = "${var.hostname_prefix}-${count.index}.${var.dns_zone}"
  managed_zone  = "${var.dns_name}"
  type          = "A"
  ttl           = "300"
  rrdatas       = ["${element(google_compute_instance.instances.*.network_interface.0.access_config.0.nat_ip, count.index)}"]
}

Any clues?

[jeremy-albuixech]

I was able to work around the issue thanks to @rsalmond comment.

If your DNS zone is managed in another GCP project than your application, make sure to switch the Google provider(s) to use your DNS project instead of your application project when you import the DNS.

Even with an aliased provider it didn't work, it looks like the import used the first "google" provider in my providers list.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!