Google - Postgres always tries to recreate user #3894

Closed
sce81 opened this issue Jun 20, 2019 · 7 comments

sce81 commented Jun 20, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.
  • terraform 0.12.2
  • google_2.8.0
  • vault 2.0.0

Affected Resource(s)

google_sql_user
vault_generic_secret

Terraform Configuration Files

data "vault_generic_secret" "postgres_database" {
  path = "blah/blah/blah/postgres-database"
}

  sql_user_password     = [data.vault_generic_secret.postgres_database.data["SECRET1"], data.vault_generic_secret.postgres_database.data["SECRET2"], data.vault_generic_secret.postgres_database.data["SECRET3"], data.vault_generic_secret.postgres_database.data["SECRET4"]]


  resource "google_sql_user" "sql_user" {
  count    = var.sql_user_count
  name     = element(var.sql_user_name, count.index)
  instance = google_sql_database_instance.master.name
  host     = element(var.sql_user_host, count.index)
  password = element(var.sql_user_password, count.index)
}


  sql_user_password     = [data.vault_generic_secret.postgres_database.data["SECRET1"], data.vault_generic_secret.postgres_database.data["SECRET2"], data.vault_generic_secret.postgres_database.data["SECRET3"], data.vault_generic_secret.postgres_database.data["SECRET4"]]

Debug Output

Panic Output

Expected Behavior

No changes should be seen

Actual Behavior

On tf 0.11.14 it changed the resources every apply; however, this does not cause an issue except registering a change. But for the mysql instance (which uses the same module) this behavior does not happen.

Since 0.12.2 I get the following error and it is unable to complete the process.

**Error: Provider produced inconsistent result after apply

When applying changes to
module.integration_postgres_database.google_sql_user.sql_user[2], provider
"google" produced an unexpected new value for was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.**

Steps to Reproduce

every apply

  1. terraform apply

Important Factoids

References

  • #0000
@ghost ghost added the bug label Jun 20, 2019
@danawillow danawillow self-assigned this Jun 21, 2019
@danawillow
Contributor

Hi @sce81, I'm having a bit of trouble understanding your config- it looks like some of the fields are outside of data sources/resources. Also, would you mind adding in what the output from terraform plan is, so we can see which fields it thinks it's going to change? Debug logs (https://www.terraform.io/docs/internals/debugging.html) would also be super helpful so we can see what requests/responses are being sent/received to/from the GCP APIs.

@sce81
Author

sce81 commented Jun 21, 2019

Yes, absolutely. I'm not in a position to do so now but I am more than happy to provide you with a detailed output of my resources to help you investigate. Is there a secure way for me to do so?

@ghost ghost removed the waiting-response label Jun 21, 2019
@danawillow
Contributor

Sure! Depending on how secure you need, here are a few options:

  • share the info publicly in a gist, but redact any private information. For example, you could replace something like projects/my-project/instances/my-instance with projects/***/instances/***. This is still helpful to us so we can see the shape of the requests being sent/received. The values are far less important.
  • encrypt it with HC's PGP key: https://www.hashicorp.com/security. I'm not a HC employee, but I can ask one of them to then share the important info with me.
  • If you have a TAM, CE, or other support contact at Google, send it to them and ask them to send it to me.
  • DM me in the GCP slack (http://bit.ly/gcp-slack) and share it with me there.

Any of those work?
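
The first option in the comment above, redacting a debug log before sharing it publicly, can be scripted. This is an added example, not part of the original comment or of the provider project; the rule list, the JSON field names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Each rule keeps the field name and masks only the value, so the shape
# of the request/response stays readable for whoever triages the issue.
RULES = [
    # Resource-path segments, as in projects/***/instances/***.
    ("path", re.compile(r'\b(projects|instances|users)/[^/\s"?]+'), r"\1/***"),
    # JSON string fields carrying secrets or tenant names (assumed list).
    ("field", re.compile(r'("(?:password|name|instance|project)"\s*:\s*)"[^"]*"'), r'\1"***"'),
    # OAuth bearer tokens in request headers.
    ("token", re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1***"),
    # IPv4 addresses and netmasks, e.g. the host attribute in plan output.
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "***"),
]

def redact(text, known_values=()):
    """Return (redacted_text, hits_per_rule).

    known_values are literal strings you know are sensitive; they are
    masked wherever they occur, including free text no pattern covers.
    """
    hits = {}
    for label, pattern, repl in RULES:
        text, hits[label] = pattern.subn(repl, text)
    hits["literal"] = 0
    for value in sorted(filter(None, known_values), key=len, reverse=True):
        hits["literal"] += text.count(value)
        text = text.replace(value, "***")
    return text, hits

def leftovers(redacted, known_values):
    """Known-sensitive strings that survived redaction (should be empty)."""
    return [v for v in known_values if v and v in redacted]

# Constructed sample, not taken from the real debug log in this issue.
SAMPLE = '''\
GET /sql/v1beta4/projects/my-project/instances/my-instance/users?alt=json HTTP/1.1
Authorization: Bearer ya29.constructed-token
{"kind": "sql#user", "name": "appuser", "instance": "my-instance", "password": "hunter2"}
[DEBUG] Removing SQL User "appuser" because it's gone
      + host     = "10.1.2.0/255.255.255.0" # forces replacement
'''

if __name__ == "__main__":
    known = ["my-project", "my-instance", "appuser", "hunter2"]
    print("missed by patterns alone:", leftovers(redact(SAMPLE)[0], known))
    out, hits = redact(SAMPLE, known)
    print(out, hits, leftovers(out, known), sep="\n")
```

Pattern rules alone leave the user name in the free-text log message, which is why the `leftovers` check against values you know to be sensitive is run before anything is posted.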

@sce81
Author

sce81 commented Jun 22, 2019

Thanks Dana, I have sent you the terraform debug file through Slack

@ghost ghost removed the waiting-response label Jun 22, 2019
@danawillow
Contributor

From looking at the debug logs, one of the messages is Removing SQL User "[REDACTED]" because it's gone, which comes right after an API response that shows the user is there. However, since it's postgres, I'm fairly confident this is the same as #3848, which was fixed in 2.9.

Closing this out, but if the problem persists after an upgrade to 2.9.1, please don't hesitate to reopen!

@sce81
Author

sce81 commented Jun 25, 2019

Hi Dana, using Google Provider 2.9.1 I am finding that the issue where TF tries to replace the postgres user on each run continues to happen, although the change is now successful. It still erroneously reports that it needs to recreate the user.


  # module.rnd_postgres_database.google_sql_user.sql_user[1] must be replaced
-/+ resource "google_sql_user" "sql_user" {
      + host     = "172.22.0.0/255.255.224.0" # forces replacement
      ~ id       = "rndteam//rnd-postgres-db" -> (known after apply)
        instance = "rnd-postgres-db"
        name     = "rndteam"
        password = (sensitive value)
      ~ project  = "PROJECT" -> (known after apply)
    }

@ghost

ghost commented Jul 25, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 25, 2019