VPN forced replacement

[Maarc-D]

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

If this is a bug report (for when something is there, but doesn't work how it should), please use the bug issue template instead.

If this is an enhancement / feature request (for when something (a resource, field, etc.) is missing, and should be added), please use the enhancement template instead.

If you have a support request or question, please check out the other resources listed here.

If your issue does not fit into one of the above templates, please fill out the following:

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment or link the pull request to this issue.

Terraform Version

All terraform versions
Google provider version : 4.61.0

Affected Resource(s)

google_compute_ha_vpn_gateway

Terraform Configuration Files (if applicable)

resource "google_compute_ha_vpn_gateway" "onprem" {
  for_each = google_compute_network.this
  region   = var.region
  project  = local.account_ids[terraform.workspace]
  name     = "vpn-worldline-onprem-${lower(terraform.workspace)}"
  network  = each.value.id
  # stack_type = "IPV4_ONLY" # same issue with IPV4_IPV6
}

Issue Description

No matter which stack_type we put it force gateway replacement so tunnels too.

-/+ resource "google_compute_ha_vpn_gateway" "onprem" {
      ~ id         = "projects/myproject/regions/europe-west1/vpnGateways/vpn" -> (known after apply)
        name       = "vpn"
      ~ network    = "https://www.googleapis.com/compute/v1/projects/myproject/global/networks/vpc-myproject" -> "projects/myproject/global/networks/vpc-myproject"
      ~ self_link  = "https://www.googleapis.com/compute/v1/projects/myproject/regions/europe-west1/vpnGateways/vpn" -> (known after apply)
      + stack_type = "IPV4_ONLY" # forces replacement

-/+ resource "google_compute_ha_vpn_gateway" "onprem" {
      ~ id         = "projects/myproject/regions/europe-west1/vpnGateways/vpn" -> (known after apply)
        name       = "vpn"
      ~ network    = "https://www.googleapis.com/compute/v1/projects/myproject/global/networks/vpc-myproject" -> "projects/myproject/global/networks/vpc-myproject"
      ~ self_link  = "https://www.googleapis.com/compute/v1/projects/myproject/regions/europe-west1/vpnGateways/vpn" -> (known after apply)
      + stack_type = "IPV4_IPV6" # forces replacement

Important Factoids

References

• #0000

[Maarc-D]

For me the refresh must get the current value of the attribut stack_type and it's not the case

[Maarc-D]

I tried to pull my state edit it add the stack_type attribute manually

, push it
try a new plan but did not resolve it, the attribut it still in my state after the refresh but still want to recreate the gateway

[Maarc-D]

After looking to the code : https://github.com/hashicorp/terraform-provider-google/blob/main/google/resource_compute_ha_vpn_gateway.go seems that there is no Update method, that could explain why we have trouble here no ?

[komalkanth]

What a co-incidence that we're seeing this with Terraform version 0.13.7 just from today itself? Is this possibly because of some changes to Google API?

[edwardmedia]

@Maarc-D I have tested on below config, and couldn't repro the issue. Could you provide the steps to repro? And share your debug log?

resource "google_compute_ha_vpn_gateway" "ha_gateway1" {
  region   = "us-central1"
  name     = "issue14264"
  network  = google_compute_network.network1.id
  stack_type = "IPV4_IPV6"
}

resource "google_compute_network" "network1" {
  name                    = "issue14264"
  auto_create_subnetworks = false
}

resource "google_compute_ha_vpn_gateway" "ha_gateway2" {
  region   = "us-central1"
  name     = "issue14264-2"
  network  = google_compute_network.network1.id
  stack_type = "IPV4_ONLY"
}

[komalkanth]

@edwardmedia I can't confirm it's the exact issue we're seeing but all the symptoms are there. In our case the VPNs are deployed with 0.12.24 and the plan shows all the VPNs and the gateways being replaced when trying with 0.13.7

[edwardmedia]

I do see stack_type was introduced by #14141 in v4.61.0.

Somehow different versions of terraform treat Optional, ForceNew and Default differently?

Another stack_type issue: #14203

[komalkanth]

I can confirm that I don't see the gateways and VPNs being replaced if I hard code my provider version to before v4.61.0.

[trodge]

This resource does not have an update method in the API, so any changes require recreating the resource. Specifying a field that was previously unspecified is a change from Terraform's perspective.

[rileykarson]

@trodge: This may be the same issue as #14203, sometimes APIs return nothing (i.e. null) for resources created before an arbitrary date. This happens when services don't backfill new fields they introduce. default_if_empty or the approach taken there are appropriate if that's the case.

[tgoodsell-tempus]

Can confirm we had the same issue as #14203, where this new value was seen as a net new by Terraform and wanted to recreate:

  # module.gcp_vpn_gateway_office["us-central1"].google_compute_ha_vpn_gateway.ha_gateway must be replaced
-/+ resource "google_compute_ha_vpn_gateway" "ha_gateway" {
      ~ id         = "projects/redacted/regions/us-central1/vpnGateways/zro-psa-vpn-for-office-usce1" -> (known after apply)
        name       = "zro-psa-vpn-for-office-usce1"
      ~ network    = "https://www.googleapis.com/compute/v1/projects/redacted/global/networks/inf-m-zro-env-network" -> "inf-m-zro-env-network"
      ~ self_link  = "https://www.googleapis.com/compute/v1/projects/redacted/regions/us-central1/vpnGateways/zro-psa-vpn-for-office-usce1" -> (known after apply)
      + stack_type = "IPV4_ONLY" # forces replacement
        # (2 unchanged attributes hidden)

      ~ vpn_interfaces {
          ~ id                      = 0 -> (known after apply)
          + interconnect_attachment = (known after apply)
          ~ ip_address              = "redacted" -> (known after apply)
        }
      - vpn_interfaces {
          - id         = 1 -> null
          - ip_address = "redacted" -> null
        }
    }

[rileykarson]

@trodge we may want to cherrypick this one to Monday's release, it's a perma-destroy: https://github.com/hashicorp/terraform-provider-google/wiki/Release-Process#when-to-cherry-pick

[cschroer]

@rileykarson / @trodge is there any reason this was not included in yesterdays 4.62 release?

We are using this resource a lot, and we currently need to nail our provider version to <=4.60 to prevent a lot of infrastructure recreation.

[rileykarson]

None I'm aware of. FYI @trodge, also FYI @SarahFrench as current BOD (we made https://github.com/hashicorp/terraform-provider-google/releases/tag/v4.60.1 based on a similar issue)

[SarahFrench]

This has been released in :
https://github.com/hashicorp/terraform-provider-google/releases/tag/v4.62.1
https://github.com/hashicorp/terraform-provider-google-beta/releases/tag/v4.62.1

[cschroer]

Thanks a lot! :)

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.