Data source google_dns_keys broken in > version 4.59

[YuriyKishchenko]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Affected Resource(s)

• data.google_dns_keys

Terraform Configuration Files

The following code that is copied from the documentation works with provider version <= 4.59, but fails with newer versions

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.61.0"
    }
  }
}

provider "google" {
}

resource "google_dns_managed_zone" "foo" {
  name     = "foobar"
  dns_name = "foo.bar."

  dnssec_config {
    state         = "on"
    non_existence = "nsec3"
  }
}

data "google_dns_keys" "foo_dns_keys" {
  managed_zone = google_dns_managed_zone.foo.id
}

output "foo_dns_ds_record" {
  description = "DS record of the foo subdomain."
  value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
}

Expected Behavior

Terraform plan on provider version 4.59.0 produces the output (expected):

  # data.google_dns_keys.foo_dns_keys will be read during apply
  # (config refers to values not yet known)
 <= data "google_dns_keys" "foo_dns_keys" {
      + id                = (known after apply)
      + key_signing_keys  = (known after apply)
      + managed_zone      = (known after apply)
      + project           = (known after apply)
      + zone_signing_keys = (known after apply)
    }

  # google_dns_managed_zone.foo will be created
  + resource "google_dns_managed_zone" "foo" {
      + creation_time   = (known after apply)
      + description     = "Managed by Terraform"
      + dns_name        = "foo.bar."
      + force_destroy   = false
      + id              = (known after apply)
      + managed_zone_id = (known after apply)
      + name            = "foobar"
      + name_servers    = (known after apply)
      + project         = (known after apply)
      + visibility      = "public"

      + cloud_logging_config {
          + enable_logging = (known after apply)
        }

      + dnssec_config {
          + kind          = "dns#managedZoneDnsSecConfig"
          + non_existence = "nsec3"
          + state         = "on"

          + default_key_specs {
              + algorithm  = (known after apply)
              + key_length = (known after apply)
              + key_type   = (known after apply)
              + kind       = (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + foo_dns_ds_record = (known after apply)

Actual Behavior

Terraform plan on provider version 4.61.0 produces the error:

╷
│ Error: Invalid index
│
│   on main.tf line 30, in output "foo_dns_ds_record":
│   30:   value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
│     ├────────────────
│     │ data.google_dns_keys.foo_dns_keys.key_signing_keys is empty list of object
│
│ The given key does not identify an element in this collection value: the collection has no elements.

Steps to Reproduce

1. terraform plan

[ayush-jain1]

+1 facing same issue, we pinned the provider to 4.59.0 to over come this

[johnhoran]

I haven't been able to pin down enough to post an issue, but it feels like 4.60 has issues populating data objects. I can no longer connect to a kubernetes cluster using

data "google_client_config" "default" {}
data "google_container_cluster" "gke_cluster" {
  name     = "blue-k8s"
  location = "us-central1"
}
provider "kubernetes" {
  host  = "https://${data.google_container_cluster.gke_cluster.endpoint}"
  token = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.gke_cluster.master_auth.0.cluster_ca_certificate
  )
}

And I also ran into issues populating a google_dns_managed_zone, terraform just tried to read those forever, but I didn't see anything retrying in the debug logs.

[edwardmedia]

Below are two plans for google_dns_keys from different versions. Two attributes are missing from v4.61.0.

from v4.59.0

 <= data "google_dns_keys" "foo_dns_keys" {
      + id                = (known after apply)
      + key_signing_keys  = (known after apply)
      + managed_zone      = (known after apply)
      + project           = (known after apply)
      + zone_signing_keys = (known after apply)
    }

v4.61.0

 <= data "google_dns_keys" "foo_dns_keys" {
      + id           = (known after apply)
      + managed_zone = (known after apply)
      + project      = (known after apply)
    }

[SarahFrench]

Hi all,

I've been looking into this and this is what I've found.

There's a problem with Computed blocks in providers that use the plugin framework (which we added in v4.60.0) and also use protocol 5 to communicate with Terraform core (we currently use protocol 5 to allow the provider to be muxed).

The solution to the problem in this issue is to re-work how the data source is written to avoid this problem. I've manually tested this and it solves the problem 🎉 and I'll open a PR soon

Useful links:

• Original issue in plugin framework issue
• Official documentation's guidance for this

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.