Allow dnssec_config update for google_dns_managed_zone

[lawliet89]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.19
+ provider.google v3.4.0

Affected Resource(s)

• google_dns_managed_zone

Expected Behavior

Updating dnssec_config should not force replacement.

Actual Behavior

The existing managed zone must be destroyed before the dnssec_config can be updated.

  # google_dns_managed_zone.example must be replaced
-/+ resource "google_dns_managed_zone" "example" {
        description  = "Company Domain name"
        dns_name     = "example.com."
      ~ id           = "example-com" -> (known after apply)
      - labels       = {} -> null
        name         = "example-com"
      ~ name_servers = [
          - "ns-cloud-a1.googledomains.com.",
          - "ns-cloud-a2.googledomains.com.",
          - "ns-cloud-a3.googledomains.com.",
          - "ns-cloud-a4.googledomains.com.",
        ] -> (known after apply)
        project      = "example"
        visibility   = "public"

      + dnssec_config { # forces replacement
          + kind          = "dns#managedZoneDnsSecConfig" # forces replacement
          + non_existence = "nsec3" # forces replacement
          + state         = "on" # forces replacement

          + default_key_specs { # forces replacement
              + algorithm  = "ecdsap256sha256" # forces replacement
              + key_length = 256 # forces replacement
              + key_type   = "keySigning" # forces replacement
              + kind       = "dns#dnsKeySpec" # forces replacement
            }
          + default_key_specs { # forces replacement
              + algorithm  = "ecdsap256sha256" # forces replacement
              + key_length = 256 # forces replacement
              + key_type   = "zoneSigning" # forces replacement
              + kind       = "dns#dnsKeySpec" # forces replacement
            }
        }

      - timeouts {}
    }

References

GCP docs (https://cloud.google.com/dns/docs/dnssec-config#enabling) mentions that DNSSEC can be updated for existing zones.

In fact, I managed to enable DNSSEC for my existing zones using gcloud.

[edwardmedia]

@lawliet89 Can you post your configuration here? Thanks

[lawliet89]

This is the diff in the configuration that caused the issue.

resource "google_dns_managed_zone" "example" {
   name        = var.name
   dns_name    = var.dns_name
   description = "Example Domain name"
+  project     = var.project_id
+
+  dnssec_config {
+    # on, off, transfer
+    state = "on"
+
+    # nsec, nsec3
+    non_existence = "nsec3"
+
+    default_key_specs {
+      algorithm  = "ecdsap256sha256"
+      key_length = 256
+      key_type   = "keySigning"
+    }
+
+    default_key_specs {
+      algorithm  = "ecdsap256sha256"
+      key_length = 256
+      key_type   = "zoneSigning"
+    }
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }

[edwardmedia]

I do see below plan if I want to flip the dnssec between on and off

Plan: 1 to add, 0 to change, 1 to destroy.

[lawliet89]

For reference, the entire dnsssec_config attribute has ForceNew: true. cf. https://github.com/terraform-providers/terraform-provider-google/blob/e47132abd91fd0410dbc8b4b55fef833ea302657/google/resource_dns_managed_zone.go#L70

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!