
Resource google_compute_target_https_proxy fails to provision with certificate_manager_certificates attribute #17176

Open
adamstrawson opened this issue Feb 5, 2024 · 14 comments

adamstrawson commented Feb 5, 2024


Terraform Version

1.7.2.

Affected Resource(s)

google_compute_target_https_proxy

Terraform Configuration

resource "google_certificate_manager_dns_authorization" "default" {
  name     = "example-com"
  domain   = "example.com"
}

resource "google_certificate_manager_certificate" "default" {
  name     = "example-com"
  scope    = "EDGE_CACHE"
  managed {
    domains = [
      google_certificate_manager_dns_authorization.default.domain,
    ]
    dns_authorizations = [
      google_certificate_manager_dns_authorization.default.id,
    ]
  }
}

resource "google_compute_target_https_proxy" "default" {
  name                             = "https-proxy"
  url_map                          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [google_certificate_manager_certificate.default.id]
}

Debug Output

No response

Expected Behavior

The target proxy is created, with the example.com certificate.

Actual Behavior

The creation of google_compute_target_https_proxy fails as the use of managed cloud certificates isn't supported.

google_compute_target_https_proxy.default: Creating...
╷
│ Error: Error creating TargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_target_https_proxy.default,
│   on loadbalancer.tf line 55, in resource "google_compute_target_https_proxy" "default":
│   55: resource "google_compute_target_https_proxy" "default" {

Steps to reproduce

  1. terraform apply

Important Factoids

Using google provider version 5.14.0

References

The above terraform configuration is based on the documented example in the provider documentation: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

b/324044382

@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-l7-load-balancer labels Feb 5, 2024
@edwardmedia edwardmedia self-assigned this Feb 5, 2024
edwardmedia (Contributor) commented:

@adamstrawson I noticed the error below, which comes from the API. Where did you see that it is supported? Can you share the full debug log that contains the requests and responses to the API?

Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid

adamstrawson (Author) commented:

Hi @edwardmedia, support for Certificate Manager is shown in the Google provider documentation, which lists examples of its use. See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy#example-usage---target-https-proxy-certificate-manager-certificate

From a load balancer perspective, it's also shown here: https://cloud.google.com/load-balancing/docs/ssl-certificates#certificate-summary
Note that under "Global external Application Load Balancer", Certificate Manager is listed as supported for both self-managed and Google-managed.

I'll need to do a small POC to be able to supply debug logs, as these resources are part of a larger module, but I'll get that put together shortly.

edwardmedia (Contributor) commented:

@adamstrawson thanks for the info, and preparing the logs. Waiting for that.


adamstrawson commented Feb 5, 2024

Okay, from a bit further digging, this does appear to be an API issue, rather than terraform.

I can recreate the same issue via gcloud, following this documentation https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth.

Do you know the best way to raise API issues, or should I go through our TAM?

edwardmedia (Contributor) commented:

It is mentioned in the doc that the formats below are accepted.

Accepted formats are:

  • //certificatemanager.googleapis.com/projects/{project}/locations/{location}/certificates/{resourceName}
  • or just the self_link projects/{project}/locations/{location}/certificates/{resourceName}

From the error below, it seems the format does match what it asks for. Forwarding the issue to the service team to take a look at what's behind it.

Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/{project}/locations/global/certificates/{resource}. Cloud certificate reference is not supported for TargetHttpsProxy creation

@edwardmedia edwardmedia removed the forward/review In review; remove label to forward label Feb 5, 2024
@edwardmedia edwardmedia removed their assignment Feb 5, 2024

adamstrawson commented Feb 5, 2024

Yeah, I tried both formats as per the docs; both give the same error.

google_certificate_manager_certificate.default.id is the same as projects/{project}/locations/{location}/certificates/{resourceName}.

resource "google_compute_target_https_proxy" "default" {
  name                             = "https-proxy"
  url_map                          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = [google_certificate_manager_certificate.default.id]
}

and I tried

resource "google_compute_target_https_proxy" "default" {
  name                             = "https-proxy"
  url_map                          = google_compute_url_map.default.id # Not included in example
  certificate_manager_certificates = ["//certificatemanager.googleapis.com/${google_certificate_manager_certificate.default.id}"]
}

My theory above that it's an API issue rather than a Terraform provider issue is because gcloud gives the same error, despite this being a documented step in the guide for this specific use case (Ref: https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#att-cert-target-proxy)

gcloud compute target-https-proxies create foobar \
    --url-map=<snip> \
    --global \
    --certificate-manager-certificates=<snip>
ERROR: (gcloud.compute.target-https-proxies.create) Could not fetch resource:
 - Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/<snip>/locations/global/certificates/<snip>'. Cloud certificate reference is not supported for TargetHttpsProxy creation.


adamstrawson commented Feb 6, 2024

After some further digging, and chatting with GCP support, the recommended(?) way is to use Certificate Maps instead:

resource "google_compute_target_https_proxy" "default" {
  name            = "https-proxy"
  url_map         = google_compute_url_map.default.id
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.default.id}"
}

It would be great to get confirmation whether that's the case, and whether the attribute certificate_manager_certificates should be removed in favour of certificate_map, or whether there is a downstream API error and it should be possible to use certificate_manager_certificates.

In the meantime, I'm unblocked as I can use certificate_map instead for now.
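The certificate_map route above needs a map and at least one map entry in addition to the proxy. The following is an added example, not code from the reporter or from the provider documentation, assuming the google_certificate_manager_certificate.default and google_compute_url_map.default resources from the original report already exist; the map and entry names are illustrative.

```hcl
# Added example: attach a Certificate Manager certificate to a global
# target HTTPS proxy through a certificate map (the workaround used in
# this thread). Assumes google_certificate_manager_certificate.default
# and google_compute_url_map.default from the original report exist.

resource "google_certificate_manager_certificate_map" "default" {
  name        = "example-com-map"
  description = "Certificate map for the global HTTPS proxy"
}

# A map entry binds certificates to a hostname. The PRIMARY matcher marks
# the entry served when no hostname entry matches the client's SNI.
resource "google_certificate_manager_certificate_map_entry" "primary" {
  name         = "example-com-primary"
  map          = google_certificate_manager_certificate_map.default.name
  certificates = [google_certificate_manager_certificate.default.id]
  matcher      = "PRIMARY"
}

# An explicit hostname entry for example.com, selected by SNI.
resource "google_certificate_manager_certificate_map_entry" "example_com" {
  name         = "example-com-hostname"
  map          = google_certificate_manager_certificate_map.default.name
  certificates = [google_certificate_manager_certificate.default.id]
  hostname     = "example.com"
}

# The proxy references the map, not the certificate, using the
# //certificatemanager.googleapis.com/ prefix shown in the thread.
resource "google_compute_target_https_proxy" "default" {
  name            = "https-proxy"
  url_map         = google_compute_url_map.default.id
  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.default.id}"

  # Make sure the entries exist before the proxy starts serving from the map,
  # otherwise the first TLS handshakes have no certificate to present.
  depends_on = [
    google_certificate_manager_certificate_map_entry.primary,
    google_certificate_manager_certificate_map_entry.example_com,
  ]
}
```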

Daniel-I-Am commented:
This issue also affects the google_compute_region_target_https_proxy, which does not have a similar workaround unfortunately as it does not support the use of a certificate_map. Any resolution is greatly appreciated.

pawelJas commented:
Without full configuration it is hard to do a proper analysis. At this point certificate_manager_certificates are not supported by Global External Application Load Balancer. certificate_map only works with Global External Application Load Balancer so I can guess that your configuration is not supported yet. google_compute_region_target_https_proxy should not have the same problem as all regional products support certificate_manager_certificates.

Daniel-I-Am commented May 15, 2024

When I posted my message I had assumed the information above would be sufficient. Here's all the information I would have posted if I had opened this as a new report, in case it helps. This is quite similar to some things above, but for google_compute_region_target_https_proxy and the associated regional resources instead of the global ones.

The documentation mentions certificate_manager_certificates can be configured, but doing so according to the documentation leads to failures from the API.

The documentation mentions two formats being accepted. I attempted both.


Terraform output (full URI format)
Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
Terraform output (self_link format)
Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': 'https://certificatemanager.googleapis.com/v1/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
Terraform configuration
resource "google_compute_region_url_map" "cloud_run_internal_url_map_west1" {
  name   = "cloud-run-internal-west1"
  region = var.region_west1

  default_url_redirect {
    https_redirect         = true
    host_redirect          = "www.example.com"
    path_redirect          = "/"
    strip_query            = true
    redirect_response_code = "FOUND"
  }
}

resource "google_certificate_manager_dns_authorization" "internal_load_balancer_domain_west1" {
  name        = "internal-load-balancer-dns-auth-${var.environment}-west1"
  location    = var.region_west1
  description = "The internal load-balancer dns auth (${var.region_west1})"
  domain      = "<my-domain>"

  depends_on = [google_project_service.certificatemanager]
}

resource "google_certificate_manager_certificate" "wildcard_internal_load_balancer_domain_west1" {
  name        = "wildcard-internal-load-balancer-${var.environment}-west1"
  location    = var.region_west1
  description = "The wildcard cert for *.<my-domain> (${var.region_west1})"

  managed {
    domains = [
      "<my-domain>",
      "*.<my-domain>"
    ]

    dns_authorizations = [
      google_certificate_manager_dns_authorization.internal_load_balancer_domain_west1.id
    ]
  }
}

resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
  name    = "cloud-run-internal-https-proxy-ccm-west1-new"
  region  = var.region_west1
  url_map = google_compute_region_url_map.cloud_run_internal_url_map_west1.id

  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id}",
    # Or use the self_link format (which matches the id attribute)
    #google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id,
  ]
}
Relevant debug output
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1 will be created
  + resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
      + certificate_manager_certificates = [
          + "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1",
        ]
      + creation_timestamp               = (known after apply)
      + id                               = (known after apply)
      + name                             = "cloud-run-internal-https-proxy-ccm-west1-new"
      + project                          = "<my-project>"
      + proxy_id                         = (known after apply)
      + region                           = "europe-west1"
      + self_link                        = (known after apply)
      + url_map                          = "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
2024-05-15T11:40:55.999+0200 [DEBUG] command: asking for input: "\nDo you want to perform these actions?"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

[CUT irrelevant ProviderTransformer/ReferenceTransformer/pruneUnusedNodes log lines]
google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: Creating...
2024-05-15T11:41:00.428+0200 [INFO]  Starting apply for google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1
2024-05-15T11:41:00.431+0200 [DEBUG] google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1: applying the planned Create change
2024-05-15T11:41:00.432+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] converting the field CertificateManagerCertificates to sslCertificates before sending the request
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Creating new RegionTargetHttpsProxy: map[string]interface {}{"name":"cloud-run-internal-https-proxy-ccm-west1-new", "region":"projects/<my-project>/global/regions/europe-west1", "sslCertificates":[]interface {}{"//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1"}, "urlMap":"projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"}
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Waiting for state to become: [success]
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: starting RoundTrip retry loop
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Retry Transport: request attempt 0
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:00 [DEBUG] Google API Request Details:
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ REQUEST ]---------------------------------------
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: POST /compute/v1/projects/<my-project>/regions/europe-west1/targetHttpsProxies?alt=json HTTP/1.1
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Host: compute.googleapis.com
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: User-Agent: Terraform/1.7.5 (+https://www.terraform.io) Terraform-Plugin-SDK/2.31.0 terraform-provider-google/5.21.0
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Length: 374
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Goog-User-Project: <my-project>
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Accept-Encoding: gzip
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "name": "cloud-run-internal-https-proxy-ccm-west1-new",
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "region": "projects/<my-project>/global/regions/europe-west1",
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "sslCertificates": [
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1"
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  ],
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:  "urlMap": "projects/<my-project>/regions/europe-west1/urlMaps/cloud-run-internal-west1"
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:00.433+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: -----------------------------------------------------
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Google API Response Details:
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: ---[ RESPONSE ]--------------------------------------
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: HTTP/2.0 400 Bad Request
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0
2024-05-15T11:41:01.084+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "error": {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "code": 400,
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "errors": [
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "domain": "global",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "reason": "invalid"
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     ]
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: -----------------------------------------------------
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 400 with body: HTTP/2.0 400 Bad Request
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Cache-Control: private
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Content-Type: application/json; charset=UTF-8
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Date: Wed, 15 May 2024 09:41:01 GMT
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Server: ESF
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Origin
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: X-Origin
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: Vary: Referer
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Content-Type-Options: nosniff
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Frame-Options: SAMEORIGIN
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: X-Xss-Protection: 0
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   "error": {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "code": 400,
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     "errors": [
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       {
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "message": "Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation.",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "domain": "global",
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:         "reason": "invalid"
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:       }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:     ]
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5:   }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: }
2024-05-15T11:41:01.085+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] Retry Transport: Returning after 1 attempts
2024-05-15T11:41:01.085+0200 [ERROR] provider.terraform-provider-google_v5.21.0_x5: Response contains error diagnostic: tf_proto_version=5.4 tf_req_id=dcd22c46-a487-a1ec-e8a1-8f8b7f511edc diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid" tf_provider_addr=registry.terraform.io/hashicorp/google tf_resource_type=google_compute_region_target_https_proxy tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/diag/diagnostics.go:62 @module=sdk.proto timestamp="2024-05-15T11:41:01.085+0200"
2024-05-15T11:41:01.118+0200 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-05-15T11:41:01.118+0200 [ERROR] vertex "google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1" error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
╷
│ Error: Error creating RegionTargetHttpsProxy: googleapi: Error 400: Invalid value for field 'resource.sslCertificates[0]': '//certificatemanager.googleapis.com/projects/<my-project>/locations/europe-west1/certificates/wildcard-internal-load-balancer-dev-west1'. Cloud certificate reference is not supported for TargetHttpsProxy creation., invalid
│
│   with google_compute_region_target_https_proxy.cloud_run_internal_proxy_ccm_west1,
│   on ilb.tf line 35, in resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1":
│   35: resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
│
╵
2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] Closing: Server.Stop called
2024-05-15T11:41:01.134+0200 [DEBUG] provider.terraform-provider-google_v5.21.0_x5: 2024/05/15 11:41:01 [DEBUG] [transport] [server-transport 0xc0012761a0] loopyWriter exiting with error: transport closed by client
2024-05-15T11:41:01.134+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google/5.21.0/linux_amd64/terraform-provider-google_v5.21.0_x5 pid=108696
2024-05-15T11:41:01.136+0200 [DEBUG] provider: plugin exited

pawelJas commented May 15, 2024

@Daniel-I-Am I agree that the documentation is not clear about the support.
At the moment, certificate_manager_certificates are not supported for:

  • Global UrlMaps with External, External_Managed or Internal_Self_Managed BackendServices
  • Global UrlMaps with BackendBuckets (as those are External or External_Managed only)
  • Any UrlMaps which have no BackendServices.

The last one is a bug/feature gap which should be fixed this year by allowing LoadBalancingScheme to be set in the UrlMap (optional field). For now, the workaround is to add a dummy BackendService in a dummy PathMatcher in the UrlMap. The BackendService does not need to have any Backends; it just needs to show the scheme.
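An added example, not code from the thread, of the workaround described above applied to Daniel-I-Am's regional configuration: a regional backend service with no backends, reachable only through a path matcher for a host no client will send, so the URL map carries a load balancing scheme. The INTERNAL_MANAGED scheme, the health check and the dummy host name are assumptions; the variables and the certificate resource are the ones from the report.

```hcl
# Added example: the regional URL map from the report, plus a dummy backend
# service (no backends) so the URL map carries a load balancing scheme.
# Assumes an internal regional Application Load Balancer (INTERNAL_MANAGED);
# the health check exists only because the backend service needs one.

resource "google_compute_region_health_check" "scheme_marker" {
  name   = "scheme-marker-${var.environment}-west1"
  region = var.region_west1

  tcp_health_check {
    port = 80
  }
}

# No backend {} blocks: this service never receives traffic, it only makes
# the scheme of the URL map explicit to the API.
resource "google_compute_region_backend_service" "scheme_marker" {
  name                  = "scheme-marker-${var.environment}-west1"
  region                = var.region_west1
  protocol              = "HTTP"
  load_balancing_scheme = "INTERNAL_MANAGED"
  health_checks         = [google_compute_region_health_check.scheme_marker.id]
}

resource "google_compute_region_url_map" "cloud_run_internal_url_map_west1" {
  name   = "cloud-run-internal-west1"
  region = var.region_west1

  # Real requests are still redirected, exactly as in the original config.
  default_url_redirect {
    https_redirect         = true
    host_redirect          = "www.example.com"
    path_redirect          = "/"
    strip_query            = true
    redirect_response_code = "FOUND"
  }

  # A host under the reserved .invalid TLD, so the dummy matcher can never
  # be selected by a legitimate request.
  host_rule {
    hosts        = ["scheme-marker.invalid"]
    path_matcher = "scheme-marker"
  }

  path_matcher {
    name            = "scheme-marker"
    default_service = google_compute_region_backend_service.scheme_marker.id
  }
}

# With the scheme now visible on the URL map, the proxy can reference the
# Certificate Manager certificate directly.
resource "google_compute_region_target_https_proxy" "cloud_run_internal_proxy_ccm_west1" {
  name    = "cloud-run-internal-https-proxy-ccm-west1-new"
  region  = var.region_west1
  url_map = google_compute_region_url_map.cloud_run_internal_url_map_west1.id

  certificate_manager_certificates = [
    "//certificatemanager.googleapis.com/${google_certificate_manager_certificate.wildcard_internal_load_balancer_domain_west1.id}",
  ]
}
```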

Daniel-I-Am commented:
Oh wow. Now I understand the things I was seeing. I have been able to roll it out once for one load balancer, but not any other. The difference being that the one where it succeeded did have backend services configured and others did not, as they were set up quickly for testing with just a default redirect (I did not realize that this could even cause this oddity). I had opened a ticket with Google Cloud support, but they were unable to tell me what was happening.

Thanks for the explanation, clears up a lot for me :)

This does unblock me for the time being, but still leaves the same questions open for this issue.

bahag-klickst commented:
@adamstrawson
Thanks for bringing up this issue.

@Daniel-I-Am
Thanks for contributing with your terraform output and configuration

@pawelJas
Thanks for pointing out the unsupported configurations as of now.
As I was stumbling across one of these unsupported combinations yesterday and then decided to go with a certificate map (as pointed out by @adamstrawson), I found that the combination works Terraform- and GCP-wise, but unfortunately the GCP UI does not show the certificate properly afterwards when viewing the details of the global load balancer set up via Terraform.
Are there any plans on the roadmap to either allow certificate_manager_certificates for global load balancers, or to fix the UI not showing the certificate properly?

Thanks to all of you and best regards,
Tim.

pawelJas commented Jun 3, 2024

Hi @bahag-klickst,

I have reached out to the UI team and confirmed that certificate_map is not supported there yet. It is possible to view the certificate_map in the TargetHttpsProxy or TargetSslProxy detailed view, but not in the Global Load Balancer view.
They are starting to work on that and say it should be launched by the end of the year.

Work on certificate_manager_certificates for the Global External Load Balancer should also start soon, but might take more time. It will probably be ready some time in 2025.
