fastly_service_vcl.logging_bigquery always shows change

[LevOlkha]

Terraform Version

Terraform v1.6.6
on darwin_amd64
+ provider registry.terraform.io/fastly/fastly v5.6.0
+ provider registry.terraform.io/hashicorp/google v5.1.0
+ provider registry.terraform.io/hashicorp/google-beta v5.10.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/random v3.6.0

Affected Fastly Terraform Resource(s)

Please list the affected resources, for example:

• fastly_service_vcl

Terraform Configuration Files

# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/fastly/fastly" {
  version     = "5.6.0"
  constraints = "5.6.0"
  hashes = [
    "h1:Bs/2HwqaC3ws6tIRk3KfYAWKU54GvGbXlQk4RJpjUn0=",
    "zh:056f4df5d358bc387df629804c3d8508af53e88e52c2e444ee40f27bcfc58c78",
    "zh:0789add78a9a8964a76cda093602cefc2853f640d0f7c67cf6a209b63f5dd582",
    "zh:2e26ddd68532562b51c389a7a36331bd6828eae9ddee3ea9782e9e6f6368b725",
    "zh:36c3cc88ca6930b825b5057905daa836ff5c315dce5a0ea4cedb4c57a3002d69",
    "zh:3a47a5497a45a06cfd214a703422a585040788a82251cbc21d0fb4732770c31b",
    "zh:3adc87bd992455e013f8c79aad8cd4a75bde48037a6044ba0ad2e1247796b95c",
    "zh:5fc2c843caecead98bcf0aae5930257e684c4d3aa20e8c8fa1a2d17bb80747b0",
    "zh:69d9b863ed691bafca7e38547a6d37ca12759a28f948186152e433bd804dc2b8",
    "zh:7b3bfbbf70d9a72823dbda25839c3ccead87bd623bde1a1f489c2fb57a450428",
    "zh:933388918761730b3ad058f81e54ae486d6701fce0ae19867fd3149d49e9da9e",
    "zh:a9b48f0602bba8924befd1cc22fee8d2ad809bb40c847614187eb82b4543f837",
    "zh:b45d56528709ba429641eb18a07134ea286158148cdfa7a6afccdbc95a008391",
    "zh:d11d72ea5c05c66f3e9659a0e38d51caf850cd1d0a3821921682fd9224bc4276",
    "zh:e578dd1d29f8b14e545319ec09856cca0008f9e5a272de791fc5ea8f363e6078",
  ]
}

provider "registry.terraform.io/hashicorp/google" {
  version     = "5.1.0"
  constraints = "5.1.0"
  hashes = [
    "h1:76HT6nyFNWu7v1+VSIRwrs45hH7z8iZR23W8jon5K+Q=",
    "h1:sWFV9Doy66DZYiyeFPGy3UWG5Zwqaw0aSDoIkrm8A/M=",
    "zh:01f24868bba2292a097cb7d754b41a660050475235c07ceddeceaa8f2a19f6d8",
    "zh:184182ec28d6aec21531001092e276f1ea1b1b6ad2bba7e632bc56c5d6f2ec77",
    "zh:2fb6762046649acb625bb7c8e9955eaca2e64ecebd1313c5e843c957ddfa9d2f",
    "zh:38178391ae9444c1c6b77489d6afcbf4ec30be733ae4d88b94b1c1d800ae706a",
    "zh:49d2c57cd6c82336ddebe8ecb7ee0d6882b276b7ba32c62d82828c4530088c22",
    "zh:73eecd0d8dc45b5c3ebb3adce16761c84c7048f7fa70088ad7ac30641381edd9",
    "zh:81bd96748be1a4abac25fb6ae93cd6b84a10ed4b03435405df7ccbc38a1e8053",
    "zh:882ac45a7a3e1cce1eabef5be28d66c2eed9fc881a81c9dcc66b863a1e0d829c",
    "zh:9141b04c8bdf079f0e82b750ab090a7ab20a56975906b7fae76434ea5cc71b5f",
    "zh:9369ed15e686807422b30958bf84860d9b4f112aee0173a1e6367f056f8e4c97",
    "zh:e83e5ede7f74206a13310d29d4b6599e9ed54fa4b86427d15332de10630848dc",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
  ]
}

provider "registry.terraform.io/hashicorp/google-beta" {
  version = "5.10.0"
  hashes = [
    "h1:FbQG6/zQoZsAmErPjaDsu6snwopIKc9LqrLipyxgiPk=",
    "h1:SaobVU0390V8hPtNVvnJrAXfm+ZIZRVJB6m6VFjAnkQ=",
    "zh:1004ac3733679254abcc7f5e9d594d9ee079cf071391a92f82b50077e07c70b5",
    "zh:1e25af33d20b6ab369860d5b7c746b4a3b3dccc061b14dde91b6ccccfe704cc4",
    "zh:2873a614a1dc1c460246edc95a558ad9befedf93490a0204bee8fb95362813cc",
    "zh:2f421e13247b3822ef3c2e07e1aee948116a5064c386466a53fb72486daded20",
    "zh:517c13cd146d3451789da8f13cbfa5355c3e88456cf762ad3918dada84a5f261",
    "zh:56553ae44f4089f5149551714daaf3c97205d4638dd93b0675ed777476d56048",
    "zh:6925a07bcb9ab70faa84bf36f87990025e3f9cd6c8cfab5260877f60086c8161",
    "zh:72454b65ee4a24896d215f7f7af41e31336865c86d6c20ea4acb63596e75ac0d",
    "zh:8b05f8a6ff51999bf65e3127618931647a00bc9abf739f0711151e4145cae3d5",
    "zh:a3b7d3b39740088174d121bc7e4e3ce27da0ebf0c87877f8fce9277b0046c75b",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
    "zh:fe2af4fcda1b45d73ef8b8c728c150e00d1a4d5c0323b30d7d43c6f24ed78bcb",
  ]
}

provider "registry.terraform.io/hashicorp/kubernetes" {
  version     = "2.23.0"
  constraints = "2.23.0"
  hashes = [
    "h1:arTzD0XG/DswGCAx9JEttkSKe9RyyFW9W7UWcXF13dU=",
    "h1:cMs2scNCSgQhGamomGT5Ag4i8ms/mql1AR7NJc2hmbA=",
    "zh:10488a12525ed674359585f83e3ee5e74818b5c98e033798351678b21b2f7d89",
    "zh:1102ba5ca1a595f880e67102bbf999cc8b60203272a078a5b1e896d173f3f34b",
    "zh:1347cf958ed3f3f80b3c7b3e23ddda3d6c6573a81847a8ee92b7df231c238bf6",
    "zh:2cb18e9f5156bc1b1ee6bc580a709f7c2737d142722948f4a6c3c8efe757fa8d",
    "zh:5506aa6f28dcca2a265ccf8e34478b5ec2cb43b867fe6d93b0158f01590fdadd",
    "zh:6217a20686b631b1dcb448ee4bc795747ebc61b56fbe97a1ad51f375ebb0d996",
    "zh:8accf916c00579c22806cb771e8909b349ffb7eb29d9c5468d0a3f3166c7a84a",
    "zh:9379b0b54a0fa030b19c7b9356708ec8489e194c3b5e978df2d31368563308e5",
    "zh:aa99c580890691036c2931841e88e7ee80d59ae52289c8c2c28ea0ac23e31520",
    "zh:c57376d169875990ac68664d227fb69cd0037b92d0eba6921d757c3fd1879080",
    "zh:e6068e3f94f6943b5586557b73f109debe19d1a75ca9273a681d22d1ce066579",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
  ]
}

provider "registry.terraform.io/hashicorp/local" {
  version     = "2.4.0"
  constraints = "2.4.0"
  hashes = [
    "h1:Bs7LAkV/iQTLv72j+cTMrvx2U3KyXrcVHaGbdns1NcE=",
    "h1:ZUEYUmm2t4vxwzxy1BvN1wL6SDWrDxfH7pxtzX8c6d0=",
    "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9",
    "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf",
    "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35",
    "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04",
    "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406",
    "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6",
    "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7",
    "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2",
    "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc",
    "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce",
  ]
}

provider "registry.terraform.io/hashicorp/random" {
  version = "3.6.0"
  hashes = [
    "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=",
    "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=",
    "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
    "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
    "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
    "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
    "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
    "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
    "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
    "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
    "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
    "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
  ]
}

Expected Behavior

when no change to configuration is made, no changes should be done for plan

Actual Behavior

logging_bigquery is always reporting change

Debug Output (optional)

2024-01-02T11:43:20.075-0800 [DEBUG] provider.terraform-provider-fastly_v5.6.0: Creating clone of version (614) for updates: timestamp=2024-01-02T11:43:20.075-0800
2024-01-02T11:43:20.831-0800 [DEBUG] provider.terraform-provider-fastly_v5.6.0: Sleeping 7 seconds to allow Fastly Version to be available: timestamp=2024-01-02T11:43:20.831-0800
2024-01-02T11:43:27.834-0800 [DEBUG] provider.terraform-provider-fastly_v5.6.0: Update BigQuery Opts: fastly.UpdateBigQueryInput{AccountName:(*string)(nil), Dataset:(*string)(nil), Format:(*string)(nil), FormatVersion:(*int)(nil), Name:"BigQuery", NewName:(*string)(nil), Placement:(*string)(nil), ProjectID:(*string)(nil), ResponseCondition:(*string)(nil), SecretKey:(*string)(0xc0005a1130), ServiceID:"", ServiceVersion:615, Table:(*string)(nil), Template:(*string)(nil), User:(*string)(nil)}: timestamp=2024-01-02T11:43:27.834-0800

Steps to Reproduce

1. terraform apply

Important Factoids (optional)

Is there anything atypical about your account or set up that we should know?

[Integralist]

👋🏻 Hi @LevOlkha

Can you provide (or some of) your Terraform configuration (i.e. your Fastly specific configuration such as your logging_bigquery block).

It would be useful to know what your state looks like for that particular resource block (e.g. terraform show or cat terraform.tfstate) so we can understand why the Terraform provider thinks there is something to change.

It looks like from the log output that it's trying to update the logging resource block. Could you try running your terraform apply again with the following env vars prefixed (these will display the actually HTTP request/response for the Fastly API calls)...

TF_LOG=DEBUG FASTLY_DEBUG_MODE=true terraform apply

Thanks.

[LevOlkha]

@Integralist
I cannot post the whole outputs there since they contain sensitive information and keys.

I compared terraform.tfstate with debug logs.
It seems that difference is in the filed secret_key
In logging_bigquery it is defined as
secret_key = trimspace(chomp(data.google_secret_manager_secret_version.bigquery_service_key.secret_data))

in logs file we can see ( I redacted parts)

- .logging_bigquery: planned set element cty.ObjectVal(map[string]cty.Value{"account_name":cty.StringVal(""), <***REDACTED***> "secret_key":cty.StringVal("-----BEGIN PRIVATE KEY-----\\n<***REDACTED***>
) does not correlate with any element in actual

and in terraform.tfstate

            "logging_bigquery": [
              {
                "account_name": "",
<***REDACTED***>
"secret_key": "-----BEGIN PRIVATE KEY-----\n

all \n in secret_key field in state file are \\n in the log file

and terraform plan shows

      - logging_bigquery {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + logging_bigquery {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }

what is interesting that if I create plan terraform show
it has the same values for secret_key as values from log file
"secret_key":"-----BEGIN PRIVATE KEY-----\\n

So it seems that values saved in state file are not the same as applied in plan

[JacobCoffee]

Just as a data point, fastly_service_vcl.logging_datadog in pythondotorg's patch to enable NGWAF, we noticed that there is ALWAYS a change for this even though nothing is ever changed.

python/pythondotorg@1795b1f#diff-c4edee4039d22cfe2fd0d1ef214e7eba022aa85b29dd5677f4485f60e5b7a668

Similarly, when recently trying to enable NGWAF for PyPI we had to upgrade the Fastly TF provider from v1 to v5.16.

https://github.com/pypi/infra/pull/172/files

We now see in our plans that it also always now shows changed for fastly_service_vcl.logging_https.

The only commonality here is the ugpraded Fastly provider, I think.
Nothing in either of these logging settings was touched

[kkopachev]

Same issue with logging_gcs.

I think I figured it out. API returns new line at the end on private key, while you're passing key with no new line at the end.
Solved in my case like this:

secret_key = "${trimspace(chomp(data.aws_secretsmanager_secret_version.current_gcp.secret_string))}\n"

[kkopachev]

I think I figured it out.

That was a red herring 🤦 , unfortunately.
I solved it, but another way.
In my case certificate content was coming from AWS Secrets Manager secret which was formatted with literal \n characters in the string, like this

-----BEGIN PRIVATE KEY-----\nMIIEvAIBAD...\n......3Q==\n-----END PRIVATE KEY-----

I changed it so instead of \n it is actually new lines in there:

-----BEGIN PRIVATE KEY-----
MIIEvAIBAD...
......3Q==
-----END PRIVATE KEY-----

and that helped after 1 apply