Deletion of managed SOA record-sets fails on terraform destroy

[rtokarek-fastly]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.2.8
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.41.0

Affected Resource(s)

• google_dns_record_set
  type = "SOA"

Terraform Configuration Files

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "= 4.41"
    }
  }
}

resource "google_dns_managed_zone" "tfprovidergooglebug-com" {
  project    = var.project_id
  name       = "tfprovidergooglebug-com"
  dns_name   = "tfprovidergooglebug.com."
  visibility = "public"
}

resource "google_dns_record_set" "tfprovidergooglebug-soa" {
  project      = var.project_id
  managed_zone = "tfprovidergooglebug-com"
  name         = "tfprovidergooglebug.com."
  type         = "SOA"
  ttl          = "21600"
  rrdatas      = ["ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 120"]
}

Debug Output

terraform apply output is not applicable. That succeeds just fine. The trouble is terraform destroy. The debug output is uninteresting, but can be provided if somebody really wants.

Expected Behavior

Because the SOA record is fundamental to the zone, a destroy or delete operation should fake deletion – the same as for root-level NS records. The SOA gets deleted when the zone resource is deleted, but because we're managing the SOA record content, we run into a problem when destroying. Terraform wants to delete the managed SOA record before deleting the zone. The google cloud DNS apis properly deny deletion, but the underlying terraform go code shouldn't even try. It's not appropriate in this case.

Actual Behavior

google_dns_record_set.tfprovidergooglebug-soa: Destroying... [id=projects/<project_id>/managedZones/tfprovidergooglebug-com/rrsets/tfprovidergooglebug.com./SOA]
google_dns_managed_zone.tfprovidergooglebug-com: Destroying... [id=projects/<project_id>/managedZones/tfprovidergooglebug-com]
google_dns_managed_zone.tfprovidergooglebug-com: Destruction complete after 1s
╷
│ Error: Error when reading or editing google_dns_record_set: googleapi: Error 400: The resource record set 'entity.change.deletions[0]' is invalid because a zone must contain exactly one resource record set of type 'SOA' at the apex., invalidZoneApex
│ 
│ 

The problem is here:

terraform-provider-google/google/resource_dns_record_set.go

Lines 339 to 357 in 06ee238

	// NS records must always have a value, so we short-circuit delete
	// this allows terraform delete to work, but may have unexpected
	// side-effects when deleting just that record set.
	// Unfortunately, you can set NS records on subdomains, and those
	// CAN and MUST be deleted, so we need to retrieve the managed zone,
	// check if what we're looking at is a subdomain, and only not delete
	// if it's not actually a subdomain
	if d.Get("type").(string) == "NS" {
	mz, err := config.NewDnsClient(userAgent).ManagedZones.Get(project, zone).Do()
	if err != nil {
	return fmt.Errorf("Error retrieving managed zone %q from %q: %s", zone, project, err)
	}
	domain := mz.DnsName
	if domain == d.Get("name").(string) {
	log.Println("[DEBUG] NS records can't be deleted due to API restrictions, so they're being left in place. See https://www.terraform.io/docs/providers/google/r/dns_record_set.html for more information.")
	return nil
	}
	}

The simple solution is to add to the check for NS record type to also check for SOA if d.Get("type").(string) == "NS" || d.Get("type").(string) == "SOA" {

A PR that does this, updates the comment, and updates debug log is forthcoming.

Steps to Reproduce

1. Pick a project you have permissions to create a DNS zone resource in, and set a variable project_id to that.
2. create a .tf file with the config from above.
3. terraform init
4. terraform apply
5. terraform destroy

Observe the error on step 5.

[rtokarek-fastly]

A PR is here:

#12828

[rtokarek-fastly]

I closed #12828 as I believe this needs to be changed in the relevant MagicModules code here instead: https://github.com/GoogleCloudPlatform/magic-modules/blob/276f1c70094bafdf5c5d66e09330a4755f985776/mmv1/third_party/terraform/resources/resource_dns_record_set.go#L339-L357

[rtokarek-fastly]

PR GoogleCloudPlatform/magic-modules#6724 for GoogleCloudPlatform/magic-modules is up.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.