Terraform shows difference for gce-container-declaration after some time

[enricojonas]

When using the output metadata_value which the module produces, after some time terraform shows a difference.

It seems that the compute engine API internally modifies the metadata gce-container-declaration after some time.

My observations show that the following is happening:

• A banner is inserted on top

      # DISCLAIMER:
      # This container declaration format is not a public API and may change without
      # notice. Please use gcloud command-line tool or Google Cloud Console to run
      # Containers on Google Compute Engine.

• all quotes are removed from the declaration yaml.

That means, if you apply after some time again, those changes are shown in the plan.

Expected behavior

There should not be any changes shown if no changes have been done.

Observed behavior

Changes are shown after some time.

Terraform will perform the following actions:

  # module.xxx.google_compute_instance.xxxx will be updated in-place
  ~ resource "google_compute_instance" "xxxx" {
        id                        = "projects/xxx/zones/europe-west1-b/instances/xxx"
      ~ metadata                  = {
          ~ "gce-container-declaration" = <<-EOT
              - # DISCLAIMER:
              - # This container declaration format is not a public API and may change without
              - # notice. Please use gcloud command-line tool or Google Cloud Console to run
              - # Containers on Google Compute Engine.
              - 
              - spec:
              -   containers:
              -   - image: europe-west4-docker.pkg.dev/xxx/xxx/xxx
              -     securityContext:
              -       fs_group: 999
              -       run_as_user: 999
              -   restartPolicy: OnFailure
              + "spec":
              +   "containers":
              +   - "image": "europe-west4-docker.pkg.dev/xxx/xxx/xxx"
              +     "securityContext":
              +       "fs_group": 999
              +       "run_as_user": 999
              +   "restartPolicy": "OnFailure"
            EOT
            # (4 unchanged elements hidden)
        }
        name                      = "xxx"
        tags                      = [
            "xxx",
            "xxx",
            "xxx",
        ]
        # (23 unchanged attributes hidden)

        # (8 unchanged blocks hidden)
    }

Terraform Configuration

module "gce-container" {
  source  = "terraform-google-modules/container-vm/google"
  version = "3.2.0" # Upgrade the version if necessary.

  container = {
    image = "europe-west4-docker.pkg.dev/xxx/xxx/xxx"

    securityContext = {
      run_as_user : 999
      fs_group : 999
    }
...

resource "google_compute_instance" "xxx" {
...
...

  metadata = {
    # Required metadata key.
    gce-container-declaration = module.gce-container.metadata_value
    google-logging-enabled    = "true"
    google-monitoring-enabled = "true"
    enable-oslogin            = "true"
    block-project-ssh-keys    = "true"
  }
...

Terraform Version

Terraform v1.9.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v6.5.0

Additional information

Currently, I have implemented the following workaround. Maybe the module could make use of a similar workaround as yamlencode function is limited to wrap all keys and values in quotes.

locals {
  # Needed because google is inserting this after sometime automatically.
  metadata_missing_banner = <<-EOT
# DISCLAIMER:
# This container declaration format is not a public API and may change without
# notice. Please use gcloud command-line tool or Google Cloud Console to run
# Containers on Google Compute Engine.
EOT
}

  metadata = {
    # Required metadata key.
    gce-container-declaration = join("\n", [local.metadata_missing_banner, replace(module.gce-container.metadata_value, "\"", "")])

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[enricojonas]

It's still an issue.