Google_compute_vpn_tunnel must be replaced

Terraform Version

Configuration

terraform {
   backend "gcs" {
      bucket = "xxxx_terraform_state"
      prefix = "global"
   }
}

provider "google" {
   project     = "xxxx"
   credentials = file("~/terraform.json")
   region      = "southamerica-east1"
   zone        = "southamerica-east1-a"
}

Resource

resource "google_compute_vpn_tunnel" "vpn_xx_tunnel" {
  name                            = "vpn-xx-tunnel"
  peer_ip                         = "xxx.xx.xx.xx"
  shared_secret                   = "****"
  target_vpn_gateway              = google_compute_vpn_gateway.vpn.self_link
  peer_external_gateway_interface = 0
  local_traffic_selector          = ["10.100.100.0/24"]
  remote_traffic_selector         = ["192.168.0.0/16"]
  vpn_gateway_interface           = 0
  ike_version                     = 2
  depends_on = [
    google_compute_forwarding_rule.vpn_rule_esp,
    google_compute_forwarding_rule.vpn_rule_udp500,
    google_compute_forwarding_rule.vpn_rule_udp4500
  ]
}

Imported with

$ terraform import google_compute_vpn_tunnel.vpn_xx_tunnel vpn-xx-tunnel

tfstate

{
  "version": 4,
  "terraform_version": "0.14.5",
  "serial": 48,
  "lineage": ".....",
  "outputs": {},
  "resources": [
//(attributes hidden)
{
      "mode": "managed",
      "type": "google_compute_vpn_tunnel",
      "name": "vpn_xx_tunnel",
      "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "creation_timestamp": "2019-06-25T11:32:00.128-07:00",
            "description": "",
            "detailed_status": "Tunnel is up and running.",
            "id": "projects/xxxx/regions/southamerica-east1/vpnTunnels/vpn-xx-tunnel",
            "ike_version": 2,
            "local_traffic_selector": [
              "10.100.100.0/24"
            ],
            "name": "vpn-xx-tunnel",
            "peer_external_gateway": "",
            "peer_external_gateway_interface": 0,
            "peer_gcp_gateway": "",
            "peer_ip": "xxx.xx.xx.xx",
            "project": "xxxx",
            "region": "southamerica-east1",
            "remote_traffic_selector": [
              "192.168.0.0/16"
            ],
            "router": "",
            "self_link": "https://www.googleapis.com/compute/v1/projects/xxxx/regions/southamerica-east1/vpnTunnels/vpn-xx-tunnel",
            "shared_secret": null,
            "shared_secret_hash": "AApx7t-WYtqhIS_aqtR6TxPpcT7L",
            "target_vpn_gateway": "https://www.googleapis.com/compute/v1/projects/xxxx/regions/southamerica-east1/targetVpnGateways/vpn-xx",
            "timeouts": {
              "create": null,
              "delete": null
            },
            "tunnel_id": "3663386056616564303",
            "vpn_gateway": "",
            "vpn_gateway_interface": 0
          },
          "sensitive_attributes": [],
          "private": "**************"
        }
      ]
    }
  ]
}

Output

Terraform will perform the following actions:

  # google_compute_vpn_tunnel.vpn_xx_tunnel must be replaced
-/+ resource "google_compute_vpn_tunnel" "vpn_xx_tunnel" {
      ~ creation_timestamp              = "2019-06-25T11:32:00.128-07:00" -> (known after apply)
      ~ detailed_status                 = "Tunnel is up and running." -> (known after apply)
      ~ id                              = "projects/xxxx/regions/southamerica-east1/vpnTunnels/vpn-xx-tunnel" -> (known after apply)
        name                            = "vpn-xx-tunnel"
      ~ project                         = "xxxx" -> (known after apply)
      ~ region                          = "southamerica-east1" -> (known after apply)
      ~ self_link                       = "https://www.googleapis.com/compute/v1/projects/xxxx/regions/southamerica-east1/vpnTunnels/vpn-xx-tunnel" -> (known after apply)
      + shared_secret                   = (sensitive value)
      ~ shared_secret_hash              = "AApx7t-WYtqhIS_aqtR6TxPpcT7L" -> (known after apply)
      ~ tunnel_id                       = "3663386056616569999" -> (known after apply)
        # (7 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Question

No attribute indicates the reason for the replacement.

How about the shared secret? Is it different compared to the deployment?

Please format your code within triple back-ticks. Thank You.

Thanks @tbugfinder,
No! The shared secret is the same. Look at the shared secret hash (adjusted).

Sorry! Code formatted.

After import, the terraform state doesn't include the shared_secret (+) attribute (could you confirm that?). After adding this to the code, the property changes, so the tunnel is replaced.
Does that make sense?

Yes! Exactly.
I manually edited default.tfstate, changed the shared_secret attribute, and that solved it.

Before:

"shared_secret": null

After:

"shared_secret": "xxxxxxxxx"

Result:

$ terraform plan
No changes. Infrastructure is up-to-date.
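A scripted version of the state edit from the last post, added here as an example that is not from the thread or from HashiCorp: it finds imported google_compute_vpn_tunnel instances whose state carries a null shared_secret (the attribute the plan above marks with `+`), fills the value in, and bumps the serial so `terraform state push` accepts the file as newer than the remote one. The state dict is a constructed, trimmed copy of the tfstate in the thread with a placeholder lineage; the secret value and the root-module-only address format are assumptions.

```python
import copy

# Constructed sample: trimmed copy of the thread's version-4 state right after
# `terraform import`, when the API did not return the pre-shared key.
PULLED_STATE = {
    "version": 4,
    "terraform_version": "0.14.5",
    "serial": 48,
    "lineage": "00000000-0000-0000-0000-000000000000",  # placeholder
    "outputs": {},
    "resources": [{
        "mode": "managed",
        "type": "google_compute_vpn_tunnel",
        "name": "vpn_xx_tunnel",
        "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
        "instances": [{
            "schema_version": 0,
            "attributes": {
                "name": "vpn-xx-tunnel",
                "shared_secret": None,
                "shared_secret_hash": "AApx7t-WYtqhIS_aqtR6TxPpcT7L",
            },
            "sensitive_attributes": [],
        }],
    }],
}


def tunnels_missing_secret(state: dict) -> list:
    """Addresses of managed VPN tunnels whose state holds no shared_secret.
    A config that sets shared_secret will plan to replace exactly these."""
    found = []
    for res in state["resources"]:
        if res["mode"] != "managed" or res["type"] != "google_compute_vpn_tunnel":
            continue
        for inst in res["instances"]:
            if inst["attributes"].get("shared_secret") is None:
                found.append(f'{res["type"]}.{res["name"]}')
    return found


def patch_shared_secret(state: dict, address: str, secret: str) -> dict:
    """Copy of the state with shared_secret set on one root-module tunnel and
    the serial incremented; the input state is left untouched."""
    patched = copy.deepcopy(state)
    rtype, rname = address.split(".", 1)  # assumes "type.name", no module path
    hit = False
    for res in patched["resources"]:
        if res["mode"] == "managed" and res["type"] == rtype and res["name"] == rname:
            for inst in res["instances"]:
                inst["attributes"]["shared_secret"] = secret
                hit = True
    if not hit:
        raise KeyError(f"no managed resource {address} in state")
    patched["serial"] += 1
    return patched
```

Run it against the output of `terraform state pull`, write the patched JSON to a file, and hand that file to `terraform state push`; re-run `terraform plan` afterwards to confirm it reports no changes, as in the last post.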