Unable to disable/enable PSC on existing google_sql_database_instance #26169

@henry-yu-mi

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.14.4
on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v7.20.0
  • provider registry.terraform.io/hashicorp/google-beta v7.20.0

Affected Resource(s)

google_sql_database_instance

Terraform Configuration

resource "google_sql_database_instance" "this" {
  name                = "my-instance"
  project             = "my-project-123456"
  region              = "us-east1"
  database_version    = "POSTGRES_13"
  deletion_protection = true

  settings {
    tier = "db-custom-1-3840"
    
    ip_configuration {
      ipv4_enabled    = true
      private_network = "projects/my-project-123456/global/networks/my-network"
      ssl_mode        = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"

      dynamic "authorized_networks" {
        for_each = {
          "NAT Gateway East"   = "123.45.100.1/32"
        }
        content {
          name  = authorized_networks.key
          value = authorized_networks.value
        }
      }


      dynamic "psc_config" {
        for_each = var.psc_enabled ? [1] : []
        content {
          # Problematic: when toggling this value
          psc_enabled               = true
          allowed_consumer_projects = []
        }
      }
    }
  }
}

Debug Output

No response

Expected Behavior

When changing psc_enabled from false to true (or vice versa), Terraform should:

  1. Either make multiple sequential API calls (PSC change first, then other settings)
  2. Or handle this as a single atomic operation

Actual Behavior

Plan shows:

- psc_config {
    - allowed_consumer_projects = [] -> null
    - psc_enabled               = false -> null
  }
+ psc_config {
    + allowed_consumer_projects = []
    + psc_enabled               = true
  }

Error: Error, failed to update instance settings for : googleapi: Error 400: Invalid request: Enabling or disabling Private Service Connect and changing other fields at the same time is not allowed., invalid

  with module.this.google_sql_database_instance.this[0],
  on ../../modules/signal/sql.tf line 2, in resource "google_sql_database_instance" "this":
   2: resource "google_sql_database_instance" "this" {

Steps to reproduce

  1. Create a Cloud SQL instance with psc_enabled = false (or omit PSC config entirely)
  2. Change psc_enabled
  3. Run terraform apply

Important Factoids

The Google Cloud SQL API has a restriction that prevents enabling/disabling PSC alongside other field changes in the same request. Terraform treats the change as:

  • Remove the old psc_config block (with psc_enabled = false)
  • Add a new psc_config block (with psc_enabled = true)

References

https://github.com/hashicorp/terraform-provider-google/blob/main/website/docs/r/sql_database_instance.html.markdown
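
A pre-apply check for the condition named in the API error above, added here as an example and not part of the original issue or the provider's code: it reads the JSON form of a saved plan and reports each google_sql_database_instance update that toggles PSC while also changing another field. The function names and the sample plan are assumptions made for illustration.

```python
import json
import sys

TYPE = "google_sql_database_instance"

def _ip_configs(values):
    """Yield each ip_configuration object; nested blocks are lists in plan JSON."""
    for settings in (values or {}).get("settings") or []:
        yield from settings.get("ip_configuration") or []

def psc_enabled(values):
    """Effective PSC state; a missing psc_config block counts as disabled."""
    return any(p.get("psc_enabled") for ip in _ip_configs(values)
               for p in ip.get("psc_config") or [])

def without_psc(values):
    """Deep copy with psc_config removed, so all other fields can be compared."""
    clone = json.loads(json.dumps(values or {}))
    for ip in _ip_configs(clone):
        ip.pop("psc_config", None)
    return clone

def mixed_psc_changes(plan):
    """Addresses of in-place updates that toggle PSC and change another field."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != TYPE or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before"), change.get("after")
        toggled = psc_enabled(before) != psc_enabled(after)
        if toggled and without_psc(before) != without_psc(after):
            flagged.append(rc["address"])
    return flagged

def _values(tier, psc):
    ip = {"ipv4_enabled": True, "psc_config": [{"psc_enabled": psc}]}
    return {"name": "my-instance", "settings": [{"tier": tier, "ip_configuration": [ip]}]}

def _rc(name, before, after):
    change = {"actions": ["update"], "before": before, "after": after}
    return {"address": f"{TYPE}.{name}", "type": TYPE, "change": change}

SAMPLE_PLAN = {"resource_changes": [  # constructed sample, not a real plan
    _rc("mixed", _values("db-custom-1-3840", False), _values("db-custom-2-7680", True)),
    _rc("psc_only", _values("db-custom-1-3840", False), _values("db-custom-1-3840", True))]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print("\n".join(mixed_psc_changes(plan)) or "no mixed PSC changes")
```

Run it on the output of `terraform show -json <planfile>`. Attributes whose values are unknown until apply are omitted from `after` in that JSON, so a plan containing them is reported as a mixed change.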
