F5Networks / terraform-provider-bigip

Terraform resources that can configure F5 BIG-IP products
https://registry.terraform.io/providers/F5Networks/bigip/latest/docs
Mozilla Public License 2.0

Using bigip_ssl_key_cert resource does not allow same object name for both cert and key - common practice on BIG-IP #980

Closed scoffeyfv closed 2 weeks ago

scoffeyfv commented 1 month ago

Summary

If using the bigip_ssl_key_cert resource to create an SSL keypair, the same name cannot be used for the cert and key objects. Doing so results in an error on apply: "Certificate/Key has unknown format or security type (/Common/testpair2)". It is valid to use the same name, and indeed if you create a keypair in the BIG-IP TMUI, both cert and key have the same name, so this should be possible via Terraform.

Steps To Reproduce

Create a resource such as:

resource "bigip_ssl_key_cert" "keypair1" {
  cert_name    = "keypair1"
  cert_content = file("./testpair1.crt") # PEM content of the certificate, read from disk
  key_name     = "keypair1"
  key_content  = file("./testpair1.key") # PEM content of the private key, read from disk
  partition    = "Common"
}

Attempt to apply.

Expected Behavior

Apply should be successful, with the SSL cert and SSL key created with the name "keypair1".

Actual Behavior

Apply fails with error:

Error: error while ending transaction: &{%!d(string=transaction failed:01070712:3: Certificate/Key has unknown format or security type (/Common/keypair1).)}
│ 
│   with bigip_ssl_key_cert.keypair1,
│   on main.tf line 30, in resource "bigip_ssl_key_cert" "keypair1":
│   30: resource "bigip_ssl_key_cert" "keypair1" {

Inspecting resource_bigip_ssl_key_cert.go func resourceBigipSSLKeyCertCreate shows that the order of actions for creating key and cert is the issue, combined with the file upload using the object name.

Observation

Use of a transaction for adding the key/cert will not be compatible with using the same filename for key and cert, because the immediate action of file uploads must always occur before the transaction commits, and of course if we use the same filename, the cert file will overwrite the key file. So, we must use different filenames for upload but find a way to still support having the same object name for key and cert.

scoffeyfv commented 1 month ago

I think this may need a change in github.com/f5devcentral/go-bigip/sys.go unfortunately as we are leveraging UploadCertificate(certpath string, cert *Certificate) from there, and that combines both the upload and adding the cert object, and takes the filename for the upload from cert.Name. So either that needs modifying to make the file upload unique (good practice)... or we could implement the cert upload/add within the provider locally.
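The two points raised above (the upload filename must differ for cert and key even when the BIG-IP object name is the same, and the upload/add step could be done locally in the provider) can be illustrated with a small Go sketch. This is an added example written for this page, not code from terraform-provider-bigip or go-bigip: `uploadFilenames`, `pemKind`, `stageKeyPair` and the in-memory `uploadStore` are hypothetical helpers, and the PEM blocks are constructed placeholders, not real certificates or keys. It derives `<name>.crt` / `<name>.key` upload names from one object name so neither upload can clobber the other, and checks the PEM block type of each input locally so a swapped or malformed cert_content/key_content is reported before the transaction instead of surfacing as BIG-IP's generic "unknown format or security type" error.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"path"
)

// uploadFilenames derives two distinct filenames for the transient upload step
// from a single BIG-IP object name, so the cert upload can never overwrite the
// key upload. Hypothetical helper written for this example; not go-bigip's API.
func uploadFilenames(objectName string) (certFile, keyFile string) {
	base := path.Base(objectName) // "/Common/keypair1" -> "keypair1"
	return base + ".crt", base + ".key"
}

// pemKind reports whether PEM data holds a certificate or a private key by
// inspecting the first block's type. Checking this locally gives a precise
// error instead of BIG-IP's generic "unknown format or security type".
func pemKind(data []byte) (string, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	switch block.Type {
	case "CERTIFICATE":
		return "cert", nil
	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
		return "key", nil
	}
	return "", fmt.Errorf("unexpected PEM block type %q", block.Type)
}

// expectKind wraps pemKind with a field-specific error message.
func expectKind(data []byte, want, field, objectName string) error {
	kind, err := pemKind(data)
	if err != nil {
		return fmt.Errorf("%s for %s: %w", field, objectName, err)
	}
	if kind != want {
		return fmt.Errorf("%s for %s holds a %s, expected %s", field, objectName, kind, want)
	}
	return nil
}

// uploadStore stands in for the BIG-IP upload area: a map from upload filename
// to file bytes. Constructed for this example so it runs offline.
type uploadStore map[string][]byte

// stageKeyPair validates both PEM inputs and uploads them under distinct
// filenames, returning the names a later transaction would reference when it
// creates the cert and key objects that share objectName.
func stageKeyPair(store uploadStore, objectName string, certPEM, keyPEM []byte) (certFile, keyFile string, err error) {
	if err := expectKind(certPEM, "cert", "cert_content", objectName); err != nil {
		return "", "", err
	}
	if err := expectKind(keyPEM, "key", "key_content", objectName); err != nil {
		return "", "", err
	}
	certFile, keyFile = uploadFilenames(objectName)
	store[certFile] = certPEM // distinct names: the second upload cannot overwrite the first
	store[keyFile] = keyPEM
	return certFile, keyFile, nil
}

// samplePEM builds a syntactically valid PEM block around placeholder bytes;
// the payload is constructed for this example and is not a real key or cert.
func samplePEM(blockType string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: []byte("placeholder")})
}

func main() {
	store := uploadStore{}
	cf, kf, err := stageKeyPair(store, "/Common/keypair1", samplePEM("CERTIFICATE"), samplePEM("RSA PRIVATE KEY"))
	fmt.Println(cf, kf, err, len(store))
	// Swapped inputs are rejected locally rather than at transaction commit.
	_, _, err = stageKeyPair(store, "/Common/keypair1", samplePEM("RSA PRIVATE KEY"), samplePEM("CERTIFICATE"))
	fmt.Println(err)
}
```

The object name passed to the transaction stays `keypair1` for both the cert and the key; only the transient upload filenames differ, which is the separation the transaction-based create path needs.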

pgouband commented 1 month ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1552.