RedisLabs / terraform-provider-rediscloud

Terraform Redis Cloud Provider: Deploy, update, and manage Redis Cloud databases as code through HashiCorp Terraform
https://registry.terraform.io/providers/RedisLabs/rediscloud/latest
Apache License 2.0

Database updates silently wipes out client_ssl_certificate #478

Closed atsui-bay1 closed 3 weeks ago

atsui-bay1 commented 5 months ago

Terraform Version

Terraform v1.3.6

Affected Resource(s)

Please list the resources as a list, for example:

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "rediscloud_subscription_database" "database" {
  subscription_id = rediscloud_subscription.subscription[0].id
  name            = "dummy"
  port            = 10000

  memory_limit_in_gb           = 2
  data_persistence             = "none"
  throughput_measurement_by    = "operations-per-second"
  throughput_measurement_value = 2000

  replication   = true
  resp_version  = "resp3"
  data_eviction = "volatile-lru"

  enable_default_user = false
  enable_tls          = true
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

We enable mutualTLS and upload client certificates via a separate process, as we do not want the keys/certs to be added to the Terraform statefile. When we change an option through Terraform, these uploaded client certs are being removed from the database. This would be fine, except the terraform plan does NOT show that the client_ssl_certificate on the resource will be removed.

Actual Behavior

The client certificates were removed silently from the database. The terraform plan should indicate that the certs will be removed as part of the apply.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. Enable mTLS and upload a client certificate outside of Terraform
  3. Make a change to the resource in Terraform
  4. terraform apply
  5. Notice that the plan does NOT show the cert removal, but the cert will be gone after the apply completes

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

JohnSharpe commented 3 weeks ago

Hi @atsui-bay1, great catch, thanks! The API doesn't return the full certificates so we can't detect changes, but it does give us a hint as to whether a certificate is in place. In your situation, as of 1.8.0, the provider detects if some certificate is in place and, if your configuration doesn't provide anything, the text "unknown certificate" is written into state, so your plan would show something like:

- client_tls_certificates: ["unknown certificate"]

Hopefully that helps remedy your issue, please let us know how you get on!

atsui-bay1 commented 3 weeks ago

Hi @JohnSharpe Thanks for the fix, it does solve our problem!
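
A CI-side check for the situation discussed in this thread, as an added example that is not part of the thread or of the provider's code: it reads `terraform show -json` plan output and reports in-place database updates that would drop a client certificate recorded in state, such as the "unknown certificate" placeholder written as of 1.8.0. The sample plan is constructed, and treating the attribute as a list of strings is an assumption based on the plan line quoted above.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses and values are made up; the attribute is assumed to be a list of
# strings, as in the plan line quoted in the thread.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {   # certificate uploaded out of band, configuration sets none
        "address": "rediscloud_subscription_database.database",
        "type": "rediscloud_subscription_database",
        "change": {
            "actions": ["update"],
            "before": {"client_tls_certificates": ["unknown certificate"]},
            "after": {"client_tls_certificates": []},
        },
    },
    {   # no certificate in place, so nothing to lose
        "address": "rediscloud_subscription_database.cache",
        "type": "rediscloud_subscription_database",
        "change": {
            "actions": ["update"],
            "before": {"client_tls_certificates": []},
            "after": {"client_tls_certificates": []},
        },
    },
]})

# Attribute names that appear in the thread.
CERT_ATTRS = ("client_tls_certificates", "client_ssl_certificate")

def cert_removals(plan_json):
    """Return (address, attribute) pairs where an update would drop a client cert."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        # In-place updates are the case reported in the issue.
        if rc.get("type") != "rediscloud_subscription_database" or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        for attr in CERT_ATTRS:
            # Set before, empty after, and not merely "known after apply".
            if before.get(attr) and not after.get(attr) and unknown.get(attr) is not True:
                findings.append((rc["address"], attr))
    return findings

if __name__ == "__main__":
    for address, attr in cert_removals(SAMPLE_PLAN):
        print(f"{address}: apply would remove {attr}")
```

In a pipeline, feed it the output of `terraform show -json` for the saved plan file and fail the job when the returned list is non-empty.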