Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Undescribed breaking change in provider validation (v0.21.0) #144

Open LoicBer opened 1 month ago

LoicBer commented 1 month ago

PROBLEM SUMMARY

Release v0.21.0 introduced a new verification that may fail Terraform even when the provider is not used.

Context: We are handling workload identities with a dedicated Terraform module. This module can be configured to optionally use the Venafi provider to produce client certificates. However, by default, no Venafi resources are created and we do not provide credentials to the venafi provider. Our default configuration used to work with provider v0.20.0 but started to fail with v0.21.0, even though no such change of behavior was described in the release notes.

STEPS TO REPRODUCE

Here is a basic Terraform main.tf that works well with v0.20.0 but fails with v0.21.0:

terraform {
  required_version = ">= 1.4"
  required_providers {
    venafi = {
      source  = "venafi/venafi"
      version = "= 0.21" # works with 0.20
    }
  }
}

provider "venafi" {
  dev_mode     = false
  url          = "https://xxxxxxxxxxxxxxxxx" # replace by actual endpoint
  zone         = "dummyzone"
  access_token = "invalid_token"
}

resource "venafi_certificate" "auth_cert" {
  count        = 0 # RESOURCE IS NOT CREATED
  common_name  = "demo"
  algorithm    = "RSA"
  rsa_bits     = "2048"
  csr_origin   = "service"
  key_password = "somesecretpathphrase"
}

Then run terraform plan.

Note that a venafi_certificate resource is declared with a count = 0, so no certificate would actually be created. This config mimics a module where Venafi certificates would be optional.

EXPECTED RESULTS

Same behavior as with v0.20.0: successful plan

OR

Being warned in the release notes that some additional verifications are now performed

ACTUAL RESULTS

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 14, in provider "venafi":
│   14: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: vcert error: your data contains problems: auth error: vcert error:
│ your data contains problems: auth error

ENVIRONMENT DETAILS

Venafi v0.20.0, Terraform v1.4.6

COMMENTS/WORKAROUNDS

We found that we can use dev_mode = true to disable the connection to the Venafi platform when the module does not actually require certificates. Our config looks like:

provider "venafi" {
  dev_mode     = local.no_venafi_certs_required
  url          = var.venafi_url
  zone         = var.venafi_zone
  access_token = var.access_token
}

locals {
  no_venafi_certs_required = # some logic on input variables 
}

This change in behavior may have been introduced by 2a09026
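The workaround above, carried through as a complete module fragment. This is an added example, not the reporter's or the provider's own code; the variable names (venafi_cert_count, venafi_url, venafi_zone, venafi_access_token) are assumed, and the precondition is an addition that turns a missing token into an explicit plan error only when a certificate is actually requested.

```hcl
variable "venafi_cert_count" {
  description = "Certificates to request from Venafi; 0 disables the integration."
  type        = number
  default     = 0
}

variable "venafi_url" { type = string }
variable "venafi_zone" { type = string }

variable "venafi_access_token" {
  type      = string
  default   = ""
  sensitive = true
}

locals {
  # One condition drives both the provider mode and the resource count.
  no_venafi_certs_required = var.venafi_cert_count == 0
}

provider "venafi" {
  # true: vcert's local test connector, no authentication at plan time;
  # false: real connection, so the token is validated during client init (v0.21.0)
  dev_mode     = local.no_venafi_certs_required
  url          = var.venafi_url
  zone         = var.venafi_zone
  access_token = var.venafi_access_token
}

resource "venafi_certificate" "auth_cert" {
  count        = var.venafi_cert_count
  common_name  = "demo-${count.index}"
  algorithm    = "RSA"
  rsa_bits     = 2048
  csr_origin   = "service"
  key_password = "somesecretpathphrase" # placeholder, use a sensitive variable in practice

  lifecycle {
    # A requested certificate without a token fails with a clear message instead of the opaque "auth error".
    precondition {
      condition     = var.venafi_access_token != ""
      error_message = "venafi_access_token must be set when venafi_cert_count > 0."
    }
  }
}
```

With dev_mode = true the provider never contacts Venafi, so it must not be enabled for a configuration that expects a Venafi-issued certificate; deriving both dev_mode and count from the same variable keeps the two from drifting apart.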