Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Resource venafi_certificate not revoking on destroy #19

Closed smeluski closed 5 months ago

smeluski commented 4 years ago

PROBLEM SUMMARY
I ran a terraform destroy for a certificate resource expecting it to revoke the certificate, but it still exists. I can taint the resource and it will destroy/create producing a new version of the certificate without any problems.

STEPS TO REPRODUCE
terraform destroy venafi_certificate

EXPECTED RESULTS
Certificate is revoked, but it doesn't appear that anything happens.

ACTUAL RESULTS
Certificate is still valid in the Venafi portal

ENVIRONMENT DETAILS
[DEBUG] GET https://registry.terraform.io/v1/providers/terraform-providers/venafi/0.9.3/download/windows/amd64

COMMENTS/WORKAROUNDS
revoke the certificate using another means.

Details of cert creation:

```hcl
provider "venafi" {
  alias        = "programmatic"
  url          = "https://servername.com/vedsdk"
  tpp_username = # value omitted in the original report
  tpp_password = # value omitted in the original report
  # backslashes escaped for HCL; the trailing backslash in the report would have
  # escaped the closing quote, and the destroy log shows the zone without it
  zone         = "Certificates\\Non-Production\\Dev Ops"
  dev_mode     = "false"
}
```

```hcl
resource "venafi_certificate" "this" {
  provider          = venafi.programmatic
  common_name       = "certdomain.com"
  algorithm         = "RSA"
  rsa_bits          = "2048"
  san_dns           = ["certdomain.com"]
  san_email         = null
  san_ip            = null
  key_password      = null
  expiration_window = 2160
}
```

Details from terraform destroy execution:

```
2020-07-30T03:59:07.6324165Z 2020/07/29 20:59:07 [DEBUG] venafi_certificate.this: applying the planned Delete change
2020-07-30T03:59:07.6324601Z 2020/07/29 20:59:07 [TRACE] GRPCProvider: ApplyResourceChange
2020-07-30T03:59:07.6325141Z venafi_certificate.this: Destroying... [id=\VED\Policy\Certificates\Non-Production\Dev Ops\certdomain.com]
2020-07-30T03:59:07.6334691Z 2020/07/29 20:59:07 [TRACE] : eval: terraform.EvalWriteState
2020-07-30T03:59:07.6335569Z 2020/07/29 20:59:07 [TRACE] EvalWriteState: removing state object for venafi_certificate.this
2020-07-30T03:59:07.6336019Z 2020/07/29 20:59:07 [TRACE] : eval: terraform.EvalApplyPost
2020-07-30T03:59:07.6336620Z 2020/07/29 20:59:07 [TRACE] : eval: *terraform.EvalUpdateStateHook
2020-07-30T03:59:07.6337235Z venafi_certificate.this: Destruction complete after 0s
```

jtcarnes commented 3 years ago

@tr1ck3r Any progress on the issue? I am encountering the same thing and can help out if need be.

javierlga commented 3 years ago

I have the same issue, I thought the certificate would be revoked after running terraform destroy. Is there any update from the Venafi team?

tr1ck3r commented 3 years ago

We've only received a handful of requests for this enhancement to date. It makes sense but some have provided feedback that they wouldn't want a certificate to be revoked on destroy because needless revocation leads to bloated CRLs. So based on that, the revocation behavior would need to be optional. I believe those customers are eliminating the need for revocation by requesting certificates that are only valid for a short time longer than the infrastructure that is using them (i.e. leveraging the valid_days option).
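As an added illustration of the short-validity approach described in the comment above (constructed here, not code from this thread or from the provider's own documentation), the following configuration requests a certificate that outlives its environment by only a few days. It assumes the resource's valid_days argument named above and a certificate attribute on the resource; the variable names, hostnames and zone path are hypothetical.

```hcl
# Constructed example: bound certificate lifetime to the infrastructure instead of relying on revocation.
variable "tpp_username" {
  type      = string
  sensitive = true
}

variable "tpp_password" {
  type      = string
  sensitive = true
}

provider "venafi" {
  alias        = "programmatic"
  url          = "https://tpp.example.test/vedsdk"        # hypothetical TPP endpoint
  tpp_username = var.tpp_username
  tpp_password = var.tpp_password
  zone         = "Certificates\\Non-Production\\Dev Ops"  # hypothetical zone, backslashes escaped for HCL
}

# The environment this certificate serves is rebuilt at most every 7 days.
# A validity only slightly longer than that means a certificate left behind
# when the provider does not revoke on destroy expires on its own instead of
# lingering for a year or needing a CRL entry.
resource "venafi_certificate" "short_lived" {
  provider    = venafi.programmatic
  common_name = "app.dev.example.test"   # hypothetical name
  san_dns     = ["app.dev.example.test"]
  algorithm   = "RSA"
  rsa_bits    = 2048

  # Requested validity in days. Caveat raised later in this thread: a zone whose
  # CA template fixes the validity period overrides this request, so check the
  # issued certificate's notAfter rather than trusting the requested value.
  valid_days = 10

  # Renew during the last 72 hours of validity so a still-running environment
  # never serves an expired certificate.
  expiration_window = 72
}

# Assumed attribute: the issued certificate in PEM form, exposed for verification.
output "certificate_pem" {
  value = venafi_certificate.short_lived.certificate
}
```

Feed the output to `openssl x509 -noout -enddate` after apply to confirm the CA honoured the requested validity.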

javierlga commented 3 years ago

> We've only received a handful of requests for this enhancement to date. It makes sense but some have provided feedback that they wouldn't want a certificate to be revoked on destroy because needless revocation leads to bloated CRLs. So based on that, the revocation behavior would need to be optional. I believe those customers are eliminating the need for revocation by requesting certificates that are only valid for a short time longer than the infrastructure that is using them (i.e. leveraging the valid_days option).

I agree that everyone has different needs; probably making it optional would be best. However, if I understand correctly, valid_days won't apply to those certificates whose expiration date is managed by the CA template in the zone, or am I misunderstanding that part?

j-chao commented 2 years ago

I agree that making an optional parameter would be useful.

derhally commented 9 months ago

Might make sense to have a boolean argument "revoke_on_destroy" which would follow the pattern of other terraform resources.

luispresuelVenafi commented 5 months ago

Rather than revoking, which we do not want to use as it is a discouraged practice, we provided a way to retire certificates instead in the latest (at the time of this comment) Terraform Provider version, 0.18.0. I'm closing this issue accordingly.

justinmchase commented 4 months ago

I want to hard delete on destroy, how can I do that? What is the difference between retire, delete and revoke?

luispresuelVenafi commented 4 months ago

Hi @justinmchase ,

What do you mean with "hard delete on destroy"?

With "retire" now enabled in our provider, during destroy in Terraform you would basically be deleting the certificate from VCP's (Venafi Control Plane) or TLS Protect Datacenter's Inventory. Before introducing retiring to our Terraform provider, that was not possible and the certificate was only removed from the State file.

So essentially, you would be deleting it from both places: your applicable Venafi Platform and the State file of your Terraform configuration. As of today, this behavior is the default.

justinmchase commented 4 months ago

Ok, it's just that in the UI the command is called delete, so when you say retire here it sounds like some kind of soft delete mode. Also it seems not to be deleting for me, so is the default to not delete on destroy?

luispresuelVenafi commented 4 months ago

It should be the default in the latest versions of the plugin. Which version of our Terraform provider are you using? Which Venafi Platform?

justinmchase commented 4 months ago

Ok if it's supposed to be the default behavior I'll just double check my version and that I don't have something else going on. Thanks.