Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Setting an Expiration Window can block Terraform from destroying resources #79

Closed cdmadrigal closed 2 years ago

cdmadrigal commented 2 years ago

PROBLEM SUMMARY
If you request a certificate with an expiration window greater than the Issuing Template's validity period you will be unable to destroy the terraform resources during clean up.

STEPS TO REPRODUCE

EXPECTED RESULTS
The certificate resource within Terraform should be destroyed OR the request shouldn't have occurred in the first place.

ACTUAL RESULTS

resource "venafi_certificate" "tls_server" {
  common_name = "web.venafi.example"
  san_dns = [
    "web01.venafi.example",
    "web02.venafi.example"
  ]
  algorithm = "RSA"
  rsa_bits = 2048
  expiration_window = 720
}

Error: certificate validity duration 168h0m30s is less than configured expiration window 720h0m0s

ENVIRONMENT DETAILS
VaaS, Venafi Terraform Provider version 0.13

COMMENTS/WORKAROUNDS
Either allow the certificate to be destroyed or block the initial creation of the certificate if the expiration_window is greater than the Issuing Template validity policy.

luispresuelVenafi commented 2 years ago

Hi @cdmadrigal, I've been revising this case and, rather than a bug, this seems to be an enhancement of what we have today, since this has been the expected behavior, as we also had this mentioned before in: https://github.com/Venafi/terraform-provider-venafi/issues/6

That error is prompted because the expiration_window feature is meeting the undesired value in the refresh validation of the Terraform state. In general, it is a very rare use case (and one we don't encourage) to set an expiration_window as big as the duration of the certificate.

I'm currently looking if any of the proposed solutions can work.
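To make the validation described above concrete, here is an added Go example (not the provider's own code) that builds a self-signed 168h test certificate and applies the two checks the thread describes: the refresh-time comparison of the certificate's total validity against expiration_window, which yields the error shown in the issue, and the renewal trigger, assumed here to fire once less than expiration_window remains before NotAfter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkExpirationWindow mirrors the refresh-time validation from the thread:
// a window longer than the certificate's whole lifetime can never be honoured,
// so it is rejected with the same message shape as the issue's error.
func checkExpirationWindow(cert *x509.Certificate, window time.Duration) error {
	validity := cert.NotAfter.Sub(cert.NotBefore)
	if validity < window {
		return fmt.Errorf("certificate validity duration %s is less than configured expiration window %s", validity, window)
	}
	return nil
}

// renewalDue reports whether `now` is inside the expiration window, i.e. whether
// a replacement would be requested on the next apply (assumed semantics).
func renewalDue(cert *x509.Certificate, window time.Duration, now time.Time) bool {
	return now.Add(window).After(cert.NotAfter)
}

// newTestCert builds a self-signed certificate with the given validity.
// Constructed test data standing in for a cert issued under a 168h template.
func newTestCert(validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 times carry second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "web.venafi.example"},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling checkExpirationWindow on the 168h certificate with a 720h window returns the issue's error, while 100h (or the 168h default) passes; renewalDue then only becomes true once the remaining lifetime drops below the window.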

cdmadrigal commented 2 years ago

Hi @luispresuelVenafi, due to the behavior I'd still consider it a bug. Once the certificate has been issued you can't run terraform destroy. If you try to change the expiration_window to be policy compliant (i.e. change it from 720 to 100), Terraform still throws the error. If you remove the expiration_window entirely you still get the error. The only way to solve the issue is to destroy the state file, which we shouldn't consider as a solution.

luispresuelVenafi commented 2 years ago

Hi @cdmadrigal, the first behaviour you mentioned should have worked. I just tested it in an issuing template, also with a validity time of 168 hours (1 week), and also set the expiration_window to 100 hours. Could you share the output and terraform file template?

Screenshot from 2022-03-23 13-06-26

The other case also seems to be running correctly in my test, since although the expiration_window is not set, we set a default value of 168 hours, so it should have let you delete it (but with no confirmation prompt). Could you also share the output and a terraform file template if this is not the behavior that is happening on your side?

luispresuelVenafi commented 2 years ago

I'm re-labeling it back as a bug, since although at the time it seemed to be the expected behavior, we still want to validate whether the user is providing bad input.

cdmadrigal commented 2 years ago

Luis, my test cases were around someone requesting a certificate with 720h expiry and then trying to fix it after it's been issued. In all cases of them trying to fix it (adjust the expiration window or remove the expiration window) you will run into the same issue and the only solution is to delete the state file.

luispresuelVenafi commented 2 years ago

I see, you meant updating it after it has already been issued (not creating it beforehand with those values), got it. Then, yes, it was expected behavior. Still a bug if now we want to validate bad input from the user on that side. I created the main issue to attend to this here, since this also impacts re-running terraform plan after the certificate has been issued.