Closed cdmadrigal closed 2 years ago
Hi @cdmadrigal I've been revising this case and rather than a bug, this seems to be an enhancement of what we have today, since this has been an expected behavior as we also had this mentioned before in: https://github.com/Venafi/terraform-provider-venafi/issues/6
That error is prompted due to the feature of the expiration_window is meeting the undesired value in the refresh validation of the Terraform state. In general, it is a very rare use case (and we don't encourage) to set an expiration_window as big as the duration of the certificate.
I'm currently looking if any of the proposed solutions can work.
Hi @luispresuelVenafi, due to the behavior I'd still consider it a bug.
Once the certificate has been issued you can't run terraform destroy. If you try to change the expiration_window to be policy compliant (i.e., change it from 720 to 100), Terraform still throws the error. If you remove the expiration_window entirely you still get the error. The only way to solve the issue is to destroy the state file which we shouldn't consider as a solution.
Hi @cdmadrigal, the first behaviour you mentioned should have worked. I just tested it in an issuing template with also a validity time of 168 hours (1 week) and also set the expiration_window to 100 hours. Could you share the output and terraform file template?
The other case also seems to be running correctly in my test, since although not setting the expiration_window, we set a default value of 168 hours, so it should have let you delete it (but with no confirmation prompt). Could you also share the output and a terraform file template if this is not the behavior that is happening on your side?
I'm re-labeling it back as bug, since although on time before seemed to be the expected behavior, we still want to validate if the user is providing bad input
Luis, my test cases were around someone requesting a certificate with 720h expiry and then trying to fix it after it's been issued. In all cases of them trying to fix it (adjust the expiration window or remove the expiration window) you will run into the same issue and the only solution is to delete the state file.
I see, you meant updating it after it has already been issued (not creating it beforehand with those values), got it. Then, yes, it was expected behavior. Still a bug if now we want to validate bad input from the user of that side. I created the main issue to attend here this since this also impacts re-running terraform plan as well after the certificate has been issued.
PROBLEM SUMMARY If you request a certificate with an expiration window greater than the Issuing Template's validity period you will be unable to destroy the terraform resources during clean up.
STEPS TO REPRODUCE
terraform apply. This will issue the certificate successfully.
terraform destroy. This will throw an error and not delete any resources.
Error: certificate validity duration 168h0m30s is less than configured expiration window 720h0m0s
EXPECTED RESULTS The certificate resource within Terraform should be destroyed OR the request shouldn't have occurred in the first place.
ACTUAL RESULTS
Error: certificate validity duration 168h0m30s is less than configured expiration window 720h0m0s
ENVIRONMENT DETAILS VaaS Venafi Terraform Provider version 0.13
COMMENTS/WORKAROUNDS Either allow the certificate to be destroyed or block the initial creation of the certificate if the expiration_window is greater than the Issuing Template validity policy.
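
The two outcomes requested in this issue (reject the oversized expiration_window before issuance, and do not block destroy once the certificate exists) can be sketched as one phase-aware check. This is an added example, not code from the Venafi provider; `Phase`, `PhaseCreate`, `PhaseRefresh` and `CheckExpirationWindow` are hypothetical names, and it assumes the issuing template's validity is known at create time.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Phase says which Terraform operation triggered the check (hypothetical type).
type Phase int

const (
	PhaseCreate  Phase = iota // apply of a new certificate request
	PhaseRefresh              // state refresh that precedes plan or destroy
)

// CheckExpirationWindow is a hypothetical helper, not the provider's code.
// It compares the configured expiration_window with the certificate validity.
// On create an oversized window is an error, so the request never happens.
// On refresh it is only a warning, so destroy can still proceed.
func CheckExpirationWindow(validity, window time.Duration, p Phase) (warning string, err error) {
	if window < 0 {
		return "", fmt.Errorf("expiration window %s must not be negative", window)
	}
	if validity >= window {
		return "", nil // window fits inside the certificate lifetime
	}
	msg := fmt.Sprintf(
		"certificate validity duration %s is less than configured expiration window %s",
		validity, window)
	if p == PhaseCreate {
		return "", errors.New(msg)
	}
	return msg, nil
}

func main() {
	// Constructed sample values, taken from the error message in this issue.
	validity := 168*time.Hour + 30*time.Second
	window := 720 * time.Hour
	for _, p := range []Phase{PhaseCreate, PhaseRefresh} {
		warn, err := CheckExpirationWindow(validity, window, p)
		fmt.Printf("phase=%d warning=%q err=%v\n", p, warn, err)
	}
}
```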