Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Support Custom Timeouts #80

Open jaikanthjay46 opened 2 years ago

jaikanthjay46 commented 2 years ago

BUSINESS PROBLEM

PROPOSED SOLUTION

The special timeouts block in Terraform can be used to override the timeout.

https://www.terraform.io/language/resources/syntax#operation-timeouts

CURRENT ALTERNATIVES

Try Again Later

VENAFI EXPERIENCE

jaikanthjay46 commented 2 years ago

Also, can I contribute to this issue?

tr1ck3r commented 2 years ago

@jaikanthjay46 yes, we very much welcome contributions from our developer community 😃 The design standard for our open source integrations is that the CA must be able to reliably issue requested certificates in 60 seconds or less or we consider it not viable for the modern automation use case we're targeting. We decided to allow up to 3 times longer to account for bursts of requests that could temporarily degrade the CA's throughput. Please just make sure your enhancement doesn't change the default behavior.

jkacou commented 1 year ago

@tr1ck3r yes, I agree with you until we come to the approval steps from Venafi administrators / security in a company. Since we are not able to deal with the timeout, and we will never have a human approval in 60s (nor in 3 min), all requests where we need a human approval systematically fail, and it is a big mess.. :( I would prefer to have a long-running job (with a certain custom timeout) waiting for a human approval in this case, since making it asynchronous is nonsense to me because we would lose Terraform's main advantage, the config state tracking... Considering it can cause some performance issues for the platform, is a specific state (such as pending for approval) possible as a return to Terraform, so that it could know how to deal with it? (And not recreate a new certificate because it has nothing in its state to remember the previous timeout, and here is the infinite loop of recreations and timeouts.) Deleting the approval step is not really an option..
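Added example, not part of the thread and not the provider's code: a Go sketch of the two constraints discussed above, keeping the 3 x 60 s default when no override is set and returning a distinct pending error that carries the request ID when the deadline passes. `WaitForCertificate`, `retrieveFunc`, `effectiveTimeout` and `ErrPendingApproval` are hypothetical names, and the retrieval call is a constructed stand-in.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Default from the thread: 60 s design target, allowed 3x longer for bursts.
const DefaultIssueTimeout = 3 * 60 * time.Second

// ErrPendingApproval (hypothetical) marks "deadline hit, request not yet issued".
var ErrPendingApproval = errors.New("certificate request still pending")

// retrieveFunc is a hypothetical stand-in for the platform's pickup call.
type retrieveFunc func(ctx context.Context, id string) (pem string, ready bool, err error)

// effectiveTimeout leaves the default untouched unless an override is set.
func effectiveTimeout(override time.Duration) time.Duration {
	if override <= 0 {
		return DefaultIssueTimeout
	}
	return override
}

// WaitForCertificate polls until issuance, a hard error, or the deadline.
func WaitForCertificate(ctx context.Context, id string, override, interval time.Duration, retrieve retrieveFunc) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, effectiveTimeout(override))
	defer cancel()
	for {
		pem, ready, err := retrieve(ctx, id)
		if err != nil || ready {
			return pem, err
		}
		select {
		case <-ctx.Done():
			// Return the request ID so the caller can resume it, not re-request.
			return "", fmt.Errorf("%w (request %s)", ErrPendingApproval, id)
		case <-time.After(interval):
		}
	}
}

func main() {
	polls := 0 // constructed stand-in: issued on the third poll
	fake := func(ctx context.Context, id string) (string, bool, error) {
		polls++
		return "constructed-pem", polls >= 3, nil
	}
	fmt.Println(WaitForCertificate(context.Background(), "req-1", time.Second, 10*time.Millisecond, fake))
}
```

A caller can test for the pending case with `errors.Is(err, ErrPendingApproval)` and treat it differently from a hard failure.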

afhamilton commented 1 year ago

I came to raise this issue and was somewhat happy that we aren't the only ones who have problems due to the lack of a timeout block. I'm also surprised that this was raised over a year ago and still hasn't been addressed.

We have an external CA that Venafi reaches out to (via the internet) when managing public certs, as well as an approval step, so consequently all our plans that require external certificates are failing. We had to remove all Venafi resources from our code and will now have to manually download the certs and upload to our appliances.