Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

"Error comparing certificate and key" when creating more than one certificate resource for the same hostname #94

Closed MarioUhrik closed 1 year ago

MarioUhrik commented 2 years ago

PROBLEM SUMMARY When I try to create multiple certificates using the same hostname, the private keys are generated incorrectly and terraform plan starts failing every run until the Terraform state file is manually repaired.

STEPS TO REPRODUCE terraform apply where the for_each spawns 3 instances of auth_cert

# Three instances of this resource are created from one for_each map.
# local.spn_to_create is not shown in this issue; it is a map whose
# entries carry a boolean "certificate" flag used to select which
# entries get a certificate. Every instance requests the same common_name.
resource "venafi_certificate" "auth_cert" {
  for_each = {
    for name, spn in local.spn_to_create : name => spn
    if spn.certificate
  }
  common_name = "test-subdomain.subdomain.domain.net"
  algorithm   = "RSA"
  rsa_bits    = "2048"
}

EXPECTED RESULTS I get 3 valid certificate resources and no issues.

ACTUAL RESULTS

The private key and the certificate are compared to each other during each terraform plan/apply/destroy run, and the mismatch is detected here: https://github.com/Venafi/terraform-provider-venafi/blob/master/venafi/resource_venafi_certificate.go#L323, which throws this error message and fails the run:

error comparing certificate and key: tls: failed to find any PEM data in key input

This is particularly nasty, because it locks you out of most standard Terraform commands.

ENVIRONMENT DETAILS

COMMENTS/WORKAROUNDS The only recovery is to remove the offending certificate resources from the Terraform state.

Thanks to @samuelstolicny @miroslavkohutik for finding and diagnosing the bug.
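The "tls:" prefix in the quoted message shows it is produced by Go's crypto/tls package when a certificate PEM and a private key PEM cannot be paired. The following is an added example, not code from the provider or from the issue author: it reproduces that pairing check with the standard library's tls.X509KeyPair and maps the two errors it can return for a bad pair (empty or non-PEM key, and a key that belongs to a different certificate) to the state problem a practitioner should look for before repairing state. The certificates and keys are constructed fixtures generated at run time; the function names CertKeyMatch, Diagnose and Scenarios are this example's own, and the self-signed certificate stands in for a Venafi-issued one.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertKeyMatch pairs a certificate PEM with a private key PEM the way Go's
// crypto/tls does. A nil error means the key belongs to the certificate; the
// "tls: ..." errors are the ones that surface in the provider's message.
func CertKeyMatch(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// Diagnose turns the pairing result into the state problem to look for.
func Diagnose(certPEM, keyPEM []byte) string {
	err := CertKeyMatch(certPEM, keyPEM)
	switch {
	case err == nil:
		return "ok"
	case strings.Contains(err.Error(), "failed to find any PEM data in key input"):
		return "private key in state is empty or not PEM"
	case strings.Contains(err.Error(), "private key does not match public key"):
		return "private key in state belongs to a different certificate"
	default:
		return "other: " + err.Error()
	}
}

// selfSignedPEM issues a throwaway self-signed certificate for key. This is a
// constructed fixture standing in for a Venafi-issued certificate.
func selfSignedPEM(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// keyPEM encodes an RSA private key as PKCS#1 PEM ("RSA PRIVATE KEY").
func keyPEM(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
}

// Scenarios builds the three state shapes worth recognising: a healthy pair,
// a certificate whose stored key is empty (the error quoted in the issue), and
// a certificate stored next to a key generated for a different certificate.
func Scenarios() (map[string]string, error) {
	keyA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	keyB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	certA, err := selfSignedPEM(keyA, "test-subdomain.subdomain.domain.net")
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"matching":  Diagnose(certA, keyPEM(keyA)),
		"empty-key": Diagnose(certA, []byte("")),
		"wrong-key": Diagnose(certA, keyPEM(keyB)),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range res {
		fmt.Printf("%-9s %s\n", name, verdict)
	}
}
```

To apply this to a real state file, pull it with `terraform state pull`, feed each venafi_certificate instance's certificate and private key attributes to Diagnose, and remove only the instances that fail with `terraform state rm 'venafi_certificate.auth_cert["<key>"]'` (the workaround the issue describes), rather than clearing all of them.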

luispresuelVenafi commented 1 year ago

Hi @MarioUhrik , thank you for reaching out!

We confirmed this issue is happening on the TPP side (not an issue on the VaaS side) and is due to how it behaves with certificate objects. When trying to create 3 certificates with the same common_name at the same time, we are stressing the issuance in TPP with the same certificate object, since all three try to get the same name that you would normally see in the portal. This was designed in order to follow best practices. The fact that you got wrong certificates in state shouldn't have happened; that is another bug we are going to look for and fix along with the fix for this situation.

We are going to add the option to pass the object name in those cases in an upcoming release.