proxmox_virtual_environment_certificate always gets updated when a certificate chain is used

[julego]

Describe the bug When a certificate chain is used, changes are always detected on a proxmox_virtual_environment_certificate resource when running terraform plan, and then gets updated on each terraform apply, even when the certificate chain was previously successfully installed on the node.

This happens probably because the Proxmox API endpoint (/nodes/{node}/certificates/info) only returns the first certificate found in /etc/pve/nodes/{node}/pveproxy-ssl.pem, not the whole file/chain content.

A workaround would be to use the SSH client to get the actual chain content.

To Reproduce Steps to reproduce the behavior:

1. Create a proxmox_virtual_environment_certificate resource with a certificate chain

resource "proxmox_virtual_environment_certificate" "pve" {
  node_name = "pve"

  certificate = "pem encoded certificate"
  certificate_chain = "pem encoded intermediate certificate"
  private_key = "pem encoded private key"
}

2. Run terraform apply to initially install the certificate

3. Confirm that the pveproxy-ssl.pem file installed on the node contains the whole chain

root@pve:~# cat /etc/pve/nodes/pve/pveproxy-ssl.pem
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate]
-----END CERTIFICATE-----

4. Run terraform apply again, the certificate gets re-installed on the node

proxmox_virtual_environment_certificate.pve: Refreshing state... [id=pve_certificate]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # proxmox_virtual_environment_certificate.pve will be updated in-place
  ~ resource "proxmox_virtual_environment_certificate" "pve" {
      + certificate_chain         = <<-EOT
            -----BEGIN CERTIFICATE-----
            [...]
            -----END CERTIFICATE-----
        EOT
        id                        = "pve_certificate"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
proxmox_virtual_environment_certificate.pve: Modifying... [id=pve_certificate]
proxmox_virtual_environment_certificate.pve: Modifications complete after 1s [id=pve_certificate]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected behavior Running terraform plan should not detect any changes, and terraform apply should not reinstall the certificate.

Additional context Tested with Terraform 1.5 and provider 0.48.2 on a single node setup running Proxmox 8.1.4

[spacex]

This is partially due to the fact that the proxmox API does not include the certificate chain in the response.

It should be possible for the resource to "remember" what certificate chain it set on the resource and update it when presented with a new one.

Also, a workaround is to use this in the resource:

  lifecycle {
    ignore_changes = [
      certificate_chain
    ]
  }

This causes it to not show as changed on subsequent plans/applies, however, if the chain changed and the certificate didn't (for some reason, which could even include adding a missing intermediate CA), it wouldn't trigger an update.

[bpg-autobot[bot]]

Marking this issue as stale due to inactivity in the past 180 days. This helps us focus on the active issues. If this issue is reproducible with the latest version of the provider, please comment. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!