bpg / terraform-provider-proxmox

Terraform Provider for Proxmox
https://registry.terraform.io/providers/bpg/proxmox
Mozilla Public License 2.0

proxmox_virtual_environment_certificate always gets updated when a certificate chain is used #1110

Open julego opened 4 months ago

julego commented 4 months ago

Describe the bug
When a certificate chain is used, changes are always detected on a proxmox_virtual_environment_certificate resource when running terraform plan, and the resource then gets updated on each terraform apply, even when the certificate chain was previously installed successfully on the node.

This probably happens because the Proxmox API endpoint (/nodes/{node}/certificates/info) only returns the first certificate found in /etc/pve/nodes/{node}/pveproxy-ssl.pem, not the whole file/chain content.

A workaround would be to use the SSH client to get the actual chain content.

To Reproduce
Steps to reproduce the behavior:

  1. Create a proxmox_virtual_environment_certificate resource with a certificate chain

resource "proxmox_virtual_environment_certificate" "pve" {
  node_name = "pve"

  certificate = "pem encoded certificate"
  certificate_chain = "pem encoded intermediate certificate"
  private_key = "pem encoded private key"
}

  2. Run terraform apply to initially install the certificate

  3. Confirm that the pveproxy-ssl.pem file installed on the node contains the whole chain

root@pve:~# cat /etc/pve/nodes/pve/pveproxy-ssl.pem
-----BEGIN CERTIFICATE-----
[certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate]
-----END CERTIFICATE-----

  4. Run terraform apply again; the certificate gets re-installed on the node

proxmox_virtual_environment_certificate.pve: Refreshing state... [id=pve_certificate]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # proxmox_virtual_environment_certificate.pve will be updated in-place
  ~ resource "proxmox_virtual_environment_certificate" "pve" {
      + certificate_chain         = <<-EOT
            -----BEGIN CERTIFICATE-----
            [...]
            -----END CERTIFICATE-----
        EOT
        id                        = "pve_certificate"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
proxmox_virtual_environment_certificate.pve: Modifying... [id=pve_certificate]
proxmox_virtual_environment_certificate.pve: Modifications complete after 1s [id=pve_certificate]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected behavior
Running terraform plan should not detect any changes, and terraform apply should not reinstall the certificate.

Additional context
Tested with Terraform 1.5 and provider 0.48.2 on a single-node setup running Proxmox 8.1.4

spacex commented 4 months ago

This is partially due to the fact that the proxmox API does not include the certificate chain in the response.

It should be possible for the resource to "remember" what certificate chain it set on the resource and update it when presented with a new one.

Also, a workaround is to use this in the resource:

  lifecycle {
    ignore_changes = [
      certificate_chain
    ]
  }

This causes it to not show as changed on subsequent plans/applies, however, if the chain changed and the certificate didn't (for some reason, which could even include adding a missing intermediate CA), it wouldn't trigger an update.
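The drift check both comments describe, written out as an added example in Go (the provider's language). This is not code from terraform-provider-proxmox; the type and function names (Observed, NeedsUpdate, certBlocks) are hypothetical, and the PEM blocks are constructed from placeholder bytes rather than real DER certificates, which is enough for encoding/pem since it does not validate the payload. It models the three situations in the thread: reading back only the first certificate from the certificates/info API (the spurious diff in the report), suppressing that diff by comparing the configured chain against the chain remembered in state (spacex's suggestion), and reading the whole pveproxy-ssl.pem over SSH (julego's workaround), which also catches the "chain changed, leaf didn't" case that lifecycle ignore_changes would miss.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
)

// certBlocks returns the DER payload of every CERTIFICATE block in a PEM
// bundle, in file order. Non-certificate blocks (e.g. a private key) are skipped.
func certBlocks(bundle []byte) [][]byte {
	var out [][]byte
	rest := bundle
	for {
		var b *pem.Block
		b, rest = pem.Decode(rest)
		if b == nil {
			return out
		}
		if b.Type == "CERTIFICATE" {
			out = append(out, b.Bytes)
		}
	}
}

// sameChain compares two certificate lists element by element, in order.
func sameChain(a, b [][]byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if !bytes.Equal(a[i], b[i]) {
			return false
		}
	}
	return true
}

// Observed is what the provider could read back from the node (hypothetical type).
type Observed struct {
	PEM       []byte // certificate material read back from the node
	WholeFile bool   // true: full pveproxy-ssl.pem (e.g. via SSH); false: certificates/info API, first certificate only
}

// NeedsUpdate reports whether pveproxy-ssl.pem must be rewritten.
// wantLeaf / wantChain are the configured certificate and certificate_chain;
// rememberedChain is the chain stored in Terraform state by the last apply (nil if none).
func NeedsUpdate(wantLeaf, wantChain []byte, obs Observed, rememberedChain []byte) bool {
	want := append(certBlocks(wantLeaf), certBlocks(wantChain)...)
	got := certBlocks(obs.PEM)
	if len(want) == 0 {
		return true // nothing parseable configured; let the apply surface the error
	}
	if obs.WholeFile {
		// Full file available: compare leaf and chain exactly as installed.
		return !sameChain(want, got)
	}
	// API path: only the leaf is visible. Compare it, then fall back to the
	// chain remembered in state instead of the (missing) chain from the node.
	if len(got) == 0 || !bytes.Equal(got[0], want[0]) {
		return true
	}
	return !sameChain(certBlocks(wantChain), certBlocks(rememberedChain))
}

// mkPEM builds a CERTIFICATE block around constructed placeholder bytes (not a real certificate).
func mkPEM(der string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(der)})
}

// Constructed sample material standing in for the leaf, the intermediate and
// the pveproxy-ssl.pem file that the issue shows on the node.
var (
	leaf         = mkPEM("constructed leaf certificate")
	intermediate = mkPEM("constructed intermediate certificate")
	installed    = append(append([]byte{}, leaf...), intermediate...)
)

func main() {
	// 1. API returns only the first certificate, nothing remembered: the spurious diff from the report.
	fmt.Println("API only, no state:        ", NeedsUpdate(leaf, intermediate, Observed{PEM: leaf}, nil))
	// 2. Same read, but the chain is remembered in state: no diff.
	fmt.Println("API only, chain in state:  ", NeedsUpdate(leaf, intermediate, Observed{PEM: leaf}, intermediate))
	// 3. Whole file read over SSH matches leaf + intermediate: no diff.
	fmt.Println("SSH, full chain installed: ", NeedsUpdate(leaf, intermediate, Observed{PEM: installed, WholeFile: true}, nil))
	// 4. Whole file read over SSH, intermediate missing on the node: diff, even though the leaf is unchanged.
	fmt.Println("SSH, intermediate missing: ", NeedsUpdate(leaf, intermediate, Observed{PEM: leaf, WholeFile: true}, nil))
}
```

Case 4 is the one to keep in mind when using the lifecycle ignore_changes workaround above: ignoring certificate_chain hides the spurious diff in case 1 but also hides a genuinely missing or replaced intermediate, whereas comparing the full file (or the state-remembered chain) distinguishes the two.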