Open julego opened 4 months ago
This is partially due to the fact that the Proxmox API does not include the certificate chain in the response.
It should be possible for the resource to "remember" what certificate chain it set on the resource and update it when presented with a new one.
Also, a workaround is to use this in the resource:
lifecycle {
  ignore_changes = [
    certificate_chain
  ]
}
This causes it to not show as changed on subsequent plans/applies; however, if the chain changed and the certificate didn't (for some reason, which could even include adding a missing intermediate CA), it wouldn't trigger an update.
Describe the bug
When a certificate chain is used, changes are always detected on a proxmox_virtual_environment_certificate resource when running terraform plan, and it then gets updated on each terraform apply, even when the certificate chain was previously successfully installed on the node.
This probably happens because the Proxmox API endpoint (/nodes/{node}/certificates/info) only returns the first certificate found in /etc/pve/nodes/{node}/pveproxy-ssl.pem, not the whole file/chain content.
A workaround would be to use the SSH client to get the actual chain content.
To Reproduce
Steps to reproduce the behavior:
Run terraform apply to initially install the certificate
Confirm that the pveproxy-ssl.pem file installed on the node contains the whole chain
Expected behavior
Running terraform plan should not detect any changes, and terraform apply should not reinstall the certificate.
Additional context
Tested with Terraform 1.5 and provider 0.48.2 on a single node setup running Proxmox 8.1.4.
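The "remember the chain" idea from the comment above, as an added Go sketch (not the provider's code): the leaf is compared against the single certificate the API returns, and the intermediates are compared against fingerprints recorded at the last apply. The names `fakePEM`, `fingerprints`, `same` and `needsUpdate` are hypothetical, the PEM blocks are constructed sample data, and keeping the remembered fingerprints in resource state is an assumption.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"strings"
)

// fakePEM wraps constructed bytes in a CERTIFICATE block (sample data, not a real X.509 cert).
func fakePEM(label string) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(label)}))
}

// fingerprints returns the SHA-256 of every CERTIFICATE block in a PEM bundle, in order.
func fingerprints(bundle string) []string {
	var out []string
	for rest := []byte(bundle); ; {
		var b *pem.Block
		if b, rest = pem.Decode(rest); b == nil {
			return out
		}
		if b.Type == "CERTIFICATE" {
			sum := sha256.Sum256(b.Bytes)
			out = append(out, hex.EncodeToString(sum[:]))
		}
	}
}

func same(a, b []string) bool { return strings.Join(a, ",") == strings.Join(b, ",") }

// needsUpdate reports whether the certificate must be reinstalled. apiLeaf is the one
// certificate the API returns; remembered holds the intermediates' fingerprints from the
// last apply (assumed to be kept in resource state).
func needsUpdate(cfgCert, cfgChain, apiLeaf string, remembered []string) bool {
	want := fingerprints(cfgCert)
	if len(want) != 1 || !same(want, fingerprints(apiLeaf)) {
		return true // leaf replaced, or input is not a single certificate
	}
	return !same(fingerprints(cfgChain), remembered) // intermediates added, removed or swapped
}

func main() {
	leaf, ca := fakePEM("constructed-leaf"), fakePEM("constructed-intermediate")
	fmt.Println("naive full-vs-API diff:", !same(fingerprints(leaf+ca), fingerprints(leaf)))
	fmt.Println("unchanged chain:", needsUpdate(leaf, ca, leaf, fingerprints(ca)))
	fmt.Println("added intermediate:", needsUpdate(leaf, ca+fakePEM("constructed-ca-2"), leaf, fingerprints(ca)))
}
```

The third case is the one `ignore_changes` misses: the leaf is unchanged but an intermediate was added, so an update is still required.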