cloudposse / terraform-aws-ec2-client-vpn

Apache License 2.0

Cannot set value for `key_algorithm` for `tls_cert_request` resource #49

Closed ZeroDeth closed 2 years ago

ZeroDeth commented 2 years ago


Describe the Bug

A clear and concise description of what the bug is.

Module stopped working on 22nd July, even when upgraded to the new release (same errors)

 Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_ca.tls_cert_request.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_ca/main.tf line 24, in resource "tls_cert_request" "default":
│   24:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.
╵
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_ca.tls_self_signed_cert.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_ca/main.tf line 62, in resource "tls_self_signed_cert" "default":
│   62:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.
╵
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_root.tls_cert_request.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_root/main.tf line 24, in resource "tls_cert_request" "default":
│   24:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.
╵
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_root.tls_self_signed_cert.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_root/main.tf line 62, in resource "tls_self_signed_cert" "default":
│   62:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.
╵
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_server.tls_cert_request.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_server/main.tf line 24, in resource "tls_cert_request" "default":
│   24:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.
╵
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with module.ec2_client_vpn.module.self_signed_cert_server.tls_self_signed_cert.default,
│   on .terraform/modules/ec2_client_vpn.self_signed_cert_server/main.tf line 62, in resource "tls_self_signed_cert" "default":
│   62:   key_algorithm   = var.private_key_algorithm
│ 
│ Cannot set value for this attribute as the provider has marked it as
│ read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for
│ additional information about configurable and read-only attributes that are
│ supported.

Expected Behavior

A clear and concise description of what you expected to happen.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to '...'
  2. Run '....'
  3. Enter '....'
  4. See error

provider "awsutils" {
  region = "eu-west-2"
}

module "ec2_client_vpn" {
  source  = "registry.terraform.io/cloudposse/ec2-client-vpn/aws"
  version = "0.12.4"
  enabled = local.create_ec2_client_vpn

  #  providers = {
  #    aws = aws.eu_west_2
  #  }

  ca_common_name     = "vpn.internal.tst.xxx.io"
  root_common_name   = "vpn-client.internal.tst.xxx.io"
  server_common_name = "vpn-server.internal.tst.xxx.io"

  vpc_id                        = module.vpc_0.vpc_id
  client_cidr                   = "10.21.0.0/22"
  organization_name             = "xxx"
  logging_enabled               = false
  logging_stream_name           = "client_vpn"
  retention_in_days             = 0
  associated_subnets            = module.vpc_0.database_subnets
  authorization_rules           = []
  additional_routes             = []
  associated_security_group_ids = []
  export_client_certificate     = true
  split_tunnel                  = true
  dns_servers                   = ["1.1.1.1", "8.8.8.8"]

  tags = local.common_tags
}

output "vpn_endpoint_arn" {
  value = module.ec2_client_vpn.vpn_endpoint_arn
}
output "vpn_endpoint_id" {
  value = module.ec2_client_vpn.vpn_endpoint_id
}
output "vpn_endpoint_dns_name" {
  value = module.ec2_client_vpn.vpn_endpoint_dns_name
}
output "client_configuration" {
  sensitive = true
  value     = module.ec2_client_vpn.full_client_configuration # Stored in parameter store under [self-signed-cert-root.pem & self-signed-cert-root.key]
}

Screenshots

If applicable, add screenshots or logs to help explain your problem.

Environment (please complete the following information):

Anything that will help us triage the bug will help. Here are some ideas:

# ---------------------------------------------------------------------------------------------------------------------
# Terraform version constraints
# ---------------------------------------------------------------------------------------------------------------------

terraform {
  required_version = ">= 1.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.72, >= 4.10"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.10"
    }
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.4.1"
    }
    local = {
      source  = "hashicorp/local"
      version = ">= 2.1"
    }
    null = {
      source  = "hashicorp/null"
      version = ">= 3.1"
    }
    http = {
      source  = "terraform-aws-modules/http"
      version = "2.4.1"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.14"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 2.2"
    }
    awsutils = {
      source  = "cloudposse/awsutils"
      version = ">= 0.11.0"
    }
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.30.2"
    }
    grafana = {
      source  = "grafana/grafana"
      version = ">= 1.13.3"
    }
  }
}

Additional Context

Add any other context about the problem here.

nishant8BITS commented 2 years ago

Facing same issue since yesterday

Error: Invalid Configuration for Read-Only Attribute
with module.ec2_client_vpn.module.self_signed_cert_server.tls_self_signed_cert.default
on .terraform/modules/ec2_client_vpn.self_signed_cert_server/main.tf line 62, in resource "tls_self_signed_cert" "default":
  key_algorithm   = var.private_key_algorithm
Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.

Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

sandy2008 commented 2 years ago

Hi ppl! We released a workaround push to fix the current issue: https://registry.terraform.io/modules/MonoidDev/ec2-client-vpn/aws/0.12.7

renilthomas commented 2 years ago

@sandy2008 apart from the read-only attribute there is this issue

[ERROR] vertex "provider[\"registry.terraform.io/cloudposse/awsutils\"]" error: Missing required argument

Does it work for you?

sandy2008 commented 2 years ago

> @sandy2008 apart from the read-only attribute there is this issue
>
> [ERROR] vertex "provider[\"registry.terraform.io/cloudposse/awsutils\"]" error: Missing required argument
>
> Does it work for you?

I didn’t have this issue, could you submit a PR to my upstream?

I will release it.

renilthomas commented 2 years ago

Please ignore my issue mentioned above. Adding the provider regions solved the issue.

sandy2008 commented 2 years ago

Got it ;)


ZeroDeth commented 2 years ago

Thank you @sandy2008 for solving the certs issue; it is working now. Hopefully more examples will be added that support authentication_type = "federated-authentication", because this never worked for me, plus I couldn't enable the log group

│ Error: "name" isn't a valid log group name (alphanumeric characters, underscores, hyphens, slashes, hash signs and dots are allowed): ""
│
│   with module.client_vpn_endpoint.module.cloudwatch_log.aws_cloudwatch_log_group.default[0],
│   on .terraform/modules/client_vpn_endpoint.cloudwatch_log/main.tf line 17, in resource "aws_cloudwatch_log_group" "default":
│   17:   name              = module.log_group_label.id
│

nitrocode commented 2 years ago

This issue should be resolved by PR https://github.com/cloudposse/terraform-aws-ec2-client-vpn/pull/50

Please comment if this issue is still present in the latest version of this module.

nitrocode commented 2 years ago

Please comment if this is still unresolved by PR #50.
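
The errors in this thread ask for the `key_algorithm` line to be removed: in hashicorp/tls 4.x that attribute is read-only on `tls_cert_request` and `tls_self_signed_cert`, and is derived from `private_key_pem`. The following is an added example, not the module's code and not the change made in PR #50; resource names, subject values and the validity period are placeholders. It shows the rejected form beside one the 4.x provider accepts:

```hcl
terraform {
  required_providers {
    # Declaring the TLS provider explicitly makes the accepted major version a
    # reviewed decision instead of whatever `terraform init` resolves that day.
    # Constraints from the root and child modules are combined, so a root-level
    # "< 4.0.0" here is the short-term workaround for a module that still sets
    # key_algorithm; ">= 4.0.0" matches the corrected resources below.
    tls = {
      source  = "hashicorp/tls"
      version = ">= 4.0.0"
    }
  }
}

resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Before: rejected with "Invalid Configuration for Read-Only Attribute".
#
# resource "tls_cert_request" "example" {
#   key_algorithm   = "RSA"   # <- the line named in the error output
#   private_key_pem = tls_private_key.example.private_key_pem
# }

# After: the algorithm is no longer stated; the provider reads it from the key.
resource "tls_cert_request" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "vpn.example.internal" # placeholder
    organization = "example"              # placeholder
  }
}

resource "tls_self_signed_cert" "example" {
  private_key_pem       = tls_private_key.example.private_key_pem
  validity_period_hours = 8760 # placeholder: one year
  allowed_uses          = ["digital_signature", "key_encipherment", "server_auth"]

  subject {
    common_name  = "vpn.example.internal" # placeholder
    organization = "example"              # placeholder
  }
}
```

Committing `.terraform.lock.hcl` alongside the constraint keeps the resolved provider version and its checksums fixed between runs.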