hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.59k stars 4.63k forks

azurerm_key_vault_certificate is replaced on each terraform apply if key usages are not sorted #11592

Closed tabneib closed 2 years ago

tabneib commented 3 years ago

Terraform (and AzureRM Provider) Version

Terraform v0.14.4

Affected Resource(s)

azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault_certificate" "example" {
  name         = "example"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {

      extended_key_usage = ["1.3.6.1.5.5.7.3.1","1.3.6.1.5.5.7.3.2"]

      // Notice that the items are not sorted lexicographically 
      key_usage = [
        "digitalSignature",
        "keyEncipherment",
        "keyCertSign",
      ]

      subject            = "CN=example.com"
      validity_in_months = 12
    }
  }
}

Expected Behaviour

On the first run of terraform apply, the certificate is created. On the second run of terraform apply with no change in between, no resource would be added/updated/replaced.

Actual Behaviour

On the first terraform apply, the certificate is correctly created. On each subsequent terraform apply, the certificate is replaced with a new one due to a change in key_usage.

If the items in key_usage are sorted lexicographically, the certificate is not replaced, which is the expected behaviour. azurerm seems to sort the key usages somewhere and does the comparison incorrectly. This is not documented anywhere and also should not be implemented this way.
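The behaviour reported above comes down to how the provider compares the configured key_usage against what Key Vault returns: an order-sensitive list comparison flags a difference whenever the API hands the usages back in a different order, and for this resource a "difference" means a forced replacement, i.e. the certificate is destroyed and re-issued with a new key pair and serial on every apply. The following Go program is an added example, not code from the azurerm provider or from the issue author, and uses only the standard library. It reproduces the spurious diff with an order-sensitive compare and shows the order-insensitive (set) compare that a provider should use for an attribute whose order carries no meaning. The two input slices are constructed for the example; the assumption that the API returns the usages sorted is taken from the report, not verified against Key Vault.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample input (assumption for this example): the key usages
// exactly as written in the issue's HCL, not lexicographically sorted, and
// the same set as the remote API is assumed to return it, sorted.
var configuredKeyUsage = []string{"digitalSignature", "keyEncipherment", "keyCertSign"}
var remoteKeyUsage = []string{"digitalSignature", "keyCertSign", "keyEncipherment"}

// listEqual is an order-sensitive comparison. Applied to key_usage it reports
// a change whenever the user's ordering differs from the API's ordering, which
// is what turns into a replacement on every apply.
func listEqual(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// normalizeKeyUsage trims whitespace, drops empty entries and duplicates, and
// sorts, so that two slices naming the same usages compare equal regardless
// of the order in which they were written.
func normalizeKeyUsage(in []string) []string {
	seen := make(map[string]struct{}, len(in))
	out := make([]string, 0, len(in))
	for _, u := range in {
		u = strings.TrimSpace(u)
		if u == "" {
			continue
		}
		if _, dup := seen[u]; dup {
			continue
		}
		seen[u] = struct{}{}
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// setEqual compares two key_usage values as sets: same members, any order.
func setEqual(a, b []string) bool {
	return listEqual(normalizeKeyUsage(a), normalizeKeyUsage(b))
}

// needsReplace models the plan decision: true means the provider would force
// a new certificate. With orderSensitive=true it reproduces the reported bug;
// with orderSensitive=false only a real membership change triggers a replace.
func needsReplace(configured, remote []string, orderSensitive bool) bool {
	if orderSensitive {
		return !listEqual(configured, remote)
	}
	return !setEqual(configured, remote)
}

func main() {
	fmt.Printf("order-sensitive compare, same set:  replace=%v\n",
		needsReplace(configuredKeyUsage, remoteKeyUsage, true))
	fmt.Printf("set compare, same set:              replace=%v\n",
		needsReplace(configuredKeyUsage, remoteKeyUsage, false))
	fmt.Printf("set compare, keyCertSign removed:   replace=%v\n",
		needsReplace([]string{"digitalSignature", "keyEncipherment"}, remoteKeyUsage, false))
}
```

The same reasoning applies to extended_key_usage, which is also a set of OIDs with no meaningful order. When writing a Terraform provider, the usual way to get set semantics is to declare the attribute as a set type rather than a list (or to attach a diff-suppress function that ignores order); the point of the example is only to show that the comparison, not the configuration, is what decides whether a certificate gets re-issued.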

github-actions[bot] commented 2 years ago

This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.