hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_iothub_dps_certificate name validation is too restrictive #18367

Closed julian7 closed 2 years ago

julian7 commented 2 years ago

Call us reckless, but we originally used file names to define IoT Hub DPS certificates:

❯ az iot dps certificate list --dps-name XXXX --resource-group XXXX | jq '.value[].name'
"DevCA.cer"
"DevInterCA.cer"

However, when I tried to define them in Terraform, I'm getting an error during plan: Error: "name" may only contain alphanumeric characters and dashes.

Looking into the provider, I found that the schema has the validate.IoTHubName validator for both the IoT Hub's name and the certificate name:

https://github.com/hashicorp/terraform-provider-azurerm/blob/2e1650aa1cbe3dad37e8572289e0b0aaa8785494/internal/services/iothub/iothub_dps_certificate_resource.go#L43

Unfortunately, I couldn't find a good place in Azure docs for good limits for the "friendly name."

Terraform Version

1.2.8

AzureRM Provider Version

3.22.0

Affected Resource(s)/Data Source(s)

azurerm_iothub_dps_certificate

Terraform Configuration Files

terraform {
  backend "local" {}
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.14"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_iothub_dps_certificate" "root" {
  name                = "DevCA.cer"
  resource_group_name = "... existing resource group name ..."
  iot_dps_name        = "... existing IoT DPS name ..."
  certificate_content = filebase64("./certs/DevCA.cer")
}

Debug Output/Panic Output

2022-09-13T16:45:02.940+0200 [INFO]  Terraform version: 1.2.8
2022-09-13T16:45:02.941+0200 [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-09-13T16:45:02.941+0200 [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-09-13T16:45:02.941+0200 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-09-13T16:45:02.941+0200 [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-09-13T16:45:02.941+0200 [DEBUG] using github.com/zclconf/go-cty v1.11.0
2022-09-13T16:45:02.941+0200 [INFO]  Go runtime version: go1.19
2022-09-13T16:45:02.941+0200 [INFO]  CLI args: []string{"terraform", "plan", "-out=x"}
2022-09-13T16:45:02.941+0200 [DEBUG] Attempting to open CLI config file: /Volumes/GE/.terraformrc
2022-09-13T16:45:02.941+0200 [INFO]  Loading CLI configuration from /Volumes/GE/.terraformrc
2022-09-13T16:45:02.942+0200 [DEBUG] Not reading CLI config directory because config location is overridden by environment variable
2022-09-13T16:45:02.942+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-09-13T16:45:02.942+0200 [DEBUG] ignoring non-existing provider search directory /Users/js/.terraform.d/plugins
2022-09-13T16:45:02.942+0200 [DEBUG] ignoring non-existing provider search directory /Users/js/Library/Application Support/io.terraform/plugins
2022-09-13T16:45:02.942+0200 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2022-09-13T16:45:02.943+0200 [INFO]  CLI command args: []string{"plan", "-out=x"}
2022-09-13T16:45:03.055+0200 [DEBUG] checking for provisioner in "."
2022-09-13T16:45:03.057+0200 [DEBUG] checking for provisioner in "/opt/homebrew/bin"
2022-09-13T16:45:03.058+0200 [INFO]  backend/local: starting Plan operation
2022-09-13T16:45:03.058+0200 [DEBUG] created provider logger: level=debug
2022-09-13T16:45:03.058+0200 [INFO]  provider: configuring client automatic mTLS
2022-09-13T16:45:03.067+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5]
2022-09-13T16:45:03.073+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 pid=55224
2022-09-13T16:45:03.073+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5
2022-09-13T16:45:03.086+0200 [INFO]  provider.terraform-provider-azurerm_v3.22.0_x5: configuring server automatic mTLS: timestamp=2022-09-13T16:45:03.086+0200
...
2022-09-13T16:45:03.112+0200 [DEBUG] provider.terraform-provider-azurerm_v3.22.0_x5: Registering Resources for "Web"..: timestamp=2022-09-13T16:45:03.112+0200
2022-09-13T16:45:03.113+0200 [DEBUG] provider: using plugin: version=5
2022-09-13T16:45:03.113+0200 [DEBUG] provider.terraform-provider-azurerm_v3.22.0_x5: plugin address: address=/Volumes/GE/tmp/plugin2334855433 network=unix timestamp=2022-09-13T16:45:03.112+0200
2022-09-13T16:45:03.188+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-09-13T16:45:03.189+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 pid=55224
2022-09-13T16:45:03.189+0200 [DEBUG] provider: plugin exited
2022-09-13T16:45:03.189+0200 [DEBUG] Building and walking validate graph
2022-09-13T16:45:03.189+0200 [DEBUG] ProviderTransformer: "azurerm_iothub_dps_certificate.root" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/azurerm"]
2022-09-13T16:45:03.189+0200 [DEBUG] ReferenceTransformer: "azurerm_iothub_dps_certificate.root" references: []
2022-09-13T16:45:03.189+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/azurerm\"]" references: []
2022-09-13T16:45:03.189+0200 [DEBUG] Starting graph walk: walkValidate
2022-09-13T16:45:03.190+0200 [DEBUG] created provider logger: level=debug
2022-09-13T16:45:03.190+0200 [INFO]  provider: configuring client automatic mTLS
2022-09-13T16:45:03.193+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5]
2022-09-13T16:45:03.199+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 pid=55225
2022-09-13T16:45:03.199+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5
2022-09-13T16:45:03.212+0200 [INFO]  provider.terraform-provider-azurerm_v3.22.0_x5: configuring server automatic mTLS: timestamp=2022-09-13T16:45:03.212+0200
...
2022-09-13T16:45:03.238+0200 [DEBUG] provider.terraform-provider-azurerm_v3.22.0_x5: Registering Resources for "Web"..: timestamp=2022-09-13T16:45:03.238+0200
2022-09-13T16:45:03.238+0200 [DEBUG] provider: using plugin: version=5
2022-09-13T16:45:03.238+0200 [DEBUG] provider.terraform-provider-azurerm_v3.22.0_x5: plugin address: address=/Volumes/GE/tmp/plugin2010742630 network=unix timestamp=2022-09-13T16:45:03.238+0200
2022-09-13T16:45:03.352+0200 [ERROR] provider.terraform-provider-azurerm_v3.22.0_x5: Response contains error diagnostic: tf_rpc=ValidateResourceTypeConfig diagnostic_detail= tf_proto_version=5.2 diagnostic_severity=ERROR tf_provider_addr=provider tf_resource_type=azurerm_iothub_dps_certificate @caller=github.com/hashicorp/terraform-plugin-go@v0.10.0/tfprotov5/internal/diag/diagnostics.go:56 @module=sdk.proto diagnostic_attribute=AttributeName("name") diagnostic_summary=""name" may only contain alphanumeric characters and dashes" tf_req_id=14088d2c-30de-2ea1-d595-729f5e44ff56 timestamp=2022-09-13T16:45:03.352+0200
2022-09-13T16:45:03.352+0200 [ERROR] vertex "azurerm_iothub_dps_certificate.root" error: "name" may only contain alphanumeric characters and dashes
╷
│ Error: "name" may only contain alphanumeric characters and dashes
│
│   with azurerm_iothub_dps_certificate.root,
│   on dps.tf line 2, in resource "azurerm_iothub_dps_certificate" "root":
│    2:   name                = "DevCA.cer"
│
╵
2022-09-13T16:45:03.353+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-09-13T16:45:03.354+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.22.0/darwin_arm64/terraform-provider-azurerm_v3.22.0_x5 pid=55225
2022-09-13T16:45:03.354+0200 [DEBUG] provider: plugin exited

Expected Behaviour

An IoT Hub DPS certificate is created

Actual Behaviour

2022-09-13T16:45:03.352+0200 [ERROR] vertex "azurerm_iothub_dps_certificate.root" error: "name" may only contain alphanumeric characters and dashes
╷
│ Error: "name" may only contain alphanumeric characters and dashes
│
│   with azurerm_iothub_dps_certificate.root,
│   on dps.tf line 2, in resource "azurerm_iothub_dps_certificate" "root":
│    2:   name                = "DevCA.cer"
│
╵

Steps to Reproduce

terraform plan

myc2h6o commented 2 years ago

Hi @julian7, thanks for opening the issue! Since the certificate name you used could pass the validation on the Azure end, the validation in the provider probably needs to be adjusted. I'll check that.

myc2h6o commented 2 years ago

Hi @julian7 I've opened #18694 to fix the validation. DevCA.cer will be considered as a valid certificate name with the fix.
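The mismatch discussed in this thread, as an added example that is not the provider's code and not the change made in #18694: a strict validator reconstructed from the error text in the issue, next to a relaxed allowlist for the certificate name. The relaxed character set, the 64-character limit and the names `StrictCertName`, `RelaxedCertName` and `Accepts` are assumptions for illustration, not Azure's documented rule.

```go
package main

import (
	"fmt"
	"regexp"
)

// Reconstructed from the error message in the issue; not copied from the provider.
var strictName = regexp.MustCompile(`^[0-9A-Za-z-]+$`)

// Hypothetical relaxed allowlist (assumption, not Azure's documented rule):
// 1-64 chars from alphanumerics plus . _ -, starting and ending alphanumeric,
// so "..", leading dots and path separators stay rejected.
var relaxedName = regexp.MustCompile(`^[0-9A-Za-z]([0-9A-Za-z._-]{0,62}[0-9A-Za-z])?$`)

// validateWith returns a validator with the (value, key) -> (warnings, errors)
// shape used for schema validation functions in the Terraform plugin SDK.
func validateWith(re *regexp.Regexp, msg string) func(interface{}, string) ([]string, []error) {
	return func(v interface{}, k string) (warnings []string, errs []error) {
		s, ok := v.(string)
		if !ok {
			return nil, []error{fmt.Errorf("expected %q to be a string", k)}
		}
		if !re.MatchString(s) {
			errs = append(errs, fmt.Errorf("%q %s", k, msg))
		}
		return warnings, errs
	}
}

var StrictCertName = validateWith(strictName, "may only contain alphanumeric characters and dashes")
var RelaxedCertName = validateWith(relaxedName, "must be 1-64 alphanumerics, '.', '_' or '-', starting and ending alphanumeric")

// Accepts reports whether validator f returns no errors for name.
func Accepts(f func(interface{}, string) ([]string, []error), name string) bool {
	_, errs := f(name, "name")
	return len(errs) == 0
}

func main() {
	// Constructed sample names: the two from the issue plus negative cases.
	samples := []string{"DevCA.cer", "DevInterCA.cer", "dev-ca", "", "..", "Dev/CA.cer", "DevCA.cer\n"}
	for _, n := range samples {
		fmt.Printf("%-18q strict=%-5v relaxed=%v\n", n, Accepts(StrictCertName, n), Accepts(RelaxedCertName, n))
	}
}
```

When loosening a client-side validator like this, keep the pattern anchored and keep the negative cases in the test table so the wider allowlist does not start admitting separators or trailing whitespace.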

github-actions[bot] commented 2 years ago

This functionality has been released in v3.26.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

myc2h6o commented 2 years ago

@katbyte should this be v3.27.0 instead of v3.26.0 which was already released?

julian7 commented 2 years ago

@katbyte apparently, there were a few PRs that fell into the hole of not closing the 3.26 milestone on time, and therefore there were a few changes in the release of 3.27.0 not reflected in the CHANGELOG.
