hashicorp / terraform-provider-tls

Utility provider that works with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certificate requests to be created as part of a Terraform deployment.
https://registry.terraform.io/providers/hashicorp/tls/latest
Mozilla Public License 2.0

rsa_bits is set for tls_private_key even when algorithm = "ECDSA" #295

Open tspearconquest opened 1 year ago

tspearconquest commented 1 year ago

Terraform CLI and Provider Versions

Terraform v1.3.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/tls v4.0.4

Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration

resource "tls_private_key" "server_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P521"
}

Expected Behavior

  # tls_private_key.server_key will be created
  + resource "tls_private_key" "server_key" {
      + algorithm                     = "ECDSA"
      + ecdsa_curve                   = "P521"
      + id                            = (known after apply)
      + private_key_openssh           = (sensitive value)
      + private_key_pem               = (sensitive value)
      + private_key_pem_pkcs8         = (sensitive value)
      + public_key_fingerprint_md5    = (known after apply)
      + public_key_fingerprint_sha256 = (known after apply)
      + public_key_openssh            = (known after apply)
      + public_key_pem                = (known after apply)
    }

Actual Behavior

  # tls_private_key.server_key will be created
  + resource "tls_private_key" "server_key" {
      + algorithm                     = "ECDSA"
      + ecdsa_curve                   = "P521"
      + id                            = (known after apply)
      + private_key_openssh           = (sensitive value)
      + private_key_pem               = (sensitive value)
      + private_key_pem_pkcs8         = (sensitive value)
      + public_key_fingerprint_md5    = (known after apply)
      + public_key_fingerprint_sha256 = (known after apply)
      + public_key_openssh            = (known after apply)
      + public_key_pem                = (known after apply)
      + rsa_bits                      = 2048
    }

Steps to Reproduce

  1. terraform plan

How much impact is this issue causing?

Low

Logs

No response

Additional Information

The documentation mentions that this value is only used when algorithm = "RSA" so there is no reason for it to be included in the state file or outputs. When algorithm = "ECDSA" or algorithm = "ED25519", Terraform should hide the rsa_bits line and not save the value to the state file.

I want to use tls_private_key to generate a private ECDSA key for signing my own CA with tls_self_signed_cert, but I don't want any RSA related information in the state file or output, since I'm not requesting an RSA key.

This seems to only affect the output and the values saved into the state file, but does not appear to cause any abnormal functionality in the provider or the generated certificates in the state.
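A small check for the behaviour this issue reports, added here as an example; it is not part of the reporter's post or of the provider's code. It walks the JSON that `terraform show -json` emits for a state (or plan), recursing through root_module and child_modules, and reports every tls_private_key whose algorithm is not RSA but whose stored attributes still carry rsa_bits. It also lists the private_key_* attributes present, since those are held in full in the state file even though the plan output prints them as (sensitive value). The state document is constructed inline in that layout, with placeholder strings in place of key material.

```python
"""Report tls_private_key resources whose stored state carries rsa_bits
although the key is not an RSA key (the behaviour described in this issue).

Input is the JSON produced by `terraform show -json`, walked recursively
through values.root_module and its child_modules.
"""
import json
from typing import Iterator

# Constructed sample in the shape of `terraform show -json` output.
# Key material is replaced by placeholders; these are not real keys.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {
        "root_module": {
            "resources": [
                {
                    "address": "tls_private_key.server_key",
                    "type": "tls_private_key",
                    "name": "server_key",
                    "values": {
                        "algorithm": "ECDSA",
                        "ecdsa_curve": "P521",
                        "rsa_bits": 2048,
                        "private_key_pem": "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
                        "public_key_pem": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n",
                    },
                },
                {
                    "address": "tls_private_key.rsa_key",
                    "type": "tls_private_key",
                    "name": "rsa_key",
                    "values": {"algorithm": "RSA", "rsa_bits": 4096, "private_key_pem": "PLACEHOLDER"},
                },
            ],
            "child_modules": [
                {
                    "address": "module.ca",
                    "resources": [
                        {
                            "address": "module.ca.tls_private_key.ca_key",
                            "type": "tls_private_key",
                            "name": "ca_key",
                            "values": {"algorithm": "ED25519", "rsa_bits": 2048, "private_key_pem": "PLACEHOLDER"},
                        }
                    ],
                }
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_stray_rsa_bits(state_json: str) -> list[dict]:
    """Return one finding per tls_private_key whose algorithm is not RSA
    but whose stored attributes still include rsa_bits."""
    state = json.loads(state_json)
    root = state.get("values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "tls_private_key":
            continue
        vals = res.get("values", {})
        algorithm = vals.get("algorithm")
        if algorithm != "RSA" and "rsa_bits" in vals:
            findings.append({
                "address": res["address"],
                "algorithm": algorithm,
                "rsa_bits": vals["rsa_bits"],
                # Private key attributes the state holds in clear text; the plan
                # prints them as (sensitive value) but the state file stores them.
                "private_key_attrs": sorted(k for k in vals if k.startswith("private_key")),
            })
    return findings


if __name__ == "__main__":
    for f in find_stray_rsa_bits(SAMPLE_STATE):
        print(f"{f['address']}: algorithm={f['algorithm']} but rsa_bits={f['rsa_bits']} is stored; "
              f"private key attributes in state: {f['private_key_attrs']}")
```

Run it against real output with `terraform show -json terraform.tfstate` piped into `find_stray_rsa_bits`; the RSA key in the sample is correctly skipped, while both the ECDSA and the ED25519 key are reported.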

tspearconquest commented 1 year ago

Actually, upon further testing, this does cause abnormal functionality.

I left out the rsa_bits with algorithm = "ECDSA" and generated a certificate locally with terraform plan followed by terraform apply.

Then I ran terraform plan again to confirm no changes:

❯ terraform plan -out plan
tls_private_key.ca_key: Refreshing state... [id=096300c25a9a634a5b6b3b6039ca9b2b77e7baa6]
tls_private_key.server_key: Refreshing state... [id=801a05e31a79fb9051625dfe5d4ebd65ee049508]
tls_cert_request.server_csr: Refreshing state... [id=d8e49e436e0ade51e593822b26b36fd7edd818a2]
tls_self_signed_cert.ca_cert: Refreshing state... [id=263861910634595957572633798312256012026]
tls_locally_signed_cert.server_cert: Refreshing state... [id=211343064850266243715313131738143119829]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Then I added the line rsa_bits = 0 to my resource, as below:

resource "tls_private_key" "server_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P521"
  rsa_bits    = 0
}

Then ran terraform plan again: (screenshot of the plan output, not included)