hashicorp / terraform-provider-tls

Utility provider that works with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certificate requests to be created as part of a Terraform deployment.
https://registry.terraform.io/providers/hashicorp/tls/latest
Mozilla Public License 2.0

tls_self_signed_cert being replaced when upgrading from v3 to v4 because of default values #491

Open jhyot opened 5 months ago

jhyot commented 5 months ago

Terraform CLI and Provider Versions

Terraform v1.7.5 on darwin_arm64

Terraform Configuration

resource "tls_self_signed_cert" "aks-ingress-backend" {
  private_key_pem = tls_private_key.aks-ingress-backend.private_key_pem
  subject {
    common_name = "${local.aks_resource_prefix}-ingress"

    // These are explicitly specified to avoid replacement on 4.x
    // https://github.com/hashicorp/terraform-provider-tls/issues/284
    country = ""
    locality = ""
    organization = ""
    organizational_unit = ""
    postal_code = ""
    province = ""
    serial_number = ""
    street_address = []
  }

  validity_period_hours = 10 * 365 * 24
  allowed_uses = [
    "digital_signature",
    "key_encipherment",
    "server_auth"
  ]
  dns_names = var.backend_ingress_cert_dns_names
  ip_addresses = [
    "127.0.0.1"
  ]
}

Expected Behavior

This resource was created on the 3.1.0 provider, and the problem was now triggered when upgrading from 3.1.0 -> 4.0.5.

Expecting no replacement of certificate when applying this unchanged config with the new provider version.

Actual Behavior

Certificate is being replaced. Plan output (some values redacted):

  # module.aks_cluster.tls_self_signed_cert.aks-ingress-backend must be replaced
-/+ resource "tls_self_signed_cert" "aks-ingress-backend" {
      ~ cert_pem              = <<-EOT
            -----BEGIN CERTIFICATE-----
            <redacted>
            -----END CERTIFICATE-----
        EOT -> (known after apply)
      ~ id                    = "<redacted>" -> (known after apply)
      + is_ca_certificate     = false # forces replacement
      ~ key_algorithm         = "RSA" -> (known after apply)
      ~ private_key_pem       = (sensitive value)
      + set_authority_key_id  = false # forces replacement
      + set_subject_key_id    = false # forces replacement
      ~ validity_end_time     = "2031-08-07T17:11:42.3952779+02:00" -> (known after apply)
      ~ validity_start_time   = "2021-08-09T17:11:42.3952779+02:00" -> (known after apply)
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

The values that supposedly force replacement have never been set in my config and should be the default values.

tf state pull actually shows that two of the values are null in my state and the third one (set_authority_key_id) not present at all:

{
  <... rest of JSON omitted ...>
    "is_ca_certificate": null,
    "key_algorithm": "RSA",
    "private_key_pem": "<redacted>",
    "ready_for_renewal": false,
    "set_subject_key_id": null,
  <... rest of JSON omitted ...>
}

Even if I set the 3 values explicitly to null or to false in my config, the plan is the same, with the forced replacement.

Note that https://github.com/hashicorp/terraform-provider-tls/issues/284 forced me to update the config with the empty default values for subject. This here is a different issue which still forces replacement regardless of whether I set the empty subject values explicitly or not.

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

jhyot commented 5 months ago

The workaround is to manually edit the state file, to add the default false values for the three config keys in question.
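As an added illustration of that workaround (not jhyot's code and not part of the provider), the script below patches a pulled state file instead of editing it by hand: it assumes the Terraform v4 state JSON layout (resources -> instances -> attributes), sets the three attributes named in the plan output to false only where they are null or absent, and bumps the state serial so the edited file can be pushed back; the sample state is constructed from the excerpt in the issue.

```python
import copy
import json

# The three attributes whose null/missing values show up as "forces replacement"
# in the v4 plan above. Any other attribute is left untouched.
V4_DEFAULT_FALSE_ATTRS = ("is_ca_certificate", "set_authority_key_id", "set_subject_key_id")


def patch_tls_state(state: dict) -> tuple:
    """Return (patched_state, instances_changed) for a Terraform v4 state dict.

    Only tls_self_signed_cert instances are touched, and only attributes that
    are null or absent are set to False, so an already-patched state is a no-op.
    The serial is incremented when anything changed, because `terraform state push`
    rejects a file whose serial is not newer than the remote state (assumption:
    standard state-push behaviour, no -force).
    """
    patched = copy.deepcopy(state)
    changed = 0
    for res in patched.get("resources", []):
        if res.get("type") != "tls_self_signed_cert":
            continue
        for inst in res.get("instances", []):
            attrs = inst.setdefault("attributes", {})
            missing = [k for k in V4_DEFAULT_FALSE_ATTRS if attrs.get(k) is None]
            for key in missing:
                attrs[key] = False
            if missing:
                changed += 1
    if changed:
        patched["serial"] = state.get("serial", 0) + 1
    return patched, changed


# Constructed sample state mirroring the `tf state pull` excerpt in the issue
SAMPLE_STATE = {
    "version": 4,
    "serial": 12,
    "resources": [
        {"mode": "managed", "type": "tls_private_key", "name": "aks-ingress-backend",
         "instances": [{"attributes": {"algorithm": "RSA"}}]},
        {"mode": "managed", "type": "tls_self_signed_cert", "name": "aks-ingress-backend",
         "instances": [{"attributes": {
             "is_ca_certificate": None,          # null in state
             "key_algorithm": "RSA",
             "private_key_pem": "<redacted>",
             "ready_for_renewal": False,
             "set_subject_key_id": None,         # null in state; set_authority_key_id absent
         }}]},
    ],
}

if __name__ == "__main__":
    new_state, n = patch_tls_state(SAMPLE_STATE)
    print(f"patched {n} instance(s); new serial {new_state['serial']}")
    print(json.dumps(new_state["resources"][1]["instances"][0]["attributes"], indent=2))
```

In practice the input comes from `terraform state pull > state.json` and the result goes back with `terraform state push state.json`; a subsequent `terraform plan` should then show no replacement for the certificate.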