Open wangzhihao0629 opened 1 month ago
TL;DR: It is very sensitive to \n, and there are slightly different behaviors when adding a new certificate vs removing an old certificate. The solution ended up being making sure there is no extra '\n' between certificates and there is a newline at the end of the secret (certificates).
It turned out the reason was that I had added an extra \n between certificates. Now it works well for the case of appending a new certificate.
However I got a similar error when removing the first certificate.
"""
-----BEGIN CERTIFICATE-----
1st
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
2nd
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3rd
-----END CERTIFICATE-----
=>
-----BEGIN CERTIFICATE-----
2nd
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
3rd
-----END CERTIFICATE-----
"""
This is the error I got:
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.cloud-ops-temporal-namespace.temporalcloud_namespace.temporal_namespace, provider "provider[\"registry.terraform.io/temporalio/temporalcloud\"]" produced
│ an unexpected new value: .accepted_client_ca: inconsistent values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
I looked into the differences between the certificates saved in the secretmanager and those showing in the Temporal Cloud UI.
The only difference is that in the Temporal Cloud UI the certificates have a newline at the end.
I tested it by manually adding \n to the secret in secretmanager, and the terraform plan now says
No changes. Your infrastructure matches the configuration.
What are you really trying to do?
I am testing rotating certificates by appending a new one to accepted_client_ca.
For context, I created a Terraform module to integrate with secretmanager where we store the certificates. We have a job that rotates the certificates by appending to the secretmanager and we expect to do a terraform apply after the secret in secretmanager is updated. We want to hide these details so we created a Terraform module which basically wraps the temporalcloud_namespace with aws_secretsmanager_secret.
This is how I define the namespace:
Describe the bug
After I set the initial certificates, I successfully set up my namespace using Terraform.
However, after I add a new certificate and apply again, there was an error:
When I tried to apply again, it's a different error:
I went to the console to check my CA certificate of my namespace. There are actually two.
But right now I cannot apply the Terraform and there is always a drift.
Minimal Reproduction
Environment/Versions
Terraform information:
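The newline rule from the TL;DR above, as an added example that is not part of the original issue or the provider's code: a rotation job could normalize the bundle before writing it to the secret, so that appending or removing a certificate always yields the form the issue reports as stable. The function names and the sample bundle are assumptions made for illustration.

```python
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block; \s* absorbs CRLF and stray whitespace around the body.
_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.DOTALL)


def normalize_bundle(bundle: str) -> str:
    """Rewrite a CA bundle with no blank lines between certificates and
    exactly one trailing newline, the form the issue reports as stable."""
    bodies = _BLOCK.findall(bundle)
    # Every BEGIN/END marker must belong to a matched block.
    if not bodies or bundle.count(BEGIN) != len(bodies) or bundle.count(END) != len(bodies):
        raise ValueError("empty or malformed PEM bundle")
    # Refuse anything other than whitespace between blocks rather than drop it.
    if _BLOCK.sub("", bundle).strip():
        raise ValueError("unexpected data outside certificate blocks")
    certs = []
    for body in bodies:
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if not lines:
            raise ValueError("certificate block with empty body")
        certs.append("\n".join([BEGIN, *lines, END]))
    return "\n".join(certs) + "\n"


def append_certificate(bundle: str, new_cert: str) -> str:
    """Rotation step: append a certificate and return the normalized bundle."""
    return normalize_bundle(bundle + "\n" + new_cert)


def remove_first_certificate(bundle: str) -> str:
    """Rotation step: drop the oldest (first) certificate.
    Raises ValueError instead of producing an empty trust bundle."""
    normalized = normalize_bundle(bundle)
    rest = normalized.split(END + "\n", 1)[1]
    return normalize_bundle(rest)


# Constructed sample: placeholder bodies, not real certificates.
SAMPLE = f"{BEGIN}\nAAAA\n{END}\n\n{BEGIN}\nBBBB\n{END}"

if __name__ == "__main__":
    print(repr(normalize_bundle(SAMPLE)))
```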