terraform-ibm-modules / terraform-ibm-devsecops-alm

This is the DevSecOps Application Lifecycle Management Deployable Architecture
Apache License 2.0

New signing key is created with every deployment #458

Open in-1911 opened 4 months ago

in-1911 commented 4 months ago

When using the module with create_signing_key = true a new signing key is generated with every deployment. This may make incremental updates to the deployed resources problematic as the previously signed components may not pass validation once the key is regenerated.

Affected modules

prereq/main.tf

Terraform CLI and Terraform provider versions

Terraform output

Applying the module without any change in input variables:

2024/07/30 02:23:53 Terraform apply | Terraform used the selected providers to generate the following execution
2024/07/30 02:23:53 Terraform apply | plan. Resource actions are indicated with the following symbols:
2024/07/30 02:23:53 Terraform apply |   ~ update in-place
2024/07/30 02:23:53 Terraform apply | 
2024/07/30 02:23:53 Terraform apply | Terraform will perform the following actions:
2024/07/30 02:23:53 Terraform apply | 
2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0] will be updated in-place
2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
2024/07/30 02:23:53 Terraform apply |         id                      = "us-south/ed0****203/793****275e"
2024/07/30 02:23:53 Terraform apply |         name                    = "signing-certificate"
2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
2024/07/30 02:23:53 Terraform apply |         # (19 unchanged attributes hidden)
2024/07/30 02:23:53 Terraform apply |     }
2024/07/30 02:23:53 Terraform apply | 
2024/07/30 02:23:53 Terraform apply |   # module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0] will be updated in-place
2024/07/30 02:23:53 Terraform apply |   ~ resource "ibm_sm_arbitrary_secret" "secret_signing_key" {
2024/07/30 02:23:53 Terraform apply |         id                      = "us-south/ed0****203/983****e4b"
2024/07/30 02:23:53 Terraform apply |         name                    = "signing-key"
2024/07/30 02:23:53 Terraform apply |       ~ payload                 = (sensitive value)
2024/07/30 02:23:53 Terraform apply |         # (19 unchanged attributes hidden)
2024/07/30 02:23:53 Terraform apply |     }
2024/07/30 02:23:53 Terraform apply | 
2024/07/30 02:23:53 Terraform apply | Plan: 0 to add, 2 to change, 0 to destroy.
2024/07/30 02:23:57 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0]: Modifying... [id=us-south/ed07****203/983****e4b]
2024/07/30 02:23:57 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0]: Modifying... [id=us-south/ed0****203/793****75e]
2024/07/30 02:23:58 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0]: Modifications complete after 2s [id=us-south/ed0****203/793****75e]
2024/07/30 02:23:59 Terraform apply | module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0]: Modifications complete after 2s [id=us-south/ed0****203/983****e4b]

Debug output

Expected behavior

A new key should only be generated if the key parameters (name/email) are changing

Actual behavior

Steps to reproduce (including links and screen captures)

  1. Run terraform apply

Anything else


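The plan above has a recognisable signature: two resources updated in place where the only attribute that changes is a sensitive `payload`, on an apply with no input changes. The following script is an added example (not code from this issue or from the terraform-ibm-devsecops-alm module) of a CI gate that catches that pattern before apply. It reads the JSON form of a plan (`terraform show -json tfplan`, which carries sensitive values in `before`/`after` and marks them in `after_sensitive`) and rejects any in-place update whose changed attributes are all sensitive. The embedded plan is constructed to mirror the issue's output; the addresses, payload strings and the extra `secret_apikey` resource are placeholders chosen for the example, not real state.

```python
"""CI gate: reject plans that silently rewrite secret material.

Added example for this issue, not module code. A resource updated in place
where every changed attribute is marked sensitive is almost always a secret
being regenerated on an apply whose inputs did not change (the behaviour
reported above); such a plan must not be auto-applied.
"""
import json
import sys

# Constructed sample of `terraform show -json tfplan` output, reduced to the
# fields this check reads. Addresses, payload strings and the hypothetical
# `secret_apikey` resource are placeholders, not real key material or state.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # mirrors the issue: only `payload` changes -> must be rejected
            "address": "module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_key[0]",
            "type": "ibm_sm_arbitrary_secret",
            "change": {
                "actions": ["update"],
                "before": {"name": "signing-key", "payload": "ARMORED-KEY-FROM-APPLY-1"},
                "after": {"name": "signing-key", "payload": "ARMORED-KEY-FROM-APPLY-2"},
                "after_sensitive": {"payload": True},
            },
        },
        {   # same pattern for the certificate
            "address": "module.prereqs[0].ibm_sm_arbitrary_secret.secret_signing_certifcate[0]",
            "type": "ibm_sm_arbitrary_secret",
            "change": {
                "actions": ["update"],
                "before": {"name": "signing-certificate", "payload": "CERT-FROM-APPLY-1"},
                "after": {"name": "signing-certificate", "payload": "CERT-FROM-APPLY-2"},
                "after_sensitive": {"payload": True},
            },
        },
        {   # hypothetical: metadata edit, payload unchanged -> legitimate update
            "address": "module.prereqs[0].ibm_sm_arbitrary_secret.secret_apikey[0]",
            "type": "ibm_sm_arbitrary_secret",
            "change": {
                "actions": ["update"],
                "before": {"name": "api-key", "description": "old", "payload": "K1"},
                "after": {"name": "api-key-renamed", "description": "new", "payload": "K1"},
                "after_sensitive": {"payload": True},
            },
        },
        {   # untouched resource -> ignored
            "address": "module.prereqs[0].ibm_resource_instance.secrets_manager[0]",
            "type": "ibm_resource_instance",
            "change": {
                "actions": ["no-op"],
                "before": {"name": "secrets-manager"},
                "after": {"name": "secrets-manager"},
                "after_sensitive": {},
            },
        },
    ],
})


def changed_attributes(change):
    """Top-level attribute names whose value differs between before and after."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def sensitive_keys(change):
    """Attribute names Terraform marks sensitive in the planned new state."""
    marks = change.get("after_sensitive") or {}
    return {k for k, v in marks.items() if v is True}


def silent_secret_rewrites(plan):
    """Return in-place updates where every changed attribute is sensitive."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if "update" not in change.get("actions", []):
            continue
        diff = changed_attributes(change)
        if diff and all(k in sensitive_keys(change) for k in diff):
            findings.append({"address": rc["address"], "type": rc.get("type"), "attributes": diff})
    return findings


def gate(plan_json):
    """Return (ok, findings); ok is False when the plan must not be auto-applied."""
    findings = silent_secret_rewrites(json.loads(plan_json))
    return (not findings, findings)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python gate.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    ok, found = gate(text)
    for f in found:
        print(f"REJECT {f['address']}: only sensitive attribute(s) change: {', '.join(f['attributes'])}")
    print("plan ok" if ok else f"{len(found)} silent secret rewrite(s); require explicit rotation approval")
    sys.exit(0 if ok else 1)
```

Run against the real plan the gate exits non-zero for the two signing secrets and stays quiet for the renamed API key, so an intended rotation (new name/email, hence other attributes or a replace action) still passes while the accidental regeneration is stopped before previously signed artifacts lose a valid verification key.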

huayuenh commented 4 months ago

Related to this https://github.com/terraform-ibm-modules/terraform-ibm-devsecops-alm/issues/457

The secrets provisioning is the draft version. Scoping the apikeys and not regenerating the signing keys is planned