Open satwell opened 2 days ago
Hi! If you don't mind, I'd like to drag this nifty example into the guides. It's not actually a bug. The certificate resource doesn't have any modifiable parameter that signaled the need to change. To make your example work, simply change the resource section to the following:
```hcl
resource "routeros_system_certificate" "server_cert" {
  name        = "server"
  common_name = tls_cert_request.server_csr.subject[0].common_name

  import {
    cert_file_name = routeros_file.server_cert.name
    key_file_name  = routeros_file.server_key.name
  }

  depends_on = [routeros_file.server_cert, routeros_file.server_key]

  lifecycle {
    # The file names do not change when the PEM is rotated, so the new
    # cert_pem is what must force a replacement (and thus a re-import).
    replace_triggered_by = [
      tls_locally_signed_cert.server_cert.cert_pem
    ]
  }
}
```
And yes, thanks for the perfect description of the problem :)
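For readers landing here from the docs, the following is a complete, added configuration that wires the `replace_triggered_by` fix above into the CA -> CSR -> signed-cert -> upload -> import chain the issue describes. It is an example written for this page, not the reporter's repro case (which is not reproduced here) and not the provider's own documentation. The provider connection via `ROS_HOSTURL`/`ROS_USERNAME`/`ROS_PASSWORD` environment variables, the CA and subject names, the 90-day validity with `early_renewal_hours`, the file names, and the `serial_number` attribute used in the output are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    tls      = { source = "hashicorp/tls" }
    routeros = { source = "terraform-routeros/routeros" }
  }
}

# Assumption: connection details come from ROS_HOSTURL, ROS_USERNAME and
# ROS_PASSWORD in the environment rather than being hard-coded here.
provider "routeros" {}

# --- Minimal lab CA (names are placeholders chosen for this example) -------
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 24 * 365 * 5
  allowed_uses          = ["cert_signing", "crl_signing", "digital_signature"]

  subject {
    common_name = "Example Lab CA"
  }
}

# --- Server key, CSR and CA-signed certificate -----------------------------
resource "tls_private_key" "server" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "server_csr" {
  private_key_pem = tls_private_key.server.private_key_pem
  dns_names       = ["router.example.internal"]

  subject {
    common_name = "router.example.internal"
  }
}

resource "tls_locally_signed_cert" "server_cert" {
  cert_request_pem      = tls_cert_request.server_csr.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 24 * 90
  # Assumption for this example: plan a replacement 14 days before expiry so
  # rotation happens on a normal apply instead of via a manual taint.
  early_renewal_hours   = 24 * 14
  allowed_uses          = ["digital_signature", "key_encipherment", "server_auth"]
}

# --- Upload the PEMs; the import block below consumes them by file name ----
resource "routeros_file" "server_cert" {
  name     = "server.crt"
  contents = tls_locally_signed_cert.server_cert.cert_pem
}

resource "routeros_file" "server_key" {
  name     = "server.key"
  contents = tls_private_key.server.private_key_pem
}

# --- Import into RouterOS, re-importing whenever the signed PEM changes -----
resource "routeros_system_certificate" "server_cert" {
  name        = "server"
  common_name = tls_cert_request.server_csr.subject[0].common_name

  import {
    cert_file_name = routeros_file.server_cert.name
    key_file_name  = routeros_file.server_key.name
  }

  depends_on = [routeros_file.server_cert, routeros_file.server_key]

  lifecycle {
    # Without this, nothing in the resource's own arguments changes on
    # rotation (same file names), so the old certificate stays on the device.
    replace_triggered_by = [
      tls_locally_signed_cert.server_cert.cert_pem
    ]
  }
}

# Assumption: the resource exposes the imported certificate's serial number
# as serial_number; compare it with /certificate/print detail on the router.
output "routeros_serial" {
  value = routeros_system_certificate.server_cert.serial_number
}
```

Two operational notes. First, the server private key lives in Terraform state and is written to the router's file system for the import, so the state backend needs the same protection as the key itself. Second, as the thread notes, the import removes the uploaded files, so the `routeros_file` resources will show as re-created on the following apply; that is expected with this pattern and does not by itself re-import the certificate, because only a change to `cert_pem` triggers the replacement.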
Thanks for the quick reply! You're right, using `replace_triggered_by` does seem to solve the issue. It would be helpful to have that included in the example in the docs for `routeros_system_certificate`. (And feel free to reuse anything from my repro case to improve the docs!)

I wonder though, would it make more sense for `routeros_system_certificate` to allow the user to specify the content of the cert and key rather than a filename? The resource itself could be responsible for writing that content to temporary files as part of the import. It seems like this would remove the need for a `lifecycle` config.
And it would also fix another minor annoyance: the certificate import removes the files, so then Terraform recreates those files on the next run even if there are no other changes. So right now my example in the bug description takes two apply runs to reach steady state.
The contents of the key and certificate can be specified in the scenario. An example is available in the documentation. But as for creating temporary files, I would not like to do it, so as not to complicate the code. Although it may be worth looking into this direction.
Describe the bug

I'm trying to manage the TLS certificate on a RouterOS 7.16 device with terraform-routeros/routeros 1.65.1. I create the key and certificate externally and then import with Terraform using `routeros_system_certificate` with `import`. The initial import works fine. But when I try to rotate the certificate, the certificate on RouterOS isn't updated, even though the `routeros_file` resources do get updated.

To Reproduce

This example uses the `hashicorp/tls` provider to implement a basic CA. Then it creates a key and CSR, signs the CSR with the CA, and imports the resulting signed certificate and key into RouterOS. I output the serial of the certificate on RouterOS and the serial of the certificate created by the `tls` provider to make it easy to compare.

The initial apply works as expected:

And this matches the `serial-number` on the device:

Now I'll rotate the certificate by tainting the `tls_locally_signed_cert` to trigger creation of a new certificate:

`terraform plan` tells me that `routeros_file.server_key` and `routeros_file.server_cert` will be created, and `tls_locally_signed_cert.server_cert` will be replaced. For some reason it doesn't replace or update `routeros_system_certificate.server_cert`:

And notice that the serial numbers don't match any more. The device is still using the old certificate, which we can confirm by running `/certificate/print detail where name="server"` again.

Just to be thorough, we can also verify that the uploaded `routeros_file` resources contain the new certificate. Let's import it with a different name to keep it separate:

Expected behavior

Updating the imported certificates in Terraform should result in the certificates being updated in RouterOS.