[BUG] Provider produced invalid plan #245
Comments
Hello @kaefferlein - Sorry you are having issues here. Let me see if I can help. I have taken your example code, but I had to modify it a bit because it was referring

```hcl
terraform {
  required_version = ">= 1.0.2, < 2"
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.0"
    }
  }
}

resource "tls_private_key" "sealed_secrets_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "sealed_secrets_cert" {
  private_key_pem = tls_private_key.sealed_secrets_key.private_key_pem

  subject {
    common_name  = "test common name"
    organization = "test organization"
  }

  validity_period_hours = 1

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]

  lifecycle {
    ignore_changes = [ready_for_renewal]
  }
}
```

My terraform:
Terraform
That is a warning from Terraform itself, and it does make sense. But it's legit to ignore. So I applied:
And any successive
Can you double check:
Update. I think I managed to make the error in question appear. I had to alter the configuration so as to make the early renewal kick in sooner: ...

```hcl
resource "tls_self_signed_cert" "sealed_secrets_cert" {
  private_key_pem = tls_private_key.sealed_secrets_key.private_key_pem

  subject {
    common_name  = "test common name"
    organization = "test organization"
  }

  validity_period_hours = 1
  early_renewal_hours   = 1   # <------

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]

  lifecycle {
    ignore_changes = [ready_for_renewal]
  }
}
```

By keeping the ignoring of

I'll keep looking into this, but the warnings and the error are likely to be intertwined.
@kaefferlein - Can I ask why you are using

```hcl
lifecycle {
  ignore_changes = [ready_for_renewal]
}
```

Is the intention to prevent the self-signed cert from expiring (testing/dev environment?)?
Hi @detro, thanks for your replies so far :)
Yes, I guess so - unfortunately I cannot tell you exactly why this has been done. Do you think the
Hi @kaefferlein, thanks for the reply. So, the way to fix this and not have TF raise that error is probably to increase the certificate validity to a year or multiple years: it would generate a new certificate the first time you The auto renewal process is at the moment a baked-in behaviour of the provider, and can't be avoided. Setting We are discussing with the Terraform Core team what the best course of action is, but meanwhile, to unblock your situation, I would suggest setting Please let us know if this helps.
Hello again @kaefferlein. I discussed with my team and here is the outcome. First of all, we have identified this to be an issue with Once the fix lands, this should also be signified by the disappearance of the warning noticed above:

In terms of having a never-expiring certificate, given the current feature set of this provider, the correct way to set that up is by setting If this "never try to auto renew" behaviour is desirable to multiple practitioners, we would be happy to consider a feature request, and use it to gather and confirm interest in this change. One interesting scenario that removing (or allowing the disabling of) auto renewal would open up is pairing it with the replace_triggered_by functionality introduced in Terraform: practitioners could come up with more intricate and bespoke logic to control what/when/how the replacement of a certificate (i.e. renewal) should be triggered. This is of course outside the scope of this issue, but it's food for thought. Lastly, given the Terraform 1.0 Compatibility Promises, once the fix from hashicorp/terraform#31509 ships, upgrading TF should be all that is required to resolve this issue. This is also true for any I hope this is exhaustive and provides ways to a resolution. Thank you
Terraform CLI and Provider Versions
Terraform v1.2.0
on darwin_amd64
Terraform Configuration
Expected Behavior
Plan should run without an error
Actual Behavior
Plan errored with the following error:
Steps to Reproduce
terraform plan
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
Pinning to version 3.4.0 fixes it, yet we want to use the current version :)