Terraform Apply does not work on the first execution but works on the second execution when using the TLS provider.

[RAK5HITHM]

Terraform CLI and Provider Versions

Terraform v1.7.5
on linux_amd64

• provider registry.terraform.io/hashicorp/local v2.5.1
• provider registry.terraform.io/hashicorp/tls v4.0.5

Terraform Configuration

resource "local_file" "key_data" {
        filename       = "/tmp/.pki/private_key.pem"
        content = tls_private_key.private_key.private_key_pem
        file_permission =  "0400"
}
resource "tls_private_key" "private_key" {
  algorithm   = "RSA"
  rsa_bits  = 2048
}
resource "tls_cert_request" "csr" {
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

Expected Behavior

The resources should have be created

Actual Behavior

On the first time of execution of "Terraform apply" it will lead to an error, but again, running the command without any changes will not lead to any errors.

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:

• create

Terraform will perform the following actions:

local_file.key_data will be created

• resource "local_file" "key_data" {
  • content = (sensitive value)
  • content_base64sha256 = (known after apply)
  • content_base64sha512 = (known after apply)
  • content_md5 = (known after apply)
  • content_sha1 = (known after apply)
  • content_sha256 = (known after apply)
  • content_sha512 = (known after apply)
  • directory_permission = "0777"
  • file_permission = "0400"
  • filename = "/tmp/.pki/private_key.pem"
  • id = (known after apply)
    }

tls_cert_request.csr will be created

• resource "tls_cert_request" "csr" {

  • cert_request_pem = (known after apply)

  • id = (known after apply)

  • key_algorithm = (known after apply)

  • subject {

    • common_name = "flexit.com"
    • organization = "FlexIT Consulting Services"
      }
      }

tls_private_key.private_key will be created

• resource "tls_private_key" "private_key" {
  • algorithm = "RSA"
  • ecdsa_curve = "P224"
  • id = (known after apply)
  • private_key_openssh = (sensitive value)
  • private_key_pem = (sensitive value)
  • private_key_pem_pkcs8 = (sensitive value)
  • public_key_fingerprint_md5 = (known after apply)
  • public_key_fingerprint_sha256 = (known after apply)
  • public_key_openssh = (known after apply)
  • public_key_pem = (known after apply)
  • rsa_bits = 2048
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

tls_private_key.private_key: Creating...
tls_private_key.private_key: Creation complete after 0s [id=25af835c9684099533320c17d0ee4208bdf7809d]
local_file.key_data: Creating...
local_file.key_data: Creation complete after 0s [id=297e2a6a0f059da4c9746f569f44965c29f986a8]
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for tls_cert_request.csr to include new values learned so
│ far during apply, provider "registry.terraform.io/hashicorp/tls" produced an invalid
│ new value for .private_key_pem: inconsistent values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue
│ tracker.
╵

Steps to Reproduce

1. terraform apply

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[austinvalle]

Hey there @RAK5HITHM 👋🏻, thanks for reporting the issue and sorry you're running into trouble here.

From first glance, that error seems to suggest that the file function used in tls_cert_request is returning different data from the /tmp/.pki/private_key.pem file between plan and apply (maybe the file already exists on the system running the apply). Running your configuration from scratch I get an error like:

 $ terraform validate
╷
│ Error: Invalid function argument
│ 
│   on main.tf line 13, in resource "tls_cert_request" "csr":
│   13:   private_key_pem = file("/tmp/.pki/private_key.pem")
│     ├────────────────
│     │ while calling file(path)
│ 
│ Invalid value for "path" parameter: no file exists at "/tmp/.pki/private_key.pem"; this function works only with files that are
│ distributed as part of the configuration source code, so if this file will be created by a resource in this configuration you must
│ instead obtain this result from an attribute of that resource.

The file function will run at plan time and collect the data of the file before the local_file.key_data is created.

If your goal is to utilize the PEM data created from the tls_private_key.private_key resource you can rely on the data that Terraform already knows about in the attributes, something like:

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_cert_request" "csr" {
  private_key_pem = tls_private_key.private_key.private_key_pem

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}