tls_self_signed_cert being replaced when upgrading from v3 to v4 because of default values

[jhyot]

Terraform CLI and Provider Versions

Terraform v1.7.5
on darwin_arm64

• provider registry.terraform.io/hashicorp/azurerm v3.97.1
• provider registry.terraform.io/hashicorp/tls v4.0.5

Terraform Configuration

resource "tls_self_signed_cert" "aks-ingress-backend" {
  private_key_pem = tls_private_key.aks-ingress-backend.private_key_pem
  subject {
    common_name = "${local.aks_resource_prefix}-ingress"

    // These are explicitly specified to avoid replacement on 4.x
    // https://github.com/hashicorp/terraform-provider-tls/issues/284
    country = ""
    locality = ""
    organization = ""
    organizational_unit = ""
    postal_code = ""
    province = ""
    serial_number = ""
    street_address = []
  }

  validity_period_hours = 10 * 365 * 24
  allowed_uses = [
    "digital_signature",
    "key_encipherment",
    "server_auth"
  ]
  dns_names = var.backend_ingress_cert_dns_names
  ip_addresses = [
    "127.0.0.1"
  ]

Expected Behavior

This resource was created on the 3.1.0 provider, and the problem was now triggered when upgrading from 3.1.0 -> 4.0.5.

Expecting no replacement of certificate when applying this unchanged config with the new provider version.

Actual Behavior

Certificate is being replaced. Plan output (some values redacted):

  # module.aks_cluster.tls_self_signed_cert.aks-ingress-backend must be replaced
-/+ resource "tls_self_signed_cert" "aks-ingress-backend" {
      ~ cert_pem              = <<-EOT
            -----BEGIN CERTIFICATE-----
            <redacted>
            -----END CERTIFICATE-----
        EOT -> (known after apply)
      ~ id                    = "<redacted>" -> (known after apply)
      + is_ca_certificate     = false # forces replacement
      ~ key_algorithm         = "RSA" -> (known after apply)
      ~ private_key_pem       = (sensitive value)
      + set_authority_key_id  = false # forces replacement
      + set_subject_key_id    = false # forces replacement
      ~ validity_end_time     = "2031-08-07T17:11:42.3952779+02:00" -> (known after apply)
      ~ validity_start_time   = "2021-08-09T17:11:42.3952779+02:00" -> (known after apply)
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

The values that supposedly force replacement have never been set in my config and should be the default values.

tf state pull actually shows that two of the values are null in my state and the third one (set_authority_key_id) not present at all:

{
  <... rest of JSON omitted ...>
    "is_ca_certificate": null,
    "key_algorithm": "RSA",
    "private_key_pem": "<redacted>",
    "ready_for_renewal": false,
    "set_subject_key_id": null,
  <... rest of JSON omitted ...>
}

Even if I set the 3 values explicitly to null or to false in my config, the plan is the same, with the forced replacement.

Note that #284 forced me to update the config with the empty default values for subject. This here is a different issue which still forces replacement regardless of whether I set the empty subject values explicitly or not.

Steps to Reproduce

1. terraform apply

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[jhyot]

The workaround is to manually edit the state file, to add the default false values for the three config keys in question.