Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls_cert_request not recreated when private_key_pem changes #255

Closed
1 task done
pascal-hofmann opened this issue Aug 9, 2022 · 2 comments · Fixed by #257
Closed
1 task done

tls_cert_request not recreated when private_key_pem changes #255

pascal-hofmann opened this issue Aug 9, 2022 · 2 comments · Fixed by #257
Assignees
@bendbennett
Labels
bug

Comments

@pascal-hofmann
Copy link

pascal-hofmann commented Aug 9, 2022
edited
Loading

Terraform CLI and Provider Versions

Terraform v1.2.5
on darwin_amd64
+ provider registry.terraform.io/hashicorp/tls v4.0.1

Terraform Configuration

resource "tls_private_key" "this" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "client_csr" {
  private_key_pem = tls_private_key.this.private_key_pem

  subject {
    common_name = "this"
  }
}

Expected Behavior

When the private key changes, the CSR should be recreated.

Actual Behavior

The CSR stays unchanged. Only the private_key_pem attribute in terraform state is changed.

Steps to Reproduce

  1. terraform apply
  2. terraform state pull | jq -r '.resources[] | select(.type == "tls_cert_request") | .instances[0].attributes.cert_request_pem' | openssl req -noout -modulus | openssl md5
  3. terraform state pull | jq -r '.resources[] | select(.type == "tls_private_key").instances[0].attributes.private_key_pem' | openssl rsa -noout -modulus | openssl md5

→ Both md5 hashes match at this point.

  1. terraform taint tls_private_key.this
  2. terraform apply
  3. terraform state pull | jq -r '.resources[] | select(.type == "tls_cert_request") | .instances[0].attributes.cert_request_pem' | openssl req -noout -modulus | openssl md5
  4. terraform state pull | jq -r '.resources[] | select(.type == "tls_private_key").instances[0].attributes.private_key_pem' | openssl rsa -noout -modulus | openssl md5

→ CSR is unchanged. md5 hashes do not match

How much impact is this issue causing?

High

Code of Conduct

  • I agree to follow this project's Code of Conduct
@pascal-hofmann
Copy link
Author

I just checked with hashicorp/tls v3.4.0. There a change of private_key_pem forces a replacement.

So this is a bug that was introduced in version 4.

…
  # tls_cert_request.client_csr must be replaced
-/+ resource "tls_cert_request" "client_csr" {
…
      ~ private_key_pem  = (sensitive value) # forces replacement
…

@bendbennett bendbennett mentioned this issue Aug 11, 2022
Merged
bendbennett added a commit that referenced this issue Aug 19, 2022
@bendbennett
Amending CHANGELOG.md (#255)
a512f5c
bendbennett added a commit that referenced this issue Aug 19, 2022
@bendbennett
Fix requiresReplaceIfStateContainsPEMString function so that the rege…
89650a3 
…xp used identifies that BEGIN and END text can contain spaces, for instance -----BEGIN RSA PRIVATE KEY----- (#255)
bendbennett added a commit that referenced this issue Aug 19, 2022
@bendbennett
Bump dependencies and fix tests (#255)
100c4e8
bendbennett added a commit that referenced this issue Aug 19, 2022
@bendbennett
Updating CHANGELOG.md (#255)
9da82fa
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bendbennett bendbennett

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tls_cert_request not recreated when private_key_pem changes hashicorp/terraform-provider-tls
2 participants
@pascal-hofmann @bendbennett