Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating to version >=4.9.0 tries to recreate my certificates #173

Closed
Sodki opened this issue Feb 15, 2023 · 5 comments
Closed

Updating to version >=4.9.0 tries to recreate my certificates #173

Sodki opened this issue Feb 15, 2023 · 5 comments
Assignees
Labels
impact/regression Something that used to work, but is now broken kind/bug Some behavior is incorrect or out of spec p0 A bug severe enough to interrupt existing work
Milestone

Comments

@Sodki
Copy link

Sodki commented Feb 15, 2023

What happened?

After upgrading to version 4.9.0 or 4.9.1, the provider tries to recreate my certificates. Version 4.8.0 doesn't have this problem. I've noticed the behaviour with pulumi_tls.SelfSignedCert and pulumi_tls.CertRequest, at least.

Expected Behavior

Upgrading the provider should keep my certificates as they are.

Steps to reproduce

I have the following resources using version 4.8.0:

import pulumi_tls

private_key = pulumi_tls.PrivateKey(
    "test",
    algorithm="RSA",
    rsa_bits=2048,
)

certificate = pulumi_tls.SelfSignedCert(
    "test",
    allowed_uses=[],
    private_key_pem=private_key.private_key_pem,
    validity_period_hours=17532,
    subject={
	"commonName": "test",
    },
    is_ca_certificate=True,
)

When upgrading to version 4.9.0 or 4.9.1 and running Pulumi again, the provider tries to recreate my certificates:

$ pulumi up
Previewing update (test):
     Type                         Name       Plan        Info
     pulumi:pulumi:Stack          test-test              3 messages

Details:

$ pulumi pre --diff
Previewing update (test):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::test::pulumi:pulumi:Stack::test-test]
    +-tls:index/selfSignedCert:SelfSignedCert: (replace)
        [id=163756299127691278443768045046878756806]
        [urn=urn:pulumi:test::test::tls:index/selfSignedCert:SelfSignedCert::test]
        [provider: urn:pulumi:test::test::pulumi:providers:tls::default_4_8_0::3d5fd58d-f2b2-48f4-99cf-0ed04b358a7f => urn:pulumi:test::test::pulumi:providers:tls::default_4_9_1::output<string>]
      + allowedUses        : []
      ~ certPem            : "-----BEGIN CERTIFICATE-----\nMIIC2jCCAcKgAwIBAgIQezJQ5dkkgNHd40eadYDfxjANBgkqhkiG9w0BAQsFADAP\nMQ0wCwYDVQQDEwR0ZXN0MB4XDTIzMDIxNTAwNDkyNloXDTI1MDIxNDEyNDkyNlow\nDzENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nALrdMo22GhLlebnNjQ45FpOOzWXSAu9HKRjHH2Udtaf8BbH5F0t0qUamaGUCaKxt\nT37U7SLDDdmoqiLbTMldxN+SHkh6TmXWJiaygbxBaAhtqwBg3njMlOK123CO8fOW\nb51eD9x9vAIpcX4Tzx3pEglm/Ynmy3PhKr/tO7KBuQsSpBSLj6ciugyi1b98aAp8\nQLHnC9BxQ9SymxCW6FVd9fQJsbh/HHv67NtE/mQeuQa847tGbCW8d7WO6n1U32Gm\nC0E/Ti98b60Y0gYx/Li6MO/2vTHjyKBzmRlEpndy4Cy2qvIHO0UPFE7TVpa7vhHm\nUnZc/Ra8BfICfOZO6pA/kMsCAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV\nHQ4EFgQUyrF/T3mhurI5vFt3D5cyhT3HVvQwDQYJKoZIhvcNAQELBQADggEBAIKL\nw3WtXjUU1gEMdoiu+NpoIOP7Mec2RukyWZb7WB2MHWR9KlYKQl3zoNeVlsKvenFR\nd19DHC5zDjjp2Tkls5MG4RuwbprsYcAVF2c2XK1G+SdMxd02lK0KpsbSQqt5DF24\nYhNqurs39+Xm2E4WZuI+HPlAkVcN8p0xr9mZzcyfYOigwasz06rmYhZtJTbc1vs9\n2qqEqTNDCgfNEqj1qCPnhSzrQ9kQlNeAOFNh+irZ1yoAyBLaKSPqthSf0RyX4HYc\nA4gOS+E3+V+ahFcvh04oygJtE3xVdkrNpmMkoI+ueES/TqgRZdq+BFR8veMO5LZV\nW204ENr2roS8jggreAo=\n-----END CERTIFICATE-----\n" => output<string>
        earlyRenewalHours  : 0
      ~ id                 : "163756299127691278443768045046878756806" => output<string>
        isCaCertificate    : true
      ~ keyAlgorithm       : "RSA" => output<string>
        privateKeyPem      : [secret]
        readyForRenewal    : false
      + setAuthorityKeyId  : false
      + setSubjectKeyId    : false
      ~ subject            : {
            commonName        : "test"
          - country           : ""
          - locality          : ""
          - organization      : ""
          - organizationalUnit: ""
          - postalCode        : ""
          - province          : ""
          - serialNumber      : ""
          - streetAddresses   : []
        }
      ~ validityEndTime    : "2025-02-14T12:49:26.124615667Z" => output<string>
        validityPeriodHours: 17532
      ~ validityStartTime  : "2023-02-15T00:49:26.124615667Z" => output<string>
@ previewing update....
Resources:
    +-1 to replace

Output of pulumi about

CLI          
Version      3.55.0
Go Version   go1.20
Go Compiler  gc

Plugins
NAME          VERSION
python        unknown
tls           4.9.1

Host     
OS       fedora
Version  37
Arch     x86_64

This project is written in python: executable='/usr/bin/python3' version='3.11.1


Dependencies:
NAME                 VERSION
pip                  23.0.0
pulumi-tls           4.9.1

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@Sodki Sodki added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 15, 2023
@t0yv0 t0yv0 added p1 A bug severe enough to be the next item assigned to an engineer and removed needs-triage Needs attention from the triage team labels Feb 15, 2023
@t0yv0 t0yv0 self-assigned this Feb 15, 2023
@t0yv0 t0yv0 added this to the 0.85 milestone Feb 15, 2023
@t0yv0 t0yv0 pinned this issue Feb 15, 2023
@t0yv0
Copy link
Member

t0yv0 commented Feb 15, 2023

Thank you for reporting the issue!

I think I can reproduce the issue with upstream also. The previous Pulumi provider version was based on approximately 3.4.0 of upstream, and the new one is ahead of 4.0.4, but even with these versions TF generates replacement plans. There is also hashicorp/terraform-provider-tls#263

The ideal case for us would be if upstream TF provider implemented state upgrades to seamlessly make these upgrades happen. I'll explore what else we can do in the meanwhile.

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      # version = "3.4.0"
      version = "4.0.4"
    }
  }
}

resource "tls_private_key" "test_key" {
  algorithm = "RSA"
  rsa_bits = 2048
}

resource "tls_self_signed_cert" "test_cert" {
    allowed_uses = []
    private_key_pem = tls_private_key.test_key.private_key_pem
    validity_period_hours = 17532
    subject {
      common_name = "test"
    }
    is_ca_certificate = true
}
t0yv0@Antons-MacBook-Pro> terraform plan                                                                                                                                                        ~/tmp/2023/02/pulumi-tls-173
tls_private_key.test_key: Refreshing state... [id=dbdaeca811cd34307f45e80da8b5252bdbb639e8]
tls_self_signed_cert.test_cert: Refreshing state... [id=66944529544721065207896626692832922643]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # tls_self_signed_cert.test_cert must be replaced
-/+ resource "tls_self_signed_cert" "test_cert" {
      ~ cert_pem              = <<-EOT
            -----BEGIN CERTIFICATE-----
            MIIC2jCCAcKgAwIBAgIQMl0MItHkoS3z+FJ5k+yMEzANBgkqhkiG9w0BAQsFADAP
            MQ0wCwYDVQQDEwR0ZXN0MB4XDTIzMDIxNTE1NDcwNVoXDTI1MDIxNTAzNDcwNVow
            DzENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
            AKNUeRwxiA3fMrXYO+YbHmHZpEfs1lFfFPI32ux/RYJA2y31/C6wIdNkK8AUcnGw
            sYuURDIVxvv1UuiaOnTaqYfO+I77vtBOAMJiq7WxM6iC4pYwUTM6+07UOFAbkrMO
            M70vY6dS9TAhirexB/Y3vRgJ9G7kiym4PzlKKF3AlYzyFLYPFPCYJZjTPOEaCJ3S
            LaQNNEQT0NufxZfonnqhx02MMKrqyytKU3eT750DQdZISGJGeNEY8ldpOyw0DK8Y
            xTuHqLwSyf7VCbug3qJUp/1yOgh/fZSm+xLgzmA3q5NaDGl4kwHyEAi4xGD2NENq
            c5CgxnxGi7bTPORWJsCB6IcCAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
            HQ4EFgQUNsO8KZaFrCdG9XXUmdKdhrf352UwDQYJKoZIhvcNAQELBQADggEBAEuC
            7ZAY8X26vBWDUHIBwn+8UjQBmhQHTanlFzXlxshUg0NoDTIeOBnvmenXlchsCga6
            zeDYr08aeUUFA7p6Q9cZfTIGsJXymtyFA8t63e+pIz28IpVonI57jG2AFVlhAtEg
            Y+QvlwyI0NQHTrbjNx/0KjHLgqz2WauWuo+kAEyWsTDQk+nlMJ7SG++CD08GETQN
            xAqwXNCoHKeXHuVpzgRjAFaXN3DBWLe3vb7eeJFeu2sVM1gKhhvWDU5PmBH9Aymr
            ICra39RV6nNwWgNTyfiN4xBvLCbAbFd2viosc0dZo9kk05S8oBHtuPJ7diPEi9GN
            QWl11m2jNREqqUQEkCo=
            -----END CERTIFICATE-----
        EOT -> (known after apply)
      ~ id                    = "66944529544721065207896626692832922643" -> (known after apply)
      ~ key_algorithm         = "RSA" -> (known after apply)
      ~ private_key_pem       = (sensitive value)
      + set_authority_key_id  = false
      + set_subject_key_id    = false
      ~ validity_end_time     = "2025-02-14T22:47:05.022489-05:00" -> (known after apply)
      ~ validity_start_time   = "2023-02-15T10:47:05.022489-05:00" -> (known after apply)
        # (5 unchanged attributes hidden)

      ~ subject { # forces replacement
            # (1 unchanged attribute hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

@t0yv0
Copy link
Member

t0yv0 commented Feb 15, 2023

@Sodki does upgrading to https://github.com/pulumi/pulumi-tls/releases/tag/v4.10.0 fix the problem for you for the moment? We've reverted upstream to last known working version and pushed another v4.x.x tag.

@t0yv0
Copy link
Member

t0yv0 commented Feb 15, 2023

The root cause of the issue is hashicorp/terraform-provider-tls#284

At the very least we should have marked the Pulumi upgrade as a major version bump to match the upstream version bump. We may still do so in the future, but unfortunately the manual workarounds from 284 currently do not work on the Pulumi version. I'll need to make this works before attempting the upgrade again.

@Sodki
Copy link
Author

Sodki commented Feb 16, 2023

Thank you @t0yv0, version 4.10.0 fixes the problem. 👏

@Sodki Sodki closed this as completed Feb 16, 2023
@t0yv0
Copy link
Member

t0yv0 commented Feb 16, 2023

Thank you! And apologies for this disruption.

@t0yv0 t0yv0 unpinned this issue Feb 16, 2023
@mikhailshilkov mikhailshilkov added the impact/regression Something that used to work, but is now broken label Mar 28, 2023
@AaronFriel AaronFriel added p0 A bug severe enough to interrupt existing work and removed p1 A bug severe enough to be the next item assigned to an engineer labels Apr 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
impact/regression Something that used to work, but is now broken kind/bug Some behavior is incorrect or out of spec p0 A bug severe enough to interrupt existing work
Projects
None yet
Development

No branches or pull requests

4 participants