
Incorrect key_algorithm handling forces delete & replace of ibm_sm_private_certificate on every apply #4978

Closed
davesteinberg opened this issue Dec 8, 2023 · 1 comment
Assignees
Labels
service/Resource Management Issues related to Resource Manager or Resource controller Issues service/Secrets Manager Issues related to Secrets Manager

Comments

@davesteinberg (Contributor)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

  • ibm_sm_private_certificate

Terraform Configuration Files

The following simple Terraform configures the private certificate engine in Secrets Manager and then creates a certificate for use in the VPC VPN Server service. The thing to note is in the certificate template, I'm specifying a non-default key_bits of 4096.

terraform {
  required_version = "~>1.5"

  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "~>1.60.0"
    }
  }
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

variable "ibmcloud_api_key" {
  description = "API key for use by this Terraform module."
  type        = string
  sensitive   = true
}

variable "region" {
  description = "Region where resources will be provisioned."
  type        = string
  default     = "ca-tor"
}

variable "prefix" {
  description = "Name prefix for common resources."
  type        = string
  default     = "bug"
}

# Resource group
resource "ibm_resource_group" "rg" {
  name = var.prefix
}

# Secrets Manager instance
resource "ibm_resource_instance" "sm" {
  name              = "${var.prefix}-sm"
  resource_group_id = ibm_resource_group.rg.id
  service           = "secrets-manager"
  plan              = "standard"
  location          = var.region

  timeouts {
    create = "30m"
  }
}

# Secret group
resource "ibm_sm_secret_group" "sg" {
  instance_id = ibm_resource_instance.sm.guid
  region      = var.region
  name        = var.prefix
}

# Private certificate engine configuration for VPN certificate: Root CA
resource "ibm_sm_private_certificate_configuration_root_ca" "root" {
  instance_id                       = ibm_resource_instance.sm.guid
  region                            = var.region
  name                              = "${var.prefix}-root-ca"
  common_name                       = "${var.prefix}-root-ca"
  max_ttl                           = "${365 * 10}d"
  issuing_certificates_urls_encoded = true
  key_type                          = "rsa"
  key_bits                          = 4096
  crl_disable                       = false
  crl_distribution_points_encoded   = true
}

# Intermediate CA
resource "ibm_sm_private_certificate_configuration_intermediate_ca" "vpn" {
  instance_id                       = ibm_resource_instance.sm.guid
  region                            = var.region
  name                              = "${var.prefix}-vpn-ca"
  signing_method                    = "internal"
  issuer                            = ibm_sm_private_certificate_configuration_root_ca.root.name
  common_name                       = "${var.prefix}-vpn-ca"
  max_ttl                           = "${365 * 10}d"
  issuing_certificates_urls_encoded = true
  key_type                          = "rsa"
  key_bits                          = 4096
  crl_disable                       = false
  crl_distribution_points_encoded   = true
}

# Certificate template
resource "ibm_sm_private_certificate_configuration_template" "vpn_server" {
  instance_id           = ibm_resource_instance.sm.guid
  region                = var.region
  name                  = "${var.prefix}-vpn-server-template"
  certificate_authority = ibm_sm_private_certificate_configuration_intermediate_ca.vpn.name
  ttl                   = "${365 * 3}d"
  key_type              = "rsa"
  key_bits              = 4096
  allowed_secret_groups = ibm_sm_secret_group.sg.secret_group_id
  allowed_domains       = ["vpn-server.vpn.ibm.com"]
  allow_bare_domains    = true
  server_flag           = true
  client_flag           = false
}

# VPN server certificate
resource "ibm_sm_private_certificate" "vpn_server" {
  instance_id          = ibm_resource_instance.sm.guid
  region               = var.region
  name                 = "${var.prefix}-management-vpn-server-cert"
  secret_group_id      = ibm_sm_secret_group.sg.secret_group_id
  certificate_template = resource.ibm_sm_private_certificate_configuration_template.vpn_server.name
  ttl                  = "${365 * 3}d"
  common_name          = "vpn-server.vpn.ibm.com"
  rotation {
    auto_rotate = true
    interval    = 365 * 3 - 30
    unit        = "day"
  }
}

Steps to Reproduce

  1. Create a terraform.tfvars with an ibmcloud_api_key for your account.
  2. Run terraform init.
  3. Run terraform apply once.
  4. Run terraform apply a second time.

Expected Behavior

The first apply correctly creates the resources.
The second apply does nothing, as nothing has changed.

Actual Behavior

On the first apply, the template is created with the correct value of key_bits:

  # ibm_sm_private_certificate_configuration_root_ca.root will be created
  + resource "ibm_sm_private_certificate_configuration_root_ca" "root" {
      ...
      + key_bits                          = 4096
      + key_type                          = "rsa"
      ...
    }

However, Terraform reports the wrong value of key_algorithm on the certificate, seemingly ignoring what's in the template:

  # ibm_sm_private_certificate.vpn_server will be created
  + resource "ibm_sm_private_certificate" "vpn_server" {
      ...
      + key_algorithm           = "RSA2048"
      ...
    }

However, the certificate that's created does have the correct key algorithm, which you can verify in the Secrets Manager UI.

On the second apply, Terraform correctly reports the current value of key_algorithm as "RSA4096", but again, it thinks it's going to set it to "RSA2048", so it decides it needs to destroy and replace the certificate.

  # ibm_sm_private_certificate.vpn_server must be replaced
-/+ resource "ibm_sm_private_certificate" "vpn_server" {
      ...
      ~ key_algorithm           = "RSA4096" -> "RSA2048" # forces replacement
      ...
    }

The same problem recurs on every subsequent apply, making the certificate unusable.
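A pre-apply guard for the behaviour described above, as an added example that is not part of the original issue or of the provider: it reads `terraform show -json` plan output and flags any ibm_sm_private_certificate scheduled for delete-and-create, naming the attribute that forced the replacement so a perpetual key_algorithm diff is caught before a certificate is destroyed. The plan document is constructed sample input trimmed to the fields the check needs (assumption: field names follow Terraform's plan JSON format, including `replace_paths`).

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check needs. Real plans carry many more fields per resource.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "ibm_sm_private_certificate.vpn_server",
            "type": "ibm_sm_private_certificate",
            "change": {
                "actions": ["delete", "create"],
                "before": {"key_algorithm": "RSA4096", "name": "bug-management-vpn-server-cert"},
                "after": {"key_algorithm": "RSA2048", "name": "bug-management-vpn-server-cert"},
                "replace_paths": [["key_algorithm"]],
            },
        },
        {
            "address": "ibm_sm_secret_group.sg",
            "type": "ibm_sm_secret_group",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ]
})


def find_forced_replacements(plan_json, resource_types=("ibm_sm_private_certificate",)):
    """Return (address, attribute, before, after) for every planned replacement
    of a watched resource type, one entry per attribute that triggered it."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in resource_types:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is planned as delete+create (in either order).
        if not ("delete" in actions and "create" in actions):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        for path in change.get("replace_paths", []):
            attr = ".".join(str(p) for p in path)
            findings.append((rc["address"], attr, before.get(path[0]), after.get(path[0])))
    return findings


def plan_is_safe(plan_json):
    """True when no watched certificate would be destroyed by this plan."""
    return not find_forced_replacements(plan_json)


if __name__ == "__main__":
    for address, attr, before, after in find_forced_replacements(SAMPLE_PLAN):
        print(f"{address}: {attr} {before!r} -> {after!r} forces replacement")
```

Wire `plan_is_safe` into the pipeline step between `terraform plan -out=tfplan` and `terraform apply tfplan` so a provider-side drift like this one stops the run instead of replacing a live certificate.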

@github-actions github-actions bot added service/Resource Management Issues related to Resource Manager or Resource controller Issues service/Secrets Manager Issues related to Secrets Manager labels Dec 8, 2023
@IdanAdar (Collaborator)

IdanAdar commented Jan 3, 2024

Fixed in 1.61.
