avi_sslkeyandcertificate always has changes #594
Comments
Having this issue as well. We're leveraging a Certificate Management profile to issue certificates with Let's Encrypt. I can get it to issue the certificate appropriately, but subsequent executions are detecting changes as the TF state read is pulling back the rest of the details that are now populated behind the certificate.

Example TF:

```hcl
# Look up the existing certificate management profile by name
data "avi_certificatemanagementprofile" "profile" {
  name = "LetsEncrypt-Infoblox"
}

resource "avi_sslkeyandcertificate" "foo" {
  name = "terraform-example-foo"
  type = "SSL_CERTIFICATE_TYPE_VIRTUALSERVICE"

  # Only the subject is declared; the certificate itself is issued via the profile
  certificate {
    self_signed = false
    subject {
      common_name       = "letsencryptautomationtest.contoso.com"
      organization      = "MYORG"
      organization_unit = "OU"
      locality          = "TOWN"
      state             = "STATE"
      country           = "US"
    }
  }

  key_params {
    algorithm = "SSL_KEY_ALGORITHM_RSA"
    rsa_params {
      key_size = "SSL_KEY_2048_BITS"
    }
  }

  certificate_management_profile_ref = data.avi_certificatemanagementprofile.profile.id
}
```

Terraform Output:

We can't simply ignore changes on the certificates block since if we have any changes to the subject, etc, we would want TF to make the necessary changes and issue a new certificate.

```hcl
lifecycle {
  ignore_changes = [certificate, ca_certs]
}
```
Describe the bug
When `avi_sslkeyandcertificate` is used, it always has changes, even though neither key nor certificate has actually changed.

Reproduction steps
1. `openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt`
2. `terraform apply` .. this creates the expected certificate.
3. `terraform apply` or `plan`, shows changes:

Expected behavior
If the key or certificate has not changed, nothing should be changed.

Additional context
Possibly related to #510 and/or #522? Tested with provider version v22.1.5, NSX ALB version 22.1.5 2p3. The same is true for the Ansible module, which is also not idempotent. So I assume this is because the API doesn't reveal information after the certificate is created. If that's the case, IMO, it should be documented and a workaround (implicit ignore?) offered.
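
The comment above notes that a blanket `ignore_changes` on `certificate` would also hide a real subject change. As an added example (not code from the issue or from the provider), this Python check reads the JSON form of a plan (`terraform show -json <planfile>`) and separates diffs on attributes the operator set from diffs on attributes that only appear when state is read back. The sample plan is constructed, `fingerprint` stands in for whichever populated attributes actually drift, and the `INTENT` list and dotted path style are this script's own assumptions.

```python
# Attributes set in the HCL above; a diff on these means a new cert is wanted.
INTENT = ("name", "type", "certificate.0.self_signed", "certificate.0.subject",
          "key_params", "certificate_management_profile_ref")

def flatten(value, prefix=""):
    """Flatten nested dicts/lists to {"a.0.b": leaf}; empty containers vanish."""
    if not isinstance(value, (dict, list)):
        return {prefix: value}
    items = value.items() if isinstance(value, dict) else enumerate(value)
    out = {}
    for key, child in items:
        out.update(flatten(child, f"{prefix}.{key}" if prefix else str(key)))
    return out

def classify_drift(plan, rtype="avi_sslkeyandcertificate"):
    """Per resource address, split changed paths into intent vs. read-back."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc["type"] != rtype or change["actions"] == ["no-op"]:
            continue
        before = flatten(change.get("before") or {})
        after = flatten(change.get("after") or {})
        # .get() makes an absent path and an explicit null compare equal.
        changed = sorted(p for p in before.keys() | after.keys()
                         if before.get(p) != after.get(p))
        intent = [p for p in changed
                  if any(p == i or p.startswith(i + ".") for i in INTENT)]
        report[rc["address"]] = {"intent": intent, "readback": [
            p for p in changed if p not in intent]}
    return report

def _rc(addr, cn_after):
    """Constructed resource_changes entry; 'fingerprint' is an assumed field."""
    def cert(cn, fp):
        return {"name": "terraform-example-foo", "certificate": [
            {"self_signed": False, "fingerprint": fp,
             "subject": [{"common_name": cn}]}]}
    return {"address": addr, "type": "avi_sslkeyandcertificate",
            "change": {"actions": ["update"], "before": cert(CN, "CONSTRUCTED"),
                       "after": cert(cn_after, None)}}

CN = "letsencryptautomationtest.contoso.com"
SAMPLE_PLAN = {"resource_changes": [  # constructed, not output from the issue
    _rc("avi_sslkeyandcertificate.foo", CN),
    _rc("avi_sslkeyandcertificate.bar", "renamed.contoso.com")]}

if __name__ == "__main__":
    print(classify_drift(SAMPLE_PLAN))
```

A pipeline gate can treat an address with an empty `intent` list as read-back noise and require review only when `intent` is non-empty.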