
In-place ssl updates fail due to ForceNew

Open theforhad opened this issue 5 years ago • 2 comments

I have successfully deployed ssl_key, ssl_cert, and ssl_profile using the below.

resource "bigip_ssl_key" "ssl_key" {
  name      = "domain.key"
  content   = file("domain.key")
  partition = "Common"
}

resource "bigip_ssl_certificate" "ssl_cert" {
  name      = "domain.crt"
  content   = file("domain.crt")
  partition = "Common"
}

resource "bigip_ltm_profile_client_ssl" "ssl_profile" {
  name          = "/Common/somedomain.com"
  partition     = "Common"
  defaults_from = "/Common/clientssl"
  authenticate  = "always"
  ciphers       = "DEFAULT"
  key           = bigip_ssl_key.ssl_key.name
  cert          = bigip_ssl_certificate.ssl_cert.name
}

Problem: Now that the certificate is expiring, one would assume updating the content attribute would be all that is needed to perform an in-place update of the certificate, except it forces a recreate of the object, which would fail due to the cert and key already being attached to the profile.

  # bigip_ssl_certificate.ssl_cert must be replaced
-/+ resource "bigip_ssl_certificate" "ssl_cert" {
      ~ content   = (sensitive value)
      ~ id        = "domain.crt" -> (known after apply)
        name      = "domain.crt"
        partition = "Common"
    }

  # bigip_ssl_key.ssl_key must be replaced
-/+ resource "bigip_ssl_key" "ssl_key" {
      ~ content   = (sensitive value)
      ~ id        = "domain.key" -> (known after apply)
        name      = "domain.key"
        partition = "Common"
    }

Plan: 2 to add, 0 to change, 2 to destroy.

bigip_ssl_key.ssl_key: Destroying... [id=domain.key]
bigip_ssl_certificate.ssl_cert: Destroying... [id=domain.crt]

Error: HTTP 400 :: {"code":400,"message":"01070265:3: The Certificate Key File (/Common/domain.key) cannot be deleted because it is in use by a ClientSSL CertKeyChain Entry (/Common/somedomain.com default).","errorStack":[],"apiError":3}

Error: HTTP 400 :: {"code":400,"message":"01070265:3: The Certificate File (/Common/domain.crt) cannot be deleted because it is in use by a ClientSSL CertKeyChain Entry (/Common/somedomain.com default).","errorStack":[],"apiError":3}

Solution: Unless I'm using these resources incorrectly, I think removing the ForceNew attribute would provide the fix and desired outcome for anyone who wants to update certificates. The following resources and lines would need to be updated:

https://github.com/terraform-providers/terraform-provider-bigip/blob/adf43060354d5aa197d61bfb64432811fa577c56/bigip/resource_bigip_ssl_certificate.go#L32 and https://github.com/terraform-providers/terraform-provider-bigip/blob/adf43060354d5aa197d61bfb64432811fa577c56/bigip/resource_bigip_ssl_key.go#L32.

theforhad avatar Jun 01 '20 17:06 theforhad
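A workaround that operates within the ForceNew behaviour described in the issue, added here as an illustration and not part of the original report or the provider's own code: derive each certificate and key object name from a hash of its content and set create_before_destroy, so a renewed certificate is created under a new name, the profile is repointed to it, and only then is the old object deleted (no in-use error). It assumes Terraform 0.12+ syntax, the same file and partition names as the issue, and that the client-SSL profile updates its cert and key attributes in place.

```hcl
locals {
  # Constructed example: a short content hash becomes part of the object name,
  # so renewed material lands in a new BIG-IP object instead of replacing the
  # one that the profile still references.
  cert_suffix = substr(sha256(file("domain.crt")), 0, 8)
  key_suffix  = substr(sha256(file("domain.key")), 0, 8)
}

resource "bigip_ssl_key" "ssl_key" {
  name      = "domain-${local.key_suffix}.key"
  content   = file("domain.key")
  partition = "Common"

  lifecycle {
    # New key object is created before the old one is destroyed; Terraform
    # propagates this to the dependent profile, which is updated in between.
    create_before_destroy = true
  }
}

resource "bigip_ssl_certificate" "ssl_cert" {
  name      = "domain-${local.cert_suffix}.crt"
  content   = file("domain.crt")
  partition = "Common"

  lifecycle {
    create_before_destroy = true
  }
}

resource "bigip_ltm_profile_client_ssl" "ssl_profile" {
  name          = "/Common/somedomain.com"
  partition     = "Common"
  defaults_from = "/Common/clientssl"
  authenticate  = "always"
  ciphers       = "DEFAULT"
  # References follow the hashed names, so a renewal repoints the profile
  # before the superseded key and certificate objects are removed.
  key           = bigip_ssl_key.ssl_key.name
  cert          = bigip_ssl_certificate.ssl_cert.name
}
```

If only the certificate is renewed and the private key is unchanged, the key object keeps its name and is not replaced; only the certificate goes through the create, repoint, destroy cycle.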

@theforhad Thanks for identifying the issue and proposing a solution. Sure, will remove ForceNew: true to fix this issue.

RavinderReddyF5 avatar Jun 01 '20 17:06 RavinderReddyF5

Tracking with TER-368

focrensh avatar Jul 07 '20 14:07 focrensh

Hi, closing this request now. Please re-open if required or send an email to [email protected]. Thanks!

KrithikaChidambaram avatar Feb 21 '23 12:02 KrithikaChidambaram