
SSL Certificates are re-created in TF, but can be replaced in the UI

Open pcfens opened this issue 3 years ago • 5 comments

Environment

  • TMOS/Bigip Version: 14.1.4
  • Terraform Version: 1.0.8
  • Terraform bigip provider Version: 1.1.0

Summary

When the content of an SSL certificate is changed, TF wants to replace the object, which fails because the object is in use by an SSL profile. If done through the TMUI web interface, SSL certificates can be replaced.

Steps To Reproduce

  1. Create an SSL certificate with Terraform that's used by a profile:

```hcl
resource "bigip_ltm_profile_client_ssl" "example_com" {
  name          = "/Common/example.com"
  # Parent profile defined elsewhere in the same configuration.
  defaults_from = bigip_ltm_profile_client_ssl.clientssl-example.name

  # Full BIG-IP path of the certificate object created below.
  cert  = "/Common/example.com_cert"
  chain = "/Common/Intermediate-2020"
  key   = "/Common/example.com_key"
}

resource "bigip_ssl_certificate" "example_com_cert" {
  name      = "example.com_cert"
  content   = file("ssl/certs/example.com.crt")
  partition = "Common"
}
```

  2. Replace the file at ssl/certs/example.com.crt with a new certificate. Terraform will want to replace the resource.

If you go as far as running the apply step, the replacement will fail because the certificate is in use by the profile.

Expected Behavior

The certificate is replaced without deleting the resource.

I know the Schema definition is what's causing the recreate requirement. If that's removed, the F5 still responds with:

```
Error: Error in Importing certificate (example.com_cert): HTTP 409 :: {"code":409,"message":"01020066:3: The requested Certificate File (/Common/example.com_cert) already exists in partition Common.","errorStack":[],"apiError":3}
```

pcfens avatar Oct 11 '21 21:10 pcfens
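One way to work around this on the Terraform side, as an added example that is not part of the issue or of the provider's own code: derive the certificate object's name from its content and let Terraform create the replacement before destroying the old one, so the profile is switched over while both objects exist. It assumes the resource arguments shown in the reproduction (bigip_ssl_certificate with name, content and partition; bigip_ltm_profile_client_ssl with cert, chain and key), standard Terraform lifecycle semantics, a "/Common/clientssl" parent profile, and placeholder file paths.

```hcl
# Added example; not the issue author's configuration and not provider
# documentation. Paths, the parent profile and the hash-suffix naming
# scheme are assumptions chosen for illustration.

locals {
  cert_pem = file("${path.module}/ssl/certs/example.com.crt")

  # Short, stable suffix derived from the certificate content. A renewed
  # certificate therefore gets a new object name on the BIG-IP instead of an
  # in-place update, which the REST API rejects while a profile references it.
  cert_id = substr(sha256(local.cert_pem), 0, 8)
}

resource "bigip_ssl_certificate" "example_com" {
  name      = "example.com_${local.cert_id}_cert"
  content   = local.cert_pem
  partition = "Common"

  lifecycle {
    # Create the replacement object first; the profile below is then updated
    # to reference it, and only afterwards is the old object deleted.
    create_before_destroy = true
  }
}

resource "bigip_ltm_profile_client_ssl" "example_com" {
  name          = "/Common/example.com"
  defaults_from = "/Common/clientssl" # assumed built-in parent profile

  # Reference the resource attribute rather than a hard-coded path, so the
  # profile follows the certificate object through a rotation.
  cert  = "/Common/${bigip_ssl_certificate.example_com.name}"
  chain = "/Common/Intermediate-2020"
  key   = "/Common/example.com_key"
}
```

On a certificate change the plan shows a new bigip_ssl_certificate being created, the profile's cert argument updated in place, and the old certificate object destroyed last, which is the sequence the BIG-IP API accepts. The same pattern applies to the key object if the private key rotates together with the certificate. Two caveats: each rotation briefly leaves two certificate objects on the device, and the final delete still fails if anything outside Terraform (another profile, a virtual server) references the old object, so check references before relying on this in an automated pipeline.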

Created INFRAANO-594 to further investigate this issue. Need to determine a better approach to properly handle this issue.

trinaths avatar Nov 23 '21 09:11 trinaths

@pcfens If certificates are already referenced in a client-ssl/server-ssl profile, updating the certificate content is not possible through the REST API. If we want to update a certificate/key, first we should dereference it from the profiles and then update the cert/key.

To address the cert/key update, I made changes for the case where it is not referenced in any profiles; the fix will be available in the next release.

RavinderReddyF5 avatar Dec 02 '21 10:12 RavinderReddyF5

Thanks @RavinderReddyF5. Am I correct in assuming the limitation is in the API on the F5 itself and not in a Go library? If that's the case we may submit a feature request through support and our sales team just to get it on the roadmap.

Thanks a ton for working through the fix on this!

pcfens avatar Dec 02 '21 22:12 pcfens

@RavinderReddyF5 Is there an update on this issue? We are facing the same challenge. Thanks.

mikebou avatar May 19 '22 13:05 mikebou

I think that this issue can be tackled via the new replace_triggered_by lifecycle argument presented in Terraform 1.2 - I haven't tested that yet, but it looks promising.

ajchiarello avatar May 19 '22 14:05 ajchiarello

Feature implemented

pgouband avatar Apr 03 '23 14:04 pgouband