terraform-provider-vault
[Bug]: vault_pki_secret_backend_cert resources are tainted BEFORE updating attributes
trafficstars
### Terraform Core Version
1.10.4
### Terraform Vault Provider Version
>=3.9.0, <=3.25.0
### Vault Server Version
1.16.1
### Affected Resource(s)
vault_pki_secret_backend_cert
### Expected Behavior
In provider versions <=3.8.2, we can delay a certificate from being renewed by setting min_seconds_remaining to less than the expiry, or by setting auto_renew to false.
### Actual Behavior
On version >= 3.9.0, <=3.25.0, the certificate is tainted and then the auto_renew or min_seconds_remaining attributes are updated. They then work as expected on the next run (i.e. not auto_renew'ing again). This behaviour change seems accidental as it's not listed in the changelog.
### Relevant Error/Panic Output Snippet
### Terraform Configuration Files
```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
      # version = "3.8.2" # This version works as expected
      version = "<=3.25.0" # This version does not function as expected
    }
  }
}

resource "vault_pki_secret_backend_cert" "web-certificate" {
  backend               = "venafi-pki"
  name                  = local.vaultVenafiRole
  common_name           = var.commonName
  alt_names             = var.altNames
  auto_renew            = true
  min_seconds_remaining = 432000 # 5 days in seconds
  ttl                   = "120h" # 5 days in hours
}
```
### Steps to Reproduce
- Provision a certificate with a vault_pki_secret_backend_cert with ttl == min_seconds_remaining
- Update either `min_seconds_remaining = 1` and/or `auto_renew = false`
- Perform a plan; if the certificate is replaced, this is not desired behaviour. If the attributes are updated and the certificate is not tainted / forced renew, then this is as expected.
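The behaviour difference in these steps comes down to which attribute values the renewal check is evaluated against. The following Go program is an added model of that decision, not the provider's own code: `needsRenewal` and `planOutcome` are assumed names, and the "prior state first" versus "desired config first" ordering is only what this report describes, not a claim about the provider's internals.

```go
package main

import (
	"fmt"
	"time"
)

// certConfig mirrors the two Terraform attributes the report is about.
// The type and field names are assumed for this illustration.
type certConfig struct {
	AutoRenew           bool
	MinSecondsRemaining int64
}

// needsRenewal: a cert is due for replacement only when auto_renew is on
// and fewer than min_seconds_remaining seconds are left before expiry.
func needsRenewal(cfg certConfig, expiration, now time.Time) bool {
	if !cfg.AutoRenew {
		return false
	}
	remaining := int64(expiration.Sub(now).Seconds())
	return remaining < cfg.MinSecondsRemaining
}

// planOutcome evaluates the check against either the prior state (the
// order the report attributes to >=3.9.0) or the desired configuration
// (the order <=3.8.2 behaved like). It returns true when the cert would
// be tainted by the plan.
func planOutcome(prior, desired certConfig, expiration, now time.Time, useDesired bool) bool {
	cfg := prior
	if useDesired {
		cfg = desired
	}
	return needsRenewal(cfg, expiration, now)
}

func main() {
	// Constructed sample: ttl = 120h and min_seconds_remaining = 432000
	// (both 5 days), so the cert is "due" from the moment it is issued.
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	expiration := issued.Add(120 * time.Hour)
	now := issued.Add(time.Hour)
	prior := certConfig{AutoRenew: true, MinSecondsRemaining: 432000}
	desired := certConfig{AutoRenew: true, MinSecondsRemaining: 1}
	fmt.Println("prior state first:   tainted =", planOutcome(prior, desired, expiration, now, false)) // true
	fmt.Println("desired config first: tainted =", planOutcome(prior, desired, expiration, now, true)) // false
}
```

Lowering `min_seconds_remaining` or setting `auto_renew = false` only avoids the taint when the check sees the new values; evaluated against the prior state the cert is replaced first and the attribute change lands afterwards, which is the sequence the report describes.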
### Debug Output
_No response_
### Panic Output
_No response_
### Important Factoids
_No response_
### References
Suspect this issue may have been caused by the following change:
https://github.com/hashicorp/terraform-provider-vault/pull/1597
### Would you like to implement a fix?
No