
azuredevops_serviceendpoint_servicefabric - client_certificate not updated (due to bcrypt?)

Open hbuckle opened this issue 3 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.2.2 on windows_amd64

  • provider registry.terraform.io/hashicorp/azurerm v3.11.0
  • provider registry.terraform.io/hashicorp/local v2.2.3
  • provider registry.terraform.io/microsoft/azuredevops v0.2.1

Affected Resource(s)

  • azuredevops_serviceendpoint_servicefabric

Terraform Configuration Files

locals {
  string1 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy"
  string2 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy/extra"
}

resource "azuredevops_serviceendpoint_servicefabric" "example" {
  project_id            = data.azuredevops_project.project.id
  service_endpoint_name = "example"
  cluster_endpoint      = "tcp://test.internal:19000"

  certificate {
    server_certificate_lookup      = "CommonName"
    server_certificate_common_name = "test.internal"
    client_certificate             = local.string1
  }
}

Expected Behavior

Change the client_certificate to reference string2 and run terraform plan - the service endpoint should be updated

Actual Behavior

No changes. Your infrastructure matches the configuration.

Important Factoids

I think this may be due to the bcrypt hashing mechanism being used - it seems bcrypt has a limit of 72 bytes for passwords.

In my real configuration the client_certificate comes from a key vault certificate; when it gets renewed, the first part of the base64 string representation of the certificate is the same as the previous version.

hbuckle avatar Jun 27 '22 12:06 hbuckle

@xuzhang3 - what can we do to address this, is there a different hashing mechanism that could be used? We're having to update all of our service connections manually at the moment

hbuckle avatar Jul 07 '22 07:07 hbuckle

@hbuckle for other service connections with a secret/password, this issue used to be an unnecessary set of the secret/password. I need to debug into it to find out why Terraform ignores the changes.

xuzhang3 avatar Jul 07 '22 08:07 xuzhang3

@hbuckle this is a bcrypt issue: bcrypt has a max length limitation of 72, while the test secret here is over 73.

xuzhang3 avatar Jul 08 '22 08:07 xuzhang3

@xuzhang3 - yes, that's what I assumed. The client_certificate expects a base64-encoded certificate, which is well over 72 characters, and the first parts of the strings are often identical (you can see this if you create a key vault with a self-signed cert, create a new version of it and compare the base64 strings).

hbuckle avatar Jul 08 '22 08:07 hbuckle
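The following is an added example, not code from the provider or from either commenter, to make the failure mode described in the issue body and in the comment above concrete. It models bcrypt's documented 72-byte input limit with a SHA-256 over the truncated input (a stand-in: bcrypt's salt and cost factor are irrelevant to the point, and real bcrypt would need golang.org/x/crypto, which this block avoids so it runs with the standard library alone), then shows a digest over the full input that does detect the change. The two test strings are the ones from the issue; the function and constant names are mine.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// BcryptInputLimit is the number of password bytes bcrypt actually consumes;
// bytes after position 72 never influence the hash.
const BcryptInputLimit = 72

// The two values from the issue. String2 is String1 plus "/extra", so the
// two share a prefix longer than 72 bytes.
const (
	String1 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy"
	String2 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy/extra"
)

// TruncatedDigest models the bcrypt behaviour that bites here: only the first
// 72 bytes of the input reach the hash. This is NOT bcrypt (no salt, no cost);
// it is a stand-in that exhibits the same truncation.
func TruncatedDigest(secret string) string {
	b := []byte(secret)
	if len(b) > BcryptInputLimit {
		b = b[:BcryptInputLimit]
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// FullDigest hashes the entire value, so a change anywhere in the input
// changes the fingerprint. A provider that only needs to detect drift between
// the configured secret and the one it last applied can store this in state
// instead of a bcrypt hash (assumption: drift detection is the only goal).
func FullDigest(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// SecretChanged reports whether the configured value differs from the stored
// fingerprint under the given digest. Constant-time compare so the check
// itself does not leak how much of the fingerprint matched.
func SecretChanged(stored, configured string, digest func(string) string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(digest(configured))) != 1
}

// TruncatedDetectsChange reproduces the bug: state holds the fingerprint of
// String1, the config now says String2, and the truncating digest sees no diff.
func TruncatedDetectsChange() bool {
	return SecretChanged(TruncatedDigest(String1), String2, TruncatedDigest)
}

// FullDetectsChange is the same scenario with a full-input digest.
func FullDetectsChange() bool {
	return SecretChanged(FullDigest(String1), String2, FullDigest)
}

func main() {
	fmt.Printf("len(String1)=%d, limit=%d\n", len(String1), BcryptInputLimit)
	fmt.Printf("truncating digest detects change: %v\n", TruncatedDetectsChange())
	fmt.Printf("full-input digest detects change:  %v\n", FullDetectsChange())
}
```

Two caveats for whoever picks up the fix. An unsalted SHA-256 fingerprint in state is fine for a high-entropy value such as a base64 certificate, but for a low-entropy password it lets anyone who can read the state file guess offline; an HMAC keyed with a per-resource random salt stored next to it avoids that while still detecting every change. Also, newer releases of golang.org/x/crypto/bcrypt reject inputs longer than 72 bytes with bcrypt.ErrPasswordTooLong instead of silently truncating, so keeping bcrypt and merely bumping the dependency would turn this silent miss into an apply error on every certificate-backed endpoint.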

@hbuckle I tend to remove the hash validator.

xuzhang3 avatar Jul 08 '22 08:07 xuzhang3