
[Bug]: vault_pki_secret_backend_cert resources are tainted BEFORE updating attributes #2407

Open
jskirde opened this issue Feb 18, 2025 · 0 comments

jskirde commented Feb 18, 2025

### Terraform Core Version

1.10.4

### Terraform Vault Provider Version

>=3.9.0, <=3.25.0

### Vault Server Version

1.16.1

### Affected Resource(s)

vault_pki_secret_backend_cert

### Expected Behavior

In provider versions <=3.8.2, we can delay a certificate from being renewed by setting min_seconds_remaining to less than the expiry, or by setting auto_renew to false.

### Actual Behavior

On version >= 3.9.0, <=3.25.0, the certificate is tainted and then the auto_renew or min_seconds_remaining attributes are updated. They then work as expected on the next run (i.e. not auto_renew'ing again). This behaviour change seems accidental as it's not listed in the changelog.

### Relevant Error/Panic Output Snippet

### Terraform Configuration Files

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      # version = "3.8.2" # This version works as expected
      version = "<=3.25.0" # This version does not function as expected
    }
  }
}

resource "vault_pki_secret_backend_cert" "web-certificate" {
  backend               = "venafi-pki"
  name                  = local.vaultVenafiRole # PKI role name, defined elsewhere in the configuration
  common_name           = var.commonName
  alt_names             = var.altNames
  auto_renew            = true
  min_seconds_remaining = 432000 # 5 days in seconds
  ttl                   = "120h" # 5 days in hours (ttl is a duration string; unquoted 120h is not valid HCL)
}
```

### Steps to Reproduce

- Provision a certificate with a vault_pki_secret_backend_cert with ttl == min_seconds_remaining
- Update either `min_seconds_remaining = 1` and/or `auto_renew = false`
- Perform a plan; if the certificate is replaced, this is not desired behaviour. If the attributes are updated and the certificate is not tainted / forced renew, then this is as expected.


### Debug Output

_No response_

### Panic Output

_No response_

### Important Factoids

_No response_

### References

Suspect this issue may have been caused by the following change:
https://github.com/hashicorp/terraform-provider-vault/pull/1597

### Would you like to implement a fix?

No
@jskirde jskirde added the bug label Feb 18, 2025
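As an added check for step 3 of the reproduction above (this is example code written for this page, not code from the reporter or from the Vault provider): a small Python script that reads the JSON form of a plan (`terraform show -json tfplan`) and reports, for each `vault_pki_secret_backend_cert` resource, whether the plan replaces it or updates it in place, and flags any replacement where the only attributes that changed are `auto_renew` or `min_seconds_remaining`. The embedded plan document is constructed to mimic both outcomes; the resource addresses and attribute values in it are assumed, not taken from a real run.

```python
"""Classify planned actions on vault_pki_secret_backend_cert resources.

Added example for this issue, not code from the Vault provider or the reporter.
Input is the JSON produced by `terraform show -json <planfile>`; the sample below
is constructed to show one certificate being replaced (the symptom reported) and
one being updated in place (the expected behaviour).
"""
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields used here.
# Addresses and values are assumptions for the example.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "vault_pki_secret_backend_cert.web-certificate",
            "type": "vault_pki_secret_backend_cert",
            "change": {
                "actions": ["delete", "create"],
                "before": {"auto_renew": True, "min_seconds_remaining": 432000},
                "after": {"auto_renew": False, "min_seconds_remaining": 432000},
            },
        },
        {
            "address": "vault_pki_secret_backend_cert.api-certificate",
            "type": "vault_pki_secret_backend_cert",
            "change": {
                "actions": ["update"],
                "before": {"auto_renew": True, "min_seconds_remaining": 432000},
                "after": {"auto_renew": True, "min_seconds_remaining": 1},
            },
        },
        {
            "address": "vault_mount.pki",
            "type": "vault_mount",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})

CERT_TYPE = "vault_pki_secret_backend_cert"
# The two attributes this issue is about: changing them should never force a new cert.
RENEWAL_KNOBS = ("auto_renew", "min_seconds_remaining")


def classify_actions(actions):
    """Collapse Terraform's action list (e.g. ["delete", "create"]) into one verdict."""
    acts = set(actions)
    if {"delete", "create"} <= acts:
        return "replace"
    if "update" in acts:
        return "update"
    if "create" in acts:
        return "create"
    if "delete" in acts:
        return "delete"
    return "no-op"


def cert_changes(plan_json_text):
    """Return {address: verdict} for every PKI cert resource in the plan."""
    plan = json.loads(plan_json_text)
    return {
        rc["address"]: classify_actions(rc["change"]["actions"])
        for rc in plan.get("resource_changes", [])
        if rc.get("type") == CERT_TYPE
    }


def unexpected_replacements(plan_json_text):
    """Addresses of certs the plan replaces while a renewal knob changed.

    This assumes, as in the reproduction steps, that the only intentional edit
    was to auto_renew and/or min_seconds_remaining; a replacement in that case
    is the taint-before-update behaviour described in the issue.
    """
    plan = json.loads(plan_json_text)
    flagged = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != CERT_TYPE:
            continue
        change = rc["change"]
        if classify_actions(change["actions"]) != "replace":
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        if any(before.get(k) != after.get(k) for k in RENEWAL_KNOBS):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for addr, verdict in cert_changes(SAMPLE_PLAN_JSON).items():
        print(f"{addr}: {verdict}")
    bad = unexpected_replacements(SAMPLE_PLAN_JSON)
    print("unexpected replacements:", ", ".join(bad) if bad else "none")
```

Against a real workspace, produce the input with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `unexpected_replacements`; an empty list means the provider updated the attributes in place, a non-empty list reproduces the behaviour reported here.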