
ibm_sm_private_certificate_configuration/s: broken dependency logic #5968

Open
sean-freeman opened this issue Feb 5, 2025 · 2 comments
Labels
service/Secrets Manager Issues related to Secrets Manager

Comments


sean-freeman commented Feb 5, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

all

Affected Resource(s)

  • ibm_sm_private_certificate_configuration_root_ca
  • ibm_sm_private_certificate_configuration_intermediate_ca
  • ibm_sm_private_certificate_configuration_template

Panic Output

ibm_sm_private_certificate_configuration_root_ca forced replacement produces the error:

DeleteConfigurationWithContext failed
The root CA test-root-ca can't be deleted.
It is a CA issuer. [secrets-manager.09047E]

ibm_sm_private_certificate_configuration_intermediate_ca forced replacement produces the error:

DeleteConfigurationWithContext failed
The intermediate CA test-intermediate-ca can't be deleted.
It is associated with a certificate template. [secrets-manager.09068E]

Expected Behavior

Terraform Provider should be aware of the nested objects (and depends_on does not work either):

  • ibm_sm_private_certificate_configuration_root_ca
    • ibm_sm_private_certificate_configuration_intermediate_ca
      • ibm_sm_private_certificate_configuration_template

For example, Terraform Resource *_intermediate_ca refers to Terraform Resource *_root_ca - therefore any change that forces replacement of *_root_ca should also force the replacement of *_intermediate_ca.

SIDE NOTE: All of the examples provided in the documentation are low quality; I would suggest using the reproduction example below to also improve the documentation.

Actual Behavior

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "ibm_sm_private_certificate_configuration_root_ca" "root_certificate_authority" {
  provider       = ibm.central

  # Secrets Manager target
  instance_id    = ""
  region         = "us-east"
  ## automatic arguments
  ## endpoint_type  = null # public, private
  ## secret_type
  ## config_type

  # Root Certificate Authority Name
  name                 = "test-root-ca"
  # alt_names            = null # null or [ "default" ]

  # Type
  ttl                  = "100d" # Expiration Date / TTL (must be less than Max). 100s, 100m, 100h, 100d etc
  max_ttl              = "600d" # Max TTL for subordinate CAs, cannot be amended. 100s, 100m, 100h, 100d etc
  max_path_length      = -1 # not required for Root CA
  issuing_certificates_urls_encoded = true # true, false to encode the issuing certificate URL in end-entity certificates

  # Subject
  common_name          = "root.ca.cn" # e.g. "root.ca.cn"
  # organization         = [ "test-root-ca-org" ]
  # ou                   = [ "test-root-ca-org-unit" ]
  # country              = [ "test-root-ca-us" ]
  # province             = [ "test-root-ca-us-east" ]
  # locality             = [ "test-root-ca-us-east-2" ]
  # street_address       = [ "test-root-ca-vpc-subnet-1" ]
  # postal_code          = [ "test-root-ca-resource-group-default" ]

  # Subject Alternative Names instead of the CA Certificate Common Name
  # These names can be either hostnames or email addresses
  # ip_sans              = null # null or [ "default" ]
  # uri_sans             = null # null or [ "default" ]
  # other_sans           = null # null or [ "default" ]
  # exclude_cn_from_sans = false # true, false whether Common Name included in DNS or Email SANs

  # KMS
  key_type             = "rsa" # rsa, ec
  key_bits             = 2048
  format               = "pem" # pem, pem_bundle
  private_key_format   = "der" # der, pkcs8

  # CRL
  crl_disable                       = false # do not use true, will cause error 'configuration name X is already in use'
  crl_distribution_points_encoded   = true # true, false
  crl_expiry                        = "100d" # null, 100s, 100m, 100h, 100d etc
}
resource "ibm_sm_private_certificate_configuration_intermediate_ca" "intermediate_certificate_authority" {
  provider       = ibm.central
  depends_on     = [ ibm_sm_private_certificate_configuration_root_ca.root_certificate_authority ]

  # Secrets Manager target
  instance_id    = ""
  region         = "us-east"
  ## automatic arguments
  ## endpoint_type  = null # public, private
  ## secret_type
  ## config_type

  # Intermediate Certificate Authority Name
  name                 = "test-intermediate-ca"
  # alt_names            = null # null or [ "default" ]

  # Type
  ttl                  = "100d" # Expiration Date / TTL (must be less than Max). e.g. 100s, 100m, 100h, 100d etc
  max_ttl              = "600d" # Max TTL for subordinate CAs, cannot be amended. e.g. 100s, 100m, 100h, 100d etc
  max_path_length      = -1 # no limit -1, or other integer
  issuing_certificates_urls_encoded = true # true, false whether to encode the issuing certificate URL in end-entity certificates
  signing_method       = "internal" # internal, external
  issuer               = ibm_sm_private_certificate_configuration_root_ca.root_certificate_authority.name

  # Subject
  common_name          = "intermediate.ca.cn" # e.g. "intermediate.ca.cn"
  # organization         = [ "test-intermediate-ca-org" ]
  # ou                   = [ "test-intermediate-ca-org-unit" ]
  # country              = [ "test-intermediate-ca-us" ]
  # province             = [ "test-intermediate-ca-us-east" ]
  # locality             = [ "test-intermediate-ca-us-east-2" ]
  # street_address       = [ "test-intermediate-ca-vpc-subnet-1" ]
  # postal_code          = [ "test-intermediate-ca-resource-group-default" ]

  # Subject Alternative Names instead of the CA Certificate Common Name
  # These names can be either hostnames or email addresses
  # ip_sans              = null # null or [ "default" ]
  # uri_sans             = null # null or [ "default" ]
  # other_sans           = null # null or [ "default" ]
  # exclude_cn_from_sans = false # true, false whether Common Name included in DNS or Email SANs

  # KMS
  key_type             = "rsa" # rsa, ec
  key_bits             = 2048
  format               = "pem" # pem, pem_bundle
  private_key_format   = "der" # der, pkcs8

  # CRL
  crl_disable                       = false # do not use true, will cause error 'configuration name X is already in use'
  crl_distribution_points_encoded   = true # true, false
  crl_expiry                        = "100d" # null, 100s, 100m, 100h, 100d etc
}
resource "ibm_sm_private_certificate_configuration_template" "intermediate_certificate_template" {
  provider       = ibm.central
  depends_on     = [ ibm_sm_private_certificate_configuration_intermediate_ca.intermediate_certificate_authority ]

  # Secrets Manager target
  instance_id    = ""
  region         = "us-east"
  ## automatic args
  # endpoint_type  = null # public, private
  # secret_type
  # config_type

  # Intermediate Template
  name                   = "test-intermediate-template"
  certificate_authority  = "test-intermediate-ca"

  # General
  ttl                    = "200h" # TTL of the generated certificates. e.g. 100s, 100m, 100h, 100d etc
  max_ttl                = "600d" # Max TTL of the generated certificates. e.g. 100s, 100m, 100h, 100d etc
  key_type               = "rsa" # rsa, ec
  key_bits               = 2048
  allowed_secret_groups  = null # null or ["secret-group"] for list of allowed secret groups

  # Domain
  allowed_domains        = null # List of allowed domains, subdomains or wildcards e.g. ["test.com"]
  allow_bare_domains     = false # true, false whether to allow bare domains
  allow_subdomains       = false # true, false whether to allow subdomains
  allow_any_name         = false # true, false whether to allow any Common Name (CN)
  enforce_hostnames      = false # true, false whether to allow only valid hostnames

  # Certificate Roles
  server_flag            = false # true, false whether to use certificates for Server
  client_flag            = false # true, false whether to use certificates for Client
  code_signing_flag      = false # true, false whether to use certificates for Code Signing
  email_protection_flag  = false # true, false whether to use certificates for Email Protection

  # Subject
  # organization         = [ "test-intermediate-template-org" ]
  # ou                   = [ "test-intermediate-template-org-unit" ]
  # country              = [ "test-intermediate-template-us" ]
  # province             = [ "test-intermediate-template-us-east" ]
  # locality             = [ "test-intermediate-template-us-east-2" ]
  # street_address       = [ "test-intermediate-template-vpc-subnet-1" ]
  # postal_code          = [ "test-intermediate-template-resource-group-default" ]

  # Hidden from Web GUI, shown below with default values
  #key_usage = [ "DigitalSignature","KeyAgreement","KeyEncipherment"] # additional options are "ContentCommitment","DataEncipherment","CertSign","CRLSign"
  #allow_localhost = true
  #allowed_domains_template = false
  #allow_glob_domains = false
  #allow_ip_sans = true
  #use_csr_common_name = true
  #use_csr_sans = true
  #require_cn = true
  #basic_constraints_valid_for_non_ca = false
  #not_before_duration = "30s"

}

Steps to Reproduce

  1. terraform apply
@github-actions github-actions bot added the service/Secrets Manager Issues related to Secrets Manager label Feb 5, 2025
haimsch (Collaborator) commented Feb 10, 2025

@sean-freeman All we can do here is add a note in the documentation of these resources, saying that the force-new attributes cannot be modified after an intermediate CA has been created with this root CA (in the root CA doc), and similar notes for the intermediate CA and template documentation.
Other than that, there's not much we can do. It isn't possible to identify that dependency within the Terraform flow. When an attribute is marked as ForceNew, the Terraform framework tries to delete and replace without calling the IBM plugin code at all, so there's no way for the plugin code to prevent this behavior.
With regard to the examples, they can be improved.
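Since the provider cannot see the CA chain during a ForceNew replacement, the ordering can be expressed on the Terraform side instead. The configuration below is an added example, not from the issue or the IBM provider: it uses Terraform's `lifecycle { replace_triggered_by = [...] }` (Terraform 1.2 or later) so that a planned replacement of the root CA also replaces the intermediate CA and the template, and Terraform then destroys them in reverse dependency order (template, intermediate CA, root CA) before recreating the chain. It assumes the default `ibm` provider rather than the `ibm.central` alias, trims the resources to the attributes from the reproduction above, and uses a placeholder for `instance_id`.

```hcl
# Added example (not from the issue or the provider). Propagates a forced
# replacement down the chain root CA -> intermediate CA -> template so that
# the delete of the root CA no longer fails with secrets-manager.09047E
# because a dependent intermediate CA still exists. Assumes the default
# create-before-destroy=false ordering (destroy dependents first).

resource "ibm_sm_private_certificate_configuration_root_ca" "root_certificate_authority" {
  instance_id = "<SECRETS_MANAGER_INSTANCE_ID>" # placeholder, not a real id
  region      = "us-east"
  name        = "test-root-ca"
  common_name = "root.ca.cn"
  ttl         = "100d"
  max_ttl     = "600d"
  key_type    = "rsa"
  key_bits    = 2048
}

resource "ibm_sm_private_certificate_configuration_intermediate_ca" "intermediate_certificate_authority" {
  instance_id    = "<SECRETS_MANAGER_INSTANCE_ID>" # placeholder, not a real id
  region         = "us-east"
  name           = "test-intermediate-ca"
  common_name    = "intermediate.ca.cn"
  ttl            = "100d"
  max_ttl        = "600d"
  signing_method = "internal"
  issuer         = ibm_sm_private_certificate_configuration_root_ca.root_certificate_authority.name

  lifecycle {
    # Replace this CA whenever the root CA that signed it is replaced,
    # even when the changed root attribute is not referenced here.
    replace_triggered_by = [ibm_sm_private_certificate_configuration_root_ca.root_certificate_authority]
  }
}

resource "ibm_sm_private_certificate_configuration_template" "intermediate_certificate_template" {
  instance_id           = "<SECRETS_MANAGER_INSTANCE_ID>" # placeholder, not a real id
  region                = "us-east"
  name                  = "test-intermediate-template"
  # Reference the CA by resource attribute instead of the literal
  # "test-intermediate-ca" so the dependency is visible to Terraform.
  certificate_authority = ibm_sm_private_certificate_configuration_intermediate_ca.intermediate_certificate_authority.name
  ttl                   = "200h"
  max_ttl               = "600d"

  lifecycle {
    # Replace the template whenever its issuing intermediate CA is replaced
    # (which, through the block above, includes a root CA replacement).
    replace_triggered_by = [ibm_sm_private_certificate_configuration_intermediate_ca.intermediate_certificate_authority]
  }
}
```

Before applying, confirm in the plan output that all three resources show "must be replaced" and that the destroy steps for the template and intermediate CA precede the root CA's; if any certificates have been issued from the template, plan for their reissuance as well, since the whole chain is recreated.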

sean-freeman (Author) commented

@haimsch Leaving this open until the above examples are moved into the documentation, showing the depends_on between the 3 objects (root CA, intermediate CA, intermediate Template).
