
make csr optional for origin ca #955

Merged
merged 5 commits into from
Feb 17, 2021

Conversation

jacobbednarz
Member

In the past, the CSR was required as it was the only method of generating
certificates. That isn't the case anymore and in some scenarios, we don't need
to enforce the CSR as we may be importing. Instead of enforcing this at the
schema level, we can make it optional and apply it within the Create should
it be present.

Fixes #950

As a bonus I've also fixed a bug with the requested_validity not being
persisted within the state which prevents storing unnecessary null values.

…icate validity

While fixing another issue in this resource, I noticed we were not setting the
`requested_validity` however it is a schema attribute. As this value isn't
present in the API, we need to manually calculate it using some time
comparisons based on the certificate `ExpiresOn` value.
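The commit message above says `requested_validity` has to be derived from the certificate's `ExpiresOn` with time comparisons, and the discussion that follows shows why that is fragile: a value computed as "days left" changes every day, so a refresh no longer matches the configured value and the plan forces a replacement. The following Go program is an added illustration written for this page; it is not code from the provider or from the PR. It assumes a constructed issue date and the allowed-value list that appears verbatim in the validation error later in the thread, and contrasts a naive remaining-days computation with one that snaps the result to the nearest allowed validity.

```go
package main

import (
	"fmt"
	"time"
)

// allowedValidityDays is taken from the validation error quoted on this page:
// "expected requested_validity to be one of [7 30 90 365 730 1095 5475]".
var allowedValidityDays = []int{7, 30, 90, 365, 730, 1095, 5475}

// DaysUntil is the naive derivation: whole days from now until ExpiresOn.
// Its result drops by one every day, so state and config drift apart.
func DaysUntil(now, expiresOn time.Time) int {
	return int(expiresOn.Sub(now).Hours() / 24)
}

// NearestAllowedValidity snaps a day count to the closest value the API
// accepts. A certificate issued for 5475 days still maps to 5475 after a few
// days have elapsed, so the stored value stays stable across refreshes.
func NearestAllowedValidity(days int) int {
	best := allowedValidityDays[0]
	bestDiff := abs(days - best)
	for _, v := range allowedValidityDays[1:] {
		if d := abs(days - v); d < bestDiff {
			best, bestDiff = v, d
		}
	}
	return best
}

func abs(x int) int {
	if x < 0 {
		return -x
	}
	return x
}

// PlanForcesReplacement mirrors the ForceNew behaviour the thread observes:
// any difference between the configured and refreshed value replaces the
// resource.
func PlanForcesReplacement(configured, refreshed int) bool {
	return configured != refreshed
}

func main() {
	// Constructed sample: a certificate requested with 5475 days of validity,
	// refreshed four days after issuance.
	issued := time.Date(2021, 2, 12, 0, 0, 0, 0, time.UTC)
	expiresOn := issued.AddDate(0, 0, 5475)
	now := issued.AddDate(0, 0, 4)
	configured := 5475

	naive := DaysUntil(now, expiresOn)
	snapped := NearestAllowedValidity(naive)

	fmt.Printf("naive refresh:   %d (forces replacement: %v)\n",
		naive, PlanForcesReplacement(configured, naive))
	fmt.Printf("snapped refresh: %d (forces replacement: %v)\n",
		snapped, PlanForcesReplacement(configured, snapped))
}
```

Run with `go run`; the naive path reports a value that no longer matches the configuration, while the snapped path keeps the configured value. The maintainer's eventual choice in this PR was to stop writing the derived value into state at all, and the `lifecycle { ignore_changes = [requested_validity] }` workaround later in the thread achieves the same effect from the user's side.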
@spkane

spkane commented Feb 15, 2021

Using provider 2.18.0 my current terraform reports No changes. Infrastructure is up-to-date., but just changing over to the provider compiled from this branch results in it wanting to recreate an existing origin_ca_cert which appears to be due to the requested_validity change.

      - requested_validity = 5471 -> null # forces replacement
        # (3 unchanged attributes hidden)
    }

I haven't tested the CSR portion yet, since I ran into this first.

@spkane

spkane commented Feb 16, 2021

My HCL looks like this:

resource "cloudflare_origin_ca_certificate" "example" {
  csr                = tls_cert_request.example.cert_request_pem
  hostnames          = [ "*.example.com", "example.com" ]
  request_type       = "origin-rsa"
}

I tried changing it to this:

resource "cloudflare_origin_ca_certificate" "example" {
  csr                = tls_cert_request.example.cert_request_pem
  hostnames          = [ "*.example.com", "example.com" ]
  request_type       = "origin-rsa"
  requested_validity = 5471
}

which resulted in this error:

Error: expected requested_validity to be one of [7 30 90 365 730 1095 5475], got 5471

And, of course, changing it to 5475 resulted in it wanting to delete and recreate the resource again.

@jacobbednarz
Member Author

I can't see why we'd need request_validity to recreate the resource -- I've removed it in 6595c82

@jacobbednarz jacobbednarz merged commit bb51d4e into master Feb 17, 2021
@jacobbednarz jacobbednarz deleted the make-csr-optional-for-origin-ca branch February 17, 2021 03:10
@steven-xufan

Hi, since request_validity is now saved in the state, the validity decreases every day (if we run terraform plan) and it is showing up as changes now. Is that expected?

@BojanZelic
Contributor

I've been seeing resources get recreated because of the request_validity change as well

Getting around it via:

resource "cloudflare_origin_ca_certificate" "cloudflare_origin" {
  hostnames          = ["hostname"]
  request_type       = "origin-rsa"
  requested_validity = 365

  lifecycle {
    ignore_changes = [ requested_validity ]
  }
}

for now.

Successfully merging this pull request may close these issues.

Can't import an origin_ca_certificate that was auto created in the UI and get the state happy