azuredevops_serviceendpoint_servicefabric - client_certificate not updated (due to bcrypt?) #613

Closed
hbuckle opened this issue Jun 27, 2022 · 5 comments
Contributor

hbuckle commented Jun 27, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform v1.2.2
on windows_amd64

  • provider registry.terraform.io/hashicorp/azurerm v3.11.0
  • provider registry.terraform.io/hashicorp/local v2.2.3
  • provider registry.terraform.io/microsoft/azuredevops v0.2.1

Affected Resource(s)

  • azuredevops_serviceendpoint_servicefabric

Terraform Configuration Files

locals {
  string1 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy"
  string2 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy/extra"
}

resource "azuredevops_serviceendpoint_servicefabric" "example" {
  project_id            = data.azuredevops_project.project.id
  service_endpoint_name = "example"
  cluster_endpoint      = "tcp://test.internal:19000"

  certificate {
    server_certificate_lookup      = "CommonName"
    server_certificate_common_name = "test.internal"
    client_certificate             = local.string1
  }
}

Expected Behavior

Change the client_certificate to reference string2 and run terraform plan - the service endpoint should be updated

Actual Behavior

No changes. Your infrastructure matches the configuration.

Important Factoids

I think this may be due to the bcrypt hashing mechanism being used - it seems bcrypt has a limit of 72 bytes for passwords.

In my real configuration the client_certificate comes from a key vault certificate - when it gets renewed, the first part of the base64 string representation of the certificate is the same as the previous version.

Contributor Author

hbuckle commented Jul 7, 2022

@xuzhang3 - what can we do to address this, is there a different hashing mechanism that could be used?
We're having to update all of our service connections manually at the moment

Collaborator

xuzhang3 commented Jul 7, 2022

@hbuckle for other service connections with a secret/password, this issue used to be an unnecessary set of the secret/password. I need to debug into it to find out why Terraform ignores the changes.

Collaborator

xuzhang3 commented Jul 8, 2022

@hbuckle this is a bcrypt issue: bcrypt has a max length limitation of 72, while the test secret here is over 73.

Contributor Author

hbuckle commented Jul 8, 2022

@xuzhang3 - yes, that's what I assumed. The client_certificate expects a base64 encoded certificate, which is well over 72 characters, and the first part of the strings is often identical (you can see this if you create a key vault with a self signed cert, create a new version of it and compare the base64 strings).

Collaborator

xuzhang3 commented Jul 8, 2022

@hbuckle tend to remove the hash validator
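
The 72-byte limit discussed in this thread, as an added example that is not the provider's code and not part of any comment above: it models only bcrypt's input truncation with the Go standard library instead of calling a bcrypt package, then compares that with a keyed SHA-256 digest over the whole value. The function names, the HMAC-SHA-256 approach and the demo key are assumptions made for illustration; `string1` and `string2` are the values from the issue's `locals` block.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// bcryptLimit is the number of leading input bytes bcrypt uses (per the thread: 72).
const bcryptLimit = 72

// Values from the issue's locals block.
const string1 = "pntfakyjuyaqnxjdoemcipgpxqtyjxryvutsupobjlylwkvptkmxdwwaoftypceklajrxlcxy"
const string2 = string1 + "/extra"

// bcryptVisible returns the bytes of a secret that can influence a bcrypt hash.
// It models the truncation only; it is not a bcrypt implementation.
func bcryptVisible(secret string) []byte {
	b := []byte(secret)
	if len(b) > bcryptLimit {
		b = b[:bcryptLimit]
	}
	return b
}

// changedViaBcrypt reports whether a bcrypt-based comparison could notice
// that newSecret differs from oldSecret.
func changedViaBcrypt(oldSecret, newSecret string) bool {
	return !hmac.Equal(bcryptVisible(oldSecret), bcryptVisible(newSecret))
}

// fullDigest is a keyed SHA-256 digest over every byte of the secret.
func fullDigest(key []byte, secret string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(secret))
	return mac.Sum(nil)
}

// changedViaDigest compares full-length keyed digests (assumed alternative).
func changedViaDigest(key []byte, oldSecret, newSecret string) bool {
	return !hmac.Equal(fullDigest(key, oldSecret), fullDigest(key, newSecret))
}

func main() {
	key := []byte("constructed-demo-key") // hypothetical key, constructed for this demo
	fmt.Println("bcrypt-style comparison sees a change:", changedViaBcrypt(string1, string2))
	fmt.Println("full-digest comparison sees a change: ", changedViaDigest(key, string1, string2))
}
```
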
