
Undescribed breaking change in provider validation (v0.21.0) #144

LoicBer opened this issue Jul 15, 2024 · 0 comments
Labels
bug Something isn't working

Comments


LoicBer commented Jul 15, 2024

PROBLEM SUMMARY

Release v0.21.0 introduced a new verification that may fail Terraform even when the provider is not used.

Context:
We are handling workload identities with a dedicated Terraform module. This module can be configured to optionally use the Venafi provider to produce client certificates. However, by default, no Venafi resources are created and we do not provide credentials to the venafi provider. Our default configuration used to work with provider v0.20.0 but started to fail with v0.21.0, even though no such change of behavior was described in the release notes.

STEPS TO REPRODUCE

Here is a basic Terraform main.tf that works well with v0.20.0 but fails with v0.21.0:

```hcl
terraform {
  required_version = ">= 1.4"
  required_providers {
    venafi = {
      source  = "venafi/venafi"
      version = "= 0.21" # works with 0.20
    }
  }
}

provider "venafi" {
  dev_mode     = false
  url          = "https://xxxxxxxxxxxxxxxxx" # replace by actual endpoint
  zone         = "dummyzone"
  access_token = "invalid_token"
}

resource "venafi_certificate" "auth_cert" {
  count        = 0 # RESOURCE IS NOT CREATED
  common_name  = "demo"
  algorithm    = "RSA"
  rsa_bits     = "2048"
  csr_origin   = "service"
  key_password = "somesecretpathphrase"
}
```

Then run `terraform plan`.

Note that a `venafi_certificate` resource is declared with `count = 0`, so no certificate would actually be created. This config mimics a module where Venafi certificates would be optional.

EXPECTED RESULTS

Same behavior as with v0.20.0: successful plan

OR

Being warned in the release notes that some additional verifications are now performed

ACTUAL RESULTS

```text
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 14, in provider "venafi":
│   14: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: vcert error: your data contains problems: auth error: vcert error:
│ your data contains problems: auth error
```

ENVIRONMENT DETAILS

Venafi v0.20.0
Terraform v1.4.6

COMMENTS/WORKAROUNDS

We found that we can use `dev_mode = true` to disable the connection to the Venafi platform when the module does not actually require certificates. Our config looks like:

```hcl
provider "venafi" {
  dev_mode     = local.no_venafi_certs_required
  url          = var.venafi_url
  zone         = var.venafi_zone
  access_token = var.access_token
}

locals {
  no_venafi_certs_required = # some logic on input variables
}
```

This change in behavior may have been introduced by 2a09026.
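The behavioral difference the report describes, eager credential validation at provider configuration time versus validation deferred to the first resource that actually needs the platform, is easy to reason about with a small model. The Go program below is an added illustration written for this page; it is not the Venafi provider's or vcert's code and uses no Terraform SDK. `authenticate`, `Configure`, `CreateCertificate` and `Plan` are hypothetical stand-ins, the token value `valid_token` is constructed, and the `eager` flag selects between the two validation strategies. It shows why a bad or absent token breaks a plan with `count = 0` only under eager validation, why lazy validation still catches the bad token as soon as a certificate is requested, and how a `dev_mode` switch bypasses the platform call entirely (the workaround above), which is worth remembering when reviewing such configurations, since dev mode also removes the early credential check.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAuth models the "auth error" the page shows vcert returning for a bad token.
var ErrAuth = errors.New("auth error: invalid access token")

// ProviderConfig mirrors the settings from the issue's provider block.
type ProviderConfig struct {
	DevMode     bool
	URL         string
	AccessToken string
}

// authenticate is a stand-in for the platform authentication call (hypothetical,
// not vcert's API). Only the constructed token "valid_token" is accepted.
func authenticate(cfg ProviderConfig) error {
	if cfg.AccessToken != "valid_token" {
		return ErrAuth
	}
	return nil
}

// Provider holds the configuration and whether authentication has succeeded.
type Provider struct {
	cfg           ProviderConfig
	authenticated bool
}

// Configure models provider initialisation. With eager=true it authenticates
// immediately (the v0.21.0 behaviour reported above); with eager=false it defers
// authentication to first resource use (the behaviour the reporter saw in
// v0.20.0). dev_mode skips authentication in both cases.
func Configure(cfg ProviderConfig, eager bool) (*Provider, error) {
	p := &Provider{cfg: cfg}
	if cfg.DevMode || !eager {
		return p, nil
	}
	if err := authenticate(cfg); err != nil {
		return nil, fmt.Errorf("failed to initialize Venafi client: %w", err)
	}
	p.authenticated = true
	return p, nil
}

// CreateCertificate models one venafi_certificate instance being applied. It
// authenticates lazily if Configure did not, so a bad token still fails here.
func (p *Provider) CreateCertificate(commonName string) error {
	if p.cfg.DevMode {
		return nil // dev_mode: no platform call at all
	}
	if !p.authenticated {
		if err := authenticate(p.cfg); err != nil {
			return fmt.Errorf("creating certificate %q: %w", commonName, err)
		}
		p.authenticated = true
	}
	return nil
}

// Plan configures the provider and then creates count instances, returning the
// first error. count=0 is the page's case: the resource block exists but is unused.
func Plan(cfg ProviderConfig, eager bool, count int) error {
	p, err := Configure(cfg, eager)
	if err != nil {
		return err
	}
	for i := 0; i < count; i++ {
		if err := p.CreateCertificate(fmt.Sprintf("demo-%d", i)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	bad := ProviderConfig{URL: "https://venafi.example", AccessToken: "invalid_token"}
	fmt.Println("eager, count=0:   ", Plan(bad, true, 0))  // fails: auth error
	fmt.Println("lazy,  count=0:   ", Plan(bad, false, 0)) // nil: nothing needed the platform
	fmt.Println("lazy,  count=1:   ", Plan(bad, false, 1)) // fails at first resource
	bad.DevMode = true
	fmt.Println("dev_mode, count=1:", Plan(bad, true, 1)) // nil: platform never contacted
}
```

The model makes the trade-off explicit: eager validation fails fast on misconfigured credentials, which is useful for catching a wrong token before any apply, but it turns every optional-provider module into a hard dependency on valid credentials; lazy validation keeps the page's `count = 0` pattern working while still surfacing the bad token at the first real use.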

@LoicBer LoicBer added the bug Something isn't working label Jul 15, 2024