[Bug]: Updating a vault_pki_secret_backend_root_cert.ttl value does not update the certificate in vault #2415

Open
@Jay-Madden

Description

Terraform Core Version

1.7.4

Terraform Vault Provider Version

4.6.0

Vault Server Version

1.17.5

Affected Resource(s)

Given the following Terraform:

locals {
  seconds_in_minutes = 60
  seconds_in_hours = local.seconds_in_minutes * 60
  seconds_in_days = local.seconds_in_hours * 24
}

resource "vault_mount" "pki" {
  path                      = var.pki_mount_name
  type                      = "pki"
  description               = "CA"

  max_lease_ttl_seconds     = local.seconds_in_days * 364 * 10
}

resource "vault_pki_secret_backend_issuer" "repro_issuer" {
  backend     = vault_pki_secret_backend_root_cert.repro_certificate.backend
  issuer_ref  = vault_pki_secret_backend_root_cert.repro_certificate.issuer_id
  issuer_name = "test-repro-issuer"
}

resource "vault_pki_secret_backend_root_cert" "repro_certificate" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "test-repro"

  ttl = 432000 # 5 Days
}

Upon apply, the following NotBefore and NotAfter values are generated in Vault correctly.

[Image: NotBefore and NotAfter of the root certificate as shown in Vault after the first apply]

However, when the Terraform is updated to change the ttl of the vault_pki_secret_backend_root_cert:

locals {
  seconds_in_minutes = 60
  seconds_in_hours = local.seconds_in_minutes * 60
  seconds_in_days = local.seconds_in_hours * 24
}

resource "vault_mount" "pki" {
  path                      = var.pki_mount_name
  type                      = "pki"
  description               = "CA"

  max_lease_ttl_seconds     = local.seconds_in_days * 364 * 10
}

resource "vault_pki_secret_backend_issuer" "repro_issuer" {
  backend     = vault_pki_secret_backend_root_cert.repro_certificate.backend
  issuer_ref  = vault_pki_secret_backend_root_cert.repro_certificate.issuer_id
  issuer_name = "test-repro-issuer"
}

resource "vault_pki_secret_backend_root_cert" "repro_certificate" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "test-repro"

  ttl = 864000 # 10 Days
}

and an apply is run, the following plan is generated:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.vault-pki.vault_pki_secret_backend_root_cert.repro_certificate will be updated in-place
  ~ resource "vault_pki_secret_backend_root_cert" "repro_certificate" {
        id                 = "pki-lab-shared/issuer/499c3473-aaeb-986e-8719-dcf8703e57c6"
      ~ ttl                = "432000" -> "864000"
        # (13 unchanged attributes hidden)
    }

With the apply outputting the following:

module.vault-pki.vault_pki_secret_backend_root_cert.repro_certificate: Modifying... [id=pki-lab-shared/issuer/499c3473-aaeb-986e-8719-dcf8703e57c6]
module.vault-pki.vault_pki_secret_backend_root_cert.repro_certificate: Modifications complete after 0s [id=pki-lab-shared/issuer/499c3473-aaeb-986e-8719-dcf8703e57c6]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected Behavior

The provider should either error out, or plan a recreation of the certificate and issuer in vault.

Actual Behavior

The apply appears to go through successfully. However, when the certificate is inspected in Vault, it remains unchanged.

[Image: the same root certificate in Vault after the second apply, NotAfter unchanged]

Relevant Error/Panic Output Snippet

Terraform Configuration Files

locals {
  seconds_in_minutes = 60
  seconds_in_hours = local.seconds_in_minutes * 60
  seconds_in_days = local.seconds_in_hours * 24
}

resource "vault_mount" "pki" {
  path                      = var.pki_mount_name
  type                      = "pki"
  description               = "CA"

  max_lease_ttl_seconds     = local.seconds_in_days * 364 * 10
}

resource "vault_pki_secret_backend_issuer" "repro_issuer" {
  backend     = vault_pki_secret_backend_root_cert.repro_certificate.backend
  issuer_ref  = vault_pki_secret_backend_root_cert.repro_certificate.issuer_id
  issuer_name = "test-repro-issuer"
}

resource "vault_pki_secret_backend_root_cert" "repro_certificate" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "test-repro"

  ttl = 432000 # 5 Days
}

Steps to Reproduce

Apply the Terraform; once it is applied, update the ttl value on the vault_pki_secret_backend_root_cert object and apply again. Observe that drift is detected but nothing changes in Vault.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This appears to have been an issue in vault_pki_secret_backend_cert (see #353) that was fixed a few years ago, but it was not propagated to vault_pki_secret_backend_root_cert.

Would you like to implement a fix?

None
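A workaround for the behaviour described in this issue, added here as an example; it is not part of the reporter's configuration and not code from the provider. A root certificate's NotAfter is fixed when the certificate is generated, so the only way to honour a changed ttl is to replace the resource. Terraform can be told to do that itself with a terraform_data resource (Terraform 1.4 or later) referenced from replace_triggered_by, instead of relying on the provider's no-op in-place update. The variable name root_cert_ttl_seconds and the resource name terraform_data.root_cert_ttl are assumptions made for this example.

```hcl
variable "pki_mount_name" {
  type = string
}

# Assumed variable for this example: the configured root CA lifetime.
variable "root_cert_ttl_seconds" {
  type    = number
  default = 432000 # 5 days
}

resource "vault_mount" "pki" {
  path                  = var.pki_mount_name
  type                  = "pki"
  description           = "CA"
  max_lease_ttl_seconds = 86400 * 364 * 10
}

# Any change to `input` is planned as an update of this resource,
# which is what the lifecycle block on the root cert keys on.
resource "terraform_data" "root_cert_ttl" {
  input = var.root_cert_ttl_seconds
}

resource "vault_pki_secret_backend_root_cert" "repro_certificate" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "test-repro"
  ttl         = var.root_cert_ttl_seconds

  lifecycle {
    # Force destroy/create when the ttl changes, so the NotAfter
    # of the certificate in Vault actually reflects the configured value
    # instead of the silent in-place "update" shown in the issue.
    replace_triggered_by = [terraform_data.root_cert_ttl]
  }
}

# Follows the new issuer_id automatically after a replacement.
resource "vault_pki_secret_backend_issuer" "repro_issuer" {
  backend     = vault_pki_secret_backend_root_cert.repro_certificate.backend
  issuer_ref  = vault_pki_secret_backend_root_cert.repro_certificate.issuer_id
  issuer_name = "test-repro-issuer"
}
```

With this in place, changing root_cert_ttl_seconds produces a plan that marks vault_pki_secret_backend_root_cert.repro_certificate with "forces replacement" rather than an update in-place. The caveat a practitioner should weigh first: with type = "internal" a replacement generates a new key pair as well as a new certificate, so every trust store that pins the old root, and every chain built from it, has to be updated. After the apply, verify in Vault that the issuer's NotAfter minus NotBefore now matches the configured ttl, since that is exactly the check the provider was not doing.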
