
tls_self_signed_cert and tls_locally_signed_cert are always replaced #128

nbraun-wolf opened this issue Aug 28, 2021 · 5 comments

nbraun-wolf commented Aug 28, 2021

Hi there,

I found a problem: tls_self_signed_cert and tls_locally_signed_cert are always replaced on each terraform apply. According to the docs, this should not happen.

This resource considers its instances to have been deleted after either their validity periods ends or the early renewal period is reached. At this time, applying the Terraform configuration will cause a new certificate to be generated for the instance.

Terraform Version

Terraform v1.0.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/azurerm v2.74.0
+ provider registry.terraform.io/hashicorp/helm v2.3.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.4.1
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0

Affected Resource(s)


  • tls_self_signed_cert
  • tls_locally_signed_cert


Terraform Configuration Files

variable "linkerd_identity_validity_period_hours" {
  default = 3000
}

variable "linkerd_identity_early_renewal_hours" {
  default = 168
}

variable "linkerd_identity_allowed_uses" {
  default = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}

resource "tls_private_key" "root" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "root" {
  is_ca_certificate     = true
  key_algorithm         = tls_private_key.root.algorithm
  private_key_pem       = tls_private_key.root.private_key_pem
  validity_period_hours = var.linkerd_identity_validity_period_hours
  early_renewal_hours   = var.linkerd_identity_validity_period_hours
  allowed_uses          = toset(var.linkerd_identity_allowed_uses)

  dns_names = ["root.linkerd.cluster.local"]
  subject {
    common_name  = "root.linkerd.cluster.local"
    organization = "root linkerd mtls"
  }
}

resource "tls_private_key" "issuer" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "issuer" {
  key_algorithm   = tls_private_key.issuer.algorithm
  private_key_pem = tls_private_key.issuer.private_key_pem
  dns_names       = ["issuer.linkerd.cluster.local"]
  subject {
    common_name  = "issuer.linkerd.cluster.local"
    organization = "issuer linkerd mtls"
  }
}

resource "tls_locally_signed_cert" "issuer" {
  is_ca_certificate     = true
  ca_key_algorithm      = tls_private_key.root.algorithm
  ca_private_key_pem    = tls_private_key.root.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.root.cert_pem
  cert_request_pem      = tls_cert_request.issuer.cert_request_pem
  validity_period_hours = var.linkerd_identity_validity_period_hours
  early_renewal_hours   = var.linkerd_identity_validity_period_hours
  allowed_uses          = toset(var.linkerd_identity_allowed_uses)
}

Expected Behavior

It should not recreate the cert until early_renewal_hours is reached.

Actual Behavior

It wants to destroy and recreate the cert

# tls_locally_signed_cert.issuer must be replaced
resource "tls_locally_signed_cert" "issuer" {
      ~ ca_cert_pem           = "2eb1e542a6dc44d4079152e6fe8d1c187ab222a5" -> (known after apply) # forces replacement
 
# tls_self_signed_cert.root must be replaced
resource "tls_self_signed_cert" "root" {
      ~ ready_for_renewal     = false -> true # forces replacement
...

Steps to Reproduce

Run terraform apply twice.

References

Not sure if it's the same, but it sounds related: #79


nbraun-wolf commented Aug 29, 2021

So, I found out while experimenting that when removing early_renewal_hours, the cert would not be regenerated on each apply.

@sebastiangaiser

@nbraun-wolf we experienced the same. Changing the cert every time for me is a bug.


kirecek commented Jul 2, 2022

In the snippet you linked, you are setting the same value for validity_period_hours and also for early_renewal_hours.

  validity_period_hours = var.linkerd_identity_validity_period_hours
  early_renewal_hours   = var.linkerd_identity_validity_period_hours

Renewal in such a case is expected because

After changing the code to the example below (the renewal hours value must be lower than the validity period):

  validity_period_hours = var.linkerd_identity_validity_period_hours
  early_renewal_hours   = var.linkerd_identity_early_renewal_hours

it works fine.


detro commented Jul 19, 2022

As reported indeed by @kirecek, this is an issue with the early_renewal_hours.

By setting the same amount for validity_period_hours and early_renewal_hours, you are essentially making it "always ready for early renewal".

Example:

  • Current time is t
  • Creation time is T
  • Validity time is T + V: meaning, the certificate is invalid when t > T+V
  • Early renewal time is T - E, but E == V in this case: this means that early renewal kicks in as soon as T-E >= t > T

In short, early renewal time is measured backward from the validity expiration.
Hope this clarifies things, but please let me know if it still doesn't.

Closing now.

@detro detro closed this as completed Jul 19, 2022
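To make the renewal arithmetic from the comment above concrete, here is a small model of the early-renewal check as the provider documentation describes it (ready for renewal once the current time reaches NotAfter minus early_renewal_hours). This is an added example, not code from the issue or from the hashicorp/tls provider itself; the function names, the constructed creation time and the apply times are assumptions, and the numbers come from the issue's own variables (validity 3000 h, early renewal 168 h).

```python
from datetime import datetime, timedelta, timezone


def renewal_threshold(not_before, validity_hours, early_renewal_hours):
    """Earliest instant at which the certificate counts as ready for renewal.

    Early renewal is measured backward from the expiry (NotAfter), so the
    threshold is NotBefore + validity - early_renewal.  With early_renewal
    equal to validity the threshold collapses onto NotBefore itself.
    """
    if early_renewal_hours < 0 or early_renewal_hours > validity_hours:
        raise ValueError("early_renewal_hours must be between 0 and validity_period_hours")
    not_after = not_before + timedelta(hours=validity_hours)
    return not_after - timedelta(hours=early_renewal_hours)


def ready_for_renewal(now, not_before, validity_hours, early_renewal_hours):
    """Mirror of the provider's ready_for_renewal attribute for a given 'now'."""
    return now >= renewal_threshold(not_before, validity_hours, early_renewal_hours)


def applies_that_force_replacement(not_before, validity_hours, early_renewal_hours, apply_times):
    """Return the apply timestamps at which a plan would force replacement."""
    return [t for t in apply_times
            if ready_for_renewal(t, not_before, validity_hours, early_renewal_hours)]


# Constructed scenario (assumption): the root cert was created at this instant.
CREATED = datetime(2021, 8, 28, 12, 0, tzinfo=timezone.utc)

# Values from the issue's variables.
VALIDITY_HOURS = 3000
BROKEN_EARLY_RENEWAL = 3000   # early_renewal_hours == validity_period_hours (the bug)
FIXED_EARLY_RENEWAL = 168     # var.linkerd_identity_early_renewal_hours

# Constructed apply times: a second apply one minute later, one a week later,
# and one just past the point where renewal should legitimately start.
APPLY_TIMES = [
    CREATED + timedelta(minutes=1),
    CREATED + timedelta(days=7),
    CREATED + timedelta(hours=VALIDITY_HOURS - FIXED_EARLY_RENEWAL),
]


if __name__ == "__main__":
    for label, early in (("broken", BROKEN_EARLY_RENEWAL), ("fixed", FIXED_EARLY_RENEWAL)):
        forced = applies_that_force_replacement(CREATED, VALIDITY_HOURS, early, APPLY_TIMES)
        print(f"{label}: early_renewal_hours={early}, "
              f"threshold={renewal_threshold(CREATED, VALIDITY_HOURS, early).isoformat()}, "
              f"applies forcing replacement={len(forced)}/{len(APPLY_TIMES)}")
```

With early_renewal_hours equal to the validity period every apply after creation sees ready_for_renewal flip to true, which is exactly the "forces replacement" line in the plan above; with 168 hours only the apply at 2832 hours after creation does. A renewal value larger than the validity period is rejected outright, since it would place the threshold before the certificate even exists.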
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024