Timeout when deleting a lb_certificate assigned to sni_container_refs inside a lb_listener #944

Closed
grafburg opened this issue Mar 30, 2021 · 0 comments · Fixed by #987
grafburg commented Mar 30, 2021

Terraform Version

Terraform v0.14.9
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.23.4

Affected Resource(s)

opentelekomcloud_lb_listener_v2
opentelekomcloud_lb_certificate_v2

Terraform Configuration Files

Original configuration:

# One certificate resource per SNI domain; count is the only thing changed later.
resource "opentelekomcloud_lb_certificate_v2" "elb_certificates" {
  count       = 3
  name        = "pixx${count.index}.com"
  domain      = "pixx${count.index}.com"
  private_key = file("/home/linux/ssl-${count.index}/priv.key")
  certificate = file("/home/linux/ssl-${count.index}/cert.crt")
}

# HTTPS listener: the first certificate is the default, all of them are offered via SNI.
resource "opentelekomcloud_lb_listener_v2" "elb_listener" {
  name                      = "test"
  loadbalancer_id           = opentelekomcloud_lb_loadbalancer_v2.elb_public.id
  protocol                  = "TERMINATED_HTTPS"
  protocol_port             = 4443
  http2_enable              = true
  tls_ciphers_policy        = "tls-1-0"
  default_tls_container_ref = opentelekomcloud_lb_certificate_v2.elb_certificates[0].id
  sni_container_refs = [
    for s in opentelekomcloud_lb_certificate_v2.elb_certificates : s.id
  ]
}

Configuration after changes (2 elb certificates are being deleted)

resource "opentelekomcloud_lb_certificate_v2" "elb_certificates" {
  count       = 1 # <-- Only change, from 3 to 1
  name        = "pixx${count.index}.com"
  domain      = "pixx${count.index}.com"
  private_key = file("/home/linux/ssl-${count.index}/priv.key")
  certificate = file("/home/linux/ssl-${count.index}/cert.crt")
}

# Resource elb_listener is the same

Debug Output/Panic Output

"Terraform show" with the original config

# module.network.opentelekomcloud_lb_listener_v2.elb_listener:
resource "opentelekomcloud_lb_listener_v2" "elb_listener" {
    admin_state_up            = true
    default_tls_container_ref = "00751e5d484444128ea66729d50a9374"
    http2_enable              = true
    id                        = "21262b19-66a8-40f8-98e7-b319c940c452"
    loadbalancer_id           = "fd2fa867-d20d-47d7-984a-6bf39a938163"
    name                      = "test"
    protocol                  = "TERMINATED_HTTPS"
    protocol_port             = 4443
    region                    = "eu-de"
    sni_container_refs        = [
        "00751e5d484444128ea66729d50a9374",
        "457570f039fe4b3fadad73dd488c952a",
        "984a79a6acc246509b9b28bed442974d",
    ]
    tags                      = {}
    tenant_id                 = "de4912e595164e3e932d57ec8b0469f3"
    tls_ciphers_policy        = "tls-1-0"
}

"Terraform apply" with the configuration after changes (count from 3 to 1)

  # module.network.opentelekomcloud_lb_certificate_v2.elb_certificates[1] will be destroyed
  - resource "opentelekomcloud_lb_certificate_v2" "elb_certificates" {
      - certificate = <<-EOT
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
        EOT -> null
      - create_time = "2021-03-30 14:14:55" -> null
      - domain      = "pixx1.com" -> null
      - id          = "457570f039fe4b3fadad73dd488c952a" -> null
      - name        = "pixx1.com" -> null
      - private_key = <<-EOT
            -----BEGIN PRIVATE KEY-----
            ...
            -----END PRIVATE KEY-----
        EOT -> null
      - region      = "eu-de" -> null
      - type        = "server" -> null
      - update_time = "2021-03-30 14:16:08" -> null
    }

  # module.network.opentelekomcloud_lb_certificate_v2.elb_certificates[2] will be destroyed
  - resource "opentelekomcloud_lb_certificate_v2" "elb_certificates" {
      - certificate = <<-EOT
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
        EOT -> null
      - create_time = "2021-03-30 14:14:55" -> null
      - domain      = "pixx2.com" -> null
      - id          = "984a79a6acc246509b9b28bed442974d" -> null
      - name        = "pixx2.com" -> null
      - private_key = <<-EOT
            -----BEGIN PRIVATE KEY-----
            ...
            -----END PRIVATE KEY-----
        EOT -> null
      - region      = "eu-de" -> null
      - type        = "server" -> null
      - update_time = "2021-03-30 14:16:08" -> null
    }

  # module.network.opentelekomcloud_lb_listener_v2.elb_listener will be updated in-place
  ~ resource "opentelekomcloud_lb_listener_v2" "elb_listener" {
        id                        = "21262b19-66a8-40f8-98e7-b319c940c452"
        name                      = "test"
      ~ sni_container_refs        = [
            "00751e5d484444128ea66729d50a9374",
          - "457570f039fe4b3fadad73dd488c952a",
          - "984a79a6acc246509b9b28bed442974d",
        ]
        tags                      = {}
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 2 to destroy.

Steps to Reproduce

  1. Create an opentelekomcloud_lb_certificate_v2 resource with "count" (the list should have at least 2 entries)
  2. Create an opentelekomcloud_lb_listener_v2 resource and assign the lb_certificates from step 1 to the sni_container_refs variable via a for loop
  3. Run the file with terraform apply
  4. Reduce the count in the newly created opentelekomcloud_lb_certificate_v2 resource (in reality you would delete some certificates from the elastic load balancer)
  5. Run terraform apply again

Expected Behavior

Terraform first updates the opentelekomcloud_lb_listener_v2 resource and removes the lb_certificates from the sni_container_refs list (as they are deleted), and then removes the certificates from the Elastic Load Balancer

Actual Behavior

Terraform tries to delete the certificates from the Elastic Load Balancer before removing them from the sni_container_refs list, which is not possible and results in a timeout

Additional Information

A short summary of my case and problem:

I use the resource opentelekomcloud_lb_listener_v2 in Terraform as a list with all certificates the load balancer should have (for simplicity I use only count = 3 in the original configuration above, but in reality I have a list in my .tfvars file with all certificates).

After that, I want to use some of these certificates in an SNI list for my public HTTPS load balancer. So I have a for loop inside the sni_container_refs variable that returns a list of all the certificate ids I want to use (you can see the final result in the terraform show output).

Now I want to delete some certificates as they may have expired.
In the above configuration (see configuration after changes) I just reduced the count number to 1. In reality I would delete some entries from my list in the .tfvars file.
The above output from terraform apply shows the right things: the two certificates are deleted and removed from the list in the sni_container_refs variable.
But after the apply, terraform tries to delete the certificates before removing them from the sni_container_refs variable, which is not possible (at least that's my guess) and therefore leads to a timeout after 5 minutes.

@outcatcher outcatcher added this to the v1.23.7 milestone Mar 30, 2021
@grafburg grafburg changed the title Timeout when deleting an ELB certificate assigned to a listener Timeout when deleting an ELB certificate assigned to sni_container_refs inside a lb_listener Mar 30, 2021
@grafburg grafburg changed the title Timeout when deleting an ELB certificate assigned to sni_container_refs inside a lb_listener Timeout when deleting a lb_certificate assigned to sni_container_refs inside a lb_listener Mar 30, 2021
@outcatcher outcatcher self-assigned this Apr 12, 2021
otc-zuul bot pushed a commit that referenced this issue Apr 14, 2021
Get rid of acc test workaround for `lb_listener`

Summary of the Pull Request
Make default_tls_container_ref and client_ca_tls_container_ref computed
Change type of sni_container_refs to TypeSet
Part of #981
PR Checklist

 Refers to: #981 #944
 Tests added/passed.
 Schema updated.

Acceptance Steps Performed
=== RUN   TestAccLBV2Listener_basic
--- PASS: TestAccLBV2Listener_basic (86.02s)
=== RUN   TestAccLBV2Listener_tls
--- PASS: TestAccLBV2Listener_tls (83.56s)
PASS

Process finished with the exit code 0

Reviewed-by: Rodion Gyrbu <fpsoff@outlook.com>
Reviewed-by: Anton Sidelnikov <None>
Reviewed-by: None <None>
@outcatcher outcatcher modified the milestones: v1.23.7, v1.23.8 Apr 15, 2021
@outcatcher outcatcher added the bug label Apr 16, 2021
@otc-zuul otc-zuul bot closed this as completed in #987 Apr 20, 2021
otc-zuul bot pushed a commit that referenced this issue Apr 20, 2021
Fix certificate deletion

Summary of the Pull Request
Remove certificate from listeners if the deletion fails
Fixes #944
PR Checklist

 Refers to: #944
 Tests added/passed.

Acceptance Steps Performed
=== RUN   TestAccLBV2ListenerSni
--- PASS: TestAccLBV2ListenerSni (416.19s)
PASS

Process finished with the exit code 0

Reviewed-by: None <None>
Reviewed-by: Rodion Gyrbu <fpsoff@outlook.com>
Reviewed-by: Anton Sidelnikov <None>
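The ordering the reporter describes (the certificate delete is attempted while a listener still lists it in sni_container_refs) and the approach the fixing commit above summarizes, "remove certificate from listeners if the deletion fails", shown as an added example in Go. This is illustrative code written for this page, not the provider's implementation: the CertClient interface, the in-memory fakeClient and the function names are assumptions, and the IDs are the ones from the terraform show output above, reused here as constructed sample data. It also adds a caveat the commit summary does not state: a certificate that is a listener's default_tls_container_ref is refused rather than detached, because a TERMINATED_HTTPS listener cannot serve without a default certificate.

```go
package main

import (
	"errors"
	"fmt"
)

// Sample IDs taken from the terraform show output in the issue (constructed test data).
const (
	listenerID  = "21262b19-66a8-40f8-98e7-b319c940c452"
	certDefault = "00751e5d484444128ea66729d50a9374" // default_tls_container_ref, also in the SNI list
	certPixx1   = "457570f039fe4b3fadad73dd488c952a" // elb_certificates[1], removed by count 3 -> 1
	certPixx2   = "984a79a6acc246509b9b28bed442974d" // elb_certificates[2], removed by count 3 -> 1
)

// Listener holds the two listener attributes that can reference a certificate.
type Listener struct {
	ID                     string
	DefaultTLSContainerRef string
	SNIContainerRefs       []string
}

// ErrCertificateInUse models the API refusing to delete a certificate a listener still uses.
var ErrCertificateInUse = errors.New("certificate is still referenced by a listener")

// CertClient is a hypothetical minimal client for this example, not the SDK's real API.
type CertClient interface {
	DeleteCertificate(id string) error
	ListListeners() []Listener
	UpdateListener(l Listener) error
}

// DeleteCertificateDetaching deletes certID. If the API refuses because a listener still
// lists it under sni_container_refs, the reference is removed from every such listener and
// the delete is retried once. A listener's default_tls_container_ref is never detached.
func DeleteCertificateDetaching(c CertClient, certID string) error {
	err := c.DeleteCertificate(certID)
	if err == nil || !errors.Is(err, ErrCertificateInUse) {
		return err
	}
	for _, l := range c.ListListeners() {
		if l.DefaultTLSContainerRef == certID {
			return fmt.Errorf("certificate %s is the default certificate of listener %s; replace it first", certID, l.ID)
		}
		kept := make([]string, 0, len(l.SNIContainerRefs))
		for _, ref := range l.SNIContainerRefs {
			if ref != certID {
				kept = append(kept, ref)
			}
		}
		if len(kept) < len(l.SNIContainerRefs) { // only touch listeners that actually reference it
			l.SNIContainerRefs = kept
			if err := c.UpdateListener(l); err != nil {
				return fmt.Errorf("detach %s from listener %s: %w", certID, l.ID, err)
			}
		}
	}
	return c.DeleteCertificate(certID)
}

// fakeClient is an in-memory stand-in for the ELB API, constructed for this example.
type fakeClient struct {
	certs     map[string]bool
	listeners []Listener
}

func newFakeClient() *fakeClient {
	return &fakeClient{
		certs: map[string]bool{certDefault: true, certPixx1: true, certPixx2: true},
		listeners: []Listener{{
			ID:                     listenerID,
			DefaultTLSContainerRef: certDefault,
			SNIContainerRefs:       []string{certDefault, certPixx1, certPixx2},
		}},
	}
}

// DeleteCertificate refuses while any listener references the id, as the real API did in the issue.
func (f *fakeClient) DeleteCertificate(id string) error {
	for _, l := range f.listeners {
		if l.DefaultTLSContainerRef == id {
			return ErrCertificateInUse
		}
		for _, ref := range l.SNIContainerRefs {
			if ref == id {
				return ErrCertificateInUse
			}
		}
	}
	delete(f.certs, id)
	return nil
}

func (f *fakeClient) ListListeners() []Listener { return f.listeners }

func (f *fakeClient) UpdateListener(l Listener) error {
	for i := range f.listeners {
		if f.listeners[i].ID == l.ID {
			f.listeners[i] = l
		}
	}
	return nil
}
```

Against the fake, deleting the two SNI-only certificates succeeds after one detach-and-retry each and leaves the listener with just the default certificate in its SNI list, while deleting the default certificate fails fast instead of leaving a half-configured TERMINATED_HTTPS listener behind.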