Properly force a new resource whenenver the cert is near expiry #1440

benashz · 2022-05-06T22:06:39Z

Affected resources:

vault_pki_secret_backend_cert
vault_pki_secret_backend_sign

The previous approach would leave some computed values out of sync
whenever the certificate determined to be expired. This was
because the approach attempted to leverage a combination of schema CustomizeDiff,
and Update functions, rather than taking advantage of the ability to
mark the resource as requiring replacement within the CustomizeDiff
function itself.

Community Note

Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #835

Release note for CHANGELOG:

Output from acceptance testing:

$ time make testacc TESTARGS='-v -test.run Test*Pki*'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -v -v -test.run Test*Pki* -timeout 30m ./...

[...]

ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
=== RUN   TestPkiSecretBackendCert_basic
--- PASS: TestPkiSecretBackendCert_basic (6.87s)
=== RUN   TestPkiSecretBackendCert_revoke
--- PASS: TestPkiSecretBackendCert_revoke (8.54s)
=== RUN   TestPkiSecretBackendCert_renew
--- PASS: TestPkiSecretBackendCert_renew (11.08s)
=== RUN   TestPkiSecretBackendConfigCA_basic
--- PASS: TestPkiSecretBackendConfigCA_basic (1.71s)
=== RUN   TestPkiSecretBackendConfigUrls_basic
--- PASS: TestPkiSecretBackendConfigUrls_basic (3.16s)
=== RUN   TestPkiSecretBackendCrlConfig_basic
--- PASS: TestPkiSecretBackendCrlConfig_basic (3.87s)
=== RUN   TestPkiSecretBackendIntermediateCertRequest_basic
--- PASS: TestPkiSecretBackendIntermediateCertRequest_basic (1.86s)
=== RUN   TestPkiSecretBackendIntermediateSetSigned_basic
--- PASS: TestPkiSecretBackendIntermediateSetSigned_basic (3.32s)
=== RUN   TestPkiSecretBackendRole_basic
--- PASS: TestPkiSecretBackendRole_basic (3.05s)
=== RUN   TestPkiSecretBackendRootCertificate_basic
--- PASS: TestPkiSecretBackendRootCertificate_basic (10.92s)
=== RUN   TestPkiSecretBackendRootSignIntermediate_basic_default
--- PASS: TestPkiSecretBackendRootSignIntermediate_basic_default (2.86s)
=== RUN   TestPkiSecretBackendRootSignIntermediate_basic_pem
--- PASS: TestPkiSecretBackendRootSignIntermediate_basic_pem (4.25s)
=== RUN   TestPkiSecretBackendRootSignIntermediate_basic_der
--- PASS: TestPkiSecretBackendRootSignIntermediate_basic_der (3.53s)
=== RUN   TestPkiSecretBackendRootSignIntermediate_basic_pem_bundle
--- PASS: TestPkiSecretBackendRootSignIntermediate_basic_pem_bundle (6.56s)
=== RUN   TestPkiSecretBackendRootSignIntermediate_basic_pem_bundle_multiple_intermediates
--- PASS: TestPkiSecretBackendRootSignIntermediate_basic_pem_bundle_multiple_intermediates (3.28s)
=== RUN   TestPkiSecretBackendSign_basic
--- PASS: TestPkiSecretBackendSign_basic (3.75s)
=== RUN   TestPkiSecretBackendSign_renew
--- PASS: TestPkiSecretBackendSign_renew (13.42s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     (cached)
make testacc TESTARGS='-v -test.run Test*Pki*'  4.74s user 5.53s system 386% cpu 2.657 total


...

Affected resources: - resource_pki_secret_backend_cert - resource_pki_secret_backend_sign The previous approach would leave some computed values out of sync whenever the certificate was within the expiry window. This was because it attempted to leverage a combination of schema CustomizeDiff, and Update functions, rather than taking advantage of the ability to mark the resource as requiring replacement with the CustomizeDiff function itself.

- simplify testWaitCertExpiry()

vinay-gopalan

LGTM!

…icorp#1440) Affected resources: - vault_pki_secret_backend_cert - vault_pki_secret_backend_sign The previous approach would leave some computed values out of sync whenever the certificate determined to be expired. This was because the approach attempted to leverage a combination of schema CustomizeDiff, and Update functions, rather than taking advantage of the ability to mark the resource as requiring replacement within the CustomizeDiff function itself. Other fixes: - cleanup related PKI test Terraform. - pki-sign: validate the CSR to the generated certificate

benashz requested a review from vinay-gopalan May 6, 2022 22:06

github-actions bot added the size/L label May 6, 2022

benashz mentioned this pull request May 6, 2022

Mark expiration and serial_number fields as computed during certificate auto_renew #816

Closed

Fix PKI cert renewal test

25f0327

github-actions bot added size/XL and removed size/L labels May 8, 2022

benashz added 2 commits May 8, 2022 12:34

Update tests for PKI sign, fix testWaitCertExpiry()

935ab97

Cleanup PKI test TF

f63a54a

benashz added this to the 3.6.0 milestone May 8, 2022

Validate the CSR to the generated certificate

b6b428a

- simplify testWaitCertExpiry()

vinay-gopalan approved these changes May 9, 2022

View reviewed changes

benashz merged commit 7afeebd into main May 9, 2022

benashz deleted the VAULT-5860/pki-cert-trigger-force-new-on-expiry branch May 9, 2022 19:41

romanobrien mentioned this pull request Nov 18, 2022

Fix: pkiSecretBackendCertResource renewal silently failing without permissions to list all mounts. #1674

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Properly force a new resource whenenver the cert is near expiry #1440

Properly force a new resource whenenver the cert is near expiry #1440

benashz commented May 6, 2022 •

edited

Loading

vinay-gopalan left a comment

Properly force a new resource whenenver the cert is near expiry #1440

Properly force a new resource whenenver the cert is near expiry #1440

Conversation

benashz commented May 6, 2022 • edited Loading

Community Note

vinay-gopalan left a comment

Choose a reason for hiding this comment

benashz commented May 6, 2022 •

edited

Loading