
azurerm_nginx_certificate recreates when key_vault_secret_id is modified #22092

Closed
1 task done
agazeley opened this issue Jun 8, 2023 · 5 comments · Fixed by #22100

Comments

@agazeley
Contributor

agazeley commented Jun 8, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.4.6

AzureRM Provider Version

3.58.0

Affected Resource(s)/Data Source(s)

azurerm_nginx_certificate

Terraform Configuration Files

# Pulled from https://github.com/nginxinc/nginxaas-for-azure-snippets/blob/main/snippets/terraform/certificates/main.tf

terraform {
  required_version = "~> 1.3"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.57"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}

data "azurerm_client_config" "current" {}

module "prerequisites" {
  source   = "../prerequisites"
  location = var.location
  name     = var.name
  tags     = var.tags
}

# This keyvault is NOT firewalled.
resource "azurerm_key_vault" "example" {
  name                      = var.name
  location                  = var.location
  resource_group_name       = module.prerequisites.resource_group_name
  enable_rbac_authorization = true

  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = false

  sku_name = "standard"

  tags = var.tags
}

# This will give the current user admin permissions on the key vault
resource "azurerm_role_assignment" "current_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_certificate" "example" {
  name         = var.name
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pem-file"
    }

    x509_certificate_properties {
      extended_key_usage = [
        "1.3.6.1.5.5.7.3.1",
        "1.3.6.1.5.5.7.3.2"
      ]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "CN=example.com"
      validity_in_months = 12
    }
  }
  depends_on = [azurerm_role_assignment.current_user]
}

resource "azurerm_role_assignment" "example" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = module.prerequisites.managed_identity_principal_id
}

resource "azurerm_nginx_deployment" "example" {
  name                     = var.name
  resource_group_name      = module.prerequisites.resource_group_name
  sku                      = var.sku
  location                 = var.location
  diagnose_support_enabled = false

  identity {
    type         = "UserAssigned"
    identity_ids = [module.prerequisites.managed_identity_id]
  }

  frontend_public {
    ip_address = [module.prerequisites.public_ip_address_id]
  }
  network_interface {
    subnet_id = module.prerequisites.subnet_id
  }

  tags = var.tags
}

resource "azurerm_nginx_certificate" "example" {
  name                     = var.name
  nginx_deployment_id      = azurerm_nginx_deployment.example.id
  key_virtual_path         = "/etc/nginx/ssl/test.key"
  certificate_virtual_path = "/etc/nginx/ssl/test.crt"
  key_vault_secret_id      = azurerm_key_vault_certificate.example.secret_id
}

resource "azurerm_nginx_configuration" "example" {
  nginx_deployment_id = azurerm_nginx_deployment.example.id
  root_file           = "/etc/nginx/nginx.conf"

  config_file {
    content      = filebase64("${path.module}/nginx.conf")
    virtual_path = "/etc/nginx/nginx.conf"
  }

  config_file {
    content      = filebase64("${path.module}/api.conf")
    virtual_path = "/etc/nginx/site/api.conf"
  }

  depends_on = [
    azurerm_nginx_certificate.example
  ]
}

Debug Output/Panic Output

2023-06-06T22:50:34.872Z [ERROR] provider.terraform-provider-azurerm_v3.59.0_x5: Response contains error diagnostic: tf_proto_version=5.3 tf_req_id=18fa81dc-326d-43dd-b958-aac0dc5f7e6f tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail="deleting Certificate (Subscription: "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
Resource Group Name: "tf-22bc9-e2e-tf-xzpd4e"
Nginx Deployment Name: "tf-22bc9-e2e-tf-xzpd4e"
Certificate Name: "tf-22bc9-e2e-tf-xzpd4e"): polling after CertificatesDelete: context deadline exceeded" diagnostic_severity=ERROR diagnostic_summary="deleting Certificate (Subscription: "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
Resource Group Name: "tf-22bc9-e2e-tf-xzpd4e"
Nginx Deployment Name: "tf-22bc9-e2e-tf-xzpd4e"
Certificate Name: "tf-22bc9-e2e-tf-xzpd4e"): polling after CertificatesDelete: context deadline exceeded" tf_provider_addr=provider tf_resource_type=azurerm_nginx_certificate @module=sdk.proto timestamp=2023-06-06T15:50:34.872-0700
2023-06-06T22:50:34.882Z [ERROR] vertex "azurerm_nginx_certificate.example (destroy)" error: deleting Certificate (Subscription: "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
Resource Group Name: "tf-22bc9-e2e-tf-xzpd4e"
Nginx Deployment Name: "tf-22bc9-e2e-tf-xzpd4e"
Certificate Name: "tf-22bc9-e2e-tf-xzpd4e"): polling after CertificatesDelete: context deadline exceeded

Error: deleting Certificate (Subscription: "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
Resource Group Name: "tf-22bc9-e2e-tf-xzpd4e"
Nginx Deployment Name: "tf-22bc9-e2e-tf-xzpd4e"
Certificate Name: "tf-22bc9-e2e-tf-xzpd4e"): polling after CertificatesDelete: context deadline exceeded

deleting Certificate (Subscription: "ee920d60-90f3-4a92-b5e7-bb284c3a6ce2"
Resource Group Name: "tf-22bc9-e2e-tf-xzpd4e"
Nginx Deployment Name: "tf-22bc9-e2e-tf-xzpd4e"
Certificate Name: "tf-22bc9-e2e-tf-xzpd4e"): polling after
CertificatesDelete: context deadline exceeded

Expected Behaviour

Certificate should be deleted and recreated only on changes to the 'name' field.

Actual Behaviour

Certificate is deleted and recreated on all changes to attributes of the certificate.

Steps to Reproduce

  • Create deployment using this example.
  • Create new certificate in AKV
  • Add override.tf file in your working directory containing your new certificate URI
resource "azurerm_nginx_certificate" "example" {
  name                     = var.name
  nginx_deployment_id      = azurerm_nginx_deployment.example.id
  key_virtual_path         = "/etc/nginx/ssl/test.key"
  certificate_virtual_path = "/etc/nginx/ssl/test.crt"
  key_vault_secret_id      = "{NEW_SECRET_URI}"
}
  • Run terraform plan + apply in the same working directory.

Important Factoids

No response

References

https://github.com/nginxinc/nalb-shared/issues/838
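The replacement described above is visible before apply: Terraform's JSON plan records a destroy-and-create as two actions on one resource and, since plan format 1.0, lists the attributes that forced it in `replace_paths`. The following checker is an added example (not code from the issue, the azurerm provider or NGINXaaS) that reads that output and fails when a resource whose replacement interrupts service, such as the certificate a TLS listener is using, would be destroyed first. It assumes the documented `terraform show -json` fields `resource_changes`, `change.actions` and `change.replace_paths`; the embedded plan is a constructed sample with placeholder Key Vault URIs, modelled on changing `key_vault_secret_id`.

```python
"""Flag Terraform plan entries that replace (destroy + create) a resource.

Added example, not part of the original issue or the azurerm provider. It reads
the JSON produced by `terraform show -json tfplan` and reports, per resource,
whether the planned action is an in-place update or a full replacement, and
which attributes triggered the replacement (the `replace_paths` field).
"""
import json
from typing import Dict, List

# Constructed sample of `terraform show -json` output, trimmed to the fields
# this check uses. Key Vault URIs are placeholders, not from a real vault.
SAMPLE_PLAN_JSON = r'''
{
  "format_version": "1.1",
  "resource_changes": [
    {
      "address": "azurerm_nginx_certificate.example",
      "type": "azurerm_nginx_certificate",
      "name": "example",
      "change": {
        "actions": ["delete", "create"],
        "before": {
          "name": "example-cert",
          "key_vault_secret_id": "https://example-kv.vault.azure.net/secrets/old-cert/0000000000000000"
        },
        "after": {
          "name": "example-cert",
          "key_vault_secret_id": "https://example-kv.vault.azure.net/secrets/new-cert/1111111111111111"
        },
        "replace_paths": [["key_vault_secret_id"]]
      }
    },
    {
      "address": "azurerm_nginx_configuration.example",
      "type": "azurerm_nginx_configuration",
      "name": "example",
      "change": {
        "actions": ["update"],
        "before": {"root_file": "/etc/nginx/nginx.conf"},
        "after": {"root_file": "/etc/nginx/nginx.conf"}
      }
    },
    {
      "address": "azurerm_key_vault_certificate.example",
      "type": "azurerm_key_vault_certificate",
      "name": "example",
      "change": {"actions": ["no-op"], "before": {}, "after": {}}
    }
  ]
}
'''

# Resource types whose replacement interrupts service (the TLS listener has no
# certificate between the destroy and the create). Extend for your estate.
DISRUPTIVE_TYPES = {"azurerm_nginx_certificate"}


def is_replacement(actions: List[str]) -> bool:
    """A replacement carries both delete and create in `actions`; their order
    tells destroy-first (the default) from create_before_destroy."""
    return "delete" in actions and "create" in actions


def path_to_str(path: List) -> str:
    """Render a replace_paths entry such as ["certificate_policy", 0, "name"]."""
    return ".".join(str(step) for step in path)


def find_replacements(plan_json: str) -> List[Dict]:
    """Return one record per resource the plan will destroy and recreate."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if not is_replacement(actions):
            continue
        findings.append({
            "address": rc["address"],
            "type": rc["type"],
            "destroy_first": actions[0] == "delete",
            "triggered_by": [path_to_str(p) for p in change.get("replace_paths", [])],
            "disruptive": rc["type"] in DISRUPTIVE_TYPES,
        })
    return findings


def plan_is_safe(plan_json: str) -> bool:
    """CI gate: false when any service-disrupting resource is being replaced."""
    return not any(f["disruptive"] for f in find_replacements(plan_json))


if __name__ == "__main__":
    for f in find_replacements(SAMPLE_PLAN_JSON):
        order = "destroy then create" if f["destroy_first"] else "create then destroy"
        print(f"{f['address']}: replaced ({order}); triggered by "
              f"{', '.join(f['triggered_by']) or 'unknown'}"
              f"{' [service-disrupting]' if f['disruptive'] else ''}")
    raise SystemExit(0 if plan_is_safe(SAMPLE_PLAN_JSON) else 1)
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan | python3 check_plan.py` after swapping `SAMPLE_PLAN_JSON` for `sys.stdin.read()`; a non-zero exit stops the pipeline before the certificate is destroyed, so a rotation blocked by ForceNew is caught at review time rather than as the timed-out delete in the debug output above.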

@agazeley
Contributor Author

agazeley commented Jun 8, 2023

I am filing this issue as a member of the product team for NGINXaaS for Azure. We are interested in knowing why the implementation is this way based on the OpenAPI spec. Is it necessary to have a PATCH endpoint in order for the Terraform team to implement update behavior? Is it possible to mark it so as not to recreate? We are looking to open a dialogue with the Azure Terraform team around improving our product's Terraform experience for our customers.

@UnwashedMeme

The argument is currently marked as ForceNew

The underlying API PUT method is safe for create or update and for changing this field on an existing certificate. Is it safe to just change ForceNew: false for this argument?

@wuxu92
Contributor

wuxu92 commented Jun 9, 2023

@agazeley @UnwashedMeme thanks for filing this. This resource did not implement Update because of missing knowledge of which parts are updatable in the swagger. Besides your information above, could you please confirm whether all or some of key_virtual_path, certificate_virtual_path and key_vault_secret_id are updatable? I'll submit a PR to support the update then.

Please also check whether all these fields are required when creating an nginx certificate resource. Thanks.

@agazeley
Contributor Author

agazeley commented Jun 9, 2023

@agazeley @UnwashedMeme thanks for filing this. This resource did not implement Update because of missing knowledge of which parts are updatable in the swagger. Besides your information above, could you please confirm whether all or some of key_virtual_path, certificate_virtual_path and key_vault_secret_id are updatable? I'll submit a PR to support the update then.

Please also check whether all these fields are required when creating an nginx certificate resource. Thanks.

All of those fields are able to be updated. Thank you for the quick fix! Left one minor comment on the PR.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 26, 2024