Terraform Apply does not work on the first execution but works on the second execution when using the TLS provider.
Opened this issue · 1 comments
Terraform CLI and Provider Versions
Terraform v1.7.5
on linux_amd64
- provider registry.terraform.io/hashicorp/local v2.5.1
- provider registry.terraform.io/hashicorp/tls v4.0.5
Terraform Configuration
resource "local_file" "key_data" {
filename = "/tmp/.pki/private_key.pem"
content = tls_private_key.private_key.private_key_pem
file_permission = "0400"
}
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_cert_request" "csr" {
private_key_pem = file("/tmp/.pki/private_key.pem")
depends_on = [ local_file.key_data ]
subject {
common_name = "flexit.com"
organization = "FlexIT Consulting Services"
}
}
Expected Behavior
The resources should have be created
Actual Behavior
On the first time of execution of "Terraform apply" it will lead to an error, but again, running the command without any changes will not lead to any errors.
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
- create
Terraform will perform the following actions:
local_file.key_data will be created
- resource "local_file" "key_data" {
- content = (sensitive value)
- content_base64sha256 = (known after apply)
- content_base64sha512 = (known after apply)
- content_md5 = (known after apply)
- content_sha1 = (known after apply)
- content_sha256 = (known after apply)
- content_sha512 = (known after apply)
- directory_permission = "0777"
- file_permission = "0400"
- filename = "/tmp/.pki/private_key.pem"
- id = (known after apply)
}
tls_cert_request.csr will be created
- resource "tls_cert_request" "csr" {
-
cert_request_pem = (known after apply)
-
id = (known after apply)
-
key_algorithm = (known after apply)
-
subject {
- common_name = "flexit.com"
- organization = "FlexIT Consulting Services"
}
}
-
tls_private_key.private_key will be created
- resource "tls_private_key" "private_key" {
- algorithm = "RSA"
- ecdsa_curve = "P224"
- id = (known after apply)
- private_key_openssh = (sensitive value)
- private_key_pem = (sensitive value)
- private_key_pem_pkcs8 = (sensitive value)
- public_key_fingerprint_md5 = (known after apply)
- public_key_fingerprint_sha256 = (known after apply)
- public_key_openssh = (known after apply)
- public_key_pem = (known after apply)
- rsa_bits = 2048
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
tls_private_key.private_key: Creating...
tls_private_key.private_key: Creation complete after 0s [id=25af835c9684099533320c17d0ee4208bdf7809d]
local_file.key_data: Creating...
local_file.key_data: Creation complete after 0s [id=297e2a6a0f059da4c9746f569f44965c29f986a8]
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for tls_cert_request.csr to include new values learned so
│ far during apply, provider "registry.terraform.io/hashicorp/tls" produced an invalid
│ new value for .private_key_pem: inconsistent values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue
│ tracker.
╵
Steps to Reproduce
terraform apply
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
No response
Code of Conduct
- I agree to follow this project's Code of Conduct
Hey there @RAK5HITHM 👋🏻, thanks for reporting the issue and sorry you're running into trouble here.
From first glance, that error seems to suggest that the file function used in tls_cert_request
is returning different data from the /tmp/.pki/private_key.pem
file between plan and apply (maybe the file already exists on the system running the apply). Running your configuration from scratch I get an error like:
$ terraform validate
╷
│ Error: Invalid function argument
│
│ on main.tf line 13, in resource "tls_cert_request" "csr":
│ 13: private_key_pem = file("/tmp/.pki/private_key.pem")
│ ├────────────────
│ │ while calling file(path)
│
│ Invalid value for "path" parameter: no file exists at "/tmp/.pki/private_key.pem"; this function works only with files that are
│ distributed as part of the configuration source code, so if this file will be created by a resource in this configuration you must
│ instead obtain this result from an attribute of that resource.
The file
function will run at plan time and collect the data of the file before the local_file.key_data
is created.
If your goal is to utilize the PEM data created from the tls_private_key.private_key
resource you can rely on the data that Terraform already knows about in the attributes, something like:
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_cert_request" "csr" {
private_key_pem = tls_private_key.private_key.private_key_pem
subject {
common_name = "flexit.com"
organization = "FlexIT Consulting Services"
}
}