Resolve TF state for PKI Multi-Issuer workflows #1973
Conversation
vinay-gopalan
requested review from
stevendpclark,
fairclothjm,
benashz and
a team
| if err != nil { | ||
| return err | ||
| var cert *x509.Certificate | ||
| isIssuerAPISupported := provider.IsAPISupported(meta, provider.VaultVersion111) |
There was a problem hiding this comment.
Prior to multi-issuer support (<= Vault 1.10), this customize diff would read the default CA in PEM format and compare to what was in the TF state. When there is only one issuer, this makes sense since it will be the default. However, for multiple issuers, all Root Cert resources that are not the default issuer will be forced to be recreated. This was leading users into a constant create-destroy cycle when multiple root certs were added in a TF file.
This update now correctly read the specific issuer's certificate in PEM format, and compare to what is in the TF state. If there is a change in the certificate, the Root Cert is recreated. Also, if an issuer is deleted outside of TF, this update correctly resolves the state by recreating the resource.
This PR aims to address/fix the following issues:
key_name,key_ref) not being written to Vault due to inaccurate conditionals.CustomizeDifffunction not accounting for multi-issuer support. Previously, we were comparing the serials for all root certs to thedefaultissuer's PEM certificate. The function has now been updated to read the PEM certificate for a specific issuer with anissuer_idand compare with the correct serialFixes #1943 #1944 #1968
Release note for CHANGELOG: