
Updating to version >=4.9.0 tries to recreate my certificates #173

Closed
Sodki opened this issue Feb 15, 2023 · 5 comments
Labels: impact/regression (Something that used to work, but is now broken), kind/bug (Some behavior is incorrect or out of spec), p0 (Bugs severe enough to interrupt existing work)

Comments

Sodki commented Feb 15, 2023

What happened?

After upgrading to version 4.9.0 or 4.9.1, the provider tries to recreate my certificates. Version 4.8.0 doesn't have this problem. I've noticed the behaviour with pulumi_tls.SelfSignedCert and pulumi_tls.CertRequest, at least.

Expected Behavior

Upgrading the provider should keep my certificates as they are.

Steps to reproduce

I have the following resources using version 4.8.0:

import pulumi_tls

private_key = pulumi_tls.PrivateKey(
    "test",
    algorithm="RSA",
    rsa_bits=2048,
)

certificate = pulumi_tls.SelfSignedCert(
    "test",
    allowed_uses=[],
    private_key_pem=private_key.private_key_pem,
    validity_period_hours=17532,
    subject={
        "commonName": "test",
    },
    is_ca_certificate=True,
)

When upgrading to version 4.9.0 or 4.9.1 and running Pulumi again, the provider tries to recreate my certificates:

$ pulumi up
Previewing update (test):
     Type                         Name       Plan        Info
     pulumi:pulumi:Stack          test-test              3 messages

Details:

$ pulumi pre --diff
Previewing update (test):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::test::pulumi:pulumi:Stack::test-test]
    +-tls:index/selfSignedCert:SelfSignedCert: (replace)
        [id=163756299127691278443768045046878756806]
        [urn=urn:pulumi:test::test::tls:index/selfSignedCert:SelfSignedCert::test]
        [provider: urn:pulumi:test::test::pulumi:providers:tls::default_4_8_0::3d5fd58d-f2b2-48f4-99cf-0ed04b358a7f => urn:pulumi:test::test::pulumi:providers:tls::default_4_9_1::output<string>]
      + allowedUses        : []
      ~ certPem            : "-----BEGIN CERTIFICATE-----\nMIIC2jCCAcKgAwIBAgIQezJQ5dkkgNHd40eadYDfxjANBgkqhkiG9w0BAQsFADAP\nMQ0wCwYDVQQDEwR0ZXN0MB4XDTIzMDIxNTAwNDkyNloXDTI1MDIxNDEyNDkyNlow\nDzENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nALrdMo22GhLlebnNjQ45FpOOzWXSAu9HKRjHH2Udtaf8BbH5F0t0qUamaGUCaKxt\nT37U7SLDDdmoqiLbTMldxN+SHkh6TmXWJiaygbxBaAhtqwBg3njMlOK123CO8fOW\nb51eD9x9vAIpcX4Tzx3pEglm/Ynmy3PhKr/tO7KBuQsSpBSLj6ciugyi1b98aAp8\nQLHnC9BxQ9SymxCW6FVd9fQJsbh/HHv67NtE/mQeuQa847tGbCW8d7WO6n1U32Gm\nC0E/Ti98b60Y0gYx/Li6MO/2vTHjyKBzmRlEpndy4Cy2qvIHO0UPFE7TVpa7vhHm\nUnZc/Ra8BfICfOZO6pA/kMsCAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV\nHQ4EFgQUyrF/T3mhurI5vFt3D5cyhT3HVvQwDQYJKoZIhvcNAQELBQADggEBAIKL\nw3WtXjUU1gEMdoiu+NpoIOP7Mec2RukyWZb7WB2MHWR9KlYKQl3zoNeVlsKvenFR\nd19DHC5zDjjp2Tkls5MG4RuwbprsYcAVF2c2XK1G+SdMxd02lK0KpsbSQqt5DF24\nYhNqurs39+Xm2E4WZuI+HPlAkVcN8p0xr9mZzcyfYOigwasz06rmYhZtJTbc1vs9\n2qqEqTNDCgfNEqj1qCPnhSzrQ9kQlNeAOFNh+irZ1yoAyBLaKSPqthSf0RyX4HYc\nA4gOS+E3+V+ahFcvh04oygJtE3xVdkrNpmMkoI+ueES/TqgRZdq+BFR8veMO5LZV\nW204ENr2roS8jggreAo=\n-----END CERTIFICATE-----\n" => output<string>
        earlyRenewalHours  : 0
      ~ id                 : "163756299127691278443768045046878756806" => output<string>
        isCaCertificate    : true
      ~ keyAlgorithm       : "RSA" => output<string>
        privateKeyPem      : [secret]
        readyForRenewal    : false
      + setAuthorityKeyId  : false
      + setSubjectKeyId    : false
      ~ subject            : {
            commonName        : "test"
          - country           : ""
          - locality          : ""
          - organization      : ""
          - organizationalUnit: ""
          - postalCode        : ""
          - province          : ""
          - serialNumber      : ""
          - streetAddresses   : []
        }
      ~ validityEndTime    : "2025-02-14T12:49:26.124615667Z" => output<string>
        validityPeriodHours: 17532
      ~ validityStartTime  : "2023-02-15T00:49:26.124615667Z" => output<string>
@ previewing update....
Resources:
    +-1 to replace

Output of pulumi about

CLI          
Version      3.55.0
Go Version   go1.20
Go Compiler  gc

Plugins
NAME          VERSION
python        unknown
tls           4.9.1

Host     
OS       fedora
Version  37
Arch     x86_64

This project is written in python: executable='/usr/bin/python3' version='3.11.1'

Dependencies:
NAME                 VERSION
pip                  23.0.0
pulumi-tls           4.9.1

Additional context

No response

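A pre-apply guard for this class of regression, added here as an example and not code from the issue or from pulumi-tls: it reads `pulumi preview --json`, fails when any tls key or certificate is scheduled for replacement, and reports the default-provider version change and the inputs that differ, which is exactly the signal the preview diff above carries. The JSON field names (`steps`, `op`, `urn`, `oldState`/`newState` with `provider` and `inputs`, `replaceReasons`) are assumed from the Pulumi CLI's preview output and should be checked against your CLI version; the sample preview is constructed.

```python
import json
import sys

# Resource types whose replacement would mint a new key or certificate.
GUARDED_TYPES = {"tls:index/selfSignedCert:SelfSignedCert",
                 "tls:index/certRequest:CertRequest", "tls:index/privateKey:PrivateKey"}

# Constructed sample shaped like the preview in this issue (not real CLI output).
SAMPLE_PREVIEW = {"steps": [{
    "op": "replace", "replaceReasons": ["subject"],
    "urn": "urn:pulumi:test::test::tls:index/selfSignedCert:SelfSignedCert::test",
    "oldState": {"provider": "urn:pulumi:test::test::pulumi:providers:tls::default_4_8_0::3d5f",
                 "inputs": {"subject": {"commonName": "test", "country": ""}, "validityPeriodHours": 17532}},
    "newState": {"provider": "urn:pulumi:test::test::pulumi:providers:tls::default_4_9_1::out",
                 "inputs": {"subject": {"commonName": "test"}, "validityPeriodHours": 17532,
                            "setAuthorityKeyId": False, "setSubjectKeyId": False}}}]}

def urn_type(urn):
    # URN layout: urn:pulumi:<stack>::<project>::<type>::<name>
    return urn.split("::")[2]

def provider_version(provider_ref):
    # Default providers are named default_<major>_<minor>_<patch> in the reference.
    for part in provider_ref.split("::"):
        if part.startswith("default_"):
            return part[len("default_"):].replace("_", ".")
    return "explicit"  # user-created provider resource, version not in the name

def guarded_replacements(preview):
    hits = []
    for step in preview.get("steps", []):
        if step.get("op") != "replace" or urn_type(step["urn"]) not in GUARDED_TYPES:
            continue
        old, new = step.get("oldState", {}), step.get("newState", {})
        oi, ni = old.get("inputs", {}), new.get("inputs", {})
        hits.append({"urn": step["urn"],
                     "provider": (provider_version(old.get("provider", "")),
                                  provider_version(new.get("provider", ""))),
                     "changed_inputs": sorted(k for k in set(oi) | set(ni) if oi.get(k) != ni.get(k)),
                     "reasons": step.get("replaceReasons", [])})
    return hits

if __name__ == "__main__":
    # Usage: pulumi preview --json | python check_cert_replace.py  (no stdin: runs the sample)
    preview = SAMPLE_PREVIEW if sys.stdin.isatty() else json.load(sys.stdin)
    hits = guarded_replacements(preview)
    for h in hits:
        print(f"REPLACE {h['urn']}: provider {h['provider'][0]} -> {h['provider'][1]}, inputs {h['changed_inputs']}, forced by {h['reasons']}")
    sys.exit(1 if hits else 0)
```

Wire the non-zero exit into CI so an upgrade that would destroy a CA certificate stops before `pulumi up` runs.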

@Sodki Sodki added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 15, 2023
@t0yv0 t0yv0 added p1 Bugs severe enough to be the next item assigned to an engineer and removed needs-triage Needs attention from the triage team labels Feb 15, 2023
@t0yv0 t0yv0 self-assigned this Feb 15, 2023
@t0yv0 t0yv0 added this to the 0.85 milestone Feb 15, 2023
@t0yv0 t0yv0 pinned this issue Feb 15, 2023
t0yv0 (Member) commented Feb 15, 2023

Thank you for reporting the issue!

I think I can reproduce the issue with upstream also. The previous Pulumi provider version was based on approximately 3.4.0 of upstream, and the new one is ahead of 4.0.4, but even with these versions TF generates replacement plans. There is also hashicorp/terraform-provider-tls#263

The ideal case for us would be if upstream TF provider implemented state upgrades to seamlessly make these upgrades happen. I'll explore what else we can do in the meanwhile.

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      # version = "3.4.0"
      version = "4.0.4"
    }
  }
}

resource "tls_private_key" "test_key" {
  algorithm = "RSA"
  rsa_bits = 2048
}

resource "tls_self_signed_cert" "test_cert" {
  allowed_uses = []
  private_key_pem = tls_private_key.test_key.private_key_pem
  validity_period_hours = 17532
  subject {
    common_name = "test"
  }
  is_ca_certificate = true
}
t0yv0@Antons-MacBook-Pro> terraform plan    ~/tmp/2023/02/pulumi-tls-173
tls_private_key.test_key: Refreshing state... [id=dbdaeca811cd34307f45e80da8b5252bdbb639e8]
tls_self_signed_cert.test_cert: Refreshing state... [id=66944529544721065207896626692832922643]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # tls_self_signed_cert.test_cert must be replaced
-/+ resource "tls_self_signed_cert" "test_cert" {
      ~ cert_pem              = <<-EOT
            -----BEGIN CERTIFICATE-----
            MIIC2jCCAcKgAwIBAgIQMl0MItHkoS3z+FJ5k+yMEzANBgkqhkiG9w0BAQsFADAP
            MQ0wCwYDVQQDEwR0ZXN0MB4XDTIzMDIxNTE1NDcwNVoXDTI1MDIxNTAzNDcwNVow
            DzENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
            AKNUeRwxiA3fMrXYO+YbHmHZpEfs1lFfFPI32ux/RYJA2y31/C6wIdNkK8AUcnGw
            sYuURDIVxvv1UuiaOnTaqYfO+I77vtBOAMJiq7WxM6iC4pYwUTM6+07UOFAbkrMO
            M70vY6dS9TAhirexB/Y3vRgJ9G7kiym4PzlKKF3AlYzyFLYPFPCYJZjTPOEaCJ3S
            LaQNNEQT0NufxZfonnqhx02MMKrqyytKU3eT750DQdZISGJGeNEY8ldpOyw0DK8Y
            xTuHqLwSyf7VCbug3qJUp/1yOgh/fZSm+xLgzmA3q5NaDGl4kwHyEAi4xGD2NENq
            c5CgxnxGi7bTPORWJsCB6IcCAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
            HQ4EFgQUNsO8KZaFrCdG9XXUmdKdhrf352UwDQYJKoZIhvcNAQELBQADggEBAEuC
            7ZAY8X26vBWDUHIBwn+8UjQBmhQHTanlFzXlxshUg0NoDTIeOBnvmenXlchsCga6
            zeDYr08aeUUFA7p6Q9cZfTIGsJXymtyFA8t63e+pIz28IpVonI57jG2AFVlhAtEg
            Y+QvlwyI0NQHTrbjNx/0KjHLgqz2WauWuo+kAEyWsTDQk+nlMJ7SG++CD08GETQN
            xAqwXNCoHKeXHuVpzgRjAFaXN3DBWLe3vb7eeJFeu2sVM1gKhhvWDU5PmBH9Aymr
            ICra39RV6nNwWgNTyfiN4xBvLCbAbFd2viosc0dZo9kk05S8oBHtuPJ7diPEi9GN
            QWl11m2jNREqqUQEkCo=
            -----END CERTIFICATE-----
        EOT -> (known after apply)
      ~ id                    = "66944529544721065207896626692832922643" -> (known after apply)
      ~ key_algorithm         = "RSA" -> (known after apply)
      ~ private_key_pem       = (sensitive value)
      + set_authority_key_id  = false
      + set_subject_key_id    = false
      ~ validity_end_time     = "2025-02-14T22:47:05.022489-05:00" -> (known after apply)
      ~ validity_start_time   = "2023-02-15T10:47:05.022489-05:00" -> (known after apply)
        # (5 unchanged attributes hidden)

      ~ subject { # forces replacement
            # (1 unchanged attribute hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

t0yv0 (Member) commented Feb 15, 2023

@Sodki does upgrading to https://github.com/pulumi/pulumi-tls/releases/tag/v4.10.0 fix the problem for you for the moment? We've reverted upstream to last known working version and pushed another v4.x.x tag.

t0yv0 (Member) commented Feb 15, 2023

The root cause of the issue is hashicorp/terraform-provider-tls#284

At the very least we should have marked the Pulumi upgrade as a major version bump to match the upstream version bump. We may still do so in the future, but unfortunately the manual workarounds from 284 currently do not work on the Pulumi version. I'll need to make this work before attempting the upgrade again.

Sodki (Author) commented Feb 16, 2023

Thank you @t0yv0, version 4.10.0 fixes the problem. 👏

@Sodki Sodki closed this as completed Feb 16, 2023
t0yv0 (Member) commented Feb 16, 2023

Thank you! And apologies for this disruption.

@t0yv0 t0yv0 unpinned this issue Feb 16, 2023
@mikhailshilkov mikhailshilkov added the impact/regression Something that used to work, but is now broken label Mar 28, 2023
@AaronFriel AaronFriel added p0 Bugs severe enough to interrupt existing work and removed p1 Bugs severe enough to be the next item assigned to an engineer labels Apr 4, 2023