-
Notifications
You must be signed in to change notification settings - Fork 27
ACME provider does trigger cert renewal/replacement despite being below min_days_remaining #15
Comments
Hey @ryan-mf, just noting what we talked about on Hangops so that it's logged: It looks like the renewal is happening, but since there are no resources in this config that depend on the certificate in the immediate config, the cert is being updated silently and the only way you might be able to tell is by observing the outputs. You can also observe this behaviour by using Obviously, a silent update is not what we want to see here. This is happening because all of the heavy lifting is done in refresh (including renewal), due to the fact that there are no attributes that don't force a new resource at this point in time (the only one that should be that way is I am entertaining the option of just destroying the resource by clearing its ID on expiry, like in the upstream TLS provider certificate resources, but I'll need to fully evaluate the implications of this (doing this is basically telling Terraform that the resource has gone away, and it hasn't 100% - tainting the resource would be a better option). Since lego couples authorizations with certificates, this may mean that re-authorization may need to happen, but the benefit will be much better verbosity in these kinds of cases in the Terraform output. |
Thanks for the feedback @vancluever. I definitely didn't realize there would be no output on an update but now that totally makes sense. I'm juggling a bunch right now but my next SSL renewal will come up in a couple weeks so I'll test to make sure the output changes (ie new public key from Letsencrypt) as discussed. Cheers, |
Hey @ryan-mf - just an update on this one - I have been doing some work on TF core that will help facilitate a fix for this issue. You can track the progress at: hashicorp/terraform#14887 That PR will give providers the ability to customize the diff, allowing us to leave the certificate alone on refresh, instead using the custom diff functionality to check the expiry and setting the certificate to computed in the diff when it has expired. This will trigger an update correctly, and also show it in the diff. I expect it will be a few weeks at least before this feature is live but once it is I'll be adding it to the plugin and working on a new release! |
@vancluever awesome, thanks for the update! |
Hey @ryan-mf - you might have seen but custom diff stuff will not be making it into v0.10. However, in the meantime I've just vendored the fork into this repo and I've been playing with it :) and got good progress :) Check it out! I will probably push out a release with this in the next few days but it will need TF v0.10 to run (you could grab a beta to try it out).
|
Thanks to the new experimental custom diff support, we have been able to make the certificate renewal process more verbose: * Adjusting min_days_remaining does not force a new resource anymore, and will take effect immediately. Ref: #13 * More importantly, certificate renewals now show up in the diff - when a certificate has passed its expiry date, it will be set to computed in the diff, which should propagate down the stack to anything else that depends on it (tests pending on this before this goes fully live). Ref: #15 As part of this work, we are now using partial state in Create and Update, to protect against potential errors that could leave the state inconsistent - namely, the certificate missing, which would only be recoverable by a taint.
@vancluever wow that's awesome, thanks! Can't wait to try it out. |
Hey @ryan-mf, version v0.4.0 is now out which fixes this issue - as such closing this now, but let me know if there's any issues (especially since the update to v0.10.0-beta2 as the base). Cheers! |
@vancluever awesome! I haven't moved to Terraform .10 yet but can't wait to be able to utilize this once I do. Thank you! |
I deployed all of my virtual infrastructure over the past few months with Terraform, and pulled in your awesome ACME plugin for managing SSL certs (thanks by the way!).
Today it's almost been 90 days so it's the first time I went to renew the certs. I have min_days_remaining for my certs set to 7 days, so I figured if I just ran terraform apply on my current state, it would realize my cert(s) were less than 7 days from renewal and kick in. Unfortunately it didn't. Here's my related config:
Note that I did find a simple workaround that's due to #13 - I simply dropped min_days_remaining to 6 and re-ran terraform apply and that got the job done. I have a feeling that bug will eventually be fixed though =)
The text was updated successfully, but these errors were encountered: