Cannot rotate certificate with routeros_system_certificate import #584
Comments
Hi!

```hcl
resource "routeros_system_certificate" "server_cert" {
  name        = "server"
  common_name = tls_cert_request.server_csr.subject[0].common_name
  import {
    cert_file_name = routeros_file.server_cert.name
    key_file_name  = routeros_file.server_key.name
  }
  depends_on = [routeros_file.server_cert, routeros_file.server_key]
  lifecycle {
    replace_triggered_by = [
      tls_locally_signed_cert.server_cert.cert_pem
    ]
  }
}
```
And yes, thanks for the perfect description of the problem :)
Thanks for the quick reply! You're right, using I wonder though, would it make more sense for And it would also fix another minor annoyance: the certificate import removes the files, so then Terraform recreates those files on the next run even if there are no other changes. So right now my example in the bug description takes two apply runs to reach steady state.
The contents of the key and certificate can be specified in the scenario. An example is available in the documentation.
Describe the bug

I'm trying to manage the TLS certificate on a RouterOS 7.16 device with terraform-routeros/routeros 1.65.1. I create the key and certificate externally and then import with Terraform using `routeros_system_certificate` with `import`. The initial import works fine. But when I try to rotate the certificate, the certificate on RouterOS isn't updated, even though the `routeros_file` resources do get updated.

To Reproduce

This example uses the `hashicorp/tls` provider to implement a basic CA. Then it creates a key and CSR, signs the CSR with the CA, and imports the resulting signed certificate and key into RouterOS. I output the serial of the certificate on RouterOS and the serial of the certificate created by the `tls` provider to make it easy to compare.

The initial apply works as expected:

And this matches the `serial-number` on the device:

Now I'll rotate the certificate by tainting the `tls_locally_signed_cert` to trigger creation of a new certificate: `terraform plan` tells me that `routeros_file.server_key` and `routeros_file.server_cert` will be created, and `tls_locally_signed_cert.server_cert` will be replaced. For some reason it doesn't replace or update `routeros_system_certificate.server_cert`:

And notice that serial numbers don't match any more. The device is still using the old certificate, which we can confirm by running `/certificate/print detail where name="server"` again.

Just to be thorough, we can also verify that the uploaded `routeros_file` resources contain the new certificate. Let's import it with a different name to keep it separate:

Expected behavior

Updating the imported certificates in Terraform should result in the certificates being updated in RouterOS.
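The following is an added, self-contained configuration written for this page to show the rotation-safe pattern discussed in the thread end to end; it is not the reporter's reproduction (which is not reproduced on this page) and not code from the provider's documentation. It builds a small private CA with `hashicorp/tls`, issues a short-lived leaf certificate, uploads the PEMs with `routeros_file`, and imports them with `routeros_system_certificate` guarded by `replace_triggered_by`, so that a new `cert_pem` forces the RouterOS certificate to be destroyed and re-imported instead of being left untouched. Assumptions: `routeros_file` takes `name` and `contents` (attribute names assumed), the provider source addresses are as written, Terraform 1.2 or newer (required for `replace_triggered_by`), and the hostname and CA name are constructed placeholders.

```hcl
terraform {
  required_providers {
    tls      = { source = "hashicorp/tls" }
    routeros = { source = "terraform-routeros/routeros" }
  }
}

# Constructed example values; replace with your own.
locals {
  cert_name = "server"
  cn        = "router.example.internal"
}

# Minimal private CA built with hashicorp/tls.
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 24 * 365 * 5
  allowed_uses          = ["cert_signing", "crl_signing"]
  subject {
    common_name = "Example Internal CA"
  }
}

# Leaf key and CSR for the router.
resource "tls_private_key" "server" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "server_csr" {
  private_key_pem = tls_private_key.server.private_key_pem
  dns_names       = [local.cn]
  subject {
    common_name = local.cn
  }
}

# Short-lived leaf certificate. Tainting this resource, or early_renewal_hours
# kicking in, yields a new certificate with a new serial number.
resource "tls_locally_signed_cert" "server_cert" {
  cert_request_pem      = tls_cert_request.server_csr.cert_request_pem
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = 24 * 90
  early_renewal_hours   = 24 * 14
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# Upload the PEMs to the router's filesystem. RouterOS removes these files
# when the certificate is imported, so Terraform recreates them on the
# following apply; that is expected with this pattern.
# (Attribute name `contents` is an assumption.)
resource "routeros_file" "server_cert" {
  name     = "${local.cert_name}.crt"
  contents = tls_locally_signed_cert.server_cert.cert_pem
}

resource "routeros_file" "server_key" {
  name     = "${local.cert_name}.key"
  contents = tls_private_key.server.private_key_pem
}

# Import into RouterOS. Without replace_triggered_by, a changed cert_pem only
# updates the routeros_file resources and the device keeps the old certificate.
resource "routeros_system_certificate" "server_cert" {
  name        = local.cert_name
  common_name = tls_cert_request.server_csr.subject[0].common_name
  import {
    cert_file_name = routeros_file.server_cert.name
    key_file_name  = routeros_file.server_key.name
  }
  depends_on = [routeros_file.server_cert, routeros_file.server_key]
  lifecycle {
    replace_triggered_by = [tls_locally_signed_cert.server_cert.cert_pem]
  }
}
```

After `terraform taint tls_locally_signed_cert.server_cert` and an apply, confirm the rotation on the device with `/certificate/print detail where name="server"` and compare the `serial-number` against the serial of the new PEM. Because the replace is a destroy followed by a create, also check that anything bound to the certificate by name (for example an HTTPS or API service) still references it after the apply rather than assuming the binding survived the swap.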