Terraform: rc3: refreshing state of tls_cert_request fails

Created on 27 Jul 2016  ·  7 Comments  ·  Source: hashicorp/terraform

related: https://github.com/kubernetes/kubernetes-anywhere/issues/183

Terraform version: Terraform v0.7.0-rc3 (3f4857a07a24f3c9e2db6b4458fbf5be19a8b256)

While this indicates that the tls_cert_requests resources are deprecated, I am hitting an error upon refreshing state.

I was able to successfully deploy, but my deploy script calls terraform apply twice due to a bug in an earlier RC... so it tries to refresh the state and fails:

Error refreshing state: 3 error(s) occurred:

* tls_cert_request.admin: no PEM block found in private_key_pem
* tls_cert_request.node: no PEM block found in private_key_pem
* tls_cert_request.master: no PEM block found in private_key_pem


All 7 comments

For anyone else that hits this. Here's the change. I changed resources.tls_cert_request.* to data.tls_cert_request.*, and updated the references to the resource to instead reference the data source by also specifying data.tls_cert_request.

It doesn't give this error anymore, but it currently feels more like a breaking change than a deprecation, or maybe just a bug in the deprecation.

Hi @colemickens! As per the upgrade guide the correct approach here is to switch out for using data resources as you've found. Thanks for opening an issue and trying out the release candidates!

Hi,

It even gives an error while trying to update a stack which has no changes related to the TLS cert.
We have to use count on TLS assets, hence we cannot currently switch to the data type.

Any other workaround to get rid of error?

  • tls_cert_request.node-crs.1: no PEM block found in private_key_pem
  • tls_cert_request.node-crs.0: no PEM block found in private_key_pem

Similar story here on 0.7.1 - I think this is related to converting from resource to data. After converting to data my state file still had the resource version of tls_cert_request around. If I manually edit the state file & change all tls_cert_request to data.tls_cert_request the error goes away.

Having the same issue. We are using self signed TLS certificates with count parameter (for each node in our cluster) so can't switch to data source yet.

Also, we can only run plan or apply commands with -refresh=false, otherwise we get no PEM block found in private_key_pem error as well.

Hi all,

Sorry for the frustrating back-and-forth here. Discussion elsewhere has made me realize that it was a mistake to convert tls_cert_request to a data source, so in #9035 I'm reverting it back to the previous posture as a managed resource. There were two issues with it as a data source:

  • The signature contains a random nonce, and as with all randomness in Terraform it is necessary for us to model it as a managed resource so that the generated value can be retained in the state for future runs, to allow convergence.
  • The private key is stored in state as a hash rather than as a literal value, which works okay when we have a resource that is only ever "created" (all of the attributes are ForceNew, so we never update this), but breaks if we try to implement the Read action used for refresh because it can't actually obtain the key from the state on subsequent runs. This was the cause of the problem being reported in this issue.

Once #9035 is merged it will be necessary to revert any configurations using data "tls_cert_request" back to resource "tls_cert_request" and any references from ${data.tls_cert_request.foo.cert_request_pem} back to ${tls_cert_request.foo.cert_request_pem}; I made the decision not to preserve compatibility since the first of the two issues above made the data source formulation essentially useless in practice.

Again I'd like to apologize for this sorry state of affairs. In the haste to get a bunch of read-only resources converted to data sources for the 0.7.0 release I got too carried away and didn't do an appropriate amount of real-world testing on this one.
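As an added illustration (not code from this issue or from the TLS provider), the Python sketch below models the second problem described above: a create-only resource can get away with writing only a digest of the private key to state, but a data-source Read that must re-parse the key from state then finds no PEM block and fails with the error reported here. The SHA-1 digest, the helper names and the placeholder key are assumptions.

```python
import hashlib
import re
from typing import Tuple

# Constructed placeholder key: the body is not real key material, only a PEM-shaped string.
SAMPLE_PRIVATE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "TUlJQk9nSUJBQUpCQUtleGFtcGxl\n"
    "-----END RSA PRIVATE KEY-----\n"
)

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def hash_for_state(value: str) -> str:
    """Store a sensitive attribute as a digest instead of the literal value.
    Assumed to be SHA-1 hex here; the exact digest the provider used is not stated on the page."""
    return hashlib.sha1(value.encode()).hexdigest()


def decode_pem(value: str) -> Tuple[str, str]:
    """Return (block type, body) of the first PEM block, or raise the provider's error."""
    match = PEM_BLOCK_RE.search(value)
    if match is None:
        raise ValueError("no PEM block found in private_key_pem")
    return match.group(1), match.group(2)


def create(private_key_pem: str) -> dict:
    """Create-only managed resource: parse the live key once, then persist only its hash.
    All attributes are ForceNew, so nothing ever needs to read the key back."""
    decode_pem(private_key_pem)
    return {"private_key_pem": hash_for_state(private_key_pem)}


def read(state: dict) -> str:
    """Refresh (Read) as a data source: the key must be rebuilt from state alone,
    but state holds a hex digest, so the PEM decoder has nothing to find."""
    try:
        block_type, _ = decode_pem(state["private_key_pem"])
        return "ok: " + block_type
    except ValueError as err:
        return "error: " + str(err)
```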

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
