@Codelax Codelax commented Aug 7, 2024

This caused the value to differ from the requested input, and this can lead to issues in Terraform if the value is used in other resources.
Also, as it cannot be updated, it seems right to assume the local key is the correct key.

@Codelax Codelax added bug iam IAM issues, bugs and feature requests labels Aug 7, 2024
@Codelax Codelax self-assigned this Aug 7, 2024

codecov-commenter commented Aug 7, 2024

Codecov Report

Attention: Patch coverage is 68.00000% with 8 lines in your changes missing coverage. Please review.

Project coverage is 67.69%. Comparing base (fe86049) to head (ad2803f).
Report is 471 commits behind head on master.

Files with missing lines Patch % Lines
internal/services/iam/ssh_key_data_source.go 68.42% 5 Missing and 1 partial ⚠️
internal/services/iam/ssh_key.go 66.66% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2695      +/-   ##
==========================================
- Coverage   71.43%   67.69%   -3.74%     
==========================================
  Files         277      339      +62     
  Lines       35875    40108    +4233     
==========================================
+ Hits        25628    27153    +1525     
- Misses       8028    10647    +2619     
- Partials     2219     2308      +89     


@remyleone remyleone marked this pull request as draft August 7, 2024 14:04
@remyleone
Member

Could you do additional testing to ensure that the formatting happening in the Terraform state is consistent with the key stored on the IAM backend?

@remyleone remyleone added the priority:highest Bugs filled by customers, security issues label Nov 12, 2024
@Codelax Codelax force-pushed the fix/iam-ssh-key-public-key-formatted branch from 2816600 to ad2803f Compare December 6, 2024 13:39

Codelax commented Dec 6, 2024

My test config to reproduce issue:

provider "scaleway" {
  alias = "project"
}

resource "scaleway_account_project" "project" {
  provider = scaleway.project
}

provider "scaleway" {
  project_id = scaleway_account_project.project.id
}

resource "scaleway_iam_ssh_key" "key1" {
  public_key = "<key with comment>"
}

resource "scaleway_iam_ssh_key" "key2" {
  public_key = "<key with comment>"
}

locals {
  ssh_keys_hash = sha256(join(",", [
    scaleway_iam_ssh_key.key1.public_key,
    scaleway_iam_ssh_key.key2.public_key,
  ]))
}

resource "scaleway_vpc_public_gateway_ip" "ip" {}

resource "scaleway_vpc_public_gateway" "main" {
  ip_id            = scaleway_vpc_public_gateway_ip.ip.id
  name             = "public_gateway_demo"
  type             = "VPC-GW-S"
  tags             = ["demo", "terraform"]
  bastion_enabled  = true
  bastion_port     = 61000
  refresh_ssh_keys = local.ssh_keys_hash
}

╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for scaleway_vpc_public_gateway.main to include new values learned so far during apply, provider "registry.terraform.io/scaleway/scaleway" produced an invalid new value for
│ .refresh_ssh_keys: was cty.StringVal("eef68507164b6240c5762450b95ce55db6cc42881993925ae07f199c44799753"), but now cty.StringVal("b904cb7ca20b3fecf6270a011ba0fedc68d83493f0a93b5b003dcc98fd8e9493").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵


Codelax commented Dec 6, 2024

Terraform does not allow required fields to be computed. This means that we cannot rely on the API for its formatting of the key.
I don't think we should try to implement API behavior locally in a StateFunc. I don't see any other solution; I'm open to ideas.

In my given config, we can use a variable to store the key and use this variable for key creation and hashing.

@Codelax Codelax closed this Dec 6, 2024
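
The mismatch discussed in this thread, as an added example that is not code from this pull request or from the provider: it checks whether a configured key and a stored key carry the same key material but differ as strings, and shows that a `sha256(join(",", ...))` over the two forms then differs. It assumes the stored form differs only by dropping the trailing comment (the thread does not show the API's exact output); the function names and the sample key are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// keyMaterial returns "<type> <base64 blob>" from an authorized_keys-style line, dropping any comment.
func keyMaterial(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", fmt.Errorf("expected '<type> <base64> [comment]', got %d field(s)", len(f))
	}
	if _, err := base64.StdEncoding.DecodeString(f[1]); err != nil {
		return "", fmt.Errorf("key blob is not base64: %w", err)
	}
	return f[0] + " " + f[1], nil
}

// hashKeys mirrors the config's sha256(join(",", [...])) expression.
func hashKeys(keys ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(keys, ",")))
	return hex.EncodeToString(sum[:])
}

// commentOnlyDrift reports whether both strings hold the same key material but differ as strings.
func commentOnlyDrift(configured, stored string) (bool, error) {
	a, err := keyMaterial(configured)
	if err != nil {
		return false, err
	}
	b, err := keyMaterial(stored)
	if err != nil {
		return false, err
	}
	return a == b && configured != stored, nil
}

func main() {
	// Constructed sample: the blob is placeholder base64, not a real key.
	configured := "ssh-ed25519 QUFBQWNvbnN0cnVjdGVkLWtleS1ibG9i user@laptop"
	stored, _ := keyMaterial(configured) // assumed stored form: comment dropped
	drift, _ := commentOnlyDrift(configured, stored)
	fmt.Println("comment-only drift:", drift)
	fmt.Printf("configured: %s\nstored:     %s\n", hashKeys(configured, configured), hashKeys(stored, stored))
}
```

Hashing the value held in a variable, as suggested in the last comment, keeps the hash input independent of whichever form ends up in state.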