DXE-2805 terraform import akamai_edge_hostname not importing certificate #338

Open
BAu0002 opened this issue Aug 26, 2022 · 13 comments

@BAu0002

BAu0002 commented Aug 26, 2022

I'm trying to import an Enhanced TLS edge hostname.
I ran code like:

```
terraform import akamai_edge_hostname.example ehn_123,ctr_1-AB123,grp_123
```

When I run plan, it shows the resource is going to be deleted and reconstructed.

```
akamai_edge_hostname.hostname must be replaced

-/+ resource "akamai_edge_hostname" "hostname" {
  + certificate = # forces replacement
  ~ contract = "ctr_1-AB123" -> (known after apply)
  ~ group = "grp_123" -> (known after apply)
  ~ id = "ehn_123" -> (known after apply)
  ...
}
```

Am I missing something?

@wzagrajcz
Contributor

Hello @BAu0002,
Thank you for bringing that to our attention. That looks like an issue on our side, as running plan straight after import should not show any changes.
Can you please provide a snippet of your configuration so we can solve your issue?

Thanks and best regards,
Wojciech

@BAu0002
Author

BAu0002 commented Aug 30, 2022

```hcl
resource "akamai_edge_hostname" "hostname" {
  product_id    = <product.id>
  contract_id   = <contract.id>
  group_id      = <group.id>
  ip_behavior   = "IPV6_COMPLIANCE"
  edge_hostname = var.edgeHostname
  certificate   = var.certificateEnrollmentId > 0 ? var.certificateEnrollmentId : null
}
```

@rue-ddujnic

I ran into the same issue. To work around it, I pulled the state, manually edited it, and pushed it back up.

To have a terraform plan see No Changes on the resource, I had to update these three fields so that they matched what the Akamai Console displayed.

  • certificate
  • ip_behavior
  • product_id

@Slonimskaia Slonimskaia changed the title terraform import akamai_edge_hostname not importing certificate DXE-1520 terraform import akamai_edge_hostname not importing certificate Sep 21, 2022
@mimazaka
Contributor

We dropped product id and certificate from import. Also tested and seems to be repaired in scope of issue ip_behavior.

@james-downing

I'm currently creating some Akamai Terraform modules and have come across this for the akamai_edge_hostname resource.

Initially I ran into the same "must be replaced" issue, which led me here. As @mimazaka mentioned, after pulling the state locally I can see certificate and product_id have been set to null and an empty string:

```
...
"certificate": null,
"product_id": "",
```

My original implementation set certificate to the enrollment id of the edge hostname's original certificate, e.g.:
To create the edge hostname foo.host.edgekey.net, pass in the enrollment_id for foo.host. Passing in this value still results in the recreation attempt, though looking at the existing edge hostname within the console this is the only id I can see related to the edge hostname.

Setting product_id = "" and certificate = null within the resource does result in no changes; however, will this still work when attempting to create new edge hostnames? If so, the edge hostname docs should be updated to reflect this please.
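
A check for the state gap described in the comments above, written as an added example (not code from any commenter or from the Akamai provider): it scans `terraform state pull` output for managed `akamai_edge_hostname` instances whose `certificate` or `product_id` is null or empty. The sample state, its IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform state pull` output (state v4).
# All IDs and the enrollment number are placeholders, not real values.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "akamai_edge_hostname", "name": "imported",
     "instances": [{"attributes": {
         "id": "ehn_123", "edge_hostname": "foo.host.edgekey.net",
         "certificate": None, "product_id": ""}}]},
    {"module": "module.edge", "mode": "managed",
     "type": "akamai_edge_hostname", "name": "created",
     "instances": [{"index_key": "bar", "attributes": {
         "id": "ehn_456", "edge_hostname": "bar.host.edgekey.net",
         "certificate": 12345, "product_id": "prd_Site_Accel"}}]},
    {"mode": "data", "type": "akamai_contract", "name": "c",
     "instances": [{"attributes": {"id": "ctr_1-AB123"}}]},
]})

# The two attributes the thread reports as null / "" after import.
CHECKED = ("certificate", "product_id")


def address(res, inst):
    """Build the Terraform resource address for one state instance."""
    addr = f'{res["type"]}.{res["name"]}'
    if res.get("module"):
        addr = f'{res["module"]}.{addr}'
    if "index_key" in inst:
        addr += f'[{json.dumps(inst["index_key"])}]'
    return addr


def find_import_gaps(state_json):
    """Map each managed edge hostname to the checked attributes unset in state."""
    gaps = {}
    for res in json.loads(state_json).get("resources", []):
        if (res.get("mode"), res.get("type")) != ("managed", "akamai_edge_hostname"):
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            missing = [k for k in CHECKED if attrs.get(k) in (None, "")]
            if missing:
                gaps[address(res, inst)] = missing
    return gaps


if __name__ == "__main__":
    for addr, missing in find_import_gaps(SAMPLE_STATE).items():
        print(f"{addr}: unset in state: {', '.join(missing)}")
```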

@Slonimskaia
Contributor

Hi @james-downing,

Thank you for pointing it out. It seems that there are still some issues on this resource. We need some time for investigation and will get back to you soon.

Best regards,
Tatiana Slonimkaia

@Slonimskaia Slonimskaia changed the title DXE-1520 terraform import akamai_edge_hostname not importing certificate DXE-2805 terraform import akamai_edge_hostname not importing certificate Jun 22, 2023
@vegardengen

vegardengen commented Jul 20, 2023

I think this bug is likely related to the issue I ran into today.

I created edge hostname resources referencing an old certificate which was not to be used for this edge hostname. We don't manage the certificates in terraform for now.

When updating the edge hostname resource, I got this during plan:

```
-/+ resource "akamai_edge_hostname" "XXXX" {
      ~ certificate   = <old> -> <new> # forces replacement
      ~ contract      = "XXXXXX" -> (known after apply)
      ~ group         = "XXXXXX" -> (known after apply)
      ~ id            = "XXXXXXX" -> (known after apply)
      ~ product       = "prd_Site_Accel" -> (known after apply)
        # (5 unchanged attributes hidden)
    }
```

Then during apply:

```
akamai_edge_hostname.XXXXXX: Destroying... [id=XXXXXX]
akamai_edge_hostname.XXXXXX-no: Destruction complete after 0s
akamai_property_activation.XXXXXXX: Modifying... [id=XXXXXX:PRODUCTION]
akamai_edge_hostname.XXXXXXX: Creating...
akamai_edge_hostname.XXXXXXX: Creation complete after 2s [id=XXXXXX]
```

I see that the edge hostname is still using the old certificate.
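
An added example, not part of the comment above or of the provider's code: a CI guard that reads the JSON form of a saved plan (`terraform show -json`) and fails when any `akamai_edge_hostname` would be destroyed and recreated, so a certificate-driven replacement is caught before apply. The sample plan and function names are constructed; `replace_paths` is read from Terraform's JSON plan output and treated as optional.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses and the enrollment number are placeholders, not real values.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "akamai_edge_hostname.hostname", "type": "akamai_edge_hostname",
     "change": {"actions": ["delete", "create"],
                "before": {"certificate": None, "product_id": ""},
                "after": {"certificate": 12345, "product_id": "prd_Site_Accel"},
                "replace_paths": [["certificate"], ["product_id"]]}},
    {"address": "akamai_edge_hostname.stable", "type": "akamai_edge_hostname",
     "change": {"actions": ["no-op"],
                "before": {"certificate": 12345}, "after": {"certificate": 12345}}},
    {"address": "akamai_property_activation.prod",
     "type": "akamai_property_activation",
     "change": {"actions": ["update"], "before": {}, "after": {}}},
]})


def edge_hostname_replacements(plan_json):
    """List (address, attributes forcing replacement) for edge hostnames
    that the plan would destroy and recreate."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "akamai_edge_hostname":
            continue
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        # Replacement appears as delete+create in either order.
        if "delete" in actions and "create" in actions:
            forced = [".".join(str(step) for step in path)
                      for path in change.get("replace_paths") or []]
            findings.append((rc["address"], forced))
    return findings


def gate(plan_json):
    """CI exit status: 1 when any edge hostname would be replaced, else 0."""
    return 1 if edge_hostname_replacements(plan_json) else 0


if __name__ == "__main__":
    for addr, forced in edge_hostname_replacements(SAMPLE_PLAN):
        print(f"BLOCK {addr}: replacement forced by {forced or 'unknown'}")
    raise SystemExit(gate(SAMPLE_PLAN))
```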

@james-downing

Similarly to what @vegardengen noticed, we recently had the requirement of creating new edge hostnames while still managing imported hostnames. Obviously this isn't possible when setting:

```
...
"certificate": null,
"product_id": "",
```

By setting the correct certificate and product_id values, any new edge_hostnames were correctly generated. All of the previously imported hostnames were due for replacement (being destroyed and recreated) by Terraform. These all completed successfully according to Terraform; however, within the Akamai UI I believe they haven't actually been updated at all.

@hypnotisttom

hypnotisttom commented Feb 1, 2024

> We dropped product id and certificate from import. Also tested and seems to be repaired in scope of issue ip_behavior.

This is definitely causing a problem for us.

Without the product and certificate in the import, the EHN wants to replace when we update the contacts on the certificate.
We cannot exclude the cert in lifecycle rules because there are valid times to update the ehn when the cert ID does change.
We cannot have the EHN replace itself due to cert contact updates.

An EHN provisioned by the TF does show the cert and product in the state, so we would expect the import to bring those fields in as well.

How should we go about solving this?

@mimazaka @aka-mark

@david-raine

bump. This is also a PITA for us. Though the ehn destroy/create is fast enough, it always results in a change notice for us, indicating that something changed.

@lkowalsk-akamai-com
Contributor

There were some changes in this area that should make things more clear:
"Added validation to raise an error if the creation of the akamai_edge_hostname resource is attempted with an existing edge hostname.
Added validation to raise an error during the update of akamai_edge_hostname resource for the immutable fields: 'product_id' and 'certificate'."

@hypnotisttom

hypnotisttom commented Apr 2, 2024

Hi @lkowalsk-akamai-com,

In testing this on v6.0.0, the validations make the issue worse.

The import was not fixed, so product_id and certificate are missing from state upon import, thus the first plan after import triggers the validation.

Preliminary testing on 5.6.0 was leaning towards the EHNs not actually regenerating thus not actually forcing a replacement like the plan was saying. So, fixing it from detecting a drift was one option. We were waiting to confirm our suspicions and could run the apply in this case if the EHN wasn't regenerated.

However, I do like the validation method. The only thing is we need import of EHNs to bring in those two fields, otherwise the validation will trigger immediately upon import, and there's no workaround for us.

I have attempted both a plan of the 5.6 force-replacement using 6.0 and got the validation error; I have also attempted a state rm and import of the EHN on 6.0 and got the validation.

We need a way for import to work.

Please advise.

Thanks!

CC: @aka-mark

@aka-mark
Member

aka-mark commented Apr 4, 2024

Re-opening to review updated comments.
