Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_iam_user_ssh_key incorrectly reports updating of the key value #10160

Closed
hamstah opened this issue Nov 16, 2016 · 1 comment
Closed

aws_iam_user_ssh_key incorrectly reports updating of the key value #10160

hamstah opened this issue Nov 16, 2016 · 1 comment
Labels
bug provider/aws

Comments

@hamstah
Copy link

hamstah commented Nov 16, 2016
edited
Loading

Terraform Version

terraform 0.7.7
(looking at the source in master and changelog this should affect 0.7.11 as well)

Affected Resource(s)

aws_iam_user_ssh_key

Terraform Configuration Files

First generate 2 ssh keys and save them as first and second in the current folder

ssh-keygen -t rsa -c first
ssh-keygen -t rsa -c second

resource "aws_iam_user" "nico" {
    name = "nico"
}

resource "aws_iam_user_ssh_key" "nico" {
  username   = "${aws_iam_user.nico.name}"
  encoding   = "PEM"
  public_key = "${file("./first.pub")}"
}

Apply the change.
The key has now been uploaded and attached to the user.

Now change the file from first.pub to second.pub

Run terraform plan
It will show that the resource is going to be updated because the public_key field is different. You can see the first -> second in the plan, as expected.

Run terraform apply
It will show you the change has been applied successfully.

Running terraform plan shows that there are no more change to apply.

Fetch the key with the aws cli

aws iam list-public-ssh-key --user-name nico
aws iam get-public-ssh-key --user-name nico --ssh-public-key-id <id>

and see that the key is the first one, not the second.

This is because the AWS api doesn't allow an update to the public_key field, only the status, as documented here https://docs.aws.amazon.com/cli/latest/reference/iam/update-ssh-public-key.html

Looking at the terraform code https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/resource_aws_iam_user_ssh_key.go#L102 You can see that the resource is only updated if status has changed. The debug log shows

2016/11/16 15:18:22 [DEBUG] Checking resource noop: aws_iam_user_ssh_key.nico2
2016/11/16 15:18:22 [DEBUG] No diff, not a noop

Debug Output

I have logs but they have a lot of resources in them and scrubbing them will take time.
Given the code and the fact that the bug is easy to reproduce I don't think my logs are required, but let me know if you need them.

Expected Behavior

Since the field can't be updated, terraform should flag the resource in the plan and force the user to delete and recreate it. Automatically deleting and recreating the key is another option but would result in a different id generated which might not be safe?

In any case it shouldn't look like the key was updated successfully.

Actual Behavior

See above

Steps to Reproduce

See above
@hashibot hashibot mentioned this issue Jun 13, 2017
Closed
@ghost
Copy link

ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 10, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug provider/aws
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mitchellh @hamstah @hashibot