Open
Labels
In-Progress (Terraform Team is working on the reproduce & fix), bug
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version and Provider Version
Terraform v1.13.5
on darwin_amd64
+ provider registry.terraform.io/oracle/oci v7.25.0
Affected Resource(s)
oci_certificates_management_certificate_authority
Terraform Configuration Files
resource "oci_certificates_management_certificate_authority" "this" {
  name = "test9"
  compartment_id = "ocid1.compartment.oc1..xxx"
  kms_key_id = "ocid1.key.oc1.uk-cardiff-1.gnuqykieaadq4.xxx"
  certificate_authority_config {
    config_type = "ROOT_CA_GENERATED_INTERNALLY"
    signing_algorithm = "SHA512_WITH_RSA"
    subject {
      common_name = "test9"
    }
    validity {
      time_of_validity_not_after = "2035-11-16T00:00:00.000Z"
    }
  }
  certificate_authority_rules {
    certificate_authority_max_validity_duration = "P3650D"
    leaf_certificate_max_validity_duration = "P90D"
    rule_type = "CERTIFICATE_AUTHORITY_ISSUANCE_EXPIRY_RULE"
  }
}
Debug Output
I manually created the resource and then ran terraform import to see why Terraform wasn't working, and the result shows that Terraform is trying to create a different configuration to what is expected.
  # module.certificate_authority.oci_certificates_management_certificate_authority.this must be replaced
-/+ resource "oci_certificates_management_certificate_authority" "this" {
      ~ config_type = "ROOT_CA_GENERATED_INTERNALLY" -> (known after apply)
      ~ current_version = [
          - {
              - certificate_authority_id = "ocid1.certificateauthority.oc1.uk-cardiff-1.xxx"
              - revocation_status = []
              - serial_number = "xxxxx"
              - stages = [
                  - "CURRENT",
                  - "LATEST",
                ]
              - time_created = "2025-11-17 07:23:28.447 +0000 UTC"
              - validity = [
                  - {
                      - time_of_validity_not_after = "2035-11-16 00:00:00 +0000 UTC"
                      - time_of_validity_not_before = "2025-11-17 07:23:28 +0000 UTC"
                    },
                ]
              - version_number = "1"
                # (3 unchanged attributes hidden)
            },
        ] -> (known after apply)
      ~ defined_tags = {
          - "Oracle-Tags.CreatedBy" = "invicaramicrosoftazuread/[email protected]"
          - "Oracle-Tags.CreatedOn" = "2025-11-17T07:23:28.254Z"
        } -> (known after apply)
      ~ freeform_tags = {} -> (known after apply)
      ~ id = "ocid1.certificateauthority.oc1.uk-cardiff-1.xxxxx" -> (known after apply)
      + issuer_certificate_authority_id = (known after apply)
      + lifecycle_details = (known after apply)
        name = "test9"
      ~ signing_algorithm = "SHA512_WITH_RSA" -> (known after apply)
      ~ state = "ACTIVE" -> (known after apply)
      ~ subject = [
          - {
              - common_name = "test9"
                # (16 unchanged attributes hidden)
            },
        ] -> (known after apply)
      ~ time_created = "2025-11-17 07:23:28.433 +0000 UTC" -> (known after apply)
      + time_of_deletion = (known after apply)
        # (2 unchanged attributes hidden)
      + certificate_authority_config {
          + config_type = "ROOT_CA_GENERATED_INTERNALLY"
          + signing_algorithm = "SHA512_WITH_RSA" # forces replacement
          + subject { # forces replacement
              + common_name = "test9" # forces replacement
            }
          + validity {
              + time_of_validity_not_after = "2035-11-16T00:00:00.000Z"
            }
        }
        # (1 unchanged block hidden)
    }
Expected Behavior
It should work...
Actual Behavior
Terraform applies a different JSON payload than what is returned from the API, and thus the two do not match.
Steps to Reproduce
terraform apply
References
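The plan in this issue marks an imported certificate authority as "must be replaced". As an added example (not part of the original issue and not the provider's code), the Python check below reads the JSON form of a plan, as produced by `terraform show -json`, and reports any certificate authority the plan would replace, so a pipeline can stop before apply. The sample plan, including the `oci_kms_key.example` entry and the replace paths, is constructed for illustration.

```python
import json

# Resource types whose replacement discards a trust anchor.
# The type name is taken from the issue; extend the set as needed.
PROTECTED_TYPES = {"oci_certificates_management_certificate_authority"}

def forced_replacements(plan, protected=PROTECTED_TYPES):
    """Return (address, replace_paths) for protected resources the plan would replace.

    `plan` is the parsed output of `terraform show -json <planfile>`.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in protected:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is delete+create in either order (create_before_destroy flips it).
        if "delete" in actions and "create" in actions:
            paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
            findings.append((rc["address"], paths))
    return findings

# Constructed sample, shaped like the plan in the issue (not real tool output).
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {
      "address": "module.certificate_authority.oci_certificates_management_certificate_authority.this",
      "type": "oci_certificates_management_certificate_authority",
      "change": {
        "actions": ["delete", "create"],
        "replace_paths": [["certificate_authority_config", 0, "signing_algorithm"],
                          ["certificate_authority_config", 0, "subject"]]
      }
    },
    {
      "address": "oci_kms_key.example",
      "type": "oci_kms_key",
      "change": {"actions": ["no-op"]}
    }
  ]
}
""")

if __name__ == "__main__":
    for address, paths in forced_replacements(SAMPLE_PLAN):
        print(f"BLOCK: {address} would be replaced; forced by {paths or 'unknown'}")
```
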