myjfrog_custom_domain_name detects spurious changes in certificate data after import due to line ending handling #55

@jdesulme

Describe the bug
The myjfrog_custom_domain_name resource incorrectly handles certificate data encoding/line endings when comparing state after import. When importing an existing certificate configuration, the provider returns the certificate data with Unix-style line endings (\n). However, when the same certificate data is provided via Terraform variables (even after base64 decoding and line ending normalization), Terraform detects spurious differences and attempts to recreate the resource on every apply.

Requirements for an issue

  • A description of the bug
  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of terraform: 1.13.5
  • Your version of terraform provider: jfrog/myjfrog v1.0.2

Steps to Reproduce

  1. Import an existing certificate: terraform import myjfrog_custom_domain_name.test_cert test-example.com
  2. Run terraform plan
  3. Observe that Terraform detects changes in certificate_body, certificate_chain, and certificate_private_key even though the content is identical

Expected behavior
After importing the resource and providing the same certificate data (properly decoded and line-ending normalized), terraform plan should show no changes. The provider should consistently handle certificate data encoding regardless of whether it's from an import or a variable.

Additional context

  • The issue persists even when using replace() to normalize \r\n to \n
  • The problem appears to be related to how the provider serializes/deserializes certificate data in state
  • This forces unnecessary resource recreation or constant drift detection
  • Similar certificate resources in other providers (e.g., AWS ACM) handle this correctly by normalizing certificate format internally

```hcl
terraform {
  required_providers {
    myjfrog = {
      source  = "jfrog/myjfrog"
      version = "1.0.2"
    }
  }
}

variable "certificate_public_key_b64" {
  type      = string
  sensitive = false
  # Base64-encoded certificate (Windows-style CRLF line endings)
  default   = ""
}

variable "certificate_private_key_b64" {
  type      = string
  sensitive = true
  # Base64-encoded private key (Windows-style CRLF line endings)
  default   = ""
}

variable "certificate_trust_chain_b64" {
  type      = string
  sensitive = false
  # Base64-encoded certificate chain (Windows-style CRLF line endings)
  default   = ""
}

resource "myjfrog_custom_domain_name" "test_cert" {
  certificate_name = "test-example.com"

  # Attempt to normalize line endings to match API response
  certificate_body        = replace(base64decode(var.certificate_public_key_b64), "\r\n", "\n")
  certificate_private_key = replace(base64decode(var.certificate_private_key_b64), "\r\n", "\n")
  certificate_chain       = replace(base64decode(var.certificate_trust_chain_b64), "\r\n", "\n")

  domains_under_certificate = [
    {
      url         = "test-example.com"
      server_name = "testserver"
      type        = "platform_base_url"
    }
  ]
}
```

```bash
# Generate a throwaway self-signed certificate and export it for Terraform.
# TF_VAR_<name> must match the declared variable names (the *_b64 variables
# above), otherwise Terraform never sees the values.
DOMAIN="example.test.com" && \
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=US/ST=Test/L=Test/O=Test/CN=$DOMAIN" \
  -keyout /tmp/key.pem -out /tmp/cert.pem 2>/dev/null && \
export TF_VAR_certificate_public_key_b64=$(base64 -i /tmp/cert.pem) && \
export TF_VAR_certificate_private_key_b64=$(base64 -i /tmp/key.pem) && \
export TF_VAR_certificate_trust_chain_b64=$(base64 -i /tmp/cert.pem) && \
export TF_VAR_domain_name=$DOMAIN && \
echo "✓ Certificate environment variables exported for $DOMAIN"
```
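The "Expected behavior" above asks for certificate data to be compared by content rather than by exact bytes. The following Go sketch is an added example, not code from the issue or from the jfrog/myjfrog provider: it decodes each PEM block and re-encodes it in one canonical form, so CRLF versus LF and a missing trailing newline no longer count as a difference. `CanonicalPEM`, `PEMEquivalent` and `constructedSample` are hypothetical names, and the sample block holds placeholder bytes, not a real certificate.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// CanonicalPEM decodes every PEM block in s and re-encodes it with LF line endings.
func CanonicalPEM(s string) (string, error) {
	rest := []byte(strings.ReplaceAll(s, "\r\n", "\n") + "\n")
	var out []byte
	for len(bytes.TrimSpace(rest)) > 0 {
		var b *pem.Block
		if b, rest = pem.Decode(rest); b == nil {
			return "", errors.New("input contains data that is not PEM")
		}
		out = append(out, pem.EncodeToMemory(b)...)
	}
	if len(out) == 0 {
		return "", errors.New("no PEM block found")
	}
	return string(out), nil
}

// PEMEquivalent reports whether a and b hold the same blocks in the same order.
func PEMEquivalent(a, b string) (bool, error) {
	ca, err := CanonicalPEM(a)
	if err != nil {
		return false, err
	}
	cb, err := CanonicalPEM(b)
	if err != nil {
		return false, err
	}
	return ca == cb, nil
}

// constructedSample returns a PEM block of placeholder bytes (constructed, not a real certificate).
func constructedSample(fill byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: bytes.Repeat([]byte{fill}, 120)}))
}

func main() {
	lf := constructedSample(0x41)
	crlf := strings.ReplaceAll(lf, "\n", "\r\n")
	fmt.Println(PEMEquivalent(lf, strings.TrimSpace(crlf))) // true <nil>
}
```

The same canonical string can be stored in state for `certificate_body`, `certificate_chain` and `certificate_private_key`, so that an imported value and a configured value compare equal whenever their decoded contents match.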
