Terraform Commands Lab question 6

I am unable to get this right even after checking the hint given to answer the question.

The key algorithm used by tls-cert-request is ECDSA but the private-key is of type RSA is the hint. I changed the key algorithm to RSA but it still doesn’t work. I looked for answers online on the Terraform website too, but I am unable to understand what needs to be done to make this work.
Can someone help me here?

1 Like

Hello @MK1234

In this question, all you have to do is to change the key algorithm used for cert_request from “ECDSA” to “RSA” as shown in the screenshot below


But most importantly, you must not forget to plan and apply using these commands, and it will work fine as shown.
terraform plan
terraform apply

2 Likes

Thanks, I made the same mistake.

Now it's working after correcting the algorithm to RSA on both resource blocks.

1 Like

Here, when we say terraform apply, at first tls_key will run, after that local_file, and after that tls_cert. Is this the correct flow?

Yes, exactly, this is the flow.

Still doesn’t work for me.

resource "local_file" "key_data" {
        filename       = "/tmp/.pki/private_key.pem"
        content = tls_private_key.private_key.private_key_pem
        file_permission =  "0400"
        
}
resource "tls_private_key" "private_key" {
  algorithm   = "RSA"
  rsa_bits  = 4096
}
resource "tls_cert_request" "csr" {
  key_algorithm   = "RSA"
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

The result is:

iac-server $ terraform plan

Error: Invalid function argument

  on main.tf line 13, in resource "tls_cert_request" "csr":
  13:   private_key_pem = file("/tmp/.pki/private_key.pem")

Invalid value for "path" parameter: no file exists at
/tmp/.pki/private_key.pem; this function works only with files that are
distributed as part of the configuration source code, so if this file will be
created by a resource in this configuration you must instead obtain this
result from an attribute of that resource.

iac-server $

Could you help me with it?

Hello abulanov,

Can you please try to refresh the lab and take it again as the file might not be created?

Tried it out for the second time, and it works now. Maybe it was a lab issue. Thank you.

Welcome and happy learning

Hello,

For me, it doesn’t work despite refreshing the lab. Please find below the main.tf file and the error message.

Main.tf:

resource "local_file" "key_data" {
    filename       = "/tmp/.pki/private_key.pem"
    content = tls_private_key.private_key.private_key_pem
    file_permission =  "0400"
}
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits = 4096
}
resource "tls_cert_request" "csr" {
  key_algorithm = "RSA"
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

Error:

iac-server $ terraform validate

Error: Invalid Configuration for Read-Only Attribute

  on main.tf line 11, in resource "tls_cert_request" "csr":
  11:   key_algorithm = "RSA"

Cannot set value for this attribute as the provider has marked it as
read-only. Remove the configuration line setting the value.

Refer to the provider documentation or contact the provider developers for
additional information about configurable and read-only attributes that are
supported.

iac-server $

2 Likes

+1 same problem.

The key_algorithm = “RSA” attribute is only read-only at version 4.0 from the tls_cert_request resource.

To avoid the problem, add the following code

terraform {
required_providers {
tls = {
source = “hashicorp/tls”
version = “3.3.0”
}
}
}

then terraform init , terraform plan , terraform apply

1 Like

It needs to be added to the main.tf but you need to replace the “” after copy-paste.
Unfortunately, it throws a new error now.

Warning: Argument is deprecated

  on main.tf line 12, in resource "tls_cert_request" "csr":
  12:   key_algorithm   = "RSA"

This is now ignored, as the key algorithm is inferred from the
`private_key_pem`.


Error: Resource instance managed by newer provider version

The current state of tls_private_key.private_key was created by a newer
provider version than is currently selected. Upgrade the tls provider to work
with this state.

Hi @devops.amitdas @tobias.darmawi @nico.johann

There are two errors with the validation - when you fix the first, then the second appears

  1. Error: Unsupported argument - change dsa_bits to rsa_bits
  2. Error: Invalid Configuration for Read-Only Attribute - Terraform gives you this error when you try to provide a value for an attribute that is declared read-only by the provider. That’s not just for this provider, but any provider. Read-only attributes cannot be set in configuration, only referred to.
    Correct fix is to remove the attribute, then it will validate.

Once the CSR resource has been applied, other resources can read the value of key_algorithm to discover what algorithm was chosen by the provider.

Note that changing the provider version to one that has a read/write version of the attribute isn’t what the lab is asking you to do :wink:

https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request#read-only

1 Like

I really did not understand your explanation. Can you Please elaborate and tell how we can get rid of the Error: Invalid Configuration for Read-Only Attribute error.

Thank you.

Hi @rahulraj8500

You get rid of the error by removing the attribute entirely!

With the version 4 of this provider (which is the version used by the lab), it is not valid to give that attribute a value. The provider chooses it automatically. It is not writable, just like a read only file is not writable. Assigning a value in the configuration file is writing.

@Alistair_KodeKloud You are right. It worked after changing the code a bit

resource "local_file" "key_data" {
        filename       = "/tmp/.pki/private_key.pem"
        content = tls_private_key.private_key.private_key_pem
        file_permission =  "0400"
}
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
    rsa_bits  = 4096
}
resource "tls_cert_request" "csr" {
 ## key_algorithm   = "RSA"
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}
2 Likes
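
An added example, not part of the thread and not the lab's expected answer: the same three resources written so they avoid both errors quoted above, by wiring `private_key_pem` to the `tls_private_key` attribute (as the `file()` error message advises) and leaving the read-only `key_algorithm` unset. The `~> 4.0` constraint, the use of `local_sensitive_file` and the output name are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0" # assumption: the v4 series the thread says the lab uses
    }
  }
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
  # The generated key is stored unencrypted in the Terraform state,
  # so the state file needs the same protection as the key itself.
}

# Assumption: local_sensitive_file (hashicorp/local) instead of local_file,
# so the PEM content is not shown in plan/apply output.
resource "local_sensitive_file" "key_data" {
  filename        = "/tmp/.pki/private_key.pem"
  content         = tls_private_key.private_key.private_key_pem
  file_permission = "0400"
}

resource "tls_cert_request" "csr" {
  # Reference the resource attribute rather than file(): file() is evaluated
  # at plan time, before the key file exists, which is the
  # "Invalid function argument" error quoted earlier in the thread.
  # The reference also gives Terraform the ordering, so no depends_on is needed.
  private_key_pem = tls_private_key.private_key.private_key_pem

  # key_algorithm is deliberately not set: in provider v4 it is read-only
  # and is inferred from private_key_pem.

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

# Read-only attributes can still be referenced after apply.
output "csr_key_algorithm" {
  value = tls_cert_request.csr.key_algorithm
}
```
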

Thanks a lot buddy!!
That worked smoothly

The lab expects you to comment out (not delete or modify) the line as follows: ## key_algorithm = “RSA”

1 Like

Hello @mauricebafandza,
Thanks for sharing!