Terraform Commands Lab question 6

Hello abulanov,

Can you please try to refresh the lab and take it again as the file might not be created?

Tried out for the second time, and it works now. Maybe it was a lab issue. Thank you.

Welcome and happy learning

Hello,

For me, it doesn’t work despite refreshing the lab. Please find below the main.tf file and the error message.

Main.tf:

resource "local_file" "key_data" {
    filename        = "/tmp/.pki/private_key.pem"
    content         = tls_private_key.private_key.private_key_pem
    file_permission = "0400"
}
resource "tls_private_key" "private_key" {
    algorithm = "RSA"
    rsa_bits  = 4096
}
resource "tls_cert_request" "csr" {
    key_algorithm   = "RSA"
    private_key_pem = file("/tmp/.pki/private_key.pem")
    depends_on      = [ local_file.key_data ]

    subject {
        common_name  = "flexit.com"
        organization = "FlexIT Consulting Services"
    }
}

Error:

iac-server $ terraform validate

Error: Invalid Configuration for Read-Only Attribute

  on main.tf line 11, in resource "tls_cert_request" "csr":
  11:   key_algorithm = "RSA"

Cannot set value for this attribute as the provider has marked it as
read-only. Remove the configuration line setting the value.

Refer to the provider documentation or contact the provider developers for
additional information about configurable and read-only attributes that are
supported.

iac-server $

2 Likes

+1 same problem.

The key_algorithm = "RSA" attribute is only read-only at version 4.0 of the tls_cert_request resource.

To avoid the problem, add the following code:

terraform {
  required_providers {
    tls = {
      source  = “hashicorp/tls”
      version = “3.3.0”
    }
  }
}

Then run terraform init, terraform plan, terraform apply.

1 Like

It needs to be added to the main.tf but you need to replace the “” after copy-paste.
Unfortunately, it throws a new error now.

Warning: Argument is deprecated

  on main.tf line 12, in resource "tls_cert_request" "csr":
  12:   key_algorithm   = "RSA"

This is now ignored, as the key algorithm is inferred from the
`private_key_pem`.


Error: Resource instance managed by newer provider version

The current state of tls_private_key.private_key was created by a newer
provider version than is currently selected. Upgrade the tls provider to work
with this state.

Hi @devops.amitdas @tobias.darmawi @nico.johann

There are two errors with the validation - when you fix the first, then the second appears

  1. Error: Unsupported argument - change dsa_bits to rsa_bits
  2. Error: Invalid Configuration for Read-Only Attribute - Terraform gives you this error when you try to provide a value for an attribute that is declared read-only by the provider. That’s not just for this provider, but any provider. Read-only attributes cannot be set in configuration, only referred to.
    Correct fix is to remove the attribute, then it will validate.

Once the CSR resource has been applied, other resources can read the value of key_algorithm to discover what algorithm was chosen by the provider.

Note that changing the provider version to one that has a read/write version of the attribute isn’t what the lab is asking you to do :wink:

https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request#read-only

1 Like

I really did not understand your explanation. Can you please elaborate and tell us how we can get rid of the Error: Invalid Configuration for Read-Only Attribute error?

Thank you.

Hi @rahulraj8500

You get rid of the error by removing the attribute entirely!

With the version 4 of this provider (which is the version used by the lab), it is not valid to give that attribute a value. The provider chooses it automatically. It is not writable, just like a read only file is not writable. Assigning a value in the configuration file is writing.
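
As an added example (not part of any post in this thread and not the lab's solution file): a configuration for version 4 of the tls provider that leaves key_algorithm unset and reads the provider-computed value through an output instead. The direct reference to tls_private_key in place of file(), the `~> 4.0` constraint and the output name `csr_key_algorithm` are assumptions of this example.

```hcl
# Added example; assumes hashicorp/tls 4.x, where key_algorithm is read-only.
terraform {
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
  }
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Owner-read-only copy of the key on disk, as in the thread's main.tf.
resource "local_file" "key_data" {
  filename        = "/tmp/.pki/private_key.pem"
  content         = tls_private_key.private_key.private_key_pem
  file_permission = "0400"
}

resource "tls_cert_request" "csr" {
  # key_algorithm is deliberately absent: the provider infers it from
  # private_key_pem and exposes the result as a read-only attribute.
  # Assumption of this example: the key is referenced directly, so the
  # CSR does not depend on reading the PEM file back from disk.
  private_key_pem = tls_private_key.private_key.private_key_pem

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

# Reading (not writing) the computed attribute once the CSR exists.
# "csr_key_algorithm" is a hypothetical output name.
output "csr_key_algorithm" {
  value = tls_cert_request.csr.key_algorithm
}
```

The key generated by tls_private_key is also stored unencrypted in the Terraform state, so the state file needs the same protection as the 0400 PEM file.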

@Alistair_KodeKloud You are right. It worked after changing the code a bit

resource "local_file" "key_data" {
  filename        = "/tmp/.pki/private_key.pem"
  content         = tls_private_key.private_key.private_key_pem
  file_permission = "0400"
}
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
resource "tls_cert_request" "csr" {
  ## key_algorithm   = "RSA"
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on      = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}
2 Likes

Thanks a lot buddy!!
That worked smoothly

The lab expects you to comment out (not delete or modify) the line as follows: ## key_algorithm = "RSA"

1 Like

Hello @mauricebafandza,
Thanks for sharing!

I have been trying to comment with a single # and it did not work… however, a double # works. What is the difference between single and double # usage, please?

1 Like

Hello everybody,

Thanks for these pieces of information. Really helpful for me too. As I also got stuck on that part of the question.

resource "local_file" "key_data" {
  filename        = "/tmp/.pki/private_key.pem"
  content         = tls_private_key.private_key.private_key_pem
  file_permission = "0400"
}
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
resource "tls_cert_request" "csr" {
  key_algorithm   = "RSA"
  private_key_pem = file("/tmp/.pki/private_key.pem")
  depends_on      = [ local_file.key_data ]

  subject {
    common_name  = "flexit.com"
    organization = "FlexIT Consulting Services"
  }
}

Still not able to run the code; getting the error below:
Invalid Configuration for Read-Only Attribute

  on main.tf line 11, in resource "tls_cert_request" "csr":
  11:   key_algorithm   = "RSA"

Cannot set value for this attribute as the provider has marked it as
read-only. Remove the configuration line setting the value.

Refer to the provider documentation or contact the provider developers for
additional information about configurable and read-only attributes that are
supported.

Hello @Subhajit-Das
Can you please share the lab URL?

Hi, I’m raising the topic again, doesn’t work for me either, even after I put ## before key_algorithm. It passes well for terraform plan command, but when I run terraform apply it says this:

“Error: Provider produced inconsistent final plan

│ When expanding the plan for tls_cert_request.csr to include new values learned so
│ far during apply, provider “Terraform Registry” produced an
│ invalid new value for .private_key_pem: inconsistent values for sensitive
│ attribute.

│ This is a bug in the provider, which should be reported in the provider’s own
│ issue tracker.”

Can someone help?

Does this solution no longer work?