
terraform doesn't support PKCS#8 format API Keys #2127

Open
luckeyca opened this issue May 27, 2024 · 4 comments
Labels: awaiting-affected-resources (Please provide the affected resource name in the description, e.g. Affected resource - oci_core_instance), bug

Comments

luckeyca commented May 27, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version and Provider Version

Terraform v1.5.4
on linux_amd64

  • provider registry.terraform.io/oracle/oci v5.43.0

Affected Resource(s)

affected_resources = terraform

Terraform Configuration Files

N/A

Expected Behavior

As per issue: oracle/oci-go-sdk#242, terraform should support both PKCS#1 and PKCS#8 API key formats.

Actual Behavior

It doesn't support the PKCS#8 format. If the API key is generated using openssl version 3 with the newer header, terraform plan/apply will fail with the error: Error: can not create client, bad configuration: did not find a proper configuration for private key.
Newer header format:
-----BEGIN ENCRYPTED PRIVATE KEY-----

Once the key is created in PKCS#1 format using openssl version 1 with the older header, terraform plan/apply works fine.
Older header format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,

Steps to Reproduce

  1. openssl genrsa -out ./ociprivatekeyfile -aes256 2048
  2. openssl rsa -pubout -in ./ociprivatekeyfile -out ./ociprivatekeyfile_public.pem
  3. upload the public key generated from step 2 to oci console under the terraform user id.
  4. update ~/.oci/config file with the necessary information
  5. run terraform plan to create a simple compartment

If commands 1 and 2 were run using openssl version 1, terraform plan will succeed; if using openssl version 3, terraform plan will fail.

Important Factoids

References

@luckeyca luckeyca added the bug label May 27, 2024
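The report above turns on the PEM framing of the key file: OpenSSL 3 writes an encrypted key as PKCS#8 (`ENCRYPTED PRIVATE KEY`), while the form the provider accepts here is the legacy PKCS#1 armour (`RSA PRIVATE KEY` with `Proc-Type`/`DEK-Info` headers). The POSIX shell functions below are an added example, not code from this issue or from the OCI provider: they classify a key by its framing, rewrite a PKCS#8 key into encrypted PKCS#1 with `openssl rsa` (the `-traditional` flag exists only in OpenSSL 3, which is why it is added conditionally), compute the fingerprint OCI shows for the uploaded public key so the converted key can be checked against the console, and run a pre-flight check against a `~/.oci/config` profile (reproduce step 4). The function names, the `DEFAULT` profile and the paths in the usage comment are this example's own choices; the OCI config keys `key_file` and `pass_phrase` are the ones the OCI SDK config file uses.

```shell
#!/bin/sh
# Added example (not from the issue or the OCI provider). Function names and
# the demo paths are assumptions made for this example.

# Print the framing of a private key file: pkcs8-encrypted, pkcs8,
# pkcs1-encrypted, pkcs1, or unknown. Only the PEM armour and the Proc-Type
# line are inspected; the base64 body is not decoded.
oci_key_format() {
    pem="$1"
    header=$(sed -n '1p' "$pem")
    case "$header" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Legacy OpenSSL encryption is signalled by a Proc-Type header,
            # followed by "DEK-Info: <cipher>,<hex IV>".
            if sed -n '2p' "$pem" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pkcs1-encrypted
            else
                echo pkcs1
            fi ;;
        *) echo unknown ;;
    esac
}

# Rewrite any RSA key (PKCS#8 or PKCS#1, encrypted or not) as an AES-256-CBC
# encrypted legacy PKCS#1 key. OpenSSL 3 defaults to PKCS#8 output and needs
# -traditional; OpenSSL 1.1.x and LibreSSL emit the legacy form by default
# and do not know the flag, so it is only passed on 3.x.
oci_key_to_pkcs1() {
    in="$1"; out="$2"; pass="$3"
    case "$(openssl version)" in
        "OpenSSL 3"*) trad="-traditional" ;;
        *)            trad="" ;;
    esac
    # shellcheck disable=SC2086  # $trad is intentionally empty or one flag
    openssl rsa -in "$in" -passin "pass:$pass" \
        -aes256 -passout "pass:$pass" $trad -out "$out" 2>/dev/null
    chmod 600 "$out"
}

# Fingerprint as OCI displays it: colon-separated MD5 of the DER-encoded
# public key. Identical for the PKCS#8 and PKCS#1 encodings of the same key.
oci_key_fingerprint() {
    openssl rsa -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null \
        | openssl md5 -c | sed 's/^.*= *//'
}

# Read one key from a profile section of an ~/.oci/config style INI file.
oci_config_value() {
    file="$1"; profile="$2"; key="$3"
    sed -n "/^\[$profile\]/,/^\[/p" "$file" \
        | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Pre-flight check for a profile: resolve key_file, report the framing and
# fail (exit status 1) when the key is not in the legacy PKCS#1 form.
oci_key_preflight() {
    cfg="$1"; profile="${2:-DEFAULT}"
    key_file=$(oci_config_value "$cfg" "$profile" key_file)
    case "$key_file" in "~"*) key_file="$HOME${key_file#\~}" ;; esac
    fmt=$(oci_key_format "$key_file")
    echo "$profile: $key_file is $fmt"
    case "$fmt" in
        pkcs1*) return 0 ;;
        *)
            echo "convert with: oci_key_to_pkcs1 $key_file <out.pem> <pass_phrase>" >&2
            return 1 ;;
    esac
}

# Usage (not run when this file is sourced):
#   oci_key_preflight ~/.oci/config DEFAULT || \
#       oci_key_to_pkcs1 ~/.oci/oci_api_key.pem ~/.oci/oci_api_key_pkcs1.pem "$PASS"
#   oci_key_fingerprint ~/.oci/oci_api_key_pkcs1.pem "$PASS"   # compare with console
```

The conversion keeps the same RSA key pair, so the public key already uploaded in the console stays valid; only the private-key container changes. Compare the fingerprint printed by `oci_key_fingerprint` with the one next to the API key in the OCI console before pointing `key_file` at the converted file.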
tf-oci-pub (Member) commented

Thank you for reporting the issue. We observed that the affected resources are not provided in the description or are incorrect. We request you to add them to the issue description in the format below.
Example: affected_resources = oci_core_instance , oci_core_instances

If it's not related to any particular resource then mention affected resource as terraform.
Example: affected_resources = terraform

As this works through automation, request you to follow exact syntax.

@tf-oci-pub tf-oci-pub added the awaiting-affected-resources Please Provide the affected resource name in description. ex. Affected resource - oci_core_instance label May 28, 2024
luckeyca (Author) commented

Hi, updated "affected_resources" as instructed. Please let me know if you need more details.

luckeyca (Author) commented Jun 3, 2024

Hi, please make sure the developers test the following two situations using ENCRYPTED keys, NOT keys without a password:

  1. Delete the ~/.oci/config file and leave only the environment variables below.

export TF_VAR_fingerprint=
export TF_VAR_user_oci=
export TF_VAR_tenancy_ocid=
export TF_VAR_region=
export TF_VAR_private_key_password=
export TF_VAR_private_key_path=

  2. Unset all the TF_VAR_ environment variables and only use ~/.oci/config.

luckeyca (Author) commented Jun 3, 2024

We DO NOT set these settings in the provider block, since it is static, but only use ~/.oci/config and TF_VAR_* environment variables. We DO need BOTH ~/.oci/config AND the TF_VAR_* environment variables to work independently, for different use cases.
