Large validity periods cause a NotAfter date before the NotBefore date

[NeilW]

Terraform CLI and Provider Versions

$ terraform version
Terraform v1.3.6
on linux_amd64

• provider registry.terraform.io/brightbox/brightbox v3.4.3
• provider registry.terraform.io/hashicorp/cloudinit v2.3.5
• provider registry.terraform.io/hashicorp/null v3.2.3
• provider registry.terraform.io/hashicorp/random v3.6.3
• provider registry.terraform.io/hashicorp/tls v4.0.6

Terraform Configuration

locals {
  validity_period           = 2562048
  cluster_fqdn              = "${var.cluster_name}.${var.cluster_domainname}"
}

resource "tls_self_signed_cert" "k8s_ca" {
  private_key_pem = tls_private_key.k8s_ca.private_key_pem

  subject {
    common_name         = "apiserver"
    organizational_unit = local.cluster_fqdn
  }

  validity_period_hours = local.validity_period

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "cert_signing",
  ]

  is_ca_certificate = true
}

Expected Behavior

There should have been a validity error thrown because 2562048 in hours is too big to fit in a time.Duration type.

Actual Behavior

The value overflowed and became negative leading to a NotAfter date before the Not Before date.

WARNING: could not validate bounds for certificate CA: the certificate has expired: NotBefore: 2024-09-13 09:51:20 +0000 UTC, NotAfter: 1732-06-04 10:16:46 +0000 UTC

Steps to Reproduce

1. terraform apply

How much impact is this issue causing?

Low

Logs

No response

Additional Information

The calculation is at

terraform-provider-tls/internal/provider/common_cert.go

Line 126 in 6a38629

template.NotAfter = template.NotBefore.Add(time.Duration(validityPeriodHours) * time.Hour)

Missing validity check at

terraform-provider-tls/internal/provider/resource_self_signed_cert.go

Line 68 in 6a38629

Validators: []validator.Int64{

Code of Conduct

• I agree to follow this project's Code of Conduct