terraform-provider-confluent: Error: Failed to install provider for Terraform (openpgp: key expired)

We seem to get the below error when downloading the Confluent provider in Terraform:

│ Error: Failed to install provider
│ 
│ Error while installing confluentinc/confluent v1.39.0: error checking
│ signature: openpgp: key expired

The code is as follows:

terraform {
  required_providers {
    confluent = {
      source  = "confluentinc/confluent"
      version = "1.39.0"
    }
  }
}

Any idea on what is causing this problem?

Thanks

About this issue

  • State: closed
  • Created 9 months ago
  • Reactions: 21
  • Comments: 20

Most upvoted comments

@linouk23 When will the update happen today? I guess many are waiting on this fix!

Update: it looks like HashiCorp merged a fix about 14 hours ago, which should be available in the 1.6.1 TF version (release date TBD).

For the context, we’re not the only TF provider affected by this issue:

Thank you! You can also see 1.6.1 on their GitHub: https://github.com/hashicorp/terraform/releases/tag/v1.6.1 too.

I am also facing similar issue

│ Error: Failed to install provider
│ 
│ Error while installing cyrilgdn/postgresql v1.21.0: error checking
│ signature: openpgp: key expired

update: we have reached out to HashiCorp for their assistance, and we should receive an update tomorrow.

FWIW - another workaround is to commit the provider into your git repo, so that your colleagues/CI doesn’t need to install it from the registry

I have temporarily done this to unblock the team:

git add -f ./.terraform/providers/registry.terraform.io/confluentinc

edit: this will add ~50MB of bloat to your git repo! 🔥 (but at least it is only 1 binary + README + LICENSE)

edit: we are eager to avoid merging this to main!

@gautam-goudar as a temporary fix, you could downgrade from 1.6.0 Terraform version to an earlier version.

That said, we’re still working on resolving the issue.

update: I’m happy to let you know that HashiCorp has released a new version of terraform: 1.6.1 where they fixed this bug:

cli: Reverted back to previous behavior of ignoring signing key expiration for provider installation, since it’s the provider registry’s responsibility to verify key validity at publication time. [https://github.com/hashicorp/terraform/pull/34004]

I did test it already and it seems to work:

# main.tf
terraform {
  required_providers {
    confluent = {
      source = "confluentinc/confluent"
      version = "1.51.0"
    }
  }
}

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key
  cloud_api_secret = var.confluent_cloud_api_secret
}

data "confluent_organization" "main" {}

and here’s the output:

➜  demo git:(master) ✗ terraform version             
Terraform v1.6.1
on darwin_amd64
➜  demo git:(master) ✗ terraform init   

Initializing the backend...

Initializing provider plugins...
- Finding confluentinc/confluent versions matching "1.51.0"...
- Installing confluentinc/confluent v1.51.0...
- Installed confluentinc/confluent v1.51.0 (signed by a HashiCorp partner, key ID D4A2B1EDB0EC0C8E)

...

Terraform has been successfully initialized!

...

➜  demo git:(master) ✗ terraform apply --auto-approve

data.confluent_organization.main: Reading...
data.confluent_organization.main: Read complete after 2s [id=....-b889-4d72-8948-....]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

In other words, the issue should be resolved if you switch terraform version to 1.6.1 from 1.6.0.

Workaround is to use Terraform 1.5.7.

See https://github.com/hashicorp/terraform/issues/33984#issuecomment-1748712133. Looks like the provider owner needs to renew PGP keys.

@gautam-goudar there’s an issue on our side, we’re working to fix it, thanks for waiting!
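
The failure discussed in this thread depends on the expiry date stored in the provider's OpenPGP signing key. As an added example (not code from the thread, from Terraform or from the provider), this Python parser reads the creation time and the key-expiration subpacket from a binary public key, so the expiry can be checked ahead of time. It assumes the key has already been dearmored (for instance with `gpg --dearmor`), is a single v4 key carrying only self-signatures, and it does not verify those signatures; the sample key bytes are constructed.

```python
def _length(buf, i, two_max):
    """Decode an RFC 4880 variable length at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_max:  # 223 for packet headers, 254 for signature subpackets
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    """Yield (tag, body) for each packet of a binary (dearmored) OpenPGP key."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:  # new-format header
            tag = hdr & 0x3F
            length, i = _length(data, i + 1, 223)
        else:  # old-format header; length type 3 means "up to end of data"
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n else len(data) - i - 1
            i += 1 + n
        yield tag, data[i:i + length]
        i += length

def subpackets(area):  # yields (type, value) for each signature subpacket
    i = 0
    while i < len(area):
        length, i = _length(area, i, 254)
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the "critical" bit
        i += length

def primary_key_expiry(key):
    """Return (created, expires) as Unix times; assumes self-signatures only, unverified."""
    created, newest, lifetime = None, -1, 0
    for tag, body in packets(key):
        if tag == 6 and body[0] == 4:  # primary public key: version, 4-byte creation time
            created = int.from_bytes(body[1:5], "big")
        elif tag == 2 and body[0] == 4 and body[1] in (0x10, 0x11, 0x12, 0x13, 0x1F):
            hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
            sub = {t: int.from_bytes(v, "big") for t, v in subpackets(hashed)}
            if sub.get(2, 0) > newest:  # newest self-signature wins
                newest, lifetime = sub.get(2, 0), sub.get(9, 0)  # 2: sig time, 9: key lifetime
    return created, (created + lifetime if lifetime else None)  # None: no expiry set

# Constructed sample, not a real key: key packet + self-signature, dummy key/signature bytes.
CREATED, LIFETIME = 1_600_000_000, 3 * 365 * 86400
SUBS = b"\x05\x02" + CREATED.to_bytes(4, "big") + b"\x05\x09" + LIFETIME.to_bytes(4, "big")
SAMPLE_KEY = (b"\x99\x00\x0a\x04" + CREATED.to_bytes(4, "big") + b"\x01" + bytes(4)
              + b"\x89\x00\x18\x04\x13\x01\x08\x00\x0c" + SUBS + bytes(6))
```

Comparing the returned `expires` value against the current time in CI gives early warning before a Terraform version that enforces key expiration starts rejecting the provider.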