### Terraform Version

```shell
Terraform v1.5.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/tls v4.0.6
```

### Terraform Configuration Files

```terraform
resource "tls_private_key" "key" {
  algorithm = "ED25519"
}

resource "tls_self_signed_cert" "cert" {
  private_key_pem       = tls_private_key.key.private_key_pem
  validity_period_hours = 0
  allowed_uses          = []
}
```

### Debug Output

.

### Expected Behavior

The `ready_for_renewal` attribute should be shown with a `forces replacement` comment. Even though its value does not change, it forces the resource to be replaced due to [this line](https://github.com/hashicorp/terraform-provider-tls/blob/b3b0b1385e312673a6d86dad1e430dad80f84acd/internal/provider/common_cert.go#L299) in the provider.

### Actual Behavior

When running `terraform plan`, it is unclear why the certificate is being replaced because the attribute forcing the replacement is hidden:

```txt
tls_private_key.key: Refreshing state... [id=645bcc302e999c30e780c2c673a8b38803a5c161]
tls_self_signed_cert.cert: Refreshing state... [id=95418850290231087350800214566494560444]

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # tls_self_signed_cert.cert must be replaced
-/+ resource "tls_self_signed_cert" "cert" {
      ~ cert_pem              = <<-EOT
            -----BEGIN CERTIFICATE-----
            MIHNMIGAoAMCAQICEEfJAInXcv5Nkq+XPa4YYLwwBQYDK2VwMAAwHhcNMjQxMTI1
            MjAxMTUzWhcNMjQxMTI1MjAxMTUzWjAAMCowBQYDK2VwAyEAVk4SSSMuXfcd0ZXE
            sa2XXFZMXjJNfAJEeHAVrYQdTkyjEDAOMAwGA1UdEwEB/wQCMAAwBQYDK2VwA0EA
            Evd8VovJCZyA8SHtBYU+cJvMWJ+7lhfDkDTfK2tGuq6cDeBxsCbv2m7oRepYS48k
            0zV20I3X9ymaKnul/8UkDA==
            -----END CERTIFICATE-----
        EOT -> (known after apply)
      ~ id                    = "95418850290231087350800214566494560444" -> (known after apply)
      ~ key_algorithm         = "ED25519" -> (known after apply)
      ~ validity_end_time     = "2024-11-25T21:11:53.935539+01:00" -> (known after apply)
      ~ validity_start_time   = "2024-11-25T21:11:53.935539+01:00" -> (known after apply)
        # (8 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
```

### Steps to Reproduce

1. `terraform init`
1. `terraform apply`
1. `terraform plan`

### Additional Context

The TLS certificate with a `validity_period_hours = 0` is a bit of an edge case, but the problem is (likely) more general: unchanged attributes manually marked as `RequiresReplace` by providers are hidden in the plan, although they are important to understand the actions Terraform takes.

### References

_No response_