
Generating azurerm_key_vault_certificate with non-integrated CA fails #5589

Closed
mbrancato opened this issue Feb 1, 2020 · 3 comments
@mbrancato

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.12.12
+ provider.azurerm v1.42.0

Affected Resource(s)

  • azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault_certificate" "test" {
  name         = "generated-cert"
  key_vault_id = azurerm_key_vault.test.id

  certificate_policy {
    issuer_parameters {
      name = "Unknown"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "digitalSignature",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["test.domain.com"]
      }

      subject            = "CN=test.domain.com"
      validity_in_months = 12
    }
  }
}

Expected Behavior

Based on how this behavior works using the Azure Portal, the private key should be created but the certificate resource will show a disabled / in-progress state. This would be true until the CSR is downloaded and a signed certificate is merged into the certificate. I believe that the provider should just ensure the certificate private key is created. Additionally, I think that the exported attributes should include the CSR (or accessible via a data source) that can be saved / output to the host where Terraform is run. There is probably not a good flow for merging this, but I could see that support being added.

This seems to be a supported configuration per the documentation, however there are no unit tests for certificate_policy.issuer_parameters.name = "Unknown". Is this a working implementation?

Can the documentation be updated to better explain how this flow should work?

Actual Behavior

Terraform fails to create the certificate - but in the portal it does exist and is waiting for the signing to occur.

azurerm_key_vault_certificate.test: Still creating... [4m10s elapsed]

Error: Error waiting for Certificate "generated-cert" in Vault "https://test000000000.vault.azure.net/" to become available: couldn't find resource (21 retries)

  on test.tf line 68, in resource "azurerm_key_vault_certificate" "test":
  68: resource "azurerm_key_vault_certificate" "test" {

Attempting to run a second time results in:

azurerm_key_vault_certificate.example: Creating...

Error: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."

  on test.tf line 68, in resource "azurerm_key_vault_certificate" "test":
  68: resource "azurerm_key_vault_certificate" "test" {

Steps to Reproduce

  1. terraform apply
@ThomasZeman

I can confirm this problem. Reason for this is that the terraform resource is waiting for the certificate to have a SID which it will only have once it gets signed by an external CA. So basically the resource is done as soon as a certificate with an 'unknown' issuer has been created. From there on the user needs to download the certificate manually (signing request; csr) and get it signed by an external provider.

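An added example, not code from the issue or from the provider: a Python check that reads a Key Vault pending-certificate operation and tells the two in-progress cases apart, an "Unknown" issuer waiting for an externally signed certificate to be merged (done from Terraform's point of view, so polling for a secret id is what hangs) versus an integrated CA still issuing. The sample operation document, its status_details text and the CSR bytes are constructed placeholders; the field names follow the Key Vault certificate pending-operation shape.

```python
import base64
import json

# Constructed sample of a pending-certificate operation for the certificate
# in the issue. Field names follow the Key Vault certificate-operation shape;
# the csr bytes and status_details text are placeholders, not real values.
SAMPLE_OPERATION = json.dumps({
    "id": "https://test000000000.vault.azure.net/certificates/generated-cert/pending",
    "issuer": {"name": "Unknown"},
    "csr": base64.b64encode(b"CONSTRUCTED-DER-CSR-PLACEHOLDER-" * 5).decode(),
    "cancellation_requested": False,
    "status": "inProgress",
    "status_details": "constructed: pending certificate awaiting merge",
})

def load_operation(text):
    """Parse the JSON body returned for {vault}/certificates/{name}/pending."""
    return json.loads(text)

def classify_operation(op):
    """Map an operation document to what the caller should do next:
    'awaiting_merge' - issuer "Unknown": the vault never finishes on its own,
                       the CSR must be signed externally and merged back;
    'provisioning'   - an integrated CA is still issuing, keep polling;
    'completed' / 'failed' / 'cancelled' are terminal."""
    if "error" in op:
        return "failed"
    if op.get("cancellation_requested"):
        return "cancelled"
    status = op.get("status", "")
    if status == "completed":
        return "completed"
    if status == "inProgress":
        issuer = op.get("issuer", {}).get("name", "")
        return "awaiting_merge" if issuer == "Unknown" else "provisioning"
    raise ValueError(f"unexpected operation status: {status!r}")

def should_keep_waiting(op):
    """True only while an integrated CA is still working; False otherwise."""
    return classify_operation(op) == "provisioning"

def csr_to_pem(op):
    """Re-encode the base64 DER csr field as a PEM CERTIFICATE REQUEST block,
    wrapped at 64 columns, so it can be handed to the external CA."""
    der = base64.b64decode(op["csr"], validate=True)
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    op = load_operation(SAMPLE_OPERATION)
    print(classify_operation(op))
    if classify_operation(op) == "awaiting_merge":
        print(csr_to_pem(op))
```
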
tombuildsstuff added a commit that referenced this issue May 25, 2020
azurerm_key_vault_certificate: fixed 'Unknown' issuer not working Issue #5589
@tombuildsstuff
Member

From what I can see this was fixed in #6979, so I'm going to close this issue for the moment - but please let us know if upgrading to the latest version of the Provider doesn't work and we'll take another look.

Thanks!

@ghost

ghost commented Mar 6, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Mar 6, 2021