Affected Resource(s)
azurerm_key_vault_certificate
Expected Behavior
Based on how this behavior works using the Azure Portal, the private key should be created but the certificate resource will show a disabled / in-progress state. This would be true until the CSR is downloaded and a signed certificate is merged into the certificate. I believe that the provider should just ensure the certificate private key is created. Additionally, I think that the exported attributes should include the CSR (or make it accessible via a data source) so that it can be saved / output to the host where Terraform is run. There is probably not a good flow for merging this, but I could see that support being added.
This seems to be a supported configuration per the documentation; however, there are no unit tests for certificate_policy.issuer_parameters.name = "Unknown". Is this a working implementation?
Can the documentation be updated to better explain how this flow should work?
Actual Behavior
Terraform fails to create the certificate - but in the portal it does exist and is waiting for the signing to occur.
azurerm_key_vault_certificate.test: Still creating... [4m10s elapsed]
Error: Error waiting for Certificate "generated-cert" in Vault "https://test000000000.vault.azure.net/" to become available: couldn't find resource (21 retries)
on test.tf line 68, in resource "azurerm_key_vault_certificate" "test":
68: resource "azurerm_key_vault_certificate" "test" {
Attempts to run a second time results in:
azurerm_key_vault_certificate.example: Creating...
Error: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="Conflict" Message="A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
on test.tf line 68, in resource "azurerm_key_vault_certificate" "test":
68: resource "azurerm_key_vault_certificate" "test" {
Steps to Reproduce
terraform apply
I can confirm this problem. The reason for this is that the Terraform resource is waiting for the certificate to have a SID, which it will only have once it gets signed by an external CA. So basically the resource is done as soon as a certificate with an 'Unknown' issuer has been created. From there on the user needs to download the certificate signing request (CSR) manually and get it signed by an external provider.
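The manual completion flow described in the comment above, as an added example that is not part of the issue or the provider's code: it assumes an authenticated Azure CLI with the `az keyvault certificate pending show` / `pending merge` commands, and the vault and certificate names are placeholders taken from the error output.

```shell
#!/bin/sh
# Complete a Key Vault certificate created with issuer "Unknown":
# export the pending CSR as PEM, get it signed by the external CA,
# then merge the signed certificate back so the cert gets its SID.
set -eu

# Key Vault returns the pending CSR as base64-encoded DER; wrap it in
# PEM armour (64-character lines) so an external CA will accept it.
csr_to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
  printf '%s' "$1" | tr -d ' \n\r' | fold -w 64
  printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Count PEM certificate blocks in a file; the merge needs at least the leaf.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the pending operation's CSR and write it to a PEM file.
# usage: export_pending_csr VAULT CERT OUT.csr
export_pending_csr() {
  csr_b64=$(az keyvault certificate pending show \
    --vault-name "$1" --name "$2" --query csr -o tsv)
  csr_to_pem "$csr_b64" > "$3"
}

# Merge the CA-signed certificate (leaf first, then chain) into the
# pending certificate, which completes it in Key Vault.
# usage: merge_signed VAULT CERT SIGNED.pem
merge_signed() {
  [ "$(count_certs "$3")" -ge 1 ] || { echo "no certificate in $3" >&2; return 1; }
  az keyvault certificate pending merge --vault-name "$1" --name "$2" --file "$3"
}

# Example session (placeholder names from the error output above):
#   export_pending_csr test000000000 generated-cert generated-cert.csr
#   ... get generated-cert.csr signed by the external CA ...
#   merge_signed test000000000 generated-cert signed-chain.pem
```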
From what I can see this was fixed in #6979, so I'm going to close this issue for the moment - but please let us know if upgrading to the latest version of the Provider doesn't work and we'll take another look.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
hashicorp locked as resolved and limited conversation to collaborators on Mar 6, 2021