Manually changing CA certificate in AWS TLS inspection prevents further Pulumi updates #4237
Comments
This looks like it may be specific to AWS. Moving to the aws repo for further triage.

@aaronnguyenwh thanks for reporting this! When you run

@corymhall Yes, I did. But

@aaronnguyenwh do you have an example of creating the certificate? I'm trying, but can't figure out how to create one that networkfirewall accepts.
@corymhall our usage is very similar to this snippet:

```typescript
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

// Private root CA in ACM PCA that issues the inspection certificate
const rootCA = new aws.acmpca.CertificateAuthority("root-ca", {
    type: "ROOT",
    certificateAuthorityConfiguration: {
        keyAlgorithm: "RSA_4096",
        signingAlgorithm: "SHA512WITHRSA",
        subject: {
            commonName: "Root CA",
        },
    },
    permanentDeletionTimeInDays: 7,
});

// Key pair and CSR for the certificate Network Firewall will present
const key = new tls.PrivateKey("key", { algorithm: "RSA" });
const csr = new tls.CertRequest("csr", {
    privateKeyPem: key.privateKeyPem,
    subject: {
        commonName: "Network Firewall",
    },
});

// Certificate issued by the private CA above
const tlsCert = new aws.acm.Certificate("tls-cert", {
    certificateAuthorityArn: rootCA.arn,
    privateKey: key.privateKeyPem,
    certificateSigningRequest: csr.certRequestPem,
});
// then you can use `tlsCert` for TLS inspection configuration
```

More insights on some of the restrictions TLS inspection has: CA certificate - Outbound SSL/TLS inspection
Unfortunately I'm unable to get anything working. I get an error from networkfirewall. It would help to have a self-contained example that we can deploy to reproduce, otherwise I can try to get something working as time permits.
@corymhall can you try doing this manually with

```shell
openssl genpkey -algorithm RSA -out rootCA.key -pass pass:password -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -passin pass:password -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=RootCA"
openssl genpkey -algorithm RSA -out subordinateCA-1.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key subordinateCA-1.key -out subordinateCA-1.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=SubordinateCA"
openssl x509 -req -in subordinateCA-1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subordinateCA-1.crt -days 3650 -sha256 -extfile subordinateCA.cnf -extensions v3_ca -passin pass:password
cat rootCA.crt subordinateCA-1.crt > subordinateCAChain-1.pem
openssl genpkey -algorithm RSA -out subordinateCA-2.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key subordinateCA-2.key -out subordinateCA-2.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=SubordinateCA"
openssl x509 -req -in subordinateCA-2.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out subordinateCA-2.crt -days 3650 -sha256 -extfile subordinateCA.cnf -extensions v3_ca -passin pass:password
cat rootCA.crt subordinateCA-2.crt > subordinateCAChain-2.pem
```
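The commands above reference a `subordinateCA.cnf` that the thread never shows, and they produce no check that the result is actually a signing CA. The script below is an added example (not posted by anyone in this thread and not Pulumi or AWS code): it runs the same root-then-subordinate steps as a POSIX shell function, supplies a minimal `subordinateCA.cnf` whose contents are an assumption, and then verifies the output with `openssl verify` plus a look at `basicConstraints` and `keyUsage`. The function names (`make_ca_chain`, `verify_chain`, `is_ca_cert`, `sign_without_extensions`) and the `BITS`/`SUBJ_BASE` variables are this example's own. A subordinate signed without the extension file is shown alongside, because that is the usual way to end up with a certificate that chains correctly but cannot sign anything.

```shell
#!/bin/sh
# Added example, not from the issue thread: reproduces the root -> subordinate CA
# steps posted above and then checks the result. The subordinateCA.cnf contents
# are an assumption (the thread references the file but does not show it).
set -eu

BITS="${BITS:-4096}"   # key size used in the thread's commands
SUBJ_BASE="/C=US/ST=State/L=City/O=Organization/OU=OrgUnit"

make_ca_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal v3_ca section (assumed). Without CA:TRUE and keyCertSign the
    # subordinate is an end-entity certificate and cannot sign the per-connection
    # certificates an inspection proxy mints.
    cat > "$dir/subordinateCA.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$BITS" -out "$dir/rootCA.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -sha256 -days 3650 \
        -subj "$SUBJ_BASE/CN=RootCA" -out "$dir/rootCA.crt"
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$BITS" -out "$dir/subordinateCA-1.key" 2>/dev/null
    openssl req -new -key "$dir/subordinateCA-1.key" \
        -subj "$SUBJ_BASE/CN=SubordinateCA" -out "$dir/subordinateCA-1.csr"
    openssl x509 -req -in "$dir/subordinateCA-1.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 3650 -sha256 -extfile "$dir/subordinateCA.cnf" -extensions v3_ca \
        -out "$dir/subordinateCA-1.crt" 2>/dev/null
    # Same order as the thread: root first, then the subordinate
    cat "$dir/rootCA.crt" "$dir/subordinateCA-1.crt" > "$dir/subordinateCAChain-1.pem"
}

# Sign the same CSR without the extension file: the result if -extfile is forgotten.
sign_without_extensions() {
    dir="$1"
    openssl x509 -req -in "$dir/subordinateCA-1.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 3650 -sha256 -out "$dir/no-ext.crt" 2>/dev/null
}

# Returns 0 only if the certificate is marked as a CA and allowed to sign certificates.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# Returns 0 if the subordinate chains to the root, is a real CA, and the chain
# file carries both certificates.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/subordinateCA-1.crt" >/dev/null 2>&1 || return 1
    is_ca_cert "$dir/subordinateCA-1.crt" || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/subordinateCAChain-1.pem")" -eq 2 ] || return 1
}

# Stand-alone run: `sh thisfile.sh run` builds a chain in a temp dir and reports.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_ca_chain "$work"
    verify_chain "$work" && echo "chain OK in $work"
fi
```

The `verify_chain` check is the one worth keeping around whichever CA you hand to the inspection configuration: a chain that passes `openssl verify` but whose subordinate lacks `CA:TRUE` or `keyCertSign` looks fine to a casual `openssl x509 -text` glance and is rejected the moment something tries to use it as an issuer.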
It seems like the update token isn't being updated. When you do a refresh after manually changing the TLS certificate in the console, the update token does not change when looking at the stack export for that TLS inspection resource.
What happened?
When manually modifying the "CA certificate for outbound SSL/TLS inspection" in AWS TLS inspection configurations, Pulumi won't be able to make further changes to the `CertificateAuthorityArn`.

Example

Steps:
1. Set `certificateAuthorityArn` to `certArn1` via Pulumi
2. Manually change the CA certificate in the AWS console to `certArn2`
3. Set `certificateAuthorityArn` to `certArn1` via Pulumi

Expected Behavior: The CA ARN is changed to `certArn1` in both Pulumi and the AWS Console

Actual Behavior: Pulumi returns error

Workaround: The only known solution is to remove the resource entirely and provision it again
Output of `pulumi about`