New Data Source: azurerm_key_vault_certificate_data #8184

Merged: 8 commits, Feb 11, 2021

Contributor

@KSiig KSiig commented Aug 20, 2020

Currently it is only possible to get the raw certificate in hex format. This allows users to get the certificate in PEM format, and get the key. This gives the possibility of creating a Service Principal certificate with a Key Vault Certificate.

Fixes #8072

Member

@jackofallops jackofallops left a comment

Hi @KSiig

Thanks for this PR. I'm afraid the changes here would represent a breaking change to this Data Source as the use of GetSecret requires additional KeyVault access policy settings that are not guaranteed to be present for users of the data source. To support this functionality, this would need to be a new Data Source that can be used independently by users that need these additional property items.

@KSiig
Contributor Author

KSiig commented Aug 26, 2020

Hi @jackofallops

Of course, didn't cross my mind. Would it make sense to create a data source called azurerm_key_vault_certificate_data? Keeping it consistent with the name already present in the existing resource, but also keeping it open enough to add more properties than just the PEM format and the private key in the future.

@drwoods

drwoods commented Dec 4, 2020

@KSiig Can you update the PR to resolve the merge conflicts?
We're needing this solution too to support a use case of using KeyVault to store Digi Certs that can be retrieved by Terraform when creating an ingress-nginx in AKS.

@CaptainStealthy

@KSiig At the risk of this sounding like a "me too", is there any further progress on this PR? I finally stumbled upon this PR and #8072 after hours of Googling.

I've been wondering since yesterday why the azuread provider won't accept my Key Vault certificate. I am going to see if I can find a workaround, but it would be really nice if this issue could be resolved soon. 😞

cc @tombuildsstuff

@KSiig
Contributor Author

KSiig commented Jan 20, 2021

Sorry everyone for the delay. I've had to deal with a lot of stuff these past many months. I will try and create the new azurerm_key_vault_certificate_data data source, and hopefully push changes to this PR within the next few days.

@CaptainStealthy

No problem at all, things happen. Thanks!

@hazzik
Contributor

hazzik commented Jan 22, 2021

Really you should use azurerm_key_vault_secret instead of certificate.

@jackofallops changed the title from "Added support for getting PEM and Key from key vault cert" to "New Data Source: azurerm_key_vault_certificate_data" Feb 11, 2021
@jackofallops
Member

Hi @KSiig - Apologies it's taken so long to get back to this, I hope you don't mind I pushed some changes rather than reviewing and requesting them after all this time. I'll get the tests run and we'll hopefully get this into today's release if everything passes.

@ghost ghost added size/XL and removed size/L labels Feb 11, 2021
@jackofallops
Member

Test passing:
image

Collaborator

@katbyte katbyte left a comment

LGTM 👍

@jackofallops jackofallops merged commit 68e4eff into hashicorp:master Feb 11, 2021
jackofallops added a commit that referenced this pull request Feb 11, 2021
@ghost

ghost commented Feb 11, 2021

This has been released in version 2.47.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.47.0"
}
# ... other configuration ...
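
Added example, not part of the PR or the provider's own code: the review point above (the new data source reads the certificate's backing secret, so the caller needs secret `get` in addition to certificate `get`) expressed as a least-privilege access policy next to the data source. The vault, resource group, certificate name, variable and resource labels are placeholders chosen for illustration.

```hcl
# Added example. All names below are placeholders (assumptions), not values from the PR.
variable "reader_object_id" {
  type        = string
  description = "Object ID of the identity Terraform runs as (assumed input)"
}

data "azurerm_client_config" "current" {}

data "azurerm_key_vault" "example" {
  name                = "example-vault" # placeholder
  resource_group_name = "example-rg"    # placeholder
}

# azurerm_key_vault_certificate only needs certificate "get".
# azurerm_key_vault_certificate_data also fetches the backing secret to obtain
# the private key, so secret "get" must be granted as well. Nothing broader
# (list, set, delete) is needed for a read.
# Permission values use the lowercase form accepted by the 2.x provider series.
resource "azurerm_key_vault_access_policy" "terraform_reader" {
  key_vault_id = data.azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.reader_object_id

  certificate_permissions = ["get"]
  secret_permissions      = ["get"]
}

data "azurerm_key_vault_certificate_data" "example" {
  name         = "example-cert" # placeholder
  key_vault_id = data.azurerm_key_vault.example.id

  # Read only after the policy exists, otherwise the secret lookup is denied.
  depends_on = [azurerm_key_vault_access_policy.terraform_reader]
}

output "certificate_pem" {
  value = data.azurerm_key_vault_certificate_data.example.pem
}

# The private key is written to Terraform state in plain text; mark every
# output that carries it as sensitive and restrict access to the state backend.
output "certificate_key" {
  value     = data.azurerm_key_vault_certificate_data.example.key
  sensitive = true
}
```

Because the key lands in state, anyone with read access to the state backend effectively holds the same access as the secret `get` permission on this certificate.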

@KSiig KSiig deleted the f/key-vault-cert-pem-and-key branch February 12, 2021 06:37
@KSiig
Contributor Author

KSiig commented Feb 12, 2021

Hi @jackofallops, no I don't mind at all! I'm still relatively new to both Go and working on Terraform providers, so I half-expected there to be needed changes. I've looked through them and will try to remember them for another time 👍

@ghost

ghost commented Mar 14, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 14, 2021
Successfully merging this pull request may close these issues.

Support for base64 output in azurerm_key_vault_certificate