"Resource" to sign aws_acmpca_certificate_authority with #5552
## Description

Currently, the `aws_acmpca_certificate_authority` resource exists (thanks @bflad) but it leaves the CA in an unusable state, pending a signature from a parent CA of some sort. Right now we have to go inject that signed certificate ourselves and then the ACM PCA is usable. Having a terraform "virtual resource" for this process would streamline this process because then we can just rerun terraform. Furthermore, for testing, we could also use terraform's nice TLS module to sign the ACMPCA CSR automatically as part of the workflow, and then proceed for example to generate certificates with something like @TFaga's #5550.

## New or Affected Resource(s)

`aws_acmpca_certificate_authority_signature` (I don't know what to call it, really)

## Potential Terraform Configuration

## Comments

For what it's worth, the ACMPCA SDK refers to this as the "Certificate Authority Certificate" so we would likely prefer to match the upstream naming. Looking at the SDK call, it seems we will need to support three arguments:

```hcl
resource "aws_acmpca_certificate_authority_certificate" "example" {
  certificate_authority_arn = "${aws_acmpca_certificate_authority.example.arn}"
  certificate               = ""
  certificate_chain         = ""
}
```

---

Yeah, I was telling myself that's what the actual issued certificate resources were gonna be called but I guess those would more likely be

One potential weirdness is the deletion behavior of this resource, because I don't think ACM PCA lets you "decertify" a PCA, so resource deletion would likely be a no-op.

---

How are others currently handling activating their AWS CAs with Terraform until this issue is resolved?

---

@CharlieC3 I think an option here would be to use a null resource with local-exec and running the

---

@sarkis

---

alternative workaround if you want to install a (this is the same way that the console GUI does it if you choose "install ca cert" after creating the PCA - I checked the API calls it makes with dev tools)

needless to say, I'm hopeful to see #13684 etc. get merged :)

---

Ran into this issue aws/aws-cli#5011 when trying the above approach. Went with this instead:

```sh
./activate-pca.sh
```

and then as the above example.

---

Discovering the need for this was slightly jarring given how AWS says:

When making a new root CA, I can't use Terraform?

---

This has been released in version 3.32.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

---

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
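The end-to-end workflow the description asks for (create a root CA, sign its own CSR, import the result so the CA leaves the pending state), written against the three-argument resource proposed in the comments and shipped in 3.32.0; this is an added example, not configuration from the issue or from the provider's documentation. It assumes the provider's `aws_acmpca_certificate` resource, the `certificate_authority_configuration` block and `permanent_deletion_time_in_days` argument of `aws_acmpca_certificate_authority`, the `aws_partition` data source, and AWS's published `RootCACertificate/V1` template ARN; the subject and validity values are constructed samples.

```hcl
# Added example (not from the issue). Self-signs a ROOT CA so it becomes
# usable without a manual import step outside Terraform.
data "aws_partition" "current" {}

resource "aws_acmpca_certificate_authority" "root" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"

    subject {
      common_name = "example.com" # constructed sample value
    }
  }

  # Assumed argument: how long ACM PCA keeps a deleted CA restorable.
  permanent_deletion_time_in_days = 7
}

# Assumed resource (the one #5550 asked for): the CA issues a certificate
# for the CSR it generated itself, using the root CA template.
resource "aws_acmpca_certificate" "root" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.root.arn
  certificate_signing_request = aws_acmpca_certificate_authority.root.certificate_signing_request
  signing_algorithm           = "SHA512WITHRSA"

  template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"

  validity {
    type  = "YEARS"
    value = 10 # constructed sample value
  }
}

# The resource shipped in 3.32.0, with the three arguments proposed in the
# thread. Importing the certificate is what activates the CA; as the thread
# notes, destroying this resource cannot "decertify" the CA again.
resource "aws_acmpca_certificate_authority_certificate" "root" {
  certificate_authority_arn = aws_acmpca_certificate_authority.root.arn
  certificate               = aws_acmpca_certificate.root.certificate
  certificate_chain         = aws_acmpca_certificate.root.certificate_chain
}
```

For a subordinate CA the same shape applies, with `aws_acmpca_certificate.root` replaced by whatever signs the CSR (a parent ACM PCA, or the TLS provider's locally signed certificate for test setups as the description suggests).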