PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License

Feature Request: Import ssl certificates #252

Closed ablotim closed 2 years ago

ablotim commented 3 years ago

Is your feature request related to a problem?

We already use terraform to create our acme/letsencrypt certificates and distribute them to k8s. It would be nice to be able to push to our Palo Alto system in the same way, eg. for globalprotect. In the Palo Alto config it should create an entry under "shared certificate".

Describe the solution you'd like

Ideally it should be equally simple as other systems that use the same certificates, eg.

resource "acme_certificate" "certificate" {
  account_key_pem = ...
  common_name     = "mycert.example.com"
  dns_challenge { ... }
}

resource "kubernetes_secret" "secret" {
  metadata {
    name      = "mycert.example.com"
  }
  data = {
    "ca.crt"  = acme_certificate.certificate.issuer_pem
    "tls.crt" = acme_certificate.certificate.certificate_pem
    "tls.key" = acme_certificate.certificate.private_key_pem
  }
}

resource "panos_tls_certificate" "cert" {
  name = "mycert"
  data = {
    "ca.crt"  = acme_certificate.certificate.issuer_pem
    "tls.crt" = acme_certificate.certificate.certificate_pem
    "tls.key" = acme_certificate.certificate.private_key_pem
  }
}

after which you can use "mycert" in other configs like globalprotect, and it will be updated automatically together with the other certificates.

Describe alternatives you've considered

acme.sh can already push to panos, which works great. However, in everyday use we found a terraform solution to be more reliable, not so much because of any issues with acme.sh, but because any issues are much more visible when terraform throws a fit whenever anyone tries to update any infrastructure.

Additional context

For internal usage it's fine to use an internal-only ca. For things like globalprotect however, a 'real' certificate is much better. It would be nice if we could manage it automatically.

kthix commented 3 years ago

+1

mammalmaster commented 3 years ago

+1

mattrobinsonsre commented 3 years ago

👍

amemni commented 2 years ago

@shinmog or anyone else could successfully use the new resource "panos_certificate_import"? I get a "Failed to extract certificate" whereas I can import certificates in the Panorama GUI using the same files and passphrase. Thanks!!

shinmog commented 2 years ago

@amemni

Open a new issue please. Commenting on closed issues reduces visibility.

shinmog commented 2 years ago

@amemni

To answer your question tho, yes, I've tested this with both PEM and PKCS12 style certificates and it's worked for me. If it's not working for you, please be sure to include your plan file for the import in your new issue removing the passphrase.

ivica3730k commented 1 year ago

It has been years but if anyone needs an example of how to use acme_certificate with kubernetes_secret through terraform... this is the example ^^^

thanks @ablotim
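The flow ablotim asked for, written against the panos_certificate_import resource that shinmog confirms works with PEM and PKCS12 (an added example, not code from the issue or from the provider's docs). The pkcs12 block argument names, the acme_certificate PKCS#12 attributes, the hostname and the acme_registration.reg reference are assumptions to check against your provider versions.

```hcl
# Added example, not from the issue or the provider's own docs.
# Feeds the same acme_certificate that already goes to k8s into PAN-OS
# via panos_certificate_import, using the PKCS12 path so that the
# private key is encrypted with a passphrase both sides agree on.
# Assumed: pkcs12 { certificate, passphrase } argument names, and that
# acme_certificate exports certificate_p12 (base64 PKCS#12) when
# certificate_p12_password is set. Verify against your provider docs.

variable "p12_password" {
  type      = string
  sensitive = true # supply via TF_VAR_p12_password or a secrets backend
}

resource "acme_certificate" "certificate" {
  # acme_registration.reg is assumed to exist elsewhere in the config
  account_key_pem          = acme_registration.reg.account_key_pem
  common_name              = "gp.example.com" # constructed hostname
  certificate_p12_password = var.p12_password

  dns_challenge {
    provider = "route53" # any DNS provider the acme provider supports
  }
}

# The name is what GlobalProtect portal/gateway configs reference, so a
# renewal only changes the certificate body, not the references to it.
resource "panos_certificate_import" "gp" {
  name = "gp-example-com"

  pkcs12 {
    certificate = acme_certificate.certificate.certificate_p12
    passphrase  = var.p12_password
  }
}

# Caveat: the private key and passphrase end up in Terraform state.
# Keep state in an encrypted, access-controlled backend, and strip the
# passphrase from any plan output attached to an issue (as shinmog asks).
```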