hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: aws_acm_certificate should guide how to import certificates including transparency logging #35093

Open florian-besser opened 8 months ago

florian-besser commented 8 months ago

Description

Enhance aws_acm_certificate to showcase how a certificate can be imported so that certificate_transparency_logging_preference is ENABLED

Affected Resource(s) and/or Data Source(s)

Potential Terraform Configuration

resource "tls_private_key" "ca-private-key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "ca" {
  private_key_pem = tls_private_key.ca-private-key.private_key_pem

  subject {
    common_name = "My own CA"
  }

  validity_period_hours = 24 * 365 * 5
  early_renewal_hours   = 24 * 30

  allowed_uses = ["cert_signing", "crl_signing", "timestamping"]

  is_ca_certificate = true
}

resource "tls_private_key" "server-private-key" {
  algorithm = "RSA"
}

resource "tls_cert_request" "server" {
  private_key_pem = tls_private_key.server-private-key.private_key_pem
  subject {
    common_name = "server"
  }
  dns_names = ["server"]
}

resource "tls_locally_signed_cert" "server" {
  cert_request_pem   = tls_cert_request.server.cert_request_pem
  ca_private_key_pem = tls_private_key.ca-private-key.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem

  validity_period_hours = 24 * 365
  early_renewal_hours   = 24 * 30

  allowed_uses       = ["key_encipherment", "digital_signature", "server_auth"]
  set_subject_key_id = true
}

resource "aws_acm_certificate" "vpn-server" {
  certificate_chain = tls_self_signed_cert.ca.cert_pem
  private_key       = tls_private_key.server-private-key.private_key_pem
  certificate_body  = tls_locally_signed_cert.server.cert_pem
  options {
    # Throws error: "options.0.certificate_transparency_logging_preference": conflicts with private_key
    certificate_transparency_logging_preference = "ENABLED"
  }
}

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate

Would you like to implement a fix?

None


justinretzolk commented 7 months ago

Hey @florian-besser 👋 Thank you for taking the time to raise this! Looking at the schema, some things jump out at me.

First, the default value is ENABLED, so you can safely omit this argument, and it will default to your desired setting. The validation currently throws an error if both certificate_transparency_logging_preference and private_key are set. I assume this was in response to this AWS document, and is attempting to force users to leave certificate_transparency_logging_preference enabled if a private_key is set. I think this could be handled a bit more elegantly (and with a more descriptive output), so I'd like to leave this open as an enhancement request.
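The maintainer's reply points to the workaround: when private_key is set, leave the options block out. As an added example that is not part of the issue or the provider's own documentation, here is the issue's import resource without the conflicting block, next to an ACM-issued certificate where the options block is accepted (the domain name and resource names are placeholders):

```hcl
# Added example, not from the issue or the provider docs.
# Imported certificate: private_key is set, so the options block that made
# `terraform plan` fail in the issue is omitted. Per the maintainer's comment,
# certificate_transparency_logging_preference defaults to ENABLED.
resource "aws_acm_certificate" "vpn-server" {
  certificate_chain = tls_self_signed_cert.ca.cert_pem
  private_key       = tls_private_key.server-private-key.private_key_pem
  certificate_body  = tls_locally_signed_cert.server.cert_pem

  # Rotate without a gap: the replacement is created before the old
  # certificate is destroyed.
  lifecycle {
    create_before_destroy = true
  }
}

# ACM-issued certificate: there is no private_key, so the options block is
# accepted and the transparency-logging preference can be set explicitly.
resource "aws_acm_certificate" "issued" {
  domain_name       = "vpn.example.com" # placeholder
  validation_method = "DNS"

  options {
    certificate_transparency_logging_preference = "ENABLED"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```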