Support for csr as attribute of azurerm_key_vault_certificate

nboaldin commented 2 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Instead of having to get the csr from the portal, or outside of terraform, I would like to get it as an attribute of the generated certificate.

New or Affected Resource(s)

*azurerm_key_vault_certificate

Potential Terraform Configuration

variable "apex_domain" {
  type    = string
  default = "example.com"
}

variable "admin_emails" {
  type    = list
  default = ["admin@example.com"]
}

locals {
  apex_dashed = replace(var.apex_domain, ".", "-")
}

data "azurerm_key_vault" "key_vault" {
  #TODO interpolate these
  name                = "some-keyvault-name"
  resource_group_name = "some-resource-group"
}

resource "azurerm_key_vault_certificate" "generated_cert" {
  name         = local.apex_dashed
  key_vault_id = data.azurerm_key_vault.key_vault.id

  certificate_policy {
    issuer_parameters {
      name = "Unknown"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "EmailContacts"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pem-file"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject_alternative_names {
        dns_names = ["${var.apex_domain}", "*.${var.apex_domain}"]
        emails    = var.admin_emails
      }

      subject            = "CN=${var.apex_domain}"
      validity_in_months = 12
    }
  }
}

resource "cloudflare_origin_ca_certificate" "origin_ca" {
  #This is where I would like the csr
  csr                = azurerm_key_vault_certificate.generated_cert.csr
  hostnames          = ["${var.apex_domain}", "*.${var.apex_domain}"]
  request_type       = "origin-rsa"
  requested_validity = 7
}

output "generated_cert" {
  value = azurerm_key_vault_certificate.generated_cert
}

References

0000

nboaldin commented 2 years ago

It looks like Certificate Operation and Attributes are different structs and returned in different ways depending on the API call. The go sdk returns a Certificate Operation which contains the csr when a cert is generated. https://github.com/Azure/azure-sdk-for-go/blob/8974960430e84d7c5b528266b6d2099a50161c46/sdk/keyvault/azcertificates/models.go#L235

nboaldin commented 2 years ago

Maybe a whole new resource like azurerm_key_vault_pending_certificate would work. I am currently using the az cli with external data to get the csr:az keyvault certificate pending show then local-exec - ing to merge the signed cert: az keyvault certificate pending merge.

Taha-cmd commented 6 months ago

Any update on this issue?

thomas-parrish-axi commented 6 months ago

This would be very cool.

hashicorp / terraform-provider-azurerm