hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Resource azurerm_key_vault_certificate does not support key_usage='critical' which is required by azurerm_firewall_policy #16625

Open fuyong2022 opened 2 years ago

fuyong2022 commented 2 years ago

Terraform Version

1.1.8

AzureRM Provider Version

3.4.0

Affected Resource(s)/Data Source(s)

azurerm_key_vault_certificate

Terraform Configuration Files

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resourcegroup"
  location = "australiaeast"
}

resource "azurerm_key_vault" "example" {
  name                        = "example-keyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    certificate_permissions = [
      "Get",
      "Create",
      "Delete",
      "Import",
      "List",
      "Update"
    ]

    key_permissions = [
      "Get",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "generated-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]

      key_usage = [
        "critical",
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      subject            = "CN=firewall-policy"
      validity_in_months = 12
    }
  }
}

Debug Output/Panic Output

NA

Expected Behaviour

It should add "critical" to the key_usage extended property value list

Actual Behaviour

│ Error: expected certificate_policy.0.x509_certificate_properties.0.key_usage.1 to be one of [cRLSign dataEncipherment decipherOnly digitalSignature encipherOnly keyAgreement keyCertSign keyEncipherment nonRepudiation], got critical

Steps to Reproduce

terraform init
terraform validate

Important Factoids

key_usage property "critical" is required by azurerm_firewall_policy

References

https://docs.microsoft.com/en-us/azure/firewall/premium-certificates

fuyong2022 commented 2 years ago

As the reference points out, keyUsage needs to have "critical" defined.

[ rootCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ interCA_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
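The detail behind the validation error, as an added example that is not part of this issue or of the provider's code: in the OpenSSL config quoted above, the leading "critical" in `keyUsage = critical, ...` is the X.509 extension's criticality flag (RFC 5280 section 4.2.1.3), not a usage value like digitalSignature, which is why the provider's enumeration of usage values rejects it. The Go program below (standard library only; the names Inspect, CheckIntermediateCAProfile and NewTestCA are this example's own, and the certificate it generates is a constructed test certificate, not an Azure Firewall one) reads the criticality flag and the usage bits separately and checks a DER certificate against the [interCA_ext] profile from the thread, reporting each deviation so a rejected certificate can be diagnosed before it is imported into Key Vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs of the keyUsage and basicConstraints extensions (RFC 5280 4.2.1.3 and 4.2.1.9).
var (
	oidKeyUsage         = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

// usageNames maps Go's KeyUsage bits to the names OpenSSL and Key Vault use in the thread.
var usageNames = map[x509.KeyUsage]string{
	x509.KeyUsageDigitalSignature: "digitalSignature", x509.KeyUsageContentCommitment: "nonRepudiation",
	x509.KeyUsageKeyEncipherment: "keyEncipherment", x509.KeyUsageDataEncipherment: "dataEncipherment",
	x509.KeyUsageKeyAgreement: "keyAgreement", x509.KeyUsageCertSign: "keyCertSign",
	x509.KeyUsageCRLSign: "cRLSign", x509.KeyUsageEncipherOnly: "encipherOnly",
	x509.KeyUsageDecipherOnly: "decipherOnly",
}

// Report keeps the extension's criticality flag apart from the usage bits it carries:
// "critical" is the former, not one of the latter, so it is not a valid key_usage entry.
type Report struct {
	KeyUsagePresent, KeyUsageCritical, BasicConstraintsCritical bool
	Usages                                                     []string
}

// Inspect parses a DER certificate and extracts the fields the profile check needs.
func Inspect(der []byte) (*x509.Certificate, Report, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, Report{}, err
	}
	var r Report
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidKeyUsage):
			r.KeyUsagePresent, r.KeyUsageCritical = true, ext.Critical
		case ext.Id.Equal(oidBasicConstraints):
			r.BasicConstraintsCritical = ext.Critical
		}
	}
	// Walk the bits in order so the usage list is deterministic.
	for bit := x509.KeyUsageDigitalSignature; bit <= x509.KeyUsageDecipherOnly; bit <<= 1 {
		if cert.KeyUsage&bit != 0 {
			r.Usages = append(r.Usages, usageNames[bit])
		}
	}
	return cert, r, nil
}

// CheckIntermediateCAProfile compares a DER certificate with the [interCA_ext] profile quoted
// above: keyUsage critical with digitalSignature, cRLSign, keyCertSign; basicConstraints
// critical with CA:true. It returns every deviation found (nil when the profile is met).
func CheckIntermediateCAProfile(der []byte) ([]string, error) {
	cert, r, err := Inspect(der)
	if err != nil {
		return nil, err
	}
	var problems []string
	switch {
	case !r.KeyUsagePresent:
		problems = append(problems, "keyUsage extension is missing")
	case !r.KeyUsageCritical:
		problems = append(problems, "keyUsage extension is not marked critical")
	}
	required := x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign | x509.KeyUsageCertSign
	if cert.KeyUsage&required != required {
		problems = append(problems, "keyUsage lacks digitalSignature, cRLSign or keyCertSign")
	}
	switch {
	case !cert.BasicConstraintsValid || !cert.IsCA:
		problems = append(problems, "basicConstraints does not assert CA:true")
	case !r.BasicConstraintsCritical:
		problems = append(problems, "basicConstraints extension is not marked critical")
	}
	return problems, nil
}

// NewTestCA builds a constructed, self-signed CA certificate for this demo (not a real
// Azure Firewall certificate). Go's x509.CreateCertificate always emits keyUsage as critical,
// so the failing variant supplies a non-critical keyUsage extension by hand via ExtraExtensions.
func NewTestCA(criticalKeyUsage bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-intermediate-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1,
	}
	if criticalKeyUsage {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign | x509.KeyUsageCertSign
	} else {
		// DER bit string: bit 0 digitalSignature (0x80), bit 5 keyCertSign (0x04),
		// bit 6 cRLSign (0x02); seven significant bits, one padding bit.
		val, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0x86}, BitLength: 7})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidKeyUsage, Critical: false, Value: val}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, critical := range []bool{true, false} {
		der, err := NewTestCA(critical)
		if err != nil {
			panic(err)
		}
		_, r, _ := Inspect(der)
		problems, _ := CheckIntermediateCAProfile(der)
		fmt.Printf("keyUsage critical=%v usages=%v problems=%v\n", r.KeyUsageCritical, r.Usages, problems)
	}
}
```

To check a certificate you intend to import, pass its DER bytes to CheckIntermediateCAProfile instead of the NewTestCA output (decode PEM input with encoding/pem first). In the Key Vault policy the usage bits are what the key_usage list controls; the criticality flag is set by whatever issues the certificate, which is the point the thread's OpenSSL config makes.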

gmspinheiro commented 7 months ago

Still no progress on this?