vancluever / terraform-provider-acme

Terraform ACME provider
https://registry.terraform.io/providers/vancluever/acme/latest
Mozilla Public License 2.0

Terraform destroy returns "The account has been deactivated" #396

Closed morangux closed 4 months ago

morangux commented 5 months ago

From time to time we are getting the following error when running `terraform destroy`: Error: acme: error: 401 :: POST :: https://acme.zerossl.com/v2/DV90/revokeCert :: urn:ietf:params:acme:error:unauthorized :: The account has been deactivated. We are working with ZeroSSL to create certificates. Here is the configuration we are using to create the certificate (backend.tf):

# Pins the ACME provider to the exact release the reported 401-on-revoke was seen with.
terraform {
  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "2.20.2"
    }
  }
}

# Looks up the hosted zone for var.base_domain; its zone_id is passed to the
# route53 DNS challenge below.
data "aws_route53_zone" "k8" {
  name = var.base_domain
}

# ACME account key. No rsa_bits is set, so the provider default key size
# applies (not visible here). The PEM is stored in Terraform state.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

# Registers the ACME account with the CA using the key above. Note: this is the
# account whose deactivation surfaces as the 401 on revokeCert during destroy.
resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = "devops@run.ai"

  # External Account Binding credentials issued by the CA. The HMAC is a
  # secret; NOTE(review): var.hmac_base64 should be declared sensitive so it is
  # redacted from plan output (it still lands in state) — confirm in variables.tf.
  external_account_binding {
    key_id      = var.key_id
    hmac_base64 = var.hmac_base64
  }
}

# Issues a certificate for the cluster API endpoint plus a wildcard SAN for the
# apps subdomain, validated via a Route53 DNS-01 challenge. On destroy the
# provider attempts to revoke this certificate; that is the call that fails with
# 401 when the account has been deactivated.
resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.reg.account_key_pem
  common_name               = "api.${var.cluster_name}.${var.base_domain}"
  subject_alternative_names = ["*.apps.${var.cluster_name}.${var.base_domain}"]

  dns_challenge {
    provider = "route53"
    # NOTE(review): long-lived AWS keys are passed in here as plain config
    # values, so they are written to Terraform state; prefer ambient
    # credentials (instance profile / assumed role) where possible, and at
    # minimum declare var.aws_access_key / var.aws_secret_key as sensitive.
    config = {
      AWS_HOSTED_ZONE_ID    = data.aws_route53_zone.k8.zone_id
      AWS_ACCESS_KEY_ID     = var.aws_access_key
      AWS_SECRET_ACCESS_KEY = var.aws_secret_key
    }
  }
}

# TLS secret consumed by the OpenShift ingress controller. tls.crt is the leaf
# certificate followed by the issuer chain; tls.key is the certificate's
# private key (generated by the acme provider, stored in state).
resource "kubernetes_secret_v1" "certificate" {
  metadata {
    name      = "certificate"
    namespace = "openshift-ingress"
  }

  data = {
    "tls.crt" = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
    "tls.key" = acme_certificate.certificate.private_key_pem
  }
  # Explicit dependency is redundant with the attribute references above but
  # kept as written.
  depends_on = [acme_certificate.certificate]
}

# CA bundle ConfigMap referenced by the cluster proxy's trustedCA. Only public
# certificate material (leaf + issuer) goes in here, so a ConfigMap rather than
# a Secret is appropriate. NOTE(review): this trusts the leaf and intermediate,
# not a root — presumably intended for the proxy's own endpoint; confirm.
resource "kubernetes_config_map_v1" "custom_ca" {
  metadata {
    name      = "custom-ca"
    namespace = "openshift-config"
  }

  data = {
    "ca-bundle.crt" = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
  }
  depends_on = [acme_certificate.certificate]
}

# Points the default ingress controller at the TLS secret created above.
# Runs kubectl locally with a kubeconfig read from the module root;
# NOTE(review): that file carries cluster credentials and must be kept out of
# version control — confirm it is ignored. Only the local-exec provisioner is
# visible here, so this resource is not re-run when the secret changes.
resource "null_resource" "patch_ingress" {
  provisioner "local-exec" {
    command = <<EOF
kubectl --kubeconfig ${path.root}/kube_config.yaml patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"defaultCertificate":{"name":"certificate"}}}'
EOF
  }
  depends_on = [kubernetes_secret_v1.certificate]
}

# Points the cluster-wide proxy's trustedCA at the custom-ca ConfigMap.
# Ordered after patch_ingress so the two kubectl patches do not run
# concurrently. Uses the same local kubeconfig as patch_ingress.
resource "null_resource" "patch_proxy" {
  provisioner "local-exec" {
    command = <<EOF
kubectl --kubeconfig ${path.root}/kube_config.yaml patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"custom-ca"}}}'
EOF
  }
  depends_on = [kubernetes_config_map_v1.custom_ca, null_resource.patch_ingress]
}

# Fixed 10-minute pause after the ingress patch, presumably to let the
# ingress operator roll out the new certificate; nothing here verifies that
# the rollout actually completed.
resource "time_sleep" "wait" {
  depends_on      = [null_resource.patch_ingress]
  create_duration = "600s"
}

vancluever commented 5 months ago

Thanks @morangux, I think it might be okay to add 401 to the codes here. I'll add this on the next major maintenance sweep (which should be soon actually)!

Cheers!