xaviermignot / terraform-certificates

A repository showing how to generate certificates using Terraform
MIT License

Sample for KeyVault #1

Open Kralizek opened 4 months ago

Kralizek commented 4 months ago

Would it be possible to have a sample where the certificate is imported into KeyVault?

Right now I'm getting the certificate added every time I run terraform apply.

xaviermignot commented 4 months ago

Interesting, I'm trying to see how I can combine the use of Key Vault, Let's Encrypt and Terraform.
I'll keep you posted if I manage to get something working 🤞

xaviermignot commented 4 months ago

Well, I have a first step working on this branch.
It's a first step as the certificate is self-signed and generated by Azure Key Vault, not imported. My initial goal was to make Azure Key Vault work with Let's Encrypt to generate a valid certificate, but it's quite tricky to do using Terraform for now as the provider can't retrieve CSRs natively and fails to create the "pending" certificate.
Another option could be to still use the acme provider to fully generate the certificate with Let's Encrypt, and then import it into the Key Vault. My only remaining issue with that is the private key required for registration: I would like to store it in the vault instead of the state and still need to figure out how to do that properly.

Kralizek commented 4 months ago

Do you also have the problem of KV wanting to create a new certificate at every apply?

Kralizek commented 4 months ago

I've created a repro of my setup: https://github.com/Kralizek/AzureKeyVaultLetsEncrypt

Funny enough, I don't get the issue with the KV certificate being created on each apply. 😔

xaviermignot commented 4 months ago

Do you also have the problem of KV wanting to create a new certificate at every apply?

Not really, at least not from what I remember. It depends on the provider: for the acme provider the certificate is renewed during an apply if the certificate is close to expiration. So as long as you're applying your configuration regularly, the certificate will be renewed, but not on each apply.

Actually I was asked a question in the comments of my blog post, and replied with a link to this paragraph in the acme provider docs.

Kralizek commented 4 months ago

I'm having the issue when running apply back to back.

xaviermignot commented 4 months ago

I've created a repro of my setup: https://github.com/Kralizek/AzureKeyVaultLetsEncrypt

Funny enough, I don't get the issue with the KV certificate being created on each apply. 😔

Nice, the KeyVault.Acmebot repo is a good find! From what I see it spins up Durable Azure Functions to handle certificate renewal in a Key Vault (that you could bring or let the provider create for you). It could be done by the Key Vault itself if the certificate is generated by the vault and not imported into it; that's what I tried to achieve with the CSR but it's tricky with Terraform (it can be done using Azure CLI, see this blog post).

Also I see you are using a fork of the acme Terraform provider I'm using, but it still uses the same attribute (min_days_remaining) so renewal should be handled in the same way.
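A minimal configuration for the approach discussed above (generate the certificate with the acme provider, renew it via min_days_remaining, then import it into Key Vault), as an added example that is not part of this thread or of the repository; the provider sources, the Let's Encrypt staging URL, the example.com names, the key_vault_id variable and the azure DNS challenge are assumptions:

```hcl
terraform {
  required_providers {
    acme    = { source = "vancluever/acme" }
    azurerm = { source = "hashicorp/azurerm" }
    tls     = { source = "hashicorp/tls" }
  }
}

# Staging directory assumed here to avoid hitting production rate limits while testing
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

variable "key_vault_id" {
  description = "ID of the target Key Vault (assumed to exist already)"
  type        = string
}

# Account key for the ACME registration. Note: it ends up in the Terraform state,
# which is the concern raised above, so the state backend must be protected.
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "this" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = "admin@example.com" # placeholder
}

resource "acme_certificate" "this" {
  account_key_pem    = acme_registration.this.account_key_pem
  common_name        = "www.example.com" # placeholder
  min_days_remaining = 30                # renewed only when this close to expiry, not on every apply

  dns_challenge {
    provider = "azure" # reads the AZURE_* environment variables for the DNS zone
  }
}

# Import the issued certificate (PFX bundle) into Key Vault; the resource is only
# replaced when acme_certificate actually renews, so back-to-back applies are no-ops.
resource "azurerm_key_vault_certificate" "imported" {
  name         = "www-example-com"
  key_vault_id = var.key_vault_id

  certificate {
    contents = acme_certificate.this.certificate_p12
    password = acme_certificate.this.certificate_p12_password
  }
}
```

Running terraform apply twice in a row should show no changes on the second run; a diff on azurerm_key_vault_certificate on every apply points at something upstream of the import (credentials, subscription, or provider fork) rather than at renewal.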

Kralizek commented 4 months ago

I realized I was using a fork when collecting the links to add in the readme. I'll try switching to the parent provider and see if the issue is solved in my concrete application.

Anyway it's interesting that the apply problem doesn't manifest in this repro.

xaviermignot commented 4 months ago

I have just run a bunch of applies back to back and Terraform makes no change, and the thumbprint in the App Service certificate doesn't change, so I can confirm I don't encounter this issue :-/

Kralizek commented 4 months ago

Thanks :)

Kralizek commented 4 months ago

I eventually found out where the double apply problem was coming from and fixed it by having the KV in the same subscription as where the certificate is used.