terraform-provider-postgresql
Injecting RDS cert bundle for `sslrootcert` argument of provider
Howdy!
Thanks for this provider! I'm using Aurora Postgresql 12.4 and would like to inject the RDS cert bundle (from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem) that I have stored in Secrets Manager as plain text. I am using the Terraform data lookups for aws_secretsmanager_secret and aws_secretsmanager_secret_version to look up the secret and get its value, respectively. My secret lookup and provider config look like:
```hcl
data "aws_secretsmanager_secret" "rds_cert_bundle" {
  name = "/rds/cert/bundle"
}

data "aws_secretsmanager_secret_version" "rds_cert_bundle_version" {
  secret_id = data.aws_secretsmanager_secret.rds_cert_bundle.id
}

provider "postgresql" {
  host             = var.metadb_cluster_endpoint
  port             = var.metadb_port
  database         = "postgres"
  username         = var.metadb_user
  password         = var.metadb_password
  superuser        = false
  sslmode          = "verify-full"
  sslrootcert      = data.aws_secretsmanager_secret_version.rds_cert_bundle_version.secret_string
  connect_timeout  = 15
  expected_version = "12.4"
}
```
When I run a plan, I receive the error:
Error: missing "=" after "MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT" in connection info string"
The newlines separating the cert contents are causing problems as I do not get this issue if I specify a local path pointing to the downloaded cert bundle. Is it even possible to inject the cert bundle via a secret?
Terraform Version
Terraform 0.14.8
Affected Resource(s)
provider "postgresql"
Terraform Configuration Files
See code above
Debug Output
See code above
Panic Output
n/a
Expected Behavior
Not sure. Would like to find out if I can inject a cert bundle from a Secrets Manager lookup.
Actual Behavior
Error: missing "=" after "MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT" in connection info string"
Steps to Reproduce
The error above occurs when I perform a terraform plan
References
https://github.com/cyrilgdn/terraform-provider-postgresql/issues/8
AFAIK, sslrootcert is the path to the CA file, not the CA PEM itself.
> AFAIK, sslrootcert is the path to the CA file, not the CA PEM itself.
Hi @lawliet89 , yes, sslrootcert is the path to the CA file. I was curious if another avenue existed to inject the PEM. It's not really an issue as we plan to apply the terraform via CICD and can easily bake the PEM into our image or download it as part of a pre-requisite step in the pipeline. Will close this issue out.
Please reopen this issue. It's possible to work around this, but it's very useful to fill sslrootcert from the output of a different resource without creating a file. There is no option to do it in a plain terraform.
reopened, per your request @SovakPaleny :smiley:
Agreed that it's nice to be able to provide it via a PEM string. I think a workaround you can try now is to use a local_file, but not sure if that will work with provider configuration.
Hi,
Thanks for opening this issue and sorry for the response delay.
The libpq library requires a path to the certificate. I'll check if the provider could store the PEM in a temporary file, but I need to check if there's an easy way to clean it up at the end, and I also prefer to ask Terraform's developers whether it's recommended or not.
> There is no option to do it in a plain terraform.

> I think a workaround you can try now is to use a local_file, but not sure if that will work with provider configuration.
Meanwhile you can indeed create a local_file to store the cert; it'll work in plain Terraform.
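As an added sketch (not the provider's own code) of the temp-file approach discussed above: the PEM string read from the secret is first checked to contain at least one parseable certificate, then written to a private (0600) temp file, and the file's path, which is what libpq's sslrootcert accepts, is returned together with a cleanup function. SelfSignedCAPEM is a constructed stand-in for the RDS bundle so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"time"
)

// WriteRootCertFile validates the PEM bundle, writes it to a private (0600) temp file and returns the path libpq's sslrootcert needs plus a cleanup func.
func WriteRootCertFile(bundle string) (string, func(), error) {
	if CountCerts([]byte(bundle)) == 0 {
		return "", nil, errors.New("sslrootcert: bundle has no parseable CERTIFICATE block")
	}
	f, err := os.CreateTemp("", "pg-sslrootcert-*.pem") // created with mode 0600
	if err != nil {
		return "", nil, err
	}
	f.Close() // we only needed a private, uniquely named path
	cleanup := func() { os.Remove(f.Name()) }
	if err := os.WriteFile(f.Name(), []byte(bundle), 0600); err != nil {
		cleanup()
		return "", nil, err
	}
	return f.Name(), cleanup, nil
}

// CountCerts counts the PEM CERTIFICATE blocks in data that parse as X.509 certificates.
func CountCerts(data []byte) int {
	n := 0
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
			n++
		}
	}
	return n
}

// SelfSignedCAPEM is a constructed stand-in for the RDS bundle so the example runs offline.
func SelfSignedCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

The caller would pass the returned path as sslrootcert and call cleanup once the connection is established, so a changed bundle is always written fresh rather than read stale from disk.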
Hi @cyrilgdn, thank you for the information.
local_file does not work, sorry. In case of a CA change, you are not able to execute the plan because the plan preparation for PostgreSQL resources will use the current file on disk (if it exists at that time), which is stale, so the plan will fail. Of course, you can execute terraform apply -target ... on the local_file resource before each execution of the plan, but it's not a good workaround at all. I may be missing something, but I do not see any other terraform-native solution besides creating a file on the disk by the provider. The bad solution is to create this file on each libpq execution, but it is still way better than local_file.
Thank you very much for your effort to find a working solution.