
Support for importing a certificate with output from data.azurerm_key_vault_certificate_data

Open chrismilson opened this issue 4 months ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

I create a certificate in one key vault and need to duplicate the certificate into a key vault in another subscription.

Currently there is support to import certificates with the azurerm_key_vault_certificate resource, but it expects the certificate and key to be bundled in a specific format. I would like to have the expected format for import available on the outputs of the certificate_data source.

One way may be to expose a field on the certificate data that is capable of being used as-is in the certificate.contents field on the certificate resource.

Another option may be to expose a field on the certificate data for a pkcs8 encoded key data instead of the pem encoded data that the existing .key field exposes.

New or Affected Resource(s)/Data Source(s)

  • azurerm_key_vault_certificate
  • data.azurerm_key_vault_certificate_data

Potential Terraform Configuration

resource "azurerm_key_vault_certificate" "original" {
  name         = var.certificate_name
  key_vault_id = var.key_vault_id
  ...
}

data "azurerm_key_vault_certificate_data" "this" {
  name         = var.certificate_name
  key_vault_id = var.key_vault_id
  depends_on   = [azurerm_key_vault_certificate.original]
}

resource "azurerm_key_vault_certificate" "duplicate" {
  provider     = azurerm.elsewhere
  name         = var.certificate_name
  key_vault_id = var.other_key_vault_id

  certificate {
    contents = data.azurerm_key_vault_certificate_data.this.importable_pfx_base64
    
    # OR

    contents = <<-EOT
      ${data.azurerm_key_vault_certificate_data.this.pem}
      ${data.azurerm_key_vault_certificate_data.this.key_pkcs8}
      EOT
    # NB the .key field on the certificate data is in pem format, so is not suitable here
  }
}

References

No response

chrismilson, Oct 05 '24 16:10
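The format gap the issue describes (a `key` output in plain PEM rather than PKCS#8) can be bridged outside the provider, for instance by a small script run through Terraform's `external` data source. The following is an added example, not code from the provider or from the issue author; it assumes the data source's `key` output is an unencrypted PKCS#1 "RSA PRIVATE KEY" PEM block (a constructed toy key stands in for it below), wraps it into the PKCS#8 "PRIVATE KEY" form that a PEM bundle needs, and includes the inverse so the wrapping can be checked.

```python
import base64
import re

# DER for AlgorithmIdentifier { rsaEncryption OID 1.2.840.113549.1.1.1, NULL }
RSA_ALGORITHM_IDENTIFIER = bytes.fromhex("300d06092a864886f70d0101010500")

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def _der_read(buf, pos):
    # Return (tag, content, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _pem_to_der(pem, label):
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if m is None:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(m.group(1).split()))

def _der_to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pkcs1_to_pkcs8(pkcs1_pem):
    rsa_der = _pem_to_der(pkcs1_pem, "RSA PRIVATE KEY")
    # PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING (RSAPrivateKey) }
    info = b"\x02\x01\x00" + RSA_ALGORITHM_IDENTIFIER + _der_tlv(0x04, rsa_der)
    return _der_to_pem(_der_tlv(0x30, info), "PRIVATE KEY")

def pkcs8_to_pkcs1(pkcs8_pem):  # inverse of pkcs1_to_pkcs8, used to verify the wrapping
    _, info, _ = _der_read(_pem_to_der(pkcs8_pem, "PRIVATE KEY"), 0)
    _, alg, pos = _der_read(info, _der_read(info, 0)[2])  # skip version, read AlgorithmIdentifier
    if _der_tlv(0x30, alg) != RSA_ALGORITHM_IDENTIFIER:
        raise ValueError("not an unencrypted rsaEncryption PKCS#8 key")
    _, rsa_der, _ = _der_read(info, pos)  # OCTET STRING wrapping the RSAPrivateKey
    return _der_to_pem(rsa_der, "RSA PRIVATE KEY")

# Constructed toy RSAPrivateKey (p=7, q=11, e=7, d=43): valid DER layout, not a usable key.
TOY_RSA_DER = _der_tlv(0x30, b"".join(_der_tlv(0x02, bytes([v])) for v in (0, 77, 7, 43, 7, 11, 1, 3, 2)))
SAMPLE_PKCS1_PEM = _der_to_pem(TOY_RSA_DER, "RSA PRIVATE KEY")
```

Whichever route is taken, the private key transits Terraform state in plaintext, so state encryption and access control matter as much as the conversion itself.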