Gareth Oates

Reputation: 397

This object has no argument, nested block, or exported attribute named ca_public_key_pem

I'm trying to access the ca_public_key_pem property of my tls_self_signed_cert object, but I'm being told that the property does not exist.

Yet in the source code, and examples for this module, it appears to be present.

GitHub Source Code

output "ca_public_key_pem" {
  value = "${chomp(element(concat(tls_private_key.ca.*.public_key_pem, list("")), 0))}" # TODO: Workaround for issue #11210
}

Does anyone have any idea how to get the public key for the CA certificate in PEM format from a tls_self_signed_cert resource?

I'm currently using the module as follows:

resource "tls_private_key" "RootKey" {
    algorithm = "RSA"
    rsa_bits  = 2048
}

resource "tls_self_signed_cert" "SelfSigned" {
    key_algorithm   = "${tls_private_key.RootKey.algorithm}"
    private_key_pem = "${tls_private_key.RootKey.private_key_pem}"

    subject {
        common_name  = "Domain.com"
        organization = "Org Name"
    }

    is_ca_certificate     = true
    validity_period_hours = 26280
    early_renewal_hours   = 8760
    allowed_uses          = ["cert_signing"]
}

and then in my azurerm_virtual_network_gateway configuration, I have the following:

...
    vpn_client_configuration {
        address_space        = ["10.9.0.0/24"]
        vpn_client_protocols = ["IkeV2"]

        root_certificate {
            name             = "My-Root-CA"
            public_cert_data = "${tls_self_signed_cert.SelfSigned.ca_public_key_pem}"
        }
    }

I've tried using cert_pem but it's not valid for this property.

Upvotes: 0

Views: 1201

Answers (1)

ydaetskcoR

Reputation: 56839

The azurerm_virtual_network_gateway public_cert_data unusually requires the cert to be in PEM format but without the traditional -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers:

The root_certificate block supports:

  • name - (Required) A user-defined name of the root certificate.

  • public_cert_data - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers.

The tls_self_signed_cert resource has the cert_pem attribute that it outputs but this does have the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

So if you want to chain these through then you'll need to remove these markers. The easiest way to do this is to use the replace function.

A minimal example of this output would look like this:

resource "tls_private_key" "example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "ECDSA"
  private_key_pem = "${tls_private_key.example.private_key_pem}"

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

output "cert" {
  value = "${tls_self_signed_cert.example.cert_pem}"
}

output "trimmed_cert" {
  value = "${replace(replace(tls_self_signed_cert.example.cert_pem, "-----BEGIN CERTIFICATE-----", ""), "-----END CERTIFICATE-----", "")}"
}

Applying this will output the following:

Outputs:

cert = -----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

trimmed_cert = [base64 certificate body omitted]

This trimmed output, made from the two replace functions, should be usable for the azurerm_virtual_network_gateway public_cert_data parameter.

Upvotes: 2
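An added check that is not part of the answer above and not the Terraform provider's own code: this stand-alone Go program (standard library only; the function names are my own) generates a self-signed ECDSA P-384 CA certificate like the answer's example, strips the markers exactly as the two nested replace() calls do, and then verifies that the trimmed value still base64-decodes into a parseable X.509 certificate before it is handed to public_cert_data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"strings"
	"time"
)

// selfSignedCAPEM stands in for the answer's tls_self_signed_cert example:
// an ECDSA P-384 key and a 12-hour self-signed CA certificate, PEM-encoded.
func selfSignedCAPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed sample serial
		Subject:               pkix.Name{CommonName: "example.com", Organization: []string{"ACME Examples, Inc"}},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(12 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// trimMarkers does exactly what the nested Terraform replace() calls do;
// the PEM line breaks and the surrounding newlines are left in place.
func trimMarkers(certPEM string) string {
	s := strings.Replace(certPEM, "-----BEGIN CERTIFICATE-----", "", -1)
	return strings.Replace(s, "-----END CERTIFICATE-----", "", -1)
}

// validateTrimmed drops whitespace, base64-decodes, and parses the DER as X.509.
func validateTrimmed(trimmed string) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(trimmed), ""))
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

validateTrimmed fails on the untrimmed PEM because the marker dashes are not in the base64 alphabet, which is the same reason the Azure argument rejects them.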
