Muhammad Zaman
Reputation: 117
Terraform Script Copy Certificate from datasource Key Vault to new Key Vault
I am looking to copy a single certificate from Test1-KV to New-KV with teh following code, but I am receiving the following error:
azurerm_key_vault_certificate.new-cert: Creating...
Error: keyvault.BaseClient#CreateCertificate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="Property policy has invalid value\r\n"
on resources.tf line 91, in resource "azurerm_key_vault_certificate" "new-cert": 91: resource "azurerm_key_vault_certificate" "new-cert" {
Code:
data "azurerm_key_vault" "existing" {
name = "Test1-KV"
resource_group_name = "Test1-RG"
}
data "azurerm_key_vault_certificate" "new-cert" {
name = "new-cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "new-cert" {
name = "new-cert"
key_vault_id = azurerm_key_vault.new-kv.id
certificate_policy {
issuer_parameters {
name = "My CA"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
//edit part: here is my full code. to copying secrets and certificate into New-KV from Test1-KV.
provider "azurerm" {
version = "~>2.14.0"
features {}
}
resource "azurerm_resource_group" "main" {
name = "${var.prefix}-RG"
location = var.location
}
# --- Get reference to logged on Azure subscription ---
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "NewKV" {
name = "New-KV"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_enabled = true
purge_protection_enabled = false
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
}
}
# -------------------- Importing Secrets from Central Key Vault to New-KV ---------------------------
# --- Defining where to import secrets ---
data "azurerm_key_vault" "existing" {
name = "Test1-KV"
resource_group_name = "Test1-RG"
}
# --- telling what to import ---
data "azurerm_key_vault_secret" "Cred" {
name = "Cred"
key_vault_id = data.azurerm_key_vault.existing.id
}
# --- defining where to import ---
resource "azurerm_key_vault_secret" "Cred" {
name = "Cred"
value = data.azurerm_key_vault_secret.Cred.value
key_vault_id = azurerm_key_vault.NewKV.id
}
# ----------------------- Importing Certificate from Central Key Vault Certificates ----------------------------------
// It stores the actual cert as a secret
data "azurerm_key_vault_secret" "New-Cert" {
name = "New-Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
data "azurerm_key_vault_certificate" "New-Cert" {
name = "New-Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "New-Cert" {
name = "New-Cert"
key_vault_id = azurerm_key_vault.NewKV.id
certificate {
contents = data.azurerm_key_vault_secret.New-Cert.value
}
certificate_policy {
issuer_parameters {
name = "My Company CA"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"digitalSignature",
"keyEncipherment",
]
subject_alternative_names {
dns_names = ["hello-world.io", "Hello-World"]
}
subject = "CN=New-Cert"
validity_in_months = 61
}
}
}
Upvotes: 3
Views: 5574
Answers (2)
Muhammad Zaman
Reputation: 117
the issue is resolved by add below code
data "azurerm_key_vault" "New-KV" {
name = "New-KV"
resource_group_name = "New-RG"
}
data "azurerm_key_vault_secret" "Test1-KV" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
data "azurerm_key_vault_certificate" "Cert" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.existing.id
}
resource "azurerm_key_vault_certificate" "Cert" {
name = "Cert"
key_vault_id = data.azurerm_key_vault.New-KV.id
certificate {
contents = data.azurerm_key_vault_secret.Test1-KV.value
}
certificate_policy {
issuer_parameters {
name = "self" (instead using original issuer use self)
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
secret_properties {
content_type = "application/x-pkcs12"
}
}
}
Upvotes: 0
Christian Pearce
Reputation: 1026
Not sure what your error is specifically, but your code is not functional for what you are trying to do. I am providing an example of the first run to create a cert, and the second run to import it into a new kv. The trick is to source the secret generated by the cert to import it. I validate the process worked via the thumbprints.
This is the first main.tf to generate initial kv and cert
provider "azurerm" {
version = "~>2.23.0"
features {}
}
data "azurerm_client_config" "current" {
}
resource "azurerm_resource_group" "example" {
name = "key-vault-certificate-example"
location = "East US"
}
output "certificate_thumbprint" {
value = azurerm_key_vault_certificate.example.thumbprint
}
resource "azurerm_key_vault" "example" {
name = "pearceckvcertexample"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
}
tags = {
environment = "Production"
}
}
resource "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = azurerm_key_vault.example.id
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign",
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
]
subject_alternative_names {
dns_names = ["internal.contoso.com", "domain.hello.world"]
}
subject = "CN=hello-world"
validity_in_months = 12
}
}
}
THis is the second main.tf (different state), to generate a second kv and import the cert from the secret in the original vault.
provider "azurerm" {
version = "~>2.23.0"
features {}
}
data "azurerm_client_config" "current" {
}
data "azurerm_key_vault" "example" {
name = "pearceckvcertexample"
resource_group_name = "key-vault-certificate-example"
}
// It stores the actual cert as a secret
data "azurerm_key_vault_secret" "example" {
name = "generated-cert"
key_vault_id = data.azurerm_key_vault.example.id
}
data "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = data.azurerm_key_vault.example.id
}
output "certificate_thumbprint" {
value = data.azurerm_key_vault_certificate.example.thumbprint
}
output "certificate_thumbprint2" {
value = azurerm_key_vault_certificate.example.thumbprint
}
resource "azurerm_resource_group" "example" {
name = "key-vault-certificate-example2"
location = "East US"
}
resource "azurerm_key_vault" "example" {
name = "pearceckvcertexample2"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
}
tags = {
environment = "Production"
}
}
resource "azurerm_key_vault_certificate" "example" {
name = "generated-cert"
key_vault_id = azurerm_key_vault.example.id
certificate {
contents = data.azurerm_key_vault_secret.example.value
}
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
lifetime_action {
action {
action_type = "AutoRenew"
}
trigger {
days_before_expiry = 30
}
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
# Server Authentication = 1.3.6.1.5.5.7.3.1
# Client Authentication = 1.3.6.1.5.5.7.3.2
extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
key_usage = [
"cRLSign",
"dataEncipherment",
"digitalSignature",
"keyAgreement",
"keyCertSign",
"keyEncipherment",
]
subject_alternative_names {
dns_names = ["internal.contoso.com", "domain.hello.world"]
}
subject = "CN=hello-world"
validity_in_months = 12
}
}
}
Output from the run:
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
Outputs:
certificate_thumbprint = 8ADC0C8B2255E7B19FBEFC3B348B7E075D5AB1DA
certificate_thumbprint2 = 8ADC0C8B2255E7B19FBEFC3B348B7E075D5AB1DA
Upvotes: 2
Related Questions
- Terraform with Azure Key Vault to get secret value
- How to copy a certificate from one Azure Key Vault to another?
- How to get key vault certificate value correctly in terraform module to create VPN gateway
- Terraform create a azure key vault
- How to import a an azure web app certificate using terraform from an azure key vault
- How to create secret in existing keyvault with Terraform?
- Create a new version of key vault secret using Terraform
- Terraform Azure provider - How do I add via terraform more than one key and/or secret for my key vault?
- Terraform Script Copy/Populate/Replicate Existing Key Vault Certificate into newly created Key Vault
- Terraform Populate secrets from central key vault