Support for issuing certificates (`aws_acm_certificate`) with a private CA (`aws_acmpca_certificate_authority`) from the certificate manager.
Currently there is no option to pass in the arn of a private CA in order to issue a private certificate instead of a default public one.
I can tackle this myself if I didn't miss something.
```hcl
resource "aws_acm_certificate" "cert" {
  domain_name               = "internal.example.com"
  certificate_authority_arn = "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012"
}
```
https://docs.aws.amazon.com/sdk-for-go/api/service/acm/#RequestCertificateInput
Hi @TFaga, thanks for submitting this feature request.
It's important to note that ACM and ACMPCA are different at the SDK level and use different API endpoints. For implementing this support, we will want to create a completely separate resource to handle these concerns.
Hi @bflad
Thanks for getting back. From my understanding, the certificates found in the `acm-pca` endpoint serve a different purpose than the ones mentioned in this issue (`aws_acm_certificate`). They are only for issuing certificates you generated locally and sent the CSR to the PCA. AWS never gets the private keys and as such they are not managed by AWS at all. You can only revoke them AFAIK.
If however, you want to generate managed certificates from a PCA that function the same as the public certificates (i.e. keys managed by AWS and usable in integrated services), you need to issue the certificate with the `acm` client and pass in a PCA arn, which currently you cannot do with terraform.
So to summarize we could do two things:
1. Add a `certificate_authority_arn` property to the `aws_acm_certificate` in order to enable issuing private managed certificates from a PCA,
2. Add a new resource (`acm_acmpca_certificate`) which represents the other type of certificate (unmanaged), which is created with an external CSR.
Ah ha! Okay I see what you mean, there is a difference between these two:
- `RequestCertificate` SDK call as you originally referenced
- `IssueCertificate` SDK call
In your case, you are correct that for the first case, we can (and should) do this with the existing resource. The second will need to be a separate resource. My apologies for the confusion.
When will this feature get released? Are there any alternative to generate private certificate using the current version of terraform?
Hi, is there any news on being able to use `aws_acm_certificate` to issue private certificates? Can use `aws_acmpca_certificate_authority` for creating a PCA but don't seem to be able to use this through TF at the mo?
@bflad Please ensure the 2 PRs for this issue are properly reviewed asap. This functionality has been available in the AWS SDK for over a year now. TF is generally better about staying on top of new features.
Hi folks, support for issuing private certificates via a new `certificate_authority_arn` argument in the `aws_acm_certificate` resource has been merged and will release with version 2.23.0 of the Terraform AWS Provider, later this week.
If you're interested in additional functionality, such as issuing ACM PCA certificates (not through ACM), please file new feature request issues for further triage. Thanks.
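For reference, the following is an added configuration example (not from the issue or the provider's own documentation) showing the released form of the feature: a private root CA alongside an ACM-managed certificate issued from it through `certificate_authority_arn`. It assumes the CA has already been activated by installing its CA certificate, which is a separate step not covered here, and that the resource names `internal` are placeholders.

```hcl
# Private root CA managed by ACM PCA. Key and signing algorithms are
# example choices; the subject common_name is a constructed value.
resource "aws_acmpca_certificate_authority" "internal" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"

    subject {
      common_name = "internal.example.com"
    }
  }
}

# ACM-managed private certificate: ACM generates and holds the private key,
# and the certificate is issued by the CA referenced below via the
# RequestCertificate API rather than the PCA IssueCertificate API.
# Private certificates need no DNS or email validation, so no
# aws_acm_certificate_validation resource is involved.
resource "aws_acm_certificate" "internal" {
  domain_name               = "internal.example.com"
  certificate_authority_arn = aws_acmpca_certificate_authority.internal.arn
}
```

If the CA is not yet active, the certificate request will fail, so the activation step must complete before `terraform apply` reaches the `aws_acm_certificate` resource.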
This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!