Terraform-provider-azurerm: ContentType is invalid trying to upload a pfx certificate

Created on 6 Apr 2020  ·  3 Comments  ·  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  • Terraform v0.12.23 and Terraform v0.12.23 (Cloud)
  • provider.azurerm v2.1.0

Affected Resource(s)

  • azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault" "key_vault_frontend" {
  name                = "vault-frontend-${terraform.workspace}"
  location            = azurerm_resource_group.rg_frontend.location
  resource_group_name = azurerm_resource_group.rg_frontend.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_enabled         = true
  purge_protection_enabled    = false

  sku_name = "standard"

  network_acls {
    default_action = "Allow"
    bypass         = "AzureServices"
  }
}


resource "azurerm_key_vault_access_policy" "key_vault_frontend_policy_admin" {
  key_vault_id = azurerm_key_vault.key_vault_frontend.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = "my-sp-object-id"
  certificate_permissions = [
    "create",
    "delete",
    "deleteissuers",
    "get",
    "getissuers",
    "import",
    "list",
    "listissuers",
    "managecontacts",
    "manageissuers",
    "setissuers",
    "update",
  ]

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt",
    "get",
    "import",
    "list",
    "purge",
    "recover",
    "restore",
    "sign",
    "unwrapKey",
    "update",
    "verify",
    "wrapKey",
  ]

  secret_permissions = [
    "backup",
    "delete",
    "get",
    "list",
    "purge",
    "recover",
    "restore",
    "set",
  ]
}

resource "azurerm_key_vault_certificate" "key_vault_cert_frontend" {
  name                = "key-vault-cert-${terraform.workspace}"
  key_vault_id = azurerm_key_vault.key_vault_frontend.id

  certificate {
    contents = filebase64("my-cert-pfx.pfx")
    password = "my-password"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x_pkcs12"
    }
  }
}

Debug Output

Panic Output

Expected Behavior

  • Create a key vault and upload a pfx certificate in the vault.

Actual Behavior

  • The key vault is created, but the certificate deployment fails with the following error:

Error: keyvault.BaseClient#ImportCertificate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="Property policy.secret_props has invalid value. ContentType is invalid\r\n"

  • I tried to run the same code in the Terraform CLI and Terraform Cloud, same behavior.

  • I uploaded the same pfx through the Azure portal without problems.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • None

All 3 comments

Hi @rnmakino,

Thanks for opening this issue.

This forum is intended to be used for feature enhancements and bugs in the Azure Provider - so that we can keep this forum focused on that we generally instead ask that broader questions are raised using one of the Community Resources.
Taking a look through, this appears to be an issue with the value of the content_type field - where the value is set to application/x_pkcs12 rather than application/x-pkcs12 (as the Azure API expects) - would you be able to update that and see if that works for you?

Since this should be fixed by updating the configuration rather than being a bug in the Azure Provider I'm going to close this issue for the moment - however if that doesn't work for you please let us know and we'll take another look.
Thanks!
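The fix above is a one-character change, but the API only reports a generic "ContentType is invalid" 400, so the cause is easy to miss until apply time. The following preflight check is an added example and not part of the provider, the issue or any Azure tooling: it pulls every content_type from a Terraform configuration, compares it against the two certificate content types Key Vault accepts (application/x-pkcs12 and application/x-pem-file), calls out the underscore near-miss from this issue explicitly, and also checks that the declared type matches what the certificate bytes actually look like (DER for PFX, a BEGIN marker for PEM). The HCL snippet and certificate bytes are constructed samples; the PFX bytes are only a DER SEQUENCE header, not a loadable PKCS#12 file.

```python
import re

# The two content types Azure Key Vault accepts for an imported certificate
# (the documented values for secret_properties.content_type).
VALID_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}

# Which file format each content type promises to carry.
EXPECTED_FORMAT = {"application/x-pkcs12": "pkcs12", "application/x-pem-file": "pem"}

# Matches content_type = "..." assignments anywhere in the HCL text.
CONTENT_TYPE_RE = re.compile(r'\bcontent_type\s*=\s*"([^"]*)"')

# Constructed sample: the secret_properties block from the issue, with the typo.
SAMPLE_HCL = '''
    secret_properties {
      content_type = "application/x_pkcs12"
    }
'''

# Constructed sample bytes: a DER SEQUENCE header like the one that opens a
# real PKCS#12 file. This is not a real PFX and will not load as one.
SAMPLE_PFX_BYTES = b"\x30\x82\x0a\x00" + b"\x00" * 4
# Constructed sample bytes: the shape of a PEM file (contents elided).
SAMPLE_PEM_BYTES = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"


def find_content_types(hcl_text):
    """Return every content_type value declared in the HCL text, in order."""
    return CONTENT_TYPE_RE.findall(hcl_text)


def check_content_type(value):
    """Return a problem description for an invalid content_type, else None.

    Key Vault answers any unknown value with the same generic 400, so the
    underscore-for-hyphen near-miss is named explicitly here.
    """
    if value in VALID_CONTENT_TYPES:
        return None
    normalized = value.replace("_", "-").lower()
    if normalized in VALID_CONTENT_TYPES:
        return f'content_type "{value}" is not a Key Vault content type; did you mean "{normalized}"?'
    return f'content_type "{value}" is not one of {sorted(VALID_CONTENT_TYPES)}'


def detect_format(cert_bytes):
    """Classify certificate bytes as "pem", "pkcs12" or "unknown".

    PEM is text opening with a BEGIN marker; PKCS#12 (PFX) is DER, which
    always opens with a SEQUENCE tag (0x30).
    """
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if cert_bytes[:1] == b"\x30":
        return "pkcs12"
    return "unknown"


def preflight(hcl_text, cert_bytes):
    """Return a list of problems; an empty list means the import is worth sending."""
    problems = []
    values = find_content_types(hcl_text)
    if not values:
        problems.append("no content_type declared under secret_properties")
    fmt = detect_format(cert_bytes)
    for value in values:
        problem = check_content_type(value)
        if problem:
            problems.append(problem)
            continue
        expected = EXPECTED_FORMAT[value]
        if expected != fmt:
            problems.append(
                f'content_type "{value}" expects a {expected} file but the contents look like {fmt}'
            )
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_HCL, SAMPLE_PFX_BYTES):
        print("problem:", problem)
```

Run against the issue's configuration it reports the underscore typo and suggests application/x-pkcs12; with the hyphenated value and PFX bytes it returns no problems, and with PEM bytes under the PKCS#12 content type it flags the mismatch, which Key Vault would otherwise reject with the same unhelpful error. Hooking it into a pre-apply step catches the mistake before the plan reaches the API.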

Hi @tombuildsstuff,

Thanks, I made some replacements and probably did so in the content type object too; replacing "_" with "-" works!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
