This object has no argument, nested block, or exported attribute named ca_public_key_pem

0
votes

I'm trying to access the ca_public_key_pem property of my tls_self_signed_cert object, but I'm being told that the property does not exist.

Yet in the source code, and examples for this module, it appears to be present.

GitHub Source Code

output "ca_public_key_pem" {
  value = "${chomp(element(concat(tls_private_key.ca.*.public_key_pem, list("")), 0))}" # TODO: Workaround for issue #11210
}

Does anyone have any idea how to get the public key for the CA certificate in PEM format from a tls_self_signed_cert resource?

I'm currently using the module as follows:

resource "tls_private_key" "RootKey" {
    algorithm = "RSA"
    rsa_bits  = 2048
}

resource "tls_self_signed_cert" "SelfSigned" {
    key_algorithm   = "${tls_private_key.RootKey.algorithm}"
    private_key_pem = "${tls_private_key.RootKey.private_key_pem}"

    subject {
        common_name  = "Domain.com"
        organization = "Org Name"
    }

    is_ca_certificate     = true
    validity_period_hours = 26280
    early_renewal_hours   = 8760
    allowed_uses          = ["cert_signing"]
}

and then in my azurerm_virtual_network_gateway configuration, I have the following:

...
    vpn_client_configuration {
        address_space        = ["10.9.0.0/24"]
        vpn_client_protocols = ["IkeV2"]

        root_certificate {
            name             = "My-Root-CA"
            public_cert_data = "${tls_self_signed_cert.SelfSigned.ca_public_key_pem}"
        }
    }

I've tried using cert_pem but it's not valid for this property.

1
terraformterraform-provider-azure
How are you using this module? - ydaetskcoR
have updated the question with my usage. Thanks. - Gareth Oates
Can you also include the azurerm_virtual_network_gateway definition too please? - ydaetskcoR
I don't understand how that will aid in the solving of the problem? Can you please explain. The virtual gateway is already setup and running without problem. It's just adding the root_certificate public_cert_data property that is causing it to fail. - Gareth Oates
Yeah, it looks like you're using the output from the tls_self_signed_cert resource wrong from your error but it's impossible to tell without seeing it. The general guidance is that your question should include a minimal reproducible example that people can run and reproduce your error exactly. Without that it's impossible to determine what's wrong. Alternatively if you can reproduce the same error from an even more minimal configuration without a azurerm_virtual_network_gateway resource then that would be even better. - ydaetskcoR

1 Answers

2
votes

The azurerm_virtual_network_gateway public_cert_data unusually requires the cert to be in PEM format but without the traditional -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers:

The root_certificate block supports:

  • name - (Required) A user-defined name of the root certificate.

  • public_cert_data - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers.

The tls_self_signed_cert resource has the cert_pem attribute that it outputs but this does have the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

So if you want to chain these through then you'll need to remove these markers. The easiest way to do this is use the replace function.

A minimal example of this output would look like this:

resource "tls_private_key" "example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "ECDSA"
  private_key_pem = "${tls_private_key.example.private_key_pem}"

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

output "cert" {
  value = "${tls_self_signed_cert.example.cert_pem}"
}

output "trimmed_cert" {
  value = "${replace(replace(tls_self_signed_cert.example.cert_pem, "-----BEGIN CERTIFICATE-----", ""), "-----END CERTIFICATE-----", "")}"
}

Applying this out will output the following:

Outputs:

cert = -----BEGIN CERTIFICATE-----
MIIB1jCCAVygAwIBAgIQR4Z4djFeJNQSPegYFMqhXTAKBggqhkjOPQQDAzAzMRsw
GQYDVQQKExJBQ01FIEV4YW1wbGVzLCBJbmMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MB4XDTE5MTEwMTE2MjUzOFoXDTE5MTEwMjA0MjUzOFowMzEbMBkGA1UEChMSQUNN
RSBFeGFtcGxlcywgSW5jMRQwEgYDVQQDEwtleGFtcGxlLmNvbTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABA5bcywnzZwDjVfK3zSTLUtEiTeA/spOQ3q02816H1jYO28K
Yg1wbyPluC9c8t2H0r2WzDPmdr9iFLo7rjW3v1sCXJOL839YA/CUuwqRexjd8Iuy
jWKa0YNvA5AmbuRsqKM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwMDaAAwZQIwdBO17wBD/Fud
kcOiVVQvhPV13SRZydLBaXGHABcSBIW4UMv3JqwbJTq/wDF0k0daAjEAyRXu+eHA
+BpJjVEvcZL7V93zMv4tNede8SHpwHm4o/ogjTINlcRnMN6tu+uXiH5I
-----END CERTIFICATE-----

trimmed_cert = 
MIIB1jCCAVygAwIBAgIQR4Z4djFeJNQSPegYFMqhXTAKBggqhkjOPQQDAzAzMRsw
GQYDVQQKExJBQ01FIEV4YW1wbGVzLCBJbmMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MB4XDTE5MTEwMTE2MjUzOFoXDTE5MTEwMjA0MjUzOFowMzEbMBkGA1UEChMSQUNN
RSBFeGFtcGxlcywgSW5jMRQwEgYDVQQDEwtleGFtcGxlLmNvbTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABA5bcywnzZwDjVfK3zSTLUtEiTeA/spOQ3q02816H1jYO28K
Yg1wbyPluC9c8t2H0r2WzDPmdr9iFLo7rjW3v1sCXJOL839YA/CUuwqRexjd8Iuy
jWKa0YNvA5AmbuRsqKM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwMDaAAwZQIwdBO17wBD/Fud
kcOiVVQvhPV13SRZydLBaXGHABcSBIW4UMv3JqwbJTq/wDF0k0daAjEAyRXu+eHA
+BpJjVEvcZL7V93zMv4tNede8SHpwHm4o/ogjTINlcRnMN6tu+uXiH5I

This trimmed output, made from the two replace functions should be usable for the azurerm_virtual_network_gateway public_cert_data parameter.