
I want to read Kubernetes secrets and then import those certificates to AWS ACM. Below is my code

#Read master ingress cert
data "kubernetes_secret" "master_cert" {
  metadata {
    name      = "${var.env}-api-gw-ingress"
    namespace = var.env
  }
  binary_data = {
    "tls.key" = ""
    "tls.crt" = ""
    "ca.crt"  = ""
  }
  depends_on = [kubernetes_manifest.master_ingress]
}

#Upload master ingress cert
resource "aws_acm_certificate" "master_cert" {
  private_key       = base64decode(lookup(data.kubernetes_secret.master_cert.binary_data, "tls.key"))
  certificate_body  = base64decode(lookup(data.kubernetes_secret.master_cert.binary_data, "tls.crt"))
  certificate_chain = base64decode(lookup(data.kubernetes_secret.master_cert.binary_data, "ca.crt"))
}

But I am getting the below error

Error: error importing ACM Certificate: ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain.
│
│   with aws_acm_certificate.master_cert,
│   on main.tf line 48, in resource "aws_acm_certificate" "master_cert":
│   48: resource "aws_acm_certificate" "master_cert" {

I have checked the certs and the chains are all correct. I would appreciate any help or suggestions.

Thank you

Aman
  • Have you tried assigning the exported resource attributes for the k8s secret to TF outputs to confirm the values are correct? – Matthew Schuchard Feb 01 '22 at 20:30
  • The values are correct but it seems I was not fulfilling the prerequisites. AWS ACM private certs demands that the algorithm has to be the same to generate the certs as for root/intermediate certs. I was creating certs with SHA256 but my intermediate was created by ECDSA. That was the issue. Now it's sorted. And, thank you. – Aman Feb 06 '22 at 19:01
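The comment thread resolves the question by inspecting the certificates by hand. The following Go program is an added example, not code from the question or from the Terraform or AWS providers: it takes the `data` map of a `kubernetes.io/tls` Secret (base64 values, the same bytes Terraform's `base64decode()` receives), verifies that `tls.crt` actually chains to `ca.crt`, and reports the key algorithm of the leaf and the CA and the signature algorithm on the leaf, so an algorithm mismatch like the one described in the comments is visible before `terraform apply`. The CA and leaf certificates are constructed inside the program with Go's standard library to stand in for the real ingress secret; that mixing key algorithms makes ACM reject the import is what the comment thread reports, and this example does not talk to ACM to confirm it.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Report holds what to inspect before handing tls.crt and ca.crt to ACM.
type Report struct {
	LeafKeyAlgo   x509.PublicKeyAlgorithm // key type inside tls.crt
	LeafSigAlgo   x509.SignatureAlgorithm // how the issuer signed tls.crt
	IssuerKeyAlgo x509.PublicKeyAlgorithm // key type inside ca.crt
	ChainOK       bool                    // tls.crt verifies against ca.crt
	KeyAlgoMatch  bool                    // leaf and issuer keys use the same algorithm
}

// parsePEMCert returns the first CERTIFICATE block in p.
func parsePEMCert(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckChain verifies that leafPEM chains to caPEM and reports the algorithms.
func CheckChain(leafPEM, caPEM []byte) (Report, error) {
	leaf, err := parsePEMCert(leafPEM)
	if err != nil {
		return Report{}, fmt.Errorf("tls.crt: %w", err)
	}
	ca, err := parsePEMCert(caPEM)
	if err != nil {
		return Report{}, fmt.Errorf("ca.crt: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return Report{
		LeafKeyAlgo:   leaf.PublicKeyAlgorithm,
		LeafSigAlgo:   leaf.SignatureAlgorithm,
		IssuerKeyAlgo: ca.PublicKeyAlgorithm,
		ChainOK:       verr == nil,
		KeyAlgoMatch:  leaf.PublicKeyAlgorithm == ca.PublicKeyAlgorithm,
	}, nil
}

// CheckSecret takes a kubernetes.io/tls Secret's data map (base64 values) and checks it.
func CheckSecret(secretData map[string]string) (Report, error) {
	leafPEM, err := base64.StdEncoding.DecodeString(secretData["tls.crt"])
	if err != nil {
		return Report{}, fmt.Errorf("tls.crt: %w", err)
	}
	caPEM, err := base64.StdEncoding.DecodeString(secretData["ca.crt"])
	if err != nil {
		return Report{}, fmt.Errorf("ca.crt: %w", err)
	}
	return CheckChain(leafPEM, caPEM)
}

// buildSecret constructs a Secret-shaped map from a self-signed CA and a leaf it
// issues. Constructed test data only; it stands in for the real ingress secret.
func buildSecret(caKey, leafKey crypto.Signer) (map[string]string, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api-gw.example.internal"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	toField := func(der []byte) string { // PEM, then base64 as stored in the Secret
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	}
	return map[string]string{"tls.crt": toField(leafDER), "ca.crt": toField(caDER)}, nil
}

func main() {
	// Reproduce the situation in the thread: an ECDSA CA signing an RSA leaf.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	secret, err := buildSecret(caKey, leafKey)
	if err != nil {
		panic(err)
	}
	r, err := CheckSecret(secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("chain ok=%v leaf key=%v signed with=%v issuer key=%v key algorithms match=%v\n", r.ChainOK, r.LeafKeyAlgo, r.LeafSigAlgo, r.IssuerKeyAlgo, r.KeyAlgoMatch)
}
```

For the real secret, replace the constructed map with the output of `kubectl get secret <name> -n <namespace> -o json` (the `data` field) and look at the two booleans: `ChainOK` false means the error message is literally right and the chain does not sign the leaf; `ChainOK` true with `KeyAlgoMatch` false is the mixed-algorithm case reported in the comments.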

0 Answers