
I am a rookie to Terraform and I have a blocker with this code. I followed the Terraform documentation, which advised issuing a renewable certificate using an ACM PCA: create an aws_acm_certificate with the parameter certificate_authority_arn. My goal is to create a root CA with ACMPCA, install the CA certificate and use ACM to request the private CA. Although the ACM resource deployed, it's in failed status, I got the error below and I don’t know how to resolve the issue.

Code

provider "aws" {
    region = "us-east-1"
}

# Create a root CA with ACM PCA
resource "aws_acmpca_certificate_authority" "pca_cert" {
    type = "ROOT"
    certificate_authority_configuration {
        key_algorithm     = "RSA_2048"
        signing_algorithm = "SHA256WITHRSA"

        subject {
            common_name = "cf-demo.com"
        }
    }
    permanent_deletion_time_in_days = 7
}

# Install the root CA certificate
resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate" {
    certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
    certificate               = aws_acm_certificate.demo_acm_cert.arn
}

# Use ACM to request the certificate
resource "aws_acm_certificate" "demo_acm_cert" {
    domain_name               = "cf-demo.com"
    certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
}

# Grant permissions to ACM to access the certificate authority
resource "aws_acmpca_permission" "root_ca_permission" {
    certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
    actions                   = ["IssueCertificate", "GetCertificate", "ListPermissions"]
    principal                 = "acm.amazonaws.com"
}

Error:

Error: associating ACM PCA Certificate with Certificate Authority (arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx): ValidationException: 1 validation error detected: Value at 'certificate' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE-----(\r?\n)?.
│       status code: 400, request id: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx
│ 
│   with aws_acmpca_certificate_authority_certificate.cert_authority_certificate,
│   on cert.tf line 32, in resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate":
│   32: resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate" {

I attempted to use the "aws_acmpca_certificate" resource together with "aws_acm_certificate", but then I got "Error: Cycle".

S Parker

1 Answer


The aws_acmpca_certificate_authority_certificate resource's certificate parameter expects an actual certificate, not an ARN. Use the certificate attribute of the pca_cert instead of the arn attribute.

# Install the root CA certificate
resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate" {
    certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
    certificate               = aws_acmpca_certificate_authority.pca_cert.certificate
}
Robert Hafner
  • Per [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#attributes-reference), `certificate` is not an attribute for `ACM`, hence I got the error below.
    │ Error: Unsupported attribute
    │
    │   on cert.tf line 34, in resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate":
    │   34:     certificate = aws_acm_certificate.demo_acm_cert.certificate
    │
    │ This object has no argument, nested block, or exported attribute named "certificate".
    – S Parker Apr 21 '23 at 19:28
  • I updated the answer- you're not supposed to use the acm_certificate there, you're supposed to use the aws_acmpca_certificate_authority resource. – Robert Hafner Apr 21 '23 at 19:46
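For readers landing on this thread, here is a complete, dependency-ordered version of the question's configuration, written as an added editor example (it is not the asker's or the answerer's code). It follows the self-signed root pattern from the Terraform AWS provider documentation for `aws_acmpca_certificate_authority_certificate`: a ROOT CA exports an empty `certificate` attribute until a certificate has been installed, so the CA's own CSR is first signed with the `RootCACertificate/V1` template via `aws_acmpca_certificate`, and that PEM (not an ARN) is what gets installed. The `aws_acm_certificate` request then carries an explicit `depends_on`, because nothing in its arguments references the installation or the permission grant, so Terraform would otherwise have no reason to wait for the CA to become ACTIVE. The region, names and `cf-demo.com` domain are taken from the question; the one-year validity is an assumption chosen for a demo.

```hcl
provider "aws" {
  region = "us-east-1"
}

# Root CA. The 7-day deletion window is the value used in the question;
# it is the shortest ACM PCA allows and suits a throwaway demo CA.
resource "aws_acmpca_certificate_authority" "pca_cert" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_2048"
    signing_algorithm = "SHA256WITHRSA"

    subject {
      common_name = "cf-demo.com"
    }
  }

  permanent_deletion_time_in_days = 7
}

# Self-sign the CA's own CSR to produce the root certificate. Until this is
# installed, aws_acmpca_certificate_authority.pca_cert.certificate is empty.
resource "aws_acmpca_certificate" "root_ca_cert" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.pca_cert.arn
  certificate_signing_request = aws_acmpca_certificate_authority.pca_cert.certificate_signing_request
  signing_algorithm           = "SHA256WITHRSA"
  template_arn                = "arn:aws:acm-pca:::template/RootCACertificate/V1"

  # Assumption for the demo: a one-year root validity.
  validity {
    type  = "YEARS"
    value = 1
  }
}

# Install the PEM certificate (what the ValidationException regex in the
# question checks for) into the CA. This transitions the CA to ACTIVE.
resource "aws_acmpca_certificate_authority_certificate" "cert_authority_certificate" {
  certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
  certificate               = aws_acmpca_certificate.root_ca_cert.certificate
  certificate_chain         = aws_acmpca_certificate.root_ca_cert.certificate_chain
}

# Let the ACM service principal issue and fetch certificates from this CA.
resource "aws_acmpca_permission" "root_ca_permission" {
  certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn
  actions                   = ["IssueCertificate", "GetCertificate", "ListPermissions"]
  principal                 = "acm.amazonaws.com"
}

# Request the end-entity certificate from ACM. Nothing here references the
# installed CA certificate or the permission, so depends_on supplies the
# ordering; nothing depends on this resource, so no cycle can form.
resource "aws_acm_certificate" "demo_acm_cert" {
  domain_name               = "cf-demo.com"
  certificate_authority_arn = aws_acmpca_certificate_authority.pca_cert.arn

  depends_on = [
    aws_acmpca_certificate_authority_certificate.cert_authority_certificate,
    aws_acmpca_permission.root_ca_permission,
  ]
}
```

After `terraform apply`, the CA should report `ACTIVE` (for example via `aws acm-pca describe-certificate-authority --certificate-authority-arn <arn> --query CertificateAuthority.Status`) before the ACM certificate reaches `ISSUED`; an ACM request made while the CA is still `PENDING_CERTIFICATE` fails rather than waiting, which is the failure mode the `depends_on` edges guard against.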