AWS Private Certificate Authority with Terraform (installing the root CA certificate)

Question (votes: 0, answers: 1)

Team,

I am trying to create an AWS PCA (to use it for IAM Roles Anywhere), install the CA certificate and request a private certificate with ACM. I am getting the error below; what am I missing here?

Versions:

Terraform v1.3.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v5.0.1

Code:

resource "aws_acmpca_certificate_authority" "private_ca_authority" {
  permanent_deletion_time_in_days = 7
  type                            = "ROOT"
  certificate_authority_configuration {
    key_algorithm     = local.key_algorithm
    signing_algorithm = local.signing_algorithm
    subject {
      common_name  = local.common_name
      organization = local.org
    }
  }
  tags = local.tags
}

resource "aws_acmpca_permission" "private_ca_permission" {
  certificate_authority_arn = aws_acmpca_certificate_authority.private_ca_authority.arn
  actions                   = ["IssueCertificate", "GetCertificate", "ListPermissions"]
  principal                 = "acm.amazonaws.com"
}

data "aws_partition" "current" {}

resource "aws_acmpca_certificate" "private_ca_cert" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.private_ca_authority.arn
  certificate_signing_request = aws_acmpca_certificate_authority.private_ca_authority.certificate_signing_request
  signing_algorithm           = local.signing_algorithm

  template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"

  validity {
    type  = "YEARS"
    value = local.private_cert_validity
  }
}

resource "aws_acmpca_certificate_authority_certificate" "pca_authority_cert" {
  certificate_authority_arn = aws_acmpca_certificate_authority.private_ca_authority.arn
  certificate               = aws_acmpca_certificate.private_ca_cert.certificate
  certificate_chain         = aws_acmpca_certificate.private_ca_cert.certificate_chain
}

resource "aws_acm_certificate" "request_cert" {
  domain_name               = local.common_name
  certificate_authority_arn = aws_acmpca_certificate_authority.private_ca_authority.arn
  key_algorithm             = local.key_algorithm

  tags = local.tags

  lifecycle {
    create_before_destroy = true
  }

}

Error:

resource "aws_acm_certificate" "request_cert" {
    arn                       = "arn:aws:acm:us-east-1:<>:certificate/ac0c10e9-a84d-4172-b0f9-cf165402cd1e"
    certificate_authority_arn = "arn:aws:acm-pca:us-east-1:<>:certificate-authority/9b42320f-1fb8-45be-98cc-f4d784b95108"
    domain_name               = "domain"
    domain_validation_options = []
    id                        = "arn:aws:acm:us-east-1:<>:certificate/ac0c10e9-a84d-4172-b0f9-cf165402cd1e"
    key_algorithm             = "RSA_2048"
    pending_renewal           = false
    renewal_eligibility       = "INELIGIBLE"
    renewal_summary           = []
    status                    = "FAILED"
    subject_alternative_names = [
        "domain",
    ]

UI error:

When the "Install CA certificate" step is done manually for the AWS Private Certificate Authority, "aws_acm_certificate.request_cert" is able to create the certificate with ACM.

Tags: amazon-web-services terraform terraform-provider-aws aws-acm

1 answer

0 votes

It worked fine after adding a wait before request_cert.

resource "aws_acmpca_certificate_authority_certificate" "pca_authority_cert" {
  certificate_authority_arn = aws_acmpca_certificate_authority.private_ca_authority.arn
  certificate               = aws_acmpca_certificate.private_ca_cert.certificate
  certificate_chain         = aws_acmpca_certificate.private_ca_cert.certificate_chain
}

# time_sleep comes from the hashicorp/time provider; it gives the imported
# CA certificate time to take effect before ACM is asked to issue from the CA.
resource "time_sleep" "wait_30_seconds" {
  create_duration = "30s"
  depends_on      = [aws_acmpca_certificate_authority_certificate.pca_authority_cert]
}


resource "aws_acm_certificate" "request_cert" {
  domain_name               = local.common_name
  certificate_authority_arn = aws_acmpca_certificate_authority.private_ca_authority.arn
  key_algorithm             = local.key_algorithm

  tags = local.tags

  lifecycle {
    create_before_destroy = true
  }

  depends_on = [time_sleep.wait_30_seconds]
}
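ACM can only issue from a private CA whose status is ACTIVE, and importing the CA certificate (aws_acmpca_certificate_authority_certificate) is asynchronous, so a fixed 30-second sleep is a guess that can be too short under load and is always wasted time when the CA is already active. The following is an added example, not code from the question or the answer: it polls the real ACM PCA describe_certificate_authority API until the CA reports ACTIVE and fails fast on the terminal states (FAILED, DELETED, DISABLED, EXPIRED) instead of waiting out a timeout. The boto3 client and the Terraform wiring through a null_resource with a local-exec provisioner are assumptions; FakeAcmPcaClient is a constructed stand-in so the script runs offline.

```python
"""Wait for an AWS Private CA to become ACTIVE before requesting ACM certificates.

Added example (not from the original post). Assumes the boto3 ``acm-pca``
client's ``describe_certificate_authority`` call; the fake client below is a
constructed stand-in so the module runs without AWS credentials.
"""
import time

# Values of CertificateAuthority.Status as reported by ACM PCA.
IN_PROGRESS = {"CREATING", "PENDING_CERTIFICATE"}
TERMINAL_BAD = {"DELETED", "DISABLED", "EXPIRED", "FAILED"}


class CAStatusError(RuntimeError):
    """The CA is in a state from which it will never become ACTIVE."""


def wait_for_ca_active(client, ca_arn, timeout=300.0, interval=5.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll until the CA is ACTIVE and return that status.

    client -- any object exposing describe_certificate_authority(CertificateAuthorityArn=...)
              (boto3.client("acm-pca") in real use; assumption, see module docstring).
    Raises CAStatusError on a terminal non-ACTIVE state, TimeoutError after `timeout` seconds.
    """
    deadline = clock() + timeout
    while True:
        resp = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)
        status = resp["CertificateAuthority"]["Status"]
        if status == "ACTIVE":
            return status
        if status in TERMINAL_BAD:
            raise CAStatusError(f"CA {ca_arn} is {status}; it will not become ACTIVE")
        if status not in IN_PROGRESS:
            raise CAStatusError(f"CA {ca_arn} reported unexpected status {status!r}")
        if clock() >= deadline:
            raise TimeoutError(f"CA {ca_arn} still {status} after {timeout:.0f}s")
        sleep(interval)


class FakeAcmPcaClient:
    """Constructed stand-in for boto3.client('acm-pca'); replays a scripted status sequence."""

    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.calls = 0

    def describe_certificate_authority(self, CertificateAuthorityArn):
        self.calls += 1
        # Stay on the last scripted status once the sequence is exhausted.
        status = self._statuses[min(self.calls - 1, len(self._statuses) - 1)]
        return {"CertificateAuthority": {"Arn": CertificateAuthorityArn, "Status": status}}


def stepping_clock(step=1.0):
    """Constructed clock that advances `step` seconds per call, for offline runs."""
    now = [0.0]

    def clock():
        now[0] += step
        return now[0]
    return clock


def demo():
    """Run the poller against scripted CA states; returns the outcome of each scenario."""
    arn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/example"  # constructed
    no_sleep = lambda s: None
    results = {}

    ok = FakeAcmPcaClient(["PENDING_CERTIFICATE", "PENDING_CERTIFICATE", "ACTIVE"])
    results["active"] = wait_for_ca_active(ok, arn, sleep=no_sleep)
    results["active_calls"] = ok.calls

    bad = FakeAcmPcaClient(["FAILED"])
    try:
        wait_for_ca_active(bad, arn, sleep=no_sleep)
    except CAStatusError as exc:
        results["failed"] = type(exc).__name__

    stuck = FakeAcmPcaClient(["PENDING_CERTIFICATE"])
    try:
        wait_for_ca_active(stuck, arn, timeout=3.0, interval=1.0,
                           sleep=no_sleep, clock=stepping_clock(1.0))
    except TimeoutError as exc:
        results["timeout"] = type(exc).__name__
    return results


if __name__ == "__main__":
    # Real use (assumption: boto3 installed and AWS credentials configured):
    #   import boto3, sys
    #   wait_for_ca_active(boto3.client("acm-pca"), sys.argv[1])
    print(demo())
```

In Terraform the script can replace the fixed sleep: a null_resource that depends on aws_acmpca_certificate_authority_certificate and runs the script with the CA ARN in a local-exec provisioner, with aws_acm_certificate depending on that null_resource. The apply then proceeds as soon as the CA is ACTIVE and stops with a clear message if the CA ends up FAILED, rather than leaving a FAILED ACM certificate in state as in the question.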