Thumbprint is not provided as an attribute for azurerm_key_vault_certificate

[ghost]

This issue was originally opened by @oliver-hermann as hashicorp/terraform#18768. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Hello,

I'm currently setting up a terraform script which involves creating a Service Fabric Cluster via AzureRM (azurerm_service_fabric_cluster). I also need two certificates for the cluster, but creating a certificate through Terraforms AzureRM interface (azurerm_key_vault_certificate) doesn't yield a thumbprint of the certificate, which is necessary for the Service Fabric Cluster.

So now I'm wondering, is this a missing feature of azurerm_key_vault_certificate? Or am I overlooking something?

I am aware of the possibility to get the thumbprint outside of the script, via Powershell for example. I'm looking for a way to have the whole deployment contained within my Terraform script though.

Is there any other way to achieve this?

Thank you very much in advance!
Regards, Oliver

[tombuildsstuff]

hey @oliver-hermann

Thanks for opening this issue :)

We don't support this property on the azurerm_key_vault_certificate data source/resource at this time - however taking a quick look I believe this might be the cert.X509Thumbprint property in the SDK, would you be able to confirm if that's the thumbprint you're looking for?

Thanks!

[oliver-hermann]

Hey @tombuildsstuff,

The X509Thumbprint property is definitely what i am looking for. I do not have a Go environment set up here, but looking at the SDK source I'm certain that this is the right property.

Thanks for the quick response, also thanks for the nice good first issue tag, I feel honored :)

[steve-hawkins]

I've had a hacky data external resource using the Azure CLI doing this for me for a while now

Not checked the SDK, but the Azure CLI json response brings the following back:-

C:\source> az keyvault certificate show --id https://cisteve-sf.vault.azure.
net/certificates/service-fabric-client/5c0463ba2a5d4b6aadb3c443bac6b2a3
{
  "attributes": {
    "created": "2018-09-07T15:17:53+00:00",
    "enabled": true,
    "expires": "2019-09-07T15:17:52+00:00",
    "notBefore": "2018-09-07T15:07:52+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2018-09-07T15:17:53+00:00"
  },
  "cer": "MIIDdDCCAlygAwIBAgIQVVqZFx1mQ4ijPG1xJFZLmjANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxjYnVrLWNhcmRzLWNpc3RldmUudWt3ZXN0LmNsb3VkYXBwLmF6dXJlLmNvbTAeFw0xODA5MDcxNTA3NTJaFw0xOTA5MDcxNTE3NTJaMDcxNTAzBgNVBAMTLGNidWstY2FyZHMtY2lzdGV2ZS51a3dlc3QuY2xvdWRhcHAuYXp1cmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPtFzgGxKmX2aGuGtIjE4Z3W49y1HNPnyVjG8Md5yVRA32K8tSKCx2QY756v3fQL3/PGXa1IxONSBKoCHuDhsyAGzYGTifdTVezJ1SDOJ+o9MYXMr4E056EK7nGU22F+0sfj2qrEACKKkDztnvsa1AEKIfcDIUngdEXZeNdl48/jTsKAYoqckN6WsGKmSECn+lh0Quq93r9c1leszruv//X+l8NyK19ucPqQpFo88ujaZWig/HPZTqn8ggIQ6EX6qjr4bboLgDynJnwDfPPe0BUEd3bLTZFsLuyYKXI8YMt7cVV81wd5ZRnbEq8TagRYwvK4t10Lhc1IaEDsGX1lSQIDAQABo3wwejAOBgNVHQ8BAf8EBAMCAb4wCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUKL1WMRCL9Gto2UzQEQutSPj7/ywwHQYDVR0OBBYEFCi9VjEQi/RraNlM0BELrUj4+/8sMA0GCSqGSIb3DQEBCwUAA4IBAQClwY+NBE4F5u7BW/HNTbmJ7DG4dST+RK1XFjRfRgc5RRxMIwXGVFD2ENvQkC1hQxQh76ftLvX5ev0SE+vGmdafBKZhkBwFlPGdAo1/qeTb3CfvHlVIkAm6unjW8v1U1mWHIMtBG5FnpsW7Yg1ByJxptbRcnQJhKdgTg5Dvdyi3N9Z5GwEa71zvlkh9DdHCmuhtGAVzNK61azqUaH8/usp/+TaHQ4DqEPzXuNg/ZMoz9TQkHxKrwiMqq0lc62Nv1Z1SI3kHvQGn+T3tPesPQOV2nk13fX+6ZFLyb4lmAwkErAxVnXS1qL3Ko/ZqpFuRYH5EoUX/BWd3UiU646Ks8dwT",
  "contentType": null,
  "id": "https://cisteve-sf.vault.azure.net/certificates/service-fabric-client/5c0463ba2a5d4b6aadb3c443bac6b2a3",
  "kid": "https://cisteve-sf.vault.azure.net/keys/service-fabric-client/5c0463ba2a5d4b6aadb3c443bac6b2a3",
  "policy": null,
  "sid": "https://cisteve-sf.vault.azure.net/secrets/service-fabric-client/5c0463ba2a5d4b6aadb3c443bac6b2a3",
  "tags": {},
  "x509Thumbprint": "Z0n+Bjubk2ZIQLJoPWiRlL2uKhI=",
  "x509ThumbprintHex": "6749FE063B9B93664840B2683D689194BDAE2A12"
}

don't worry these were temporary details, but as you can see x509Thumbprint and x509ThumbprintHex are both returned.

x509ThumbprintHex is the value required in the azurerm_service_fabric_cluster resource

I've not picked up GoLang before, but looking at the SDK it only returns the Base64 encoded value

I'm going to try and play around with the Azure Go SDK to see what is what

[steve-hawkins]

so I have tried the following, but not getting what I expect back:-

x509Thumbprint := string(*cert.X509Thumbprint)

x509ThumbprintHex, err := base64.URLEncoding.DecodeString(x509Thumbprint)
if err != nil {
	return err
}

d.Set("thumbprint", x509ThumbprintHex)

• azurerm_key_vault_certificate.service_fabric_client: azurerm_key_vault_certificate.service_fabric_client: illegal base64 data at input byte 24

@tombuildsstuff any ideas?

[steve-hawkins]

@tombuildsstuff OK got it, like I said fresh and new to Go:-

x509Thumbprint, err := base64.RawURLEncoding.DecodeString(string(*cert.X509Thumbprint))
if err != nil {
	return err
}

x509ThumbprintHex := hex.EncodeToString(x509Thumbprint)

d.Set("thumbprint", x509ThumbprintHex)

I'll raise a PR shortly

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!