
Support for exporting Azure resource identifier for azurerm_key_vault_certificate #21261

Closed
1 task done
andyadamides opened this issue Apr 3, 2023 · 10 comments · Fixed by #21314

Comments

@andyadamides

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, the azurerm_key_vault_certificate resource does not support exporting the Azure resource id for a certificate that is in an Azure Key Vault. It only exports the HTTPS link for that certificate, i.e. https://<kv_name>.vault.azure.net/certificates/<cert_name>.

The Azure KV Certificate id is of this form:
/subscriptions/<sub_id>/resourceGroups/<rg_id>/providers/Microsoft.KeyVault/vaults/<kv_name>/certificates/<cert_name>

Not having the Azure certificate id can cause downstream issues such as when trying to do fine-grained individual IAM role assignments to the certificate level, since the scope in azurerm_role_assignment does not support the HTTPS format.

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_certificate

Potential Terraform Configuration

output "kv_cert_raw_id" {
  value       = azurerm_key_vault_certificate.kv_certificate.raw_id
  description = "The Key Vault Certificate Azure Resource Raw ID."
}

References

No response

@wuxu92
Contributor

wuxu92 commented Apr 6, 2023

hi @andyadamides is there any document or definition about the Azure resource manager ID for the KeyVault certificate? I find no such id from all APIs about certificates.

@andyadamides
Author

andyadamides commented Apr 6, 2023

> hi @andyadamides is there any document or definition about the Azure resource manager ID for the KeyVault certificate? I find no such id from all APIs about certificates.

It was very hard for me to find one, but the way I did it was:

  1. In the Azure Portal I went in the IAM part of a certificate I created
  2. Added a role assignment for that certificate again manually from the portal
  3. Then, using the az cli: az role assignment list --all and this returned the role assignment for the certificate I had just added in the portal with this scope: "scope": "/subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.KeyVault/vaults/<kv_name>/certificates/<cert_name>". This scope is the Azure resource manager ID for the keyvault certificate.

@andyadamides
Author

andyadamides commented May 5, 2023

Hi, I see that this is now added, which is great news, but the secret part of the certificate is also required in the same way.

This is created in the same resource manager convention as other key vault secrets but cannot be obtained directly in any other way from the azurerm_key_vault_certificate module (to properly build the dependencies in TF):

"/subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.KeyVault/vaults/<kv_name>/secrets/<cert_name>"

Could you also add this one as it is needed for downstream role assignments?

@wuxu92
Contributor

wuxu92 commented May 5, 2023

Hi @andyadamides could you use data-sources/key_vault_secret#resource_id to get the resource id of secret?

@andyadamides
Author

> Hi @andyadamides could you use data-sources/key_vault_secret#resource_id to get the resource id of secret?

But I cannot do this all in the same TF script: create a certificate using azurerm_key_vault_certificate, then use the above "data" block to get the secret (even if it is available, because this secret is not even shown in the Azure portal under Secrets), and then in the same script use it in downstream resources (in my case azurerm_role_assignment).
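The following is an added example, not configuration from the issue or from the provider's own code, showing the downstream use that both the original request (certificate scope) and the follow-up (secret scope) are asking for: per-object role assignments whose scope is the ARM-style id rather than the `https://` vault URL. It assumes the `azurerm_key_vault_certificate.kv_certificate` resource from this thread, a `var.workload_principal_id` holding the object id of the principal that needs access, and builds the ids from the certificate's `key_vault_id` attribute using the two id patterns quoted in the thread, so it works even on a provider version without a dedicated attribute. The role names are assumed built-in role names; verify them in your tenant.

```hcl
# Added example (not from the issue or the azurerm provider).
# Assumes azurerm_key_vault_certificate.kv_certificate (as posted in the thread)
# and var.workload_principal_id (object id of the principal receiving access).

locals {
  # ARM resource id of the certificate object, built from the vault id using
  # the pattern in the issue:
  #   /subscriptions/.../vaults/<kv_name>/certificates/<cert_name>
  # Referencing the resource's own attributes makes Terraform create the
  # certificate before any role assignment that uses this scope.
  cert_scope = "${azurerm_key_vault_certificate.kv_certificate.key_vault_id}/certificates/${azurerm_key_vault_certificate.kv_certificate.name}"

  # The certificate's backing secret (same name, "secrets" segment), which is
  # what a workload actually reads when it fetches the PFX/PEM material:
  #   /subscriptions/.../vaults/<kv_name>/secrets/<cert_name>
  secret_scope = "${azurerm_key_vault_certificate.kv_certificate.key_vault_id}/secrets/${azurerm_key_vault_certificate.kv_certificate.name}"
}

# Read access to this one certificate object only, not the whole vault.
resource "azurerm_role_assignment" "cert_reader" {
  scope                = local.cert_scope
  role_definition_name = "Key Vault Certificate User" # assumed built-in role name
  principal_id         = var.workload_principal_id
}

# Read access to the certificate's private material via its backing secret.
# Scoped to the single secret, so other secrets in the vault stay out of reach.
resource "azurerm_role_assignment" "cert_secret_reader" {
  scope                = local.secret_scope
  role_definition_name = "Key Vault Secrets User" # assumed built-in role name
  principal_id         = var.workload_principal_id
}

output "kv_cert_scopes" {
  description = "ARM-style scopes used for the per-certificate role assignments."
  value = {
    certificate = local.cert_scope
    secret      = local.secret_scope
  }
}
```

Two practical notes: these data-plane role assignments only take effect when the vault uses Azure RBAC rather than access policies (`enable_rbac_authorization = true` on the `azurerm_key_vault` resource), and the certificate resource's `id` attribute (the `https://...vault.azure.net/...` form) must not be used as `scope`, since, as the issue states, role assignments reject that format.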

@andyadamides
Author

@wuxu92 wdyt?

@wuxu92
Contributor

wuxu92 commented May 10, 2023

Hi @andyadamides could you please share an example configuration of your azurerm_key_vault_certificate? I tried with my local env and did not get the secret field of the certificate resource.

@andyadamides
Author

andyadamides commented May 10, 2023

> Hi @andyadamides could you please share an example configuration of your azurerm_key_vault_certificate? I tried with my local env and did not get the secret field of the certificate resource.

resource "azurerm_key_vault_certificate" "kv_certificate" {
  name         = module.naming_kv_certificate.result
  key_vault_id = var.key_vault_resource_id

  certificate_policy {
    issuer_parameters {
      name = var.issuer_parameters_issuer_name
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = var.lifetime_action
      }

      trigger {
        days_before_expiry = var.lifetime_action_days_before_expiry
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
        "nonRepudiation",
      ]

      subject_alternative_names {
        dns_names = var.san_dns_names
      }

      subject            = "CN=____"
      validity_in_months = var.x509_cert_key_validity_months
    }
  }
}

@wuxu92
Contributor

wuxu92 commented May 11, 2023

there is an empty secret field in the certificate by your configuration.. could you please create a new issue to describe your problem instead of continuing this thread?

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 26, 2024