Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Not possible to disable certificate_transparency_logging_preference in aws provider #10167

Closed
zioalex opened this issue Sep 19, 2019 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. upstream Addresses functionality related to the cloud provider.

Comments

@zioalex
Copy link

zioalex commented Sep 19, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.9

  • provider.aws v2.28.1
  • provider.local v1.3.0
  • provider.null v2.1.2

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "cloudhsm_client_cert" {
  private_key      = "${data.local_file.client_key_file.content}"
  certificate_body = "${data.local_file.client_cert_file.content}"
  certificate_chain = "${data.local_file.cloudhsm_cert_chain.content}"
  # see herehttps://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency
  # and here https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html?shortFooter=true#best-practices-transparency
  options {
    certificate_transparency_logging_preference = "DISABLED"
  }
}

Debug Output

It is not possible to include it due to sensitive data.

Panic Output

Expected Behavior

The new ACM certificate will be created with the certificate_transparency_logging_preference option disabled.
I'd been forced to add this option because if I do not, every time I apply the code I get:

  # aws_acm_certificate.cloudhsm_client_cert must be replaced
-/+ resource "aws_acm_certificate" "cloudhsm_client_cert" {
      ~ arn                       = "arn:aws:acm:XXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ certificate_body          = "YYYYYYYYYYYYYYYYYYY" -> (known after apply)
      ~ certificate_chain         = "ZZZZZZZZZZZZZZZZZ" -> (known after apply)
      ~ domain_name               = "client1.domain.tld" -> (known after apply)
      ~ domain_validation_options = [] -> (known after apply)
      ~ id                        = "arn:aws:acm:XXXXXXXXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ private_key               = (sensitive value)
      ~ subject_alternative_names = [] -> (known after apply)
      - tags                      = {} -> null
      ~ validation_emails         = [] -> (known after apply)
      ~ validation_method         = "NONE" -> (known after apply)

      - options {
          - certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement
        }
    }

recreating every time the certificate.

If I run a plan I get:

  # aws_acm_certificate.cloudhsm_server_cert will be created
  + resource "aws_acm_certificate" "cloudhsm_server_cert" {
      + arn                       = (known after apply)
      + certificate_body          = (known after apply)
      + certificate_chain         = (known after apply)
      + domain_name               = (known after apply)
      + domain_validation_options = (known after apply)
      + id                        = (known after apply)
      + private_key               = (sensitive value)
      + subject_alternative_names = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = (known after apply)

      + options {
          + certificate_transparency_logging_preference = "DISABLED"
        }
    }

I see here 2 different problems:

  1. If the option is not defined the resource will be recreated because it sees:
    certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement

  2. If I try to set such option to DISABLED I get:
    Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

looking the code here https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go
I see (line 129):

Elem: &schema.Resource{
					Schema: map[string]*schema.Schema{
						"certificate_transparency_logging_preference": {
							Type:          schema.TypeString,
							Optional:      true,
							Default:       acm.CertificateTransparencyLoggingPreferenceEnabled,
							ForceNew:      true,
							ConflictsWith: []string{"private_key", "certificate_body", "certificate_chain"},
							ValidateFunc: validation.StringInSlice([]string{
								acm.CertificateTransparencyLoggingPreferenceEnabled,
								acm.CertificateTransparencyLoggingPreferenceDisabled,
							}, false),
						},
					},
				},

even though I Didn't find any reason for the ConflictsWith.

Actual Behavior

Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

  on main.tf line 117, in resource "aws_acm_certificate" "cloudhsm_server_cert":
 117: resource "aws_acm_certificate" "cloudhsm_server_cert" {

Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

  on main.tf line 128, in resource "aws_acm_certificate" "cloudhsm_client_cert":
 128: resource "aws_acm_certificate" "cloudhsm_client_cert" {

Steps to Reproduce

Add the option certificate_transparency_logging_preference in the aws_acm_certificate definition:

options {
    certificate_transparency_logging_preference = "DISABLED"
  }
  1. terraform apply

Important Factoids

References

  • #0000
@ghost ghost added the service/acm Issues and PRs that pertain to the acm service. label Sep 19, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 19, 2019
@JulianCBC
Copy link

If those certificates are used by a load balancer, then replacing them doesn't work as it tries to delete them without removing them from the load balancer. See #10233.

These issues effectively prevent people from using LetsEncrypt derived certificates with load balancers on AWS. E.g. for test or development environments.

@JulianCBC
Copy link

You can hack around the issue of the certificate being re-created every time by adding a lifecycle block like this to make it ignore the options block:

resource "aws_acm_certificate" "certificate" {
  private_key       = var.private_key_pem
  certificate_body  = var.certificate_pem
  certificate_chain = var.issuer_pem

  lifecycle {
    ignore_changes = [
      options,
    ]
  }
}

@mattburgess
Copy link
Collaborator

As the author of the code that introduced this issue I'd like to apologize/explain :)

As you noted from the console, when you initially import a certificate, CT Logging is enabled (and at import time you have no way of changing this). Only after the fact, can you update the options on the certificate to disable CT Logging. However, at this point your certificate may already have been added to the public CT logs. So, disabling CT Logging may not have the effect you think it will, as explained at https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency:

Once a certificate has been logged, it cannot be removed from the log. Opting out at that point will have no effect.

The console is mirroring the AWS API exactly here, which I'll admit would appear to be somewhat lacking. As explained at https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go#L117-L144 when you import a certificate, there's no way in the API to specify whether you want to opt in or out of CT Logging, and the default is to be opted in.

I could look at issuing an UpdateCertificateOptions() call if the certificate_transparency_logging_preference argument is set to DISABLED on imported certs but I worry that might lead people to assume the certificate isn't in any public CT Logs when it might be. I'll admit though, that I don't know how automatic that process of publishing is...maybe if the options are updated quickly enough after the import then they never will make it to the CT Logs?

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. upstream Addresses functionality related to the cloud provider. and removed needs-triage Waiting for first response or review from a maintainer. labels May 26, 2020
@bflad
Copy link
Contributor

bflad commented May 26, 2020

Hi folks 👋 Thank you @zioalex for filing the issue and thank you @mattburgess for the detailed explanation above.

Given that the ACM API effectively does not support preventing Certificate Transparency logs being sent during the ImportCertificate API call and that calling UpdateCertificateOptions after the fact will not remove the Certificate Transparency logs, we would be very hesitant to relax the Terraform resource restriction of specifying the option to disable the logs. We would not want to give the impression that this configuration works as expected to prevent the Certificate Transparency logs from appearing at all, which seems it would prompt security and bug reports against the Terraform AWS Provider.

As such, we are going to close this issue for now, since the ACM API requires potential updates. Once the API has been updated, we can revisit this request in the Terraform AWS Provider. 👍

Our best recommendation would be to contact AWS via a new support case or via your Technical Account Manager (if you have one), to recommend ImportCertificate API support include the ability to never send the Certificate Transparency logs.

@bflad bflad closed this as completed May 26, 2020
@ghost
Copy link

ghost commented Jun 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 26, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. upstream Addresses functionality related to the cloud provider.
Projects
None yet
Development

No branches or pull requests

4 participants