
Feature: Add ability to issue an aws_acm_certificate from a private CA (acmpca) #5550

Closed
TFaga opened this issue Aug 14, 2018 · 9 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service.
Milestone

Comments

@TFaga

TFaga commented Aug 14, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Support for issuing certificates (aws_acm_certificate) with a private CA (aws_acmpca_certificate_authority) from the certificate manager.

Currently there is no option to pass in the arn of a private CA in order to issue a private certificate instead of a default public one.

I can tackle this myself if I didn't miss something.

New or Affected Resource(s)

  • aws_acm_certificate

Potential Terraform Configuration

resource "aws_acm_certificate" "cert" {
  domain_name               = "internal.example.com"
  certificate_authority_arn = "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012"
}

References

@bflad
Contributor

bflad commented Aug 15, 2018

Hi @TFaga, thanks for submitting this feature request.

It's important to note that ACM and ACMPCA are different at the SDK level and use different API endpoints. For implementing this support, we will want to create a completely separate resource to handle these concerns. 👍

@bflad bflad added new-resource Introduces a new resource. service/acmpca Issues and PRs that pertain to the acmpca service. labels Aug 15, 2018
@TFaga
Author

TFaga commented Aug 16, 2018

Hi @bflad

Thanks for getting back. From my understanding, the certificates found in the acm-pca endpoint serve a different purpose than the ones mentioned in this issue (aws_acm_certificate). They are only for issuing certificates you generated locally and sent the CSR to the PCA. AWS never gets the private keys, and as such they are not managed by AWS at all. You can only revoke them AFAIK.

If, however, you want to generate managed certificates from a PCA that function the same as the public certificates (i.e. keys managed by AWS and usable in integrated services), you need to issue the certificate with the acm client and pass in a PCA ARN, which currently you cannot do with Terraform.

So to summarize we could do two things:

  • Add the certificate_authority_arn property to the aws_acm_certificate in order to enable issuing private managed certificates from a PCA,
  • Create a new resource (e.g. acm_acmpca_certificate) which represents the other type of certificate (unmanaged), which is created with an external CSR.
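The first, managed path from the comment above, written out as a Terraform configuration for the certificate_authority_arn argument (an added example, not configuration from the issue or the provider docs; the variable names, the SAN and the listener wiring are assumptions, and the private CA is assumed to already exist and be activated):

```hcl
# Added example. Assumes an ACM Private CA that is already activated, whose ARN
# is passed in through var.private_ca_arn, and an existing internal ALB and
# target group passed in by ARN. Names are illustrative.
variable "private_ca_arn" {
  description = "ARN of an existing, active ACM Private CA"
  type        = string
}

variable "load_balancer_arn" {
  type = string
}

variable "target_group_arn" {
  type = string
}

# Managed private certificate: ACM generates and keeps the key pair and asks the
# private CA to sign it. Nothing is validated over DNS or email, so no
# validation_method and no aws_acm_certificate_validation resource are used.
# This is the opposite of the CSR path, where the key never leaves the caller.
resource "aws_acm_certificate" "internal" {
  domain_name               = "internal.example.com"
  subject_alternative_names = ["api.internal.example.com"]
  certificate_authority_arn = var.private_ca_arn

  # Create the replacement before destroying the old certificate so consumers
  # never point at a deleted ARN while a change is rolled in.
  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Issuer = "private-ca"
  }
}

# Because the key is AWS-managed, the certificate attaches to integrated
# services directly, here an HTTPS listener on the assumed internal ALB.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.load_balancer_arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.internal.arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```

Clients of the listener must trust the private CA's root, since it is not in public trust stores.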

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. and removed service/acmpca Issues and PRs that pertain to the acmpca service. new-resource Introduces a new resource. labels Aug 16, 2018
@bflad
Contributor

bflad commented Aug 16, 2018

Ah ha! Okay, I see what you mean; there is a difference between these two:

In your case, you are correct that for the first case, we can (and should 😄 ) do this with the existing resource. The second will need to be a separate resource. My apologies for the confusion.

@gitchandran

When will this feature get released? Are there any alternatives to generate private certificates using the current version of Terraform?

@bhemmings

Hi, is there any news on being able to use aws_acm_certificate to issue private certificates? I can use aws_acmpca_certificate_authority for creating a PCA but don't seem to be able to use this through TF at the mo?

@texdc

texdc commented Aug 1, 2019

@bflad Please ensure the 2 PRs for this issue are properly reviewed ASAP. This functionality has been available in the AWS SDK for over a year now. TF is generally better about staying on top of new features.

@bflad bflad added this to the v2.23.0 milestone Aug 6, 2019
@bflad
Contributor

bflad commented Aug 6, 2019

Hi folks 👋 Support for issuing private certificates via a new certificate_authority_arn argument in the aws_acm_certificate resource has been merged and will release with version 2.23.0 of the Terraform AWS Provider, later this week.

If you're interested in additional functionality, such as issuing ACM PCA certificates (not through ACM), please file new feature request issues for further triage. Thanks.

@bflad bflad closed this as completed Aug 6, 2019
@ghost

ghost commented Aug 7, 2019

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019