# azure
h
ok, so I got tired trying to sort out how to use DigiCert, so I'm currently trying to deploy https://github.com/shibayan/keyvault-acmebot (there are existing Terraform & Bicep examples), and looking at some of the docs, I smell a dynamic provider in my future.
a
Interesting! Hadn't seen this yet. I wanted a Pulumi native way of solving cert renewals recently and ended up gluing together:
• pulumi-acme (Terraform migrated provider for Lego Acme Client)
• pulumi-azure-native for importing cert into Key Vault
• pulumi-azuread for creating a service principal with scoped permissions to only update an acme challenge TXT record for a given DNS zone
• pulumi-tls for generating the ACME account registration private key
• pulumi-random for creating a password for the PFX cert
• pyca/cryptography for converting the PEM cert to the x509-pkcs8 format which Azure services accept

One could argue these are too many dependencies but at least it works and I can issue certificates, set up SSL and custom domains in a single Pulumi run for downstream workloads. Would love to have this streamlined.
h
yeah, in my experience pulumi is bad at those process operations? Or the modules I'm using are just bad
a
Yep agree – my initial approach used pulumi-command to execute an acme CLI but that was such a hacky headache – f.x. reading file contents via cat -> stdout to get the outputs back to Pulumi. It's great that someone has created keyvault-acmebot but I'm not too comfortable running an application published by a freelancer with "permanent" credentials/permissions to make changes to my DNS zones – even though those permissions can be scoped down to only allow updating _acme-challenge TXT records. But at the same time we're putting a lot of trust into those with write access to all the libraries I mentioned above. Might be contradicting myself here – I guess it's hard to have the cake and eat it too 😄
h
points vaguely at xz
a
Exactly – we can't ever win this battle 🙂