#azure

hundreds-gpu-71155

03/25/2024, 4:54 PM
ok, so I got tired trying to sort out how to use DigiCert, so I'm currently trying to deploy https://github.com/shibayan/keyvault-acmebot (there are existing Terraform & Bicep examples), and looking at some of the docs, I smell a dynamic provider in my future.

adventurous-butcher-54166

04/03/2024, 2:37 PM
Interesting! Hadn't seen this yet. I wanted a Pulumi native way of solving cert renewals recently and ended up gluing together
• pulumi-acme (Terraform migrated provider for Lego ACME client)
• pulumi-azure-native for importing the cert into Key Vault
• pulumi-azuread for creating a service principal with scoped permissions to only update an ACME challenge TXT record for a given DNS zone
• pulumi-tls for generating the ACME account registration private key
• pulumi-random for creating a password for the PFX cert
• pyca/cryptography for converting the PEM cert to the x509-pkcs8 format which Azure services accept
One could argue these are too many dependencies but at least it works and I can issue certificates, set up SSL and custom domains in a single Pulumi run for downstream workloads. Would love to have this streamlined.

hundreds-gpu-71155

04/03/2024, 3:03 PM
yeah, in my experience pulumi is bad at those process operations? Or the modules I'm using are just bad

adventurous-butcher-54166

04/03/2024, 3:29 PM
Yep agree – my initial approach used pulumi-command to execute an acme CLI but that was such a hacky headache – f.x. reading file contents via cat -> stdout to get the outputs back to Pulumi. It's great that someone has created keyvault-acmebot but I'm not too comfortable running an application published by a freelancer with "permanent" credentials/permissions to make changes to my DNS zones – even though those permissions can be scoped down to only allow updating _acme-challenge TXT records. But at the same time we're putting a lot of trust into those with write access to all the libraries I mentioned above. Might be contradicting myself here – I guess it's hard to have the cake and eat it too 😄

hundreds-gpu-71155

04/03/2024, 3:30 PM
points vaguely at xz

adventurous-butcher-54166

04/03/2024, 3:30 PM
Exactly – we can't ever win this battle 🙂