To be able to use a wildcard certificate I need to...
# general
s
To be able to use a wildcard certificate I need to go through the steps shown in the Azure portal in the image. My question: how do I add it to keyVault in Pulumi? I got the following code when importing the cert:
CertificateOrder = new CertificateOrder("mycert", new CertificateOrderArgs
{
    AutoRenew = true,
    KeySize = 2048,
    Location = "global",
    Name = "mycert",
    ProductType = "WildCard",
    ResourceGroupName ="myresourcegroup",
    ValidityInYears = 1,
});
but there is no keyVaultId to be found. But Web.Certificate has KeyVaultId
var cert = new AzureNative.Web.Certificate("cert", new AzureNative.Web.CertificateArgs
{
  KeyVaultId = KeyVault.Id,
  // ...
});
So how can I hook them together? I should probably use https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/certificate/ Correct? But how?
var exampleCertificate = new Azure.KeyVault.Certificate("exampleCertificate", new Azure.KeyVault.CertificateArgs
{
    KeyVaultId = KeyVault.Id,
    KeyVaultCertificate = new Azure.KeyVault.Inputs.CertificateCertificateArgs
    {
        Contents = "??", //what would go in here? CertificateOrder.?
        Password = "??"
    }
});
There is a keyvault connection, it seems, but how do I set it?
var thereIsAKeyVaultConnection = CertificateOrder.Certificates.First().Apply(x => x.KeyVaultId);
Just to try I did things manually in the UI and got a "application/x-pkcs12" secret into the keyVault. I then exported it with
pulumi import azure:keyvault/secret:Secret CertificateOrderSecret "<https://vault723aa5a.vault.azure.net/secrets/.../>..."
and got code for the secret to import. My question now is, is it enough? And it created an Output.CreateSecret() with a long value that I guess I should not add to source code like that and should use
pulumi config set mycert longvaluehere --secret
@great-queen-39697 rather this one
g
(note that I'm in the native provider, not the classic one)
So, if I'm reading the API docs correctly, KeyVault is one of the Azure services: https://azure.microsoft.com/en-us/services/key-vault/. So you need KeyVault turned on in your Azure system (which is something you need to go through Azure's docs for: https://docs.microsoft.com/en-us/azure/key-vault/general/overview). And then you're using this API to work with the Vault itself: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/.
s
Yes, I want to be in the native stack, I found out today. And I'll look at this tomorrow, but now it's almost 24:00 where I live so I'll get back to this tomorrow. I appreciate all your help!
g
No worries! Feel free to leave me questions when you do get back on; async works for me.
g
Hi @sticky-exabyte-94099 were you able to solve this? Please share. Thanks
I created a key vault resource following https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/ and passed the id to web.certificate but got this error:
certificate (azure-native:web:Certificate)
error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The parameter Properties.KeyVaultId has an invalid value." Details=[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51008","Message":"The parameter Properties.KeyVaultId has an invalid value.","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"]}}]
g
How are you getting the ID? Can you share a bit of code?
s
@green-intern-53931 hi, sorry, I had to postpone working on this since it was taking too much effort. But now I'm sitting down again and will try this all out again... when I have this working (or not) I'll ping you here again
g
Thanks @sticky-exabyte-94099 Hi @great-queen-39697 I get the Id from the key vault resource like this
keyVaultId: vault.id
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const certificate = new azure_native.web.Certificate("certificate", {
    hostNames: ["ServerCert"],
    location: "East US",
    name: "testc6282",
    password: "<password>",
    resourceGroupName: "testrg123",
    keyVaultId: vault.id,
});
create the key vault resource like this
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const vault = new azure_native.keyvault.Vault("vault", {
    location: "westus",
    properties: {
        accessPolicies: [{
            objectId: "00000000-0000-0000-0000-000000000000",
            permissions: {
                certificates: [
                    "get",
                    "list",
                    "delete",
                    "create",
                    "import",
                    "update",
                    "managecontacts",
                    "getissuers",
                    "listissuers",
                    "setissuers",
                    "deleteissuers",
                    "manageissuers",
                    "recover",
                    "purge",
                ],
                keys: [
                    "encrypt",
                    "decrypt",
                    "wrapKey",
                    "unwrapKey",
                    "sign",
                    "verify",
                    "get",
                    "list",
                    "create",
                    "update",
                    "import",
                    "delete",
                    "backup",
                    "restore",
                    "recover",
                    "purge",
                ],
                secrets: [
                    "get",
                    "list",
                    "set",
                    "delete",
                    "backup",
                    "restore",
                    "recover",
                    "purge",
                ],
            },
            tenantId: "00000000-0000-0000-0000-000000000000",
        }],
        enabledForDeployment: true,
        enabledForDiskEncryption: true,
        enabledForTemplateDeployment: true,
        sku: {
            family: "A",
            name: "standard",
        },
        tenantId: "00000000-0000-0000-0000-000000000000",
    },
    resourceGroupName: "sample-resource-group",
    vaultName: "sample-vault",
});