Channels
#python
Title
# python
a
aloof-tailor-28919
06/24/2022, 11:19 PMHello - we are using Pulumi with Python and AWS. I am trying to set up a Certificate Authority and attach a Certificate to an RDS ClusterInstance, in order to allow SSL/TLS connections to the database instances. In the first step, I create a root Certificate Authority and it signs its own root Certificate. My second step is to create a new Certificate to use for the database instances. That looks like this:
Copy code
rds_certificate = acmpca.Certificate(
'my_rds_certificate',
certificate_authority_arn=certificate_authority.arn,
certificate_signing_request=certificate_authority.certificate_signing_request,
signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,
template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1',
validity=acmpca.CertificateValidityArgs(type='YEARS', value=RDS_CERTIFICATE_VALIDITY_IN_YEARS),
opts=ResourceOptions(depends_on=[certificate_authority_certificate]),
) Copy code
reporting_instance = ClusterInstance(
'clusterinstance-initial',
identifier='clusterinstance-initial',
cluster_identifier=reporting_cluster.id,
instance_class=REPORTING_WRITER_INSTANCE_CLASS,
engine=reporting_cluster.engine,
engine_version=reporting_cluster.engine_version,
performance_insights_enabled=PERFORMANCE_INSIGHTS_ENABLED,
apply_immediately=True,
ca_cert_identifier=rds_certificate.id,
)b
billowy-army-68599
06/29/2022, 5:15 PM
@aloof-tailor-28919 i believe you need to use
rds_certificate.namea
aloof-tailor-28919
06/29/2022, 5:16 PMThank you for responding! Unfortunately, I tried the Certificate "name" property but that did not work, and neither did the "certificate" property. However, I will go and try it again!
b
billowy-army-68599
06/29/2022, 5:16 PM
what error did you get?
are you able to post the full code?
a
aloof-tailor-28919
06/29/2022, 5:24 PMTo be more specific, the Certificate resource does not appear to have a "name" property per documentation at https://www.pulumi.com/registry/packages/aws/api-docs/acmpca/certificate/
So unsurprisingly, I got the error AttributeError: 'Certificate' object has no attribute 'name'
There is an input parameter resource_name, but trying to use that causes the error AttributeError: 'Certificate' object has no attribute 'resource_name'
Additionally, I tried passing the string that was used as the resource_name input. That didn't work either. I'll share the code:
# Certificate Authority for setting up SSL/TLScertificate_authority = acmpca.CertificateAuthority('dataplatform_certificate_authority',certificate_authority_configuration=acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs(key_algorithm=CERTIFICATE_KEY_ALGORITHM,signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,subject=acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs(common_name=CERTIFICATE_AUTHORITY_SUBJECT,),),permanent_deletion_time_in_days=CERTIFICATE_AUTHORITY_PERMANENT_DELETION_IN_DAYS,type='ROOT',)# Create self-signed root certificate for Certificate Authoritycertificate_authority_root_certificate = acmpca.Certificate('dataplatform_ca_root_certificate',certificate_authority_arn=certificate_authority.arn,certificate_signing_request=certificate_authority.certificate_signing_request,signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,template_arn='arn:aws:acm-pca:::template/RootCACertificate/V1',validity=acmpca.CertificateValidityArgs(type='YEARS', value=ROOT_CERTIFICATE_VALIDITY_IN_YEARS),)certificate_authority_certificate = acmpca.CertificateAuthorityCertificate('dataplatform_ca_certificate',certificate_authority_arn=certificate_authority.arn,certificate=certificate_authority_root_certificate.certificate,certificate_chain=certificate_authority_root_certificate.certificate_chain,)# Certificate for databaserds_certificate = acmpca.Certificate('dataplatform-rds-certificate',certificate_authority_arn=certificate_authority.arn,certificate_signing_request=certificate_authority.certificate_signing_request,signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1',validity=acmpca.CertificateValidityArgs(type='YEARS', value=RDS_CERTIFICATE_VALIDITY_IN_YEARS),opts=ResourceOptions(depends_on=[certificate_authority_certificate]),)reporting_cluster = Cluster('dataplatform-reportingcluster',engine=REPORTING_ENGINE,engine_version=REPORTING_ENGINE_VERSION,database_name='reportingstore',cluster_identifier=f'dataplatform-reportingcluster',master_password=REPORTING_PASSWORD,master_username=REPORTING_USERNAME,db_subnet_group_name=reporting_subnet_group.name,deletion_protection=STORAGE_DELETION_PROTECTION,skip_final_snapshot=SKIP_SNAPSHOTS,vpc_security_group_ids=[reporting_cluster_security_group.id],db_cluster_parameter_group_name=reporting_cluster_parameter_group.name,enabled_cloudwatch_logs_exports=['postgresql'],allow_major_version_upgrade=True,apply_immediately=True,preferred_maintenance_window=REPORTINGSTORE_MAINTENANCE_WINDOW,kms_key_id=secret_key.arn,storage_encrypted=True,)# writer instancereporting_instance = ClusterInstance('dataplatform-initial',identifier='dataplatform-initial',cluster_identifier=reporting_cluster.id,instance_class=REPORTING_WRITER_INSTANCE_CLASS,engine=reporting_cluster.engine,engine_version=reporting_cluster.engine_version,performance_insights_enabled=REPORTINGSTORE_PERFORMANCE_INSIGHTS_ENABLED,apply_immediately=True,ca_cert_identifier='dataplatform-rds-certificate',opts=ResourceOptions(depends_on=[rds_certificate]),)That caused the error "error modifying RDS Cluster Instance (dataplatform-initial): CertificateNotFound: Certificate not found: dataplatform-rds-certificate" @billowy-army-68599
b
billowy-army-68599
06/29/2022, 6:10 PM
i cant find any ecidence thus works with terraform either...
you're poistive its supported?
a
aloof-tailor-28919
06/29/2022, 6:14 PMI found an example of someone using it in Terraform: https://stackoverflow.com/questions/69726495/aws-rds-cluster-instance-resource-promoted-to-create-before-destroy-despite-life
b
billowy-army-68599
06/29/2022, 6:16 PM
ah, why are you passing the signed certificate to the ca_cert_identifier? shouldn't that be the certificate_authority_certificate name you pass?
in the stackoverflow example you shared, they're just hardcoding the string for the name...
not passing an output to an inout
a
aloof-tailor-28919
06/29/2022, 6:21 PMAgreed about the stackoverflow example. That's why I tried passing the string 'dataplatform-rds-certificate'.
"why are you passing the signed certificate to the ca_cert_identifier? shouldn't that be the certificate_authority_certificate name you pass?" I thought I needed a certificate created with
template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1'I just tried changing the certificate_authority_certificate resource_name to 'dataplatform-ca-certificate' and passing that same string to ca_cert_identifier. That produced a similar error,
error modifying RDS Cluster Instance (dataplatform-initial): CertificateNotFound: Certificate not found: dataplatform-ca-certificateb
billowy-army-68599
06/29/2022, 6:34 PM
I will have to try find some time to become familiar with this, I'm afraid. You shouldn't need to pass any strings around at all
a
aloof-tailor-28919
06/29/2022, 6:35 PMThank you for offering to help. Passing strings instead of a property seems un-Pulumi-like