#python
aloof-tailor-28919

06/24/2022, 11:19 PM
Hello - we are using Pulumi with Python and AWS. I am trying to set up a Certificate Authority and attach a Certificate to an RDS ClusterInstance, in order to allow SSL/TLS connections to the database instances. In the first step, I create a root Certificate Authority and it signs its own root Certificate. My second step is to create a new Certificate to use for the database instances. That looks like this:
rds_certificate = acmpca.Certificate(
    'my_rds_certificate',
    certificate_authority_arn=certificate_authority.arn,
    certificate_signing_request=certificate_authority.certificate_signing_request,
    signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,
    template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1',
    validity=acmpca.CertificateValidityArgs(type='YEARS', value=RDS_CERTIFICATE_VALIDITY_IN_YEARS),
    opts=ResourceOptions(depends_on=[certificate_authority_certificate]),
)
As far as I can tell, step two works - I don't get any errors when running it. My third step is to try to attach that rds_certificate to a ClusterInstance, which looks like this:
reporting_instance = ClusterInstance(
    'clusterinstance-initial',
    identifier='clusterinstance-initial',
    cluster_identifier=reporting_cluster.id,
    instance_class=REPORTING_WRITER_INSTANCE_CLASS,
    engine=reporting_cluster.engine,
    engine_version=reporting_cluster.engine_version,
    performance_insights_enabled=PERFORMANCE_INSIGHTS_ENABLED,
    apply_immediately=True,
    ca_cert_identifier=rds_certificate.id,
)
That's where my code fails. I can create the ClusterInstance if I don't include the final parameter, ca_cert_identifier. When I try the above code, I get this error: "InvalidParameterValue: The parameter CertificateIdentifier is not a valid identifier because it is longer than 63 characters." Now, the id value is definitely longer than 63 characters - in fact, it's 142 characters. That's not abnormal for an id value. I am not sure whether I should be passing some other value instead of rds_certificate.id? I tried the Certificate "name" property but that did not work, and neither did the "certificate" property. Everything I can find via searching the web refers to using this parameter in Terraform, where the id value is a value such as 'rds-ca-2017'. However, id values in Pulumi are not so short! Has anyone used the ca_cert_identifier parameter successfully? I would love any advice. Thanks!
billowy-army-68599

06/29/2022, 5:15 PM
@aloof-tailor-28919 I believe you need to use
rds_certificate.name
not the id
aloof-tailor-28919

06/29/2022, 5:16 PM
Thank you for responding! Unfortunately, I tried the Certificate "name" property but that did not work, and neither did the "certificate" property. However, I will go and try it again!
billowy-army-68599

06/29/2022, 5:16 PM
what error did you get?
are you able to post the full code?
aloof-tailor-28919

06/29/2022, 5:24 PM
To be more specific, the Certificate resource does not appear to have a "name" property per documentation at https://www.pulumi.com/registry/packages/aws/api-docs/acmpca/certificate/. So unsurprisingly, I got the error AttributeError: 'Certificate' object has no attribute 'name'
There is an input parameter resource_name, but trying to use that causes the error AttributeError: 'Certificate' object has no attribute 'resource_name'
Additionally, I tried passing the string that was used as the resource_name input. That didn't work either. I'll share the code:
# Imports added for context; the *_ constants (CERTIFICATE_KEY_ALGORITHM, REPORTING_ENGINE, ...)
# and the reporting_subnet_group / reporting_cluster_security_group /
# reporting_cluster_parameter_group / secret_key resources are defined elsewhere in the program.
from pulumi import ResourceOptions
from pulumi_aws import acmpca
from pulumi_aws.rds import Cluster, ClusterInstance

# Certificate Authority for setting up SSL/TLS
certificate_authority = acmpca.CertificateAuthority(
    'dataplatform_certificate_authority',
    certificate_authority_configuration=acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs(
        key_algorithm=CERTIFICATE_KEY_ALGORITHM,
        signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,
        subject=acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs(
            common_name=CERTIFICATE_AUTHORITY_SUBJECT,
        ),
    ),
    permanent_deletion_time_in_days=CERTIFICATE_AUTHORITY_PERMANENT_DELETION_IN_DAYS,
    type='ROOT',
)

# Create self-signed root certificate for Certificate Authority
certificate_authority_root_certificate = acmpca.Certificate(
    'dataplatform_ca_root_certificate',
    certificate_authority_arn=certificate_authority.arn,
    certificate_signing_request=certificate_authority.certificate_signing_request,
    signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,
    template_arn='arn:aws:acm-pca:::template/RootCACertificate/V1',
    validity=acmpca.CertificateValidityArgs(
        type='YEARS', value=ROOT_CERTIFICATE_VALIDITY_IN_YEARS
    ),
)

# Install the signed root certificate on the CA so it can issue certificates
certificate_authority_certificate = acmpca.CertificateAuthorityCertificate(
    'dataplatform_ca_certificate',
    certificate_authority_arn=certificate_authority.arn,
    certificate=certificate_authority_root_certificate.certificate,
    certificate_chain=certificate_authority_root_certificate.certificate_chain,
)

# Certificate for database
rds_certificate = acmpca.Certificate(
    'dataplatform-rds-certificate',
    certificate_authority_arn=certificate_authority.arn,
    certificate_signing_request=certificate_authority.certificate_signing_request,
    signing_algorithm=CERTIFICATE_SIGNING_ALGORITHM,
    template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1',
    validity=acmpca.CertificateValidityArgs(
        type='YEARS', value=RDS_CERTIFICATE_VALIDITY_IN_YEARS
    ),
    opts=ResourceOptions(depends_on=[certificate_authority_certificate]),
)

reporting_cluster = Cluster(
    'dataplatform-reportingcluster',
    engine=REPORTING_ENGINE,
    engine_version=REPORTING_ENGINE_VERSION,
    database_name='reportingstore',
    cluster_identifier='dataplatform-reportingcluster',
    master_password=REPORTING_PASSWORD,
    master_username=REPORTING_USERNAME,
    db_subnet_group_name=reporting_subnet_group.name,
    deletion_protection=STORAGE_DELETION_PROTECTION,
    skip_final_snapshot=SKIP_SNAPSHOTS,
    vpc_security_group_ids=[reporting_cluster_security_group.id],
    db_cluster_parameter_group_name=reporting_cluster_parameter_group.name,
    enabled_cloudwatch_logs_exports=['postgresql'],
    allow_major_version_upgrade=True,
    apply_immediately=True,
    preferred_maintenance_window=REPORTINGSTORE_MAINTENANCE_WINDOW,
    kms_key_id=secret_key.arn,
    storage_encrypted=True,
)

# writer instance
reporting_instance = ClusterInstance(
    'dataplatform-initial',
    identifier='dataplatform-initial',
    cluster_identifier=reporting_cluster.id,
    instance_class=REPORTING_WRITER_INSTANCE_CLASS,
    engine=reporting_cluster.engine,
    engine_version=reporting_cluster.engine_version,
    performance_insights_enabled=REPORTINGSTORE_PERFORMANCE_INSIGHTS_ENABLED,
    apply_immediately=True,
    ca_cert_identifier='dataplatform-rds-certificate',
    opts=ResourceOptions(depends_on=[rds_certificate]),
)
That caused the error "error modifying RDS Cluster Instance (dataplatform-initial): CertificateNotFound: Certificate not found: dataplatform-rds-certificate" @billowy-army-68599
billowy-army-68599

06/29/2022, 6:10 PM
I can't find any evidence this works with Terraform either...
You're positive it's supported?
aloof-tailor-28919

06/29/2022, 6:14 PM
billowy-army-68599

06/29/2022, 6:16 PM
ah, why are you passing the signed certificate to the ca_cert_identifier? shouldn't that be the certificate_authority_certificate name you pass?
in the stackoverflow example you shared, they're just hardcoding the string for the name...
not passing an output to an input
aloof-tailor-28919

06/29/2022, 6:21 PM
Agreed about the stackoverflow example. That's why I tried passing the string 'dataplatform-rds-certificate'.
"why are you passing the signed certificate to the ca_cert_identifier? shouldn't that be the certificate_authority_certificate name you pass?" I thought I needed a certificate created with
template_arn='arn:aws:acm-pca:::template/EndEntityCertificate/V1'
to attach to the ClusterInstance
I just tried changing the certificate_authority_certificate resource_name to 'dataplatform-ca-certificate' and passing that same string to ca_cert_identifier. That produced a similar error,
error modifying RDS Cluster Instance (dataplatform-initial): CertificateNotFound: Certificate not found: dataplatform-ca-certificate
billowy-army-68599

06/29/2022, 6:34 PM
I will have to try to find some time to become familiar with this, I'm afraid. You shouldn't need to pass any strings around at all.
aloof-tailor-28919

06/29/2022, 6:35 PM
Thank you for offering to help. Passing strings instead of a property seems un-Pulumi-like