
provider/aws: Add IAM Server Certificate resource #2086

Merged (1 commit) May 27, 2015

Conversation

@catsby (Contributor) commented May 26, 2015

Adds a new AWS Resource, IAM Server Certificate:

Server certs uploaded to IAM can be used in a few places:

  • AWS Elastic Beanstalk
  • Elastic Load Balancing
  • CloudFront
  • AWS OpsWorks

Adding docs now, wanted to open for any thoughts from @phinze

UPDATE: docs added, squashed

ServerCertificateName: aws.String(d.Get("name").(string)),
}

if v, ok := d.GetOk("certificate_chain"); ok {
Contributor (review comment):

v could be named certChain or similar for clarity.

@catsby (Contributor, Author):

the v, ok is a kind of established convention here. Because of GetOk("certificate_chain"), inside the block it's pretty clear what that value represents. I'm not strictly opposed to changing it though, but I think it's OK as is since the variable is so short lived 😄

Member:

I agree with @catsby here. It's a short lived variable - exactly one line.

@phinze (Contributor) commented May 26, 2015

Looks great! 👍

catsby added a commit that referenced this pull request May 27, 2015
provider/aws: Add IAM Server Certificate resource
@catsby catsby merged commit 13e2a7c into master May 27, 2015
@catsby catsby deleted the f-aws-iam-server-cert branch May 27, 2015 13:34
@alex0z1 commented Jun 5, 2015

looks like it does not work as expected when certificate_chain
it always tries to recreate aws_iam_server_certificate resource (but it actually creates it in AWS)
and in https listeners in console instead of name of cert "Invalid-Certificate" appears

@catsby (Contributor, Author) commented Jun 5, 2015

Hey @alekseymykhailov – the certificate_chain attribute is ForceNew, meaning any change forces a delete and re-create of the aws_iam_server_certificate resource. Do you have a configuration handy that demonstrates this? Be sure to omit any sensitive secrets, if you do.

Thanks!

@alex0z1 commented Jun 6, 2015

@catsby it happens (delete and re-create) even if I don't change certificate_chain. Terraform always re-creates the certificate on AWS.

here is my test configuration:

```hcl
provider "aws" {
    access_key = "XXXX"
    secret_key = "XXXXXXXX"
    region     = "us-east-1"
}


resource "aws_iam_server_certificate" "test_cert" {
    name = "some_test_cert"
    certificate_body = "${file("certs/crt")}"
    private_key = "${file("certs/key")}"
    certificate_chain = "${file("certs/chain")}"
}
```

here is how to reproduce:

```
$ terraform destroy
Do you really want to destroy?
  Terraform will delete all your managed infrastructure.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_iam_server_certificate.test_cert: Refreshing state... (ID: xxx)
aws_iam_server_certificate.test_cert: Destroying...
aws_iam_server_certificate.test_cert: Destruction complete

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.
$ terraform plan
Refreshing Terraform state prior to plan...


The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ aws_iam_server_certificate.test_cert
    arn:               "" => "<computed>"
    certificate_body:  "" => "dd8981cddfc3f3bd8f0bfe63d4f1fc4fb2b50022"
    certificate_chain: "" => "-----BEGIN CERTIFICATE-----\n<CERT_BODY..........>\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<CERT_BODY........>\n-----END CERTIFICATE-----\n"
    name:              "" => "some_test_cert"
    private_key:       "" => "ee40ce70bd10cfe59e9dca6d8ad3d7df3adbe98b"
$ terraform apply
aws_iam_server_certificate.test_cert: Creating...
  arn:               "" => "<computed>"
  certificate_body:  "" => "dd8981cddfc3f3bd8f0bfe63d4f1fc4fb2b50022"
  certificate_chain: "" =>  "-----BEGIN CERTIFICATE-----\n<CERT_BODY..........>\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<CERT_BODY........>\n-----END CERTIFICATE-----\n"
  name:              "" => "some_test_cert"
  private_key:       "" => "ee40ce70bd10cfe59e9dca6d8ad3d7df3adbe98b"
aws_iam_server_certificate.test_cert: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
```

After this step I can retrieve the cert using the AWS CLI:
`aws iam get-server-certificate --server-certificate-name some_test_cert`
but if I try to use the cert resource with an ELB HTTPS listener, the AWS console shows me "Invalid-Certificate" in the Listeners tab instead of "some_test_cert", although I can find it in the drop-down menu and select it.

So now I'm doing terraform plan again. NOTE: I did not change anything on the AWS side and did not change my local cert/key/chain files.

```
$ terraform plan
Refreshing Terraform state prior to plan...

aws_iam_server_certificate.test_cert: Refreshing state... (ID: xxx)

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

-/+ aws_iam_server_certificate.test_cert
    arn:               "arn:aws:iam::XXXXXXX:server-certificate/some_test_cert" => "<computed>"
    certificate_body:  "dd8981cddfc3f3bd8f0bfe63d4f1fc4fb2b50022" => "dd8981cddfc3f3bd8f0bfe63d4f1fc4fb2b50022"
    certificate_chain: "-----BEGIN CERTIFICATE-----\n<CERT_BODY.....>\n-----BEGIN CERTIFICATE-----\n<CERT_BODY>\n-----END CERTIFICATE-----" => "-----BEGIN CERTIFICATE-----\n<CERT_BODY...>\n-----BEGIN CERTIFICATE-----\n<CERT_BODY....>\n-----END CERTIFICATE-----\n" (forces new resource)
    name:              "some_test_cert" => "some_test_cert"
    private_key:       "ee40ce70bd10cfe59e9dca6d8ad3d7df3adbe98b" => "ee40ce70bd10cfe59e9dca6d8ad3d7df3adbe98b"
```

Here you can see that terraform shows me that certificate_chain changed (it looks like it just appended the chain file to the existing data again - I had 2 certs in the chain, now terraform shows 4 .. just noticed this),
and on apply, terraform will recreate the cert again.

Now terraform apply (note that it now shows 2 certs in the chain instead of the 4 in the "plan" output):

```
$ terraform apply
aws_iam_server_certificate.test_cert: Refreshing state... (ID: xxx)
aws_iam_server_certificate.test_cert: Destroying...
aws_iam_server_certificate.test_cert: Destruction complete
aws_iam_server_certificate.test_cert: Creating...
  arn:               "" => "<computed>"
  certificate_body:  "" => "dd8981cddfc3f3bd8f0bfe63d4f1fc4fb2b50022"
  certificate_chain: "" => "-----BEGIN CERTIFICATE-----\n<CERT_BODY....>=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n<CERT_BODY....>\n-----END CERTIFICATE-----\n"
  name:              "" => "some_test_cert"
  private_key:       "" => "ee40ce70bd10cfe59e9dca6d8ad3d7df3adbe98b"
aws_iam_server_certificate.test_cert: Creation complete

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
```
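The plan above shows why a raw string comparison of `certificate_chain` is a poor change detector: the two values differ only in a trailing newline and in how many PEM blocks were concatenated, yet the attribute is ForceNew, so every formatting wobble destroys and re-creates a certificate that load balancers are already referencing. The following Go program is an added example written for this page; it is not code from the Terraform AWS provider or from either commenter. It normalizes a chain by decoding every PEM block with the standard library, re-encoding the CERTIFICATE blocks in canonical form and counting them, so two chains compare equal when they carry the same certificates in the same order and unequal when a block has been duplicated or something other than a certificate (a private key, for instance) has been pasted into the chain field. The sample chain is constructed: its base64 payloads are arbitrary bytes, not real DER certificates, so only the PEM layer is exercised, and the function names are this example's own.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// Constructed sample chain (not real certificates): the base64 bodies are
// arbitrary bytes, enough to exercise PEM parsing and re-encoding.
const leafPEM = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
const intermediatePEM = "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n"

// normalizeChain decodes every PEM block in chain, rejects anything that is
// not a CERTIFICATE block, and re-encodes the blocks in canonical form
// (64-column base64, exactly one trailing newline). It returns the canonical
// text and the number of certificates found. Whitespace differences and a
// missing final newline therefore no longer look like a changed chain.
func normalizeChain(chain string) (string, int, error) {
	var out strings.Builder
	rest := []byte(chain)
	count := 0
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			// A private key or CSR in the chain field is a configuration
			// error worth surfacing, not something to upload silently.
			return "", 0, fmt.Errorf("unexpected PEM block type %q in certificate chain", block.Type)
		}
		if err := pem.Encode(&out, &pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes}); err != nil {
			return "", 0, err
		}
		count++
	}
	if count == 0 {
		return "", 0, fmt.Errorf("no CERTIFICATE blocks found in certificate chain")
	}
	// pem.Decode hands back the entire remaining input when it finds no
	// further block, so anything non-blank here is trailing junk.
	if strings.TrimSpace(string(rest)) != "" {
		return "", 0, fmt.Errorf("trailing non-PEM data after last certificate block")
	}
	return out.String(), count, nil
}

// chainsEquivalent reports whether two chain strings carry the same
// certificates in the same order, ignoring formatting-only differences.
// Unparseable input never compares equal, so a bad chain still shows up
// as a diff instead of being masked.
func chainsEquivalent(a, b string) bool {
	na, ca, errA := normalizeChain(a)
	nb, cb, errB := normalizeChain(b)
	if errA != nil || errB != nil {
		return false
	}
	return ca == cb && na == nb
}

func main() {
	local := leafPEM + intermediatePEM
	stored := strings.TrimSuffix(local, "\n") // the same chain, minus the final newline
	fmt.Println("raw strings equal:     ", local == stored)
	fmt.Println("normalized equal:      ", chainsEquivalent(local, stored))
	doubled := local + local // the chain appended to itself, as in the plan output
	_, n, _ := normalizeChain(doubled)
	fmt.Println("blocks in doubled chain:", n)
	fmt.Println("doubled chain equal:   ", chainsEquivalent(local, doubled))
}
```

In a Terraform provider this comparison is the kind of logic that belongs in a diff-suppression or state-normalization hook for the attribute, so that a plan only reports a change when the set of certificates actually differs; the block count is also a cheap sanity check to log or assert on before an upload.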

@catsby (Contributor, Author) commented Jul 28, 2015

hey @alekseymykhailov – so sorry for the silence here. I believe the issue you're reporting here was addressed in #2411. I hope you're not hitting this issue anymore, but please let me know if you are!

@ghost commented May 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 1, 2020