Terraform Incapsula provider fails to create custom certificate resource
We are trying to use the Terraform Incapsula provider to manage Imperva site and custom certificate resources.
We are able to create Imperva site resources, but certificate resource creation fails.
Our use case is to get the certificate from Azure Key Vault and import it into Imperva using the Incapsula provider. We get the certificate from Key Vault using the Terraform "azurerm_key_vault_secret" data source. It returns the certificate as a Base64 string that we pass as the "certificate" parameter into the Terraform "incapsula_custom_certificate" resource, along with the site ID that was created using the Terraform "incapsula_site" resource. When we run "terraform apply" we get the error below.
incapsula_custom_certificate.custom-certificate: Creating...
Error: Error from Incapsula service when adding custom certificate for site_id ******807: {"res":2,"res_message":"Invalid input","debug_info":{"certificate":"invalid certificate or passphrase","id-info":"13007"}}
on main.tf line 36, in resource "incapsula_custom_certificate" "custom-certificate":
36: resource "incapsula_custom_certificate" "custom-certificate" {
We tried reading the certificate from the PFX file in Base64 encoding using the Terraform "filebase64" function, but we get the same error.
Here is our Terraform code:
provider "azurerm" {
  version  = "=2.12.0"
  features {}
}

# Imperva API credentials and the certificate itself are all read from Key Vault
data "azurerm_key_vault_secret" "imperva_api_id" {
  name         = var.imperva-api-id
  key_vault_id = var.kv.id
}

data "azurerm_key_vault_secret" "imperva_api_key" {
  name         = var.imperva-api-key
  key_vault_id = var.kv.id
}

# For a certificate stored in Key Vault the secret value is the PFX as a Base64 string
data "azurerm_key_vault_secret" "cert" {
  name         = var.certificate_name
  key_vault_id = var.kv.id
}

provider "incapsula" {
  api_id  = data.azurerm_key_vault_secret.imperva_api_id.value
  api_key = data.azurerm_key_vault_secret.imperva_api_key.value
}

resource "incapsula_site" "site" {
  domain                 = var.client_facing_fqdn
  send_site_setup_emails = true
  site_ip                = var.tm_cname
  force_ssl              = true
}

resource "incapsula_custom_certificate" "custom-certificate" {
  site_id     = incapsula_site.site.id
  certificate = data.azurerm_key_vault_secret.cert.value
  #certificate = filebase64("certificate.pfx")
}
We were able to import the same PFX certificate file using the same site ID, Imperva API ID and key by calling the Imperva API directly from a Python script.
The certificate doesn't have a passphrase.
Are we doing something wrong, or is this an Incapsula provider issue?
Looking through the source code of the provider, it looks like it is already performing a base64 encode operation as part of the AddCertificate function, which means using the Terraform filebase64 function is double-encoding the certificate.
Instead, I think it should look like this:
resource "incapsula_custom_certificate" "custom-certificate" {
  site_id     = incapsula_site.site.id
  certificate = file("certificate.pfx")
}
If the returned value from Azure is base64, then something like this could work too:
certificate = base64decode(data.azurerm_key_vault_secret.cert.value)
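To make the double-encoding concrete, here is an added Python example that is not the provider's, Imperva's or the asker's code. It simulates the behaviour the answer above describes: the provider base64-encodes whatever value the `certificate` attribute holds exactly once, and the upload endpoint decodes once and expects PKCS#12 (DER) bytes underneath. The `FAKE_PFX` bytes, the `fake_imperva_api` function and its responses are constructed for the example (only the `res`/`res_message` fields echo the error in the question); the real API and its endpoint are not modelled. `count_base64_layers` is the check you can run on the actual Key Vault value or on the output of `terraform console` to see how many encoding layers a value carries before it reaches the provider.

```python
import base64
import binascii

# Constructed stand-in for the bytes of a PKCS#12 (.pfx) file. Real PFX files
# are DER-encoded: byte 0 is the ASN.1 SEQUENCE tag (0x30) and byte 1 is a
# long-form length (>= 0x80) for any real-world size. The filler after the
# header is NOT a certificate or key.
FAKE_PFX = b"\x30\x82\x00\x14" + bytes(range(20))

# What azurerm_key_vault_secret returns for a certificate stored in Key Vault:
# the PFX as a base64 string (constructed here from FAKE_PFX).
KEY_VAULT_VALUE = base64.b64encode(FAKE_PFX).decode("ascii")

# What Terraform's filebase64("certificate.pfx") hands the provider: the same text.
FILEBASE64_VALUE = KEY_VAULT_VALUE


def looks_like_der(data: bytes) -> bool:
    """Heuristic: DER SEQUENCE tag followed by a long-form length byte.
    Base64 text can never match, because 0x80..0xFF are outside its alphabet."""
    return len(data) >= 2 and data[0] == 0x30 and data[1] >= 0x80


def count_base64_layers(value, max_layers: int = 4) -> int:
    """Number of base64 wrappers between `value` and DER bytes.
    0 = raw PFX already, 1 = single base64, 2 = double-encoded, -1 = no DER found."""
    current = value.encode("ascii") if isinstance(value, str) else value
    for layer in range(max_layers + 1):
        if looks_like_der(current):
            return layer
        try:
            current = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            return -1
    return -1


def normalize_to_pfx(value) -> bytes:
    """Strip every base64 layer and return raw PKCS#12 bytes, or raise."""
    layers = count_base64_layers(value)
    if layers < 0:
        raise ValueError("value does not decode to DER/PKCS#12 within 4 layers")
    current = value.encode("ascii") if isinstance(value, str) else value
    for _ in range(layers):
        current = base64.b64decode(b"".join(current.split()), validate=True)
    return current


def provider_add_certificate(certificate: bytes) -> str:
    """Mimic what the answer says the provider's AddCertificate does:
    base64-encode the attribute value once and send the result."""
    return base64.b64encode(certificate).decode("ascii")


def fake_imperva_api(certificate_b64: str) -> dict:
    """Constructed stand-in for the upload endpoint: decode ONE base64 layer
    and require DER underneath. Only the res/res_message shape is taken from
    the error in the question."""
    try:
        raw = base64.b64decode(certificate_b64, validate=True)
    except binascii.Error:
        raw = b""
    if looks_like_der(raw):
        return {"res": 0, "res_message": "OK"}
    return {"res": 2, "res_message": "Invalid input",
            "debug_info": {"certificate": "invalid certificate or passphrase"}}


def run_scenarios() -> dict:
    """Push each way of feeding the certificate attribute through the provider
    and the fake API; returns scenario name -> API response."""
    scenarios = {
        "raw_pfx_bytes": FAKE_PFX,                          # unencoded PFX bytes
        "filebase64": FILEBASE64_VALUE.encode("ascii"),     # base64 text, encoded again by the provider
        "key_vault_value_as_is": KEY_VAULT_VALUE.encode("ascii"),
        "base64decode_key_vault_value": base64.b64decode(KEY_VAULT_VALUE),
    }
    return {name: fake_imperva_api(provider_add_certificate(value))
            for name, value in scenarios.items()}


if __name__ == "__main__":
    for name, response in run_scenarios().items():
        print(f"{name:30s} -> res={response['res']} ({response['res_message']})")
    print("base64 layers in Key Vault value:", count_base64_layers(KEY_VAULT_VALUE))
```

The two scenarios that fail in the simulation are exactly the two the question tried (the Key Vault value as-is and `filebase64`), because each arrives at the provider already base64-encoded and is encoded a second time. One caveat on the Terraform side: Terraform string values must be valid UTF-8, and both `file()` and `base64decode()` raise an error when the content they would return is binary, so raw PKCS#12 bytes cannot travel through a Terraform string attribute unencoded. Before choosing which layer to strip, confirm for the provider version in use whether the `certificate` attribute expects base64 text or a text-format (PEM) certificate; the layer counter above tells you what you are actually passing.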
Have you tried creating a self-signed cert, converting it to PFX with a passphrase, and using that?
I ask because Azure's PFX output has a blank/non-existent passphrase, and I've had issues with a handful of tools over the years that simply won't import a PFX unless you set a passphrase.