
Terraform Incapsula provider fails to create custom certificate resource

We are trying to use the Terraform Incapsula provider to manage Imperva site and custom certificate resources.

We are able to create Imperva site resources but certificate resource creation fails.

Our use-case is to get the certificate from Azure KeyVault and import it to Imperva using the Incapsula provider. We get the certificate from KeyVault using the Terraform "azurerm_key_vault_secret" data source. It returns the certificate as a Base64 string that we pass as the "certificate" parameter into the Terraform "incapsula_custom_certificate" resource along with the siteID that was created using the Terraform "incapsula_site" resource. When we run "terraform apply" we get the error below.

incapsula_custom_certificate.custom-certificate: Creating...

Error: Error from Incapsula service when adding custom certificate for site_id ******807: {"res":2,"res_message":"Invalid input","debug_info":{"certificate":"invalid certificate or passphrase","id-info":"13007"}}

  on main.tf line 36, in resource "incapsula_custom_certificate" "custom-certificate":
  36: resource "incapsula_custom_certificate" "custom-certificate" { 

We tried reading the certificate from a PFX file in Base64 encoding using the Terraform "filebase64" function, but we get the same error.

Here is our Terraform code:

provider "azurerm" {
  version = "=2.12.0"
  features {}
}

data "azurerm_key_vault_secret" "imperva_api_id" {
  name         = var.imperva-api-id
  key_vault_id = var.kv.id
}

data "azurerm_key_vault_secret" "imperva_api_key" {
  name         = var.imperva-api-key
  key_vault_id = var.kv.id
}

data "azurerm_key_vault_secret" "cert" {
  name = var.certificate_name
  key_vault_id = var.kv.id
}

provider "incapsula" {
  api_id = data.azurerm_key_vault_secret.imperva_api_id.value
  api_key = data.azurerm_key_vault_secret.imperva_api_key.value
}

resource "incapsula_site" "site" {
  domain = var.client_facing_fqdn
  send_site_setup_emails = true
  site_ip                = var.tm_cname
  force_ssl              = true
}

resource "incapsula_custom_certificate" "custom-certificate" {
  site_id = incapsula_site.site.id
  certificate =  data.azurerm_key_vault_secret.cert.value
  #certificate =   filebase64("certificate.pfx")
}

We were able to import the same PFX certificate file using the same Site ID, Imperva API ID and Key by calling the Imperva API directly from a Python script.

The certificate doesn't have a passphrase.

Are we doing something wrong or is this an Incapsula provider issue?

Looking through the source code of the provider it looks like it is already performing a base64 encode operation as part of the AddCertificate function, which means using the Terraform filebase64 function is double-encoding the certificate.

Instead, I think it should look like this:

resource "incapsula_custom_certificate" "custom-certificate" {
  site_id = incapsula_site.site.id
  certificate = file("certificate.pfx")
}

If the returned value from Azure is base64, then something like this could work too.

certificate = base64decode(data.azurerm_key_vault_secret.cert.value)
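To make the double-encoding concrete, here is an added Python example that is not code from the question, the answer, or the Incapsula provider. It simulates the round trip the answer describes: the provider base64-encodes whatever value the resource hands it, the service decodes that field once, and a small classifier reports what the service ends up with. The `simulate`, `classify` and `provider_add_certificate` names, the constructed PFX stand-in bytes, and the assumption that the provider applies exactly one base64 encoding are all illustrative assumptions, not the provider's actual source.

```python
import base64
import binascii

# Constructed stand-in for the first bytes of a PKCS#12 (PFX) file.
# A real PFX is DER-encoded and begins with a SEQUENCE tag (0x30); the
# bytes after the tag here are filler, not a real certificate.
PFX_BYTES = bytes([0x30, 0x82, 0x0A, 0x1B, 0x02, 0x01, 0x03]) + b"\x00" * 16

# Constructed PEM header, used only to show that PEM input is recognised.
PEM_BYTES = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"


def provider_add_certificate(value: bytes) -> bytes:
    """Assumed provider behaviour (per the answer above): the value taken
    from the Terraform resource is base64-encoded once before it is put
    into the API request."""
    return base64.b64encode(value)


def service_decode(field: bytes) -> bytes:
    """What the receiving service does with the request field: one base64
    decode. validate=True rejects characters outside the base64 alphabet."""
    return base64.b64decode(field, validate=True)


def classify(decoded: bytes) -> str:
    """Describe what the service holds after its single decode."""
    if decoded[:1] == b"\x30":
        return "der-pkcs12"          # DER SEQUENCE tag: a PFX as intended
    if decoded.startswith(b"-----BEGIN"):
        return "pem"                 # PEM text arrived intact
    try:
        inner = base64.b64decode(decoded, validate=True)
    except binascii.Error:
        return "unknown"             # neither DER, PEM, nor base64 text
    if inner[:1] == b"\x30":
        return "double-encoded"      # base64 text whose payload is DER
    return "unknown"


def simulate(terraform_value: bytes) -> str:
    """Run one value through provider encoding and service decoding."""
    return classify(service_decode(provider_add_certificate(terraform_value)))


if __name__ == "__main__":
    # Equivalent of file("certificate.pfx"): raw bytes reach the provider.
    print("raw PFX bytes      ->", simulate(PFX_BYTES))
    # Equivalent of filebase64("certificate.pfx"): already-base64 text
    # reaches the provider and is encoded a second time.
    print("filebase64 output  ->", simulate(base64.b64encode(PFX_BYTES)))
    # Equivalent of base64decode(<Key Vault value>): the Key Vault string
    # is decoded back to raw bytes before the provider sees it.
    kv_value = base64.b64encode(PFX_BYTES)
    print("base64decode(kv)   ->", simulate(base64.b64decode(kv_value)))
    print("PEM text           ->", simulate(PEM_BYTES))
```

The "double-encoded" outcome is what the `filebase64()` path produces: after the service's single decode it is still looking at base64 text rather than a DER blob, which matches the "invalid certificate or passphrase" rejection in the question. Running a check like `classify()` over the exact bytes the resource will receive, before `terraform apply`, is a cheap way to tell an encoding-layer mistake apart from a genuinely bad certificate or passphrase.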

Have you tried creating a self-signed cert, converting it to PFX with a passphrase, and using that?

I ask because Azure's PFX output has a blank/non-existent passphrase, and I've had issues with a handful of tools over the years that simply won't import a PFX unless you set a passphrase.
