This object has no argument, nested block, or exported attribute named ca_public_key_pem

Time: 2019-11-01 14:54:46

Tags: terraform terraform-provider-azure

I am trying to access the ca_public_key_pem attribute of the tls_self_signed_cert object, but I am told that this attribute does not exist.

However, in the source code and in the examples for that module, it appears to exist.

GitHub Source Code

output "ca_public_key_pem" {
  value = "${chomp(element(concat(tls_private_key.ca.*.public_key_pem, list("")), 0))}" # TODO: Workaround for issue #11210
}

Does anyone know how to get the public key of the CA certificate in PEM format from the tls_self_signed_cert resource?

I am currently using the following module:

resource "tls_private_key" "RootKey" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "SelfSigned" {
  key_algorithm   = "${tls_private_key.RootKey.algorithm}"
  private_key_pem = "${tls_private_key.RootKey.private_key_pem}"

  subject {
    common_name  = "Domain.com"
    organization = "Org Name"
  }

  is_ca_certificate     = true
  validity_period_hours = 26280
  early_renewal_hours   = 8760
  allowed_uses          = ["cert_signing"]
}

And then in my azurerm_virtual_network_gateway configuration I have the following:

...
  vpn_client_configuration {
    address_space        = ["10.9.0.0/24"]
    vpn_client_protocols = ["IkeV2"]

    root_certificate {
      name             = "My-Root-CA"
      public_cert_data = "${tls_self_signed_cert.SelfSigned.ca_public_key_pem}"
    }
  }

I tried using cert_pem, but that attribute is not valid.

1 Answer:

Answer 0: (score: 1)

The azurerm_virtual_network_gateway public_cert_data normally requires the certificate to be in PEM format, but without the traditional -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers:

The root_certificate block supports:

  • name - (Required) A user-defined name of the root certificate.

  • public_cert_data - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

The tls_self_signed_cert resource has a cert_pem attribute that it outputs, but that one does include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

So if you want to link these together, you need to strip those markers. The easiest way to do that is with the replace function.

A minimal example of this output looks like this:

resource "tls_private_key" "example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "ECDSA"
  private_key_pem = "${tls_private_key.example.private_key_pem}"

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

output "cert" {
  value = "${tls_self_signed_cert.example.cert_pem}"
}

output "trimmed_cert" {
  value = "${replace(replace(tls_self_signed_cert.example.cert_pem, "-----BEGIN CERTIFICATE-----", ""), "-----END CERTIFICATE-----", "")}"
}

Applying this will output the following:

Outputs:

cert = -----BEGIN CERTIFICATE-----
MIIB1jCCAVygAwIBAgIQR4Z4djFeJNQSPegYFMqhXTAKBggqhkjOPQQDAzAzMRsw
GQYDVQQKExJBQ01FIEV4YW1wbGVzLCBJbmMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MB4XDTE5MTEwMTE2MjUzOFoXDTE5MTEwMjA0MjUzOFowMzEbMBkGA1UEChMSQUNN
RSBFeGFtcGxlcywgSW5jMRQwEgYDVQQDEwtleGFtcGxlLmNvbTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABA5bcywnzZwDjVfK3zSTLUtEiTeA/spOQ3q02816H1jYO28K
Yg1wbyPluC9c8t2H0r2WzDPmdr9iFLo7rjW3v1sCXJOL839YA/CUuwqRexjd8Iuy
jWKa0YNvA5AmbuRsqKM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwMDaAAwZQIwdBO17wBD/Fud
kcOiVVQvhPV13SRZydLBaXGHABcSBIW4UMv3JqwbJTq/wDF0k0daAjEAyRXu+eHA
+BpJjVEvcZL7V93zMv4tNede8SHpwHm4o/ogjTINlcRnMN6tu+uXiH5I
-----END CERTIFICATE-----

trimmed_cert =
MIIB1jCCAVygAwIBAgIQR4Z4djFeJNQSPegYFMqhXTAKBggqhkjOPQQDAzAzMRsw
GQYDVQQKExJBQ01FIEV4YW1wbGVzLCBJbmMxFDASBgNVBAMTC2V4YW1wbGUuY29t
MB4XDTE5MTEwMTE2MjUzOFoXDTE5MTEwMjA0MjUzOFowMzEbMBkGA1UEChMSQUNN
RSBFeGFtcGxlcywgSW5jMRQwEgYDVQQDEwtleGFtcGxlLmNvbTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABA5bcywnzZwDjVfK3zSTLUtEiTeA/spOQ3q02816H1jYO28K
Yg1wbyPluC9c8t2H0r2WzDPmdr9iFLo7rjW3v1sCXJOL839YA/CUuwqRexjd8Iuy
jWKa0YNvA5AmbuRsqKM1MDMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwMDaAAwZQIwdBO17wBD/Fud
kcOiVVQvhPV13SRZydLBaXGHABcSBIW4UMv3JqwbJTq/wDF0k0daAjEAyRXu+eHA
+BpJjVEvcZL7V93zMv4tNede8SHpwHm4o/ogjTINlcRnMN6tu+uXiH5I

This trimmed output, produced by the two nested replace functions, should be usable for the azurerm_virtual_network_gateway public_cert_data argument.
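The answer's replace() trick works, but it is worth seeing what it actually produces and where it is looser than the Azure documentation quoted above: public_cert_data takes the root certificate itself (not the CA's public key, which is what ca_public_key_pem would have been), it must be a CA certificate, and the value is "Base-64 encoded X.509" with no markers. The following Go program is an added example, not code from the question, the answer, or either Terraform provider. It generates a self-signed certificate as a stand-in for cert_pem (the helper newSelfSignedPEM and its isCA flag are assumptions made for the example; Terraform's tls provider is not involved), strips the markers the same way the answer's nested replace() does, and then shows the stricter form a practitioner would want: parse the PEM with encoding/pem, reject anything that is not exactly one CA certificate, and emit single-line Base-64 DER. SameDER confirms that both forms decode to the same certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newSelfSignedPEM is a hypothetical stand-in for the cert_pem that
// tls_self_signed_cert exports: a self-signed certificate, optionally a CA
// (the equivalent of is_ca_certificate = true), encoded as PEM.
func newSelfSignedPEM(commonName string, isCA bool) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"Org Name"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(26280 * time.Hour), // same validity as the question's config
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // allowed_uses = ["cert_signing"]
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// StripPEMMarkers mirrors the answer's nested replace(): it deletes the two
// marker lines and leaves the Base-64 body, line breaks included.
func StripPEMMarkers(certPEM string) string {
	s := strings.ReplaceAll(certPEM, "-----BEGIN CERTIFICATE-----", "")
	return strings.ReplaceAll(s, "-----END CERTIFICATE-----", "")
}

// PublicCertData is the stricter form: parse the PEM with encoding/pem, accept
// exactly one CERTIFICATE block, check that it is a CA certificate (a
// root_certificate must be one), and return the DER as single-line Base-64,
// i.e. "Base-64 encoded X.509 format" without markers.
func PublicCertData(certPEM string) (string, error) {
	block, rest := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("not a PEM CERTIFICATE block (public_cert_data takes the certificate, not the public key)")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return "", errors.New("more than one PEM block: pass a single root certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if !cert.IsCA {
		return "", errors.New("not a CA certificate: set is_ca_certificate = true on tls_self_signed_cert")
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// SameDER reports whether a replace()-style body and a single-line body decode
// to identical DER, i.e. whether the two approaches yield the same certificate.
func SameDER(stripped, singleLine string) bool {
	a, errA := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(stripped), ""))
	b, errB := base64.StdEncoding.DecodeString(singleLine)
	return errA == nil && errB == nil && bytes.Equal(a, b)
}

func main() {
	certPEM, err := newSelfSignedPEM("Domain.com", true)
	if err != nil {
		panic(err)
	}
	fmt.Println("replace()-style body:" + StripPEMMarkers(certPEM))
	single, err := PublicCertData(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("public_cert_data (single line):", single)
}
```

The replace()-style body keeps its line breaks and a leading and trailing newline, which is why the trimmed_cert output above starts on its own line; Base-64 decoders generally ignore that whitespace, and SameDER shows the two bodies are the same DER. The stricter function is the one to reach for when the certificate comes from outside Terraform: it fails loudly on a public key PEM, on a bundle with more than one certificate, and on a certificate that was created without is_ca_certificate = true, all of which the plain string replacement would pass through silently.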