Follow

Info: Venafi Cloud integration with Terraform

Summary info: Venafi Cloud DevOps integration with Terraform Venafi Provider

https://github.com/Venafi/terraform-provider-venafi

Introduction

The Terraform Venafi Provider allows Terraform users to seamlessly incorporate certificate management into Terraform plans when orchestrating services.

Overview

 


The Venafi Terraform provider is a custom provider that wraps the Venafi govcert library. This library is a lightweight library that performs key generation and interfaces with REST APIs provided by various Venafi products. The provider can be referenced via Terraform plans as any other provider. The following diagram outlines the high-level solution architecture.

 

Registering with Venafi

To register for an account with Venafi, use the ‘curl’ utility to submit a user registration request to Venafi. A confirmation email will be sent to the address in the request. When the request is confirmed, the API key in the email can be provided in your variables file for certificate enrollment.

curl -H 'Content-Type:application/json' -d '{"username":"ctest4wg@venafi.com","userAccountType":"API"}' https://api.beta.venafi.com/v1/useraccounts

Installing the Provider

The Venafi Terraform provider is a third-party provider written in Go. The provider must be compiled and placed on your Terraform host in your path so it can be located by Terraform.

Ensure that you have Go 1.7 and Terraform 0.8.8 or higher installed on your system, as well as git and make installed. The provider has been tested on Centos 7 but should work on any modern Linux or Mac OS.

Build govcert

The govcert library is shipped separately from the Venafi Terraform provider. Clone the govcert library on your system and build it as follows:

go get -u github.com/jteeuwen/go-bindata/...go get github.com/Venafi/govcert/...

 

 [Some build errors will be shown; these can be safely ignored as the built binaries are included in the repo]

Install the Terraform provider

Download and build the Terraform provider as follows:

go get github.com/Venafi/terraform-provider-venafi/...go build

 

Copy the resulting ‘terraform-provider-venafi’ binary to the same location as the ‘terraform’ binary itself.


 

Using the Provider

NOTE: Currently the Venafi Terraform provider does not encrypt private key material that is generated by terraform plans. Be sure to configure the terraform host to restrict unauthorized access.

Create provider

To use the terraform provider create a venafi.tf file. In here you must first create the provider. This would be done by creating a provider block.

provider "venafi" {    api_key = "<API_KEY>"    zone    = "<ZONE>"      //optional. Defaults to 'default'}

Creating a Certificate Signing Request

NOTE: The Venafi Cloud service by default issues certificates intended for test and development purposes. In the default configuration, certificates that are issued will be valid only for the following test domains:

[subdomain].example.com

[subdomain].example.org

[subdomain].example.net

[subdomain].invalid

[subdomain].local

[subdomain].localhost

[subdomain].test

Where [subdomain] is the subdomain of the registered Venafi Cloud user’s email address. For example, if the user registers with email address jdoe@mydemocorp.com, certificate requests submitted to the Venafi Cloud service must match one of the following patterns:

*.mydemocorp.example.com

*.mydemocorp.example.org

*.mydemocorp.example.net

*.mydemocorp.invalid

*.mydemocorp.local

*.mydemocorp.localhost

*.mydemocorp.test

Contact Venafi at support@venafi.com if support for certificates for use in production environments is required.

 

Certificate signing requests can be created using the venafi_csr resource. This resource only has 1 required field.

  • common_name (string)

The following optional fields can also be set

field

type

organizational_unit

string array

organization_name

string

country

string

state

string

locality

string

key_password

string

san_dns

string array

san_email

string array

san_ip

string array

After creation this resource will expose 2 further fields

field

type

private_key_pem

string

csr_pem

string

The following example would output the created private key and csr

provider "venafi" {    api_key = "XXXX" // your Venafi Cloud API key    zone    = "Default"      //optional. Defaults to 'Default'} resource "venafi_csr" "webserver" {    common_name = "web.organization.localhost"    san_dns = ["blog.organization.localhost", "contact.organization.localhost"]    organizational_unit = ["appdev", "webdev"]    state = "London"    country = "UK"} output "csr" {    value = "${venafi_csr.webserver.csr_pem}"} output "csr_private_key" {    value = "${venafi_csr.webserver.private_key_pem}"}

Creating a Certificate / Private Key pair

Certificate signing requests can be created using the venafi_certificate resource. This resource only has 1 required field.

  • common_name (string)

The following optional fields can also be set

field

type

algorithm

string [RSA or ECDSA]

rsa_bits

integer (Used when algorithm=RSA)

ecdsa_curve

string (Used when algorithm=ECDSA)

san_dns

string array

san_email

string array

san_ip

string array

key_password

string

After creation this resource will expose 3 further fields

field

type

private_key_pem

string

chain

string

certificate

string

The following example would output the created private key and csr

provider "venafi" {    api_key = "XXXX" // your Venafi Cloud API key    zone    = "Default"      //optional. Defaults to 'Default'} resource "venafi_certificate" "webserver" {    common_name = "web.organization.localhost"    algorithm = "RSA"    rsa_bits = "2048"    san_dns = [        "web01. organization.localhost",        "web02. organization.localhost"    ]    key_password = "secretpassword"} output "cert_certificate" {    value = "${venafi_certificate.webserver.certificate}"} output "cert_chain" {    value = "${venafi_certificate.webserver.chain}"} output "cert_private_key" {    value = "${venafi_certificate.webserver.private_key_pem}"}

 

Troubleshooting

If the ‘terraform apply’ command fails with an exit code 1, the error is most likely due to using an incorrect API key. Verify the API key is correct, then try again.

 

Known Issues

The current version of the Terraform provider does not output the request ID for submitted certificates. As a result, if there is an issue with the certificate request, the Terraform plan will not display an obvious error to the user. The easiest resolution to this is to output all certificate requests submitted to Venafi Cloud using another REST client and locate the certificate request that was submitted (based on the subject name supplied in the Terraform plan). The certificate request response will contain information that can be used to help troubleshoot the error.

 

curl -H 'Content-Type: application/json' -H 'tppl-api-key: XXXXX https://api.venafi.cloud/v1/certificaterequests

 

 

Was this article helpful?
0 out of 0 found this helpful

Comments