This repository has been archived by the owner on Sep 22, 2020. It is now read-only.

import the certificate to aws certificate manager #20

Closed
ozbillwang opened this issue Sep 22, 2017 · 10 comments

Comments

@ozbillwang

ozbillwang commented Sep 22, 2017

@vancluever

If you don't have write permission for current repo, we can work on your fork first. It is normal.

I put a comment in Hashicorp Terraform (hashicorp/terraform#4782 (comment)).

But I think this should be implemented in the provider terraform-provider-acme, rather than in Terraform core or the Terraform AWS provider.

So after I get the free certificate from this provider, I need a new resource to import it into AWS Certificate Manager, something like:

# Proposed new resource (does not exist in the provider); resource name added
# and argument names changed to underscores so the block is valid HCL.
resource "acme_import_to_acm" "certificate" {
  certificate       = "${acme_certificate.certificate.certificate_pem}"
  certificate_chain = "${acme_certificate.certificate.issuer_pem}"
  private_key       = "${acme_certificate.certificate.private_key_pem}"
}

or directly add a new argument to the resource acme_certificate:

resource "acme_certificate" "certificate" {
  server_url       = "https://acme-staging.api.letsencrypt.org/directory"
  account_key_pem  = "${tls_private_key.reg_private_key.private_key_pem}"
  certificate_request_pem = "${tls_cert_request.req.cert_request_pem}"

  dns_challenge {
    provider = "route53"
  }

  import = "aws"   # [aws|gce|azure|...]
  ...
}

Can you help?

And it needs to support re-import as well, to easily renew the certificate.

Any suggestions for a workaround with Terraform if I don't have this feature currently?

One more tip: when I manually import the PEMs, I need to remove all "\n" first, otherwise AWS reports a problem.

@lsowen

lsowen commented Nov 12, 2017

If you don't need to use ACM, you can instead create an IAM Server Certificate by doing something like:

resource "aws_iam_server_certificate" "my-cert" {
  name_prefix       = "my-cert"
  certificate_body  = "${acme_certificate.certificate.certificate_pem}"
  certificate_chain = "${acme_certificate.certificate.issuer_pem}"
  private_key       = "${tls_private_key.private_key.private_key_pem}"

  lifecycle {
    create_before_destroy = true
  }

  provisioner "local-exec" {
    command = "sleep 10"
  }
}

@vancluever
Owner

@ozbillwang, @lsowen's mentioned method is the correct way to import a certificate created here into AWS. Don't use "ACM" as it's mainly used for managing AWS' own provisioned certificates.

Once you set it up this way it should update naturally as the certificate updates during renewals, etc.

Thanks!

@GeoffMillerAZ

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html

You can use ACM or IAM to store and deploy server certificates.

ACM is the preferred tool to provision, manage, and deploy your server certificates.

Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM.

Additionally, you cannot manage your certificates from the IAM Console.

Those are excerpts from the doc linked above. It seems to be strongly suggested to use ACM. It would also be nice because you could then see them in the console. IAM server certs don't show anywhere in the console as far as I can tell. But either way, the doc seems to implore you to use ACM over IAM server certs and suggests server certs are only there for regions that don't have ACM yet.

It would be great to have an ACM certificate import feature.
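As an added example (not from this thread, the ACME provider, or its docs): the AWS provider's own aws_acm_certificate resource already accepts an externally issued certificate via certificate_body, private_key and certificate_chain, so the import can be expressed directly. It assumes the acme_certificate.certificate resource from the earlier comments and that the CSR key lives in a tls_private_key.cert_key resource (assumed names); aws_lb.example and aws_lb_target_group.example are likewise assumed to exist.

```hcl
# Added example, not the provider's own code. Assumes acme_certificate.certificate
# (as used above) and tls_private_key.cert_key (the key the CSR was built from).
resource "aws_acm_certificate" "imported" {
  certificate_body  = "${acme_certificate.certificate.certificate_pem}"
  certificate_chain = "${acme_certificate.certificate.issuer_pem}"
  private_key       = "${tls_private_key.cert_key.private_key_pem}"

  lifecycle {
    # If a renewal forces replacement, create the new ACM certificate before
    # the old one is destroyed so the listener is never left without one.
    create_before_destroy = true
  }
}

# Attach the imported certificate to an HTTPS listener (assumed aws_lb.example
# and aws_lb_target_group.example); TLS 1.2-only policy to avoid legacy ciphers.
resource "aws_lb_listener" "https" {
  load_balancer_arn = "${aws_lb.example.arn}"
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = "${aws_acm_certificate.imported.arn}"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.example.arn}"
  }
}
```

Because the PEM strings are passed as Terraform values, the "\n" stripping mentioned for manual console import is not needed here; the newlines in the PEM are sent as-is.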

@nahuelrebolloneira

nahuelrebolloneira commented Mar 16, 2018

Plus 1 to this feature

@nikoe14

nikoe14 commented Mar 16, 2018

+1

@lsowen

lsowen commented Mar 16, 2018

This does seem like it could be a useful feature, but I'm not sure the ACME provider is the right place for it. Instead, it seems like a feature request for core Terraform to add additional functionality to the aws_acm_certificate resource.

@thisisthetechie

thisisthetechie commented May 9, 2018

+1. It would make more sense to include the additional functionality in the aws_acm_certificate resource creation.

@estoesto

+1

@vancluever
Owner

Hey everyone, apologies for giving outdated info (re: IAM certificates versus ACM). To be honest it's been a while since I've had to deal with certificates within AWS so my own knowledge in that area probably needs a refresh.

I haven't really been looking at this issue that much over the last few months as it's been closed. Further to that, regardless of how you get the certificate into AWS, all of this workflow is still outside of the scope of the ACME provider, ultimately meaning that my original comment and some of the other comments here about this functionality belonging in the AWS provider still stands. To get the certificate data out of this provider, you can use private_key_pem and certificate_pem. What is done with it after that will vary from provider to provider (as AWS is by far not the only cloud this provider can be used with).

Seeing as this issue has been closed for some time and is ultimately inactionable, I'm going to lock the thread. Any questions regarding the AWS provider can be directed to the AWS issue tracker which can be found here.

Thanks!

Repository owner locked and limited conversation to collaborators May 11, 2018