APIC Certificate Import Support - (DCNE-145) #1072

Open
scotttyso opened this issue Jul 7, 2023 · 1 comment · May be fixed by #1186
Labels: enhancement, jira-sync (Sync this issue to Jira)

Comments
scotttyso (Contributor) commented Jul 7, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

aci_rest_managed doesn't handle sensitive values well. So, the request is to support APIC GUI Certificate Creation/Import to be able to mask sensitive values.

New or Affected Resource(s) + ACI Class(es):

  • aci_apic_trustpoint + fv:pkiTP
  • aci_apic_keyring + fv:pkiKeyRing
  • aci_apic_oper_keyring + fv:commRsKeyRing

APIC version and APIC Platform

  • V 6.0.2 and on-prem.

Potential Terraform Configuration

YAML Variables

fabric:
  policies:
    pod:
      apic_certificates:
        - activate_certificate: false
          var_identity: 0
          modulus: 2048
          name: '**REQUIRED**'
          trustpoint: '**REQUIRED**'

locals {
  # Flatten the per-pod certificate list. var_identity is cast to a string
  # because the regexall() checks below operate on strings.
  apic_certificates = [
    for v in lookup(local.pod, "apic_certificates", []) : {
      activate_certificate = v.activate_certificate
      modulus              = v.modulus
      name                 = v.name
      trustpoint           = v.trustpoint
      var_identity         = tostring(v.var_identity)
    }
  ]
}
/*_____________________________________________________________________________________________________________________

API Information:
 - Class: "pkiTP"
 - Distinguished Name: "uni/userext/pkiext/tp-{{name}}"
GUI Location:
 - Fabric > Fabric Policies > Policies > Pod > Management Access: default
_______________________________________________________________________________________________________________________
*/
resource "aci_rest_managed" "apic_trustpoint" {
  # Only entries whose var_identity selects CA bundle 1 or 2 get a trustpoint.
  for_each   = { for v in local.apic_certificates : v.trustpoint => v if length(regexall("[1-2]", v.var_identity)) > 0 }
  class_name = "pkiTP"
  dn         = "uni/userext/pkiext/tp-${each.key}"
  content = {
    # PEM chain (intermediate + root) of the CA that issued the keyring certificate.
    certChain = length(regexall("1", each.value.var_identity)) > 0 ? var.apic_intermediate_plus_root_ca_1 : (
      length(regexall("2", each.value.var_identity)) > 0 ? var.apic_intermediate_plus_root_ca_2 : ""
    )
    descr = ""
    name  = each.key
  }
}

resource "aci_rest_managed" "apic_keyring" {
  for_each   = { for v in local.apic_certificates : v.name => v if length(regexall("[1-2]", v.var_identity)) > 0 }
  class_name = "pkiKeyRing"
  dn         = "uni/userext/pkiext/keyring-${each.key}"
  content = {
    adminState = "completed"
    # Signed end-entity certificate (PEM) for this keyring.
    cert = length(regexall("1", each.value.var_identity)) > 0 ? var.apic_certificate_1 : (
      length(regexall("2", each.value.var_identity)) > 0 ? var.apic_certificate_2 : ""
    )
    descr = ""
    # Private key (PEM). aci_rest_managed does not mark this attribute as
    # sensitive, and it is stored in Terraform state in clear text.
    key = length(regexall("1", each.value.var_identity)) > 0 ? var.apic_private_key_1 : (
      length(regexall("2", each.value.var_identity)) > 0 ? var.apic_private_key_2 : ""
    )
    modulus = "mod${each.value.modulus}"
    name    = each.key
    regen   = "no"
    tp      = each.value.trustpoint
  }
}

resource "aci_rest_managed" "apic_oper_keyring" {
  # Point the fabric's default HTTPS service at the keyring to activate it.
  # The dn is fixed, so only one entry should set activate_certificate = true.
  for_each   = { for v in local.apic_certificates : v.name => v if v.activate_certificate == true }
  class_name = "commRsKeyRing"
  dn         = "uni/fabric/comm-default/https/rsKeyRing"
  content = {
    tnPkiKeyRingName = each.key
  }
}

References

  • #0000
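The configuration above reads var.apic_private_key_1, var.apic_certificate_1 and var.apic_intermediate_plus_root_ca_1 but does not declare them. The following is an added example, not part of the original issue or of the terraform-provider-aci code: declarations for the set-1 variables with the private key marked sensitive and validation blocks that check the PEM shape of each value before anything is sent to the APIC. The variable names come from the posted configuration; the descriptions and validation patterns are my assumptions, and the set-2 variables are declared the same way.

```hcl
# Added example (not from the issue). sensitive = true makes Terraform redact
# the value in plan/apply output and in expressions derived from it; the value
# is still written to state in clear text, so the state backend must be
# protected regardless.

variable "apic_private_key_1" {
  description = "PEM private key for keyring set 1"
  type        = string
  sensitive   = true

  validation {
    # Assumed pattern: accept PKCS#8, PKCS#1 (RSA) and SEC1 (EC) PEM headers.
    condition     = can(regex("-----BEGIN (RSA |EC )?PRIVATE KEY-----", var.apic_private_key_1))
    error_message = "apic_private_key_1 must be a PEM-encoded private key."
  }
}

variable "apic_certificate_1" {
  # Public material: not sensitive, so plan output stays readable for review.
  description = "PEM end-entity certificate for keyring set 1"
  type        = string

  validation {
    condition     = can(regex("-----BEGIN CERTIFICATE-----", var.apic_certificate_1))
    error_message = "apic_certificate_1 must be a PEM-encoded certificate."
  }
}

variable "apic_intermediate_plus_root_ca_1" {
  description = "PEM chain (intermediate then root) loaded into the trustpoint for set 1"
  type        = string

  validation {
    # The trustpoint needs at least one CA certificate; count the PEM blocks.
    condition     = length(regexall("-----BEGIN CERTIFICATE-----", var.apic_intermediate_plus_root_ca_1)) >= 1
    error_message = "apic_intermediate_plus_root_ca_1 must contain at least one PEM-encoded CA certificate."
  }
}
```

Supply the values from a .tfvars file or TF_VAR_ environment variables rather than inline in the module. After an apply, `terraform state pull` will still show the key material inside the aci_rest_managed content map, which is the gap the dedicated resources requested in this issue would close by marking the attribute sensitive in the provider schema.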
shrsr (Collaborator) commented Mar 12, 2024

The below two resources are also referred to in #1134 and #1135, which are linked to PR #1145:
aci_apic_trustpoint + fv:pkiTP
aci_apic_keyring + fv:pkiKeyRing

aci_apic_oper_keyring + fv:commRsKeyRing will have a new PR

@samiib samiib added the jira-sync Sync this issue to Jira label Aug 14, 2024
@github-actions github-actions bot changed the title APIC Certificate Import Support - APIC Certificate Import Support - (DCNE-145) Aug 14, 2024