Feature Request: Support AWS Certificate Manager Private Certificate Authorities #4059

Closed
bflad opened this issue Apr 5, 2018 · 7 comments · Fixed by #4458

@bflad
Contributor

bflad commented Apr 5, 2018

Amazon has released a new service, AWS Certificate Manager Private Certificate Authority (ACM PCA), which is a managed CA service. https://aws.amazon.com/about-aws/whats-new/2018/04/introducing-aws-certificate-manager-private-certificate-authority/

Please vote on this issue by adding a 👍 reaction to the original issue to help prioritize interest. If you're interested in implementing this feature request, please comment below.

Prerequisites:

Terraform Version

terraform 0.10+

New Resource(s)

  • aws_acmpca_certificate_authority

Terraform Configuration Files

# Example implementation, may change when developed
resource "aws_acmpca_certificate_authority" "example" {
  certificate_authority_configuration { # Required
    key_algorithm     = ""
    signing_algorithm = ""

    subject {
      common_name                  = ""
      country                      = ""
      distinguished_name_qualifier = ""
      generation_qualifier         = ""
      given_name                   = ""
      initials                     = ""
      locality                     = ""
      organization                 = ""
      organizational_unit          = ""
      pseudonym                    = ""
      state                        = ""
      surname                      = ""
      title                        = ""
    }
  }

  revocation_configuration { # Optional
    crl_configuration {
      custom_cname       = ""
      enabled            = true
      expiration_in_days = 1
      # aws_s3_bucket exports the bucket name as "id"
      s3_bucket_name     = "${aws_s3_bucket.example.id}"
    }
  }
}

Expected Behavior

Resource creates, updates, and deletes ACM private certificate authorities.

Actual Behavior

New feature.

References

@bflad bflad added the new-resource Introduces a new resource. label Apr 5, 2018
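
A filled-in version of the configuration sketched in the request, added here as an illustration and not taken from the issue or the provider's code. It uses the argument names proposed above; the bucket name and common name are placeholders. When CRL publishing is enabled, the CRL bucket needs a policy that lets the `acm-pca.amazonaws.com` service principal write to it, so the policy is attached before the CA is created.

```hcl
# Added example: private CA with CRL publishing to an S3 bucket.
# "example-acmpca-crl" and "example.com" are placeholder values.
resource "aws_s3_bucket" "example" {
  bucket = "example-acmpca-crl"
}

# Grant only the ACM PCA service principal the access it needs to publish CRLs.
data "aws_iam_policy_document" "acmpca_bucket_access" {
  statement {
    actions = [
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]
    resources = [
      "${aws_s3_bucket.example.arn}",
      "${aws_s3_bucket.example.arn}/*",
    ]
    principals {
      type        = "Service"
      identifiers = ["acm-pca.amazonaws.com"]
    }
  }
}

resource "aws_s3_bucket_policy" "example" {
  bucket = "${aws_s3_bucket.example.id}"
  policy = "${data.aws_iam_policy_document.acmpca_bucket_access.json}"
}

resource "aws_acmpca_certificate_authority" "example" {
  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"
    subject {
      common_name = "example.com"
    }
  }
  revocation_configuration {
    crl_configuration {
      enabled            = true
      expiration_in_days = 7
      s3_bucket_name     = "${aws_s3_bucket.example.id}"
    }
  }
  # The bucket policy must exist before the CA tries to write its first CRL.
  depends_on = ["aws_s3_bucket_policy.example"]
}
```
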
@Andr3wHur5t

@bflad what are your thoughts on naming it aws_acm_private_certificate_authority?

The ca component of acmpca seems redundant given the certificate_authority postfix.

I also think this would more closely match other ACM resources as well, ref aws_acm_certificate and aws_acm_certificate_validation.

Thanks for putting together this issue. Is there anything I can do to help get this feature implemented?

@bflad
Contributor Author

bflad commented Apr 6, 2018

I believe it's important to denote PCA as a separate service and the naming comes directly from the SDK. It operates under a different endpoint that potentially acts differently than regular ACM. Certificate issuance may also require a separate resource. See also the waf vs wafregional resources.

@bflad bflad added the service/acmpca Issues and PRs that pertain to the acmpca service. label Apr 6, 2018
@bflad
Contributor Author

bflad commented Apr 24, 2018

I'll be picking up this feature request and can provide updates in the coming days (or maybe even a pull request 😉 ).

@bflad
Contributor Author

bflad commented May 4, 2018

New aws_acmpca_certificate_authority resource and data source PR: #4458

@bflad
Contributor Author

bflad commented May 9, 2018

The new aws_acmpca_certificate_authority resource and data source will be released in v1.18.0 of the AWS provider later today.

@bflad
Contributor Author

bflad commented May 10, 2018

This has been released in version 1.18.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020