
We are trying to use the Terraform Incapsula provider to manage Imperva site and custom certificate resources.

We are able to create Imperva site resources but certificate resource creation fails.

Our use-case is to get the certificate from Azure KeyVault and import it to Imperva using the Incapsula provider. We get the certificate from KeyVault using the Terraform "azurerm_key_vault_secret" data source. It returns the certificate as a Base64 string that we pass as the "certificate" parameter into the Terraform "incapsula_custom_certificate" resource, along with the siteID that was created using the Terraform "incapsula_site" resource. When we run "terraform apply" we get the error below.

incapsula_custom_certificate.custom-certificate: Creating...

Error: Error from Incapsula service when adding custom certificate for site_id ******807: {"res":2,"res_message":"Invalid input","debug_info":{"certificate":"invalid certificate or passphrase","id-info":"13007"}}

  on main.tf line 36, in resource "incapsula_custom_certificate" "custom-certificate":
  36: resource "incapsula_custom_certificate" "custom-certificate" { 

We tried reading the certificate from PFX file in Base64 encoding using Terraform "filebase64" function, but we get the same error.

Here is our Terraform code:

provider "azurerm" {
  version = "=2.12.0"
  features {}
}

data "azurerm_key_vault_secret" "imperva_api_id" {
  name         = var.imperva-api-id
  key_vault_id = var.kv.id
}

data "azurerm_key_vault_secret" "imperva_api_key" {
  name         = var.imperva-api-key
  key_vault_id = var.kv.id
}

# Certificate stored in Key Vault; the data source returns it as a Base64 string
data "azurerm_key_vault_secret" "cert" {
  name         = var.certificate_name
  key_vault_id = var.kv.id
}

provider "incapsula" {
  api_id  = data.azurerm_key_vault_secret.imperva_api_id.value
  api_key = data.azurerm_key_vault_secret.imperva_api_key.value
}

resource "incapsula_site" "site" {
  domain                 = var.client_facing_fqdn
  send_site_setup_emails = true
  site_ip                = var.tm_cname
  force_ssl              = true
}

resource "incapsula_custom_certificate" "custom-certificate" {
  site_id     = incapsula_site.site.id
  certificate = data.azurerm_key_vault_secret.cert.value
  # Reading the PFX file directly fails with the same error:
  #certificate = filebase64("certificate.pfx")
}

We were able to import the same PFX certificate file using the same Site ID, Imperva API ID and Key by calling the Imperva API directly from a Python script.

The certificate doesn't have a passphrase.

Are we doing something wrong or is this an Incapsula provider issue?

3 Answers


Looking through the source code of the provider it looks like it is already performing a base64 encode operation as part of the AddCertificate function, which means using the Terraform filebase64 function is double-encoding the certificate.

Instead, I think it should look like this:

resource "incapsula_custom_certificate" "custom-certificate" {
  site_id = incapsula_site.site.id
  certificate = file("certificate.pfx")
}

pk__
  • When trying to read the .pfx file as @pk__ suggested, I get the following error: Error: Error in function call on main.tf line 45, in resource "incapsula_custom_certificate" "custom-certificate": 45: certificate = file("certificate.pfx") Call to function "file" failed: contents of certificate.pfx are not valid UTF-8; use the filebase64 function to obtain the Base64 encoded contents or the other file functions (e.g. filemd5, filesha256) to obtain file hashing results instead. – victor voloceai Jun 10 '20 at 19:03
  • I also tried to read the pfx file using the "local_file" data source ("certificate = data.local_file.cer.content"), but it results in this error: Error: Error from Incapsula service when adding custom certificate for site_id *******07: {"res":2,"res_message":"Invalid input","debug_info":{"certificate":"invalid certificate or passphrase","id-info":"13008"}} – victor voloceai Jun 10 '20 at 19:40

If the returned value from azure is base64 then something like this could work too.

certificate = base64decode(data.azurerm_key_vault_secret.cert.value)

David Buck
  • When I try to decode the value returned from Azure as @Joe Moore recommended, I get the following error: Error: Error in function call on main.tf line 48, in resource "incapsula_custom_certificate" "custom-certificate": 48: certificate = base64decode(data.azurerm_key_vault_secret.cert.value) |---------------- | data.azurerm_key_vault_secret.cert.value is "***********************" Call to function "base64decode" failed: the result of decoding the the provided string is not valid UTF-8. – victor voloceai Jun 10 '20 at 19:01
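The double-encoding explanation in the first answer and the base64decode attempt in the comment above both come down to what the certificate value actually contains. The following is an added Python diagnostic (not from the question, the answers, or the Incapsula provider) that classifies a value as raw PKCS#12/DER, base64 of DER, or base64 applied twice, and shows why Terraform's file() and base64decode() reject binary PFX content. The SAMPLE_* inputs are constructed stand-ins, not a real certificate.

```python
import base64
import binascii

# Constructed stand-in for a PKCS#12 (.pfx) blob: ASN.1 SEQUENCE tag, long-form
# length, then every byte value so it is binary (not UTF-8) like a real .pfx.
# It is NOT a real certificate. SAMPLE_B64 is the form KeyVault hands back;
# SAMPLE_B64_TWICE is that text base64-encoded once more (double encoding).
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_B64_TWICE = base64.b64encode(SAMPLE_B64.encode("ascii")).decode("ascii")

def is_utf8(data: bytes) -> bool:
    """True if Terraform's file()/base64decode() would accept these bytes as text."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def _looks_der(data: bytes) -> bool:
    # SEQUENCE tag 0x30 plus a long-form length byte (0x81..0x84); base64 text
    # can never start this way, so a leading '0' in base64 is not taken for DER.
    return len(data) > 1 and data[0] == 0x30 and 0x81 <= data[1] <= 0x84

def _try_b64(data: bytes):
    """Strict base64 decode (line wraps tolerated); None if not base64 at all."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_cert_material(value) -> str:
    """Say what a 'certificate' value actually carries: 'der' (raw PKCS#12
    bytes), 'pem', 'base64-der' (KeyVault's form), 'double-base64-der'
    (base64 applied twice, what an extra encoding layer produces), or 'unknown'."""
    data = value.encode("ascii", "ignore") if isinstance(value, str) else value
    if _looks_der(data):
        return "der"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    once = _try_b64(data)
    if once is None:
        return "unknown"
    if _looks_der(once):
        return "base64-der"
    twice = _try_b64(once)
    if twice is not None and _looks_der(twice):
        return "double-base64-der"
    return "unknown"
```

Run classify_cert_material on the exact string the provider receives: if it reports double-base64-der, an encoding layer has been applied on top of material that was already base64, and if it reports der the value is binary and no Terraform text function will accept it.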

Have you tried creating a self-signed cert, converting it to PFX with a passphrase, and using that?

I ask because Azure's PFX output has a blank/non-existent passphrase, and I've had issues with a handful of tools over the years that simply won't import a PFX unless you set a passphrase.

John Delisle
  • I've tried your suggestion - created a self-signed certificate and exported it as a PFX file with a passphrase. When I tried to upload it by passing the passphrase (using the Incapsula provider) I get the same error as I described in my question above. – victor voloceai Jun 18 '20 at 13:58