create p12 keystore secret in TF's kubernetes provider


After a lot of struggle and eventually, with the help of this post: Get usable P12 bundle/private key from Terraform google_service_account_key resource, it is evident that Terraform doesn't support p12 keystores as such.

My requirement: I am using TF's Kubernetes provider to create a deployment. In that, I have to set a secret using the test.p12 file. Terraform expects files to be UTF-8 encoded. But my p12 Keystore is not UTF-8 encoded. Simple encoding and decoding results in UTF-8 errors.

My approach:

  1. Encode the p12 keystore using `cat test.p12 | base64 -w0 > encodeout.txt` into a text file that is UTF-8 encoded. Store it as a Terraform variable, `encoded_p12`.
  2. Next, I pass this variable as below:

    resource "kubernetes_secret_v1" "test_keystore" {
      metadata {
        name      = "test-keystore"
        namespace = "test"
      }
      type = "Opaque"
      data = {
        "test.p12" = base64decode(var.encoded_p12)
      }
    }

But here it will fail as terraform doesn't decode to a valid p12 file that is UTF-8 encoded.

  3. So, first decode the `encoded_p12` as below:

    resource "local_file" "decodep12" {
      content  = var.encoded_p12
      filename = "decoded_p12.p12"
      provisioner "local-exec" {
        command = "openssl enc -d -base64 -in "${content}" $(unknown)"
      }
    }

  4. Then, trying to pass this dynamically created decoded file as:

    resource "kubernetes_secret_v1" "app_keystore" {
      metadata {
        name      = "test-keystore"
        namespace = "test"
      }
      type = "Opaque"
      data = {
        "test.p12" = file($(unknown))
      }
    }

Will this approach work or any corrections in it or any better solution to address it? The limitation is I cannot directly pass the .p12 file to the data block.


1 answer

Max Bowsher

There's a much simpler option.

The kubernetes_secret_v1 resource has a binary_data argument for cases like this, which pairs well with the filebase64 function in the Terraform language:

    resource "kubernetes_secret_v1" "app_keystore" {
        metadata {
            name      = "test-keystore"
            namespace = "test"
        }
        type = "Opaque"
        binary_data = {
            "test.p12" = filebase64("decoded_p12.p12")
        }
    }
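An added check, not part of the answer above or of the Terraform provider: the reason the `data` route fails is that Terraform strings must be valid UTF-8 (its `base64decode` function errors out when the decoded bytes are not), while the Kubernetes API's `data` field is simply base64 of raw bytes, which is what `binary_data` hands through unchanged. The script below builds that manifest for a constructed, PKCS#12-shaped byte string (not a real keystore), shows that the same bytes are rejected as UTF-8, and confirms the secret round-trips byte for byte. The manifest, secret name and key name mirror the answer's example; `SAMPLE_P12` is a made-up value.

```python
import base64
import json

# Constructed sample, not a real keystore: the first bytes of a DER SEQUENCE
# (0x30 0x82 ...), as a PKCS#12 file starts, followed by 0xff/0xfe/0x80,
# which no valid UTF-8 string can contain.
SAMPLE_P12 = bytes.fromhex("308201a2020103308201" "fffe0080" "00ff")


def is_valid_utf8(data: bytes) -> bool:
    """True if the bytes decode as UTF-8, the precondition for any Terraform
    string value (and therefore for kubernetes_secret_v1's `data` map)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def looks_like_der(data: bytes) -> bool:
    """Cheap sanity check on a .p12 payload: DER starts with a SEQUENCE tag."""
    return len(data) > 0 and data[0] == 0x30


def secret_manifest(name: str, namespace: str, key: str, payload: bytes) -> dict:
    """Build an Opaque Secret the way the API server stores it: every value
    under `data` is standard base64 of the raw bytes.  This is what
    kubernetes_secret_v1 sends when the value comes from binary_data /
    filebase64(), with no UTF-8 requirement on the underlying bytes."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(payload).decode("ascii")},
    }


def extract_secret_bytes(manifest: dict, key: str) -> bytes:
    """What a pod sees once the kubelet decodes the secret into a file.
    validate=True rejects any non-base64 debris instead of silently dropping it."""
    return base64.b64decode(manifest["data"][key], validate=True)


def check_roundtrip(payload: bytes, key: str = "test.p12") -> bool:
    """True when the bytes survive the manifest round trip unchanged."""
    manifest = secret_manifest("test-keystore", "test", key, payload)
    return extract_secret_bytes(manifest, key) == payload


if __name__ == "__main__":
    print("payload is valid UTF-8:", is_valid_utf8(SAMPLE_P12))      # False
    print("payload looks like DER:", looks_like_der(SAMPLE_P12))      # True
    manifest = secret_manifest("test-keystore", "test", "test.p12", SAMPLE_P12)
    print(json.dumps(manifest, indent=2))
    print("round trip intact:", check_roundtrip(SAMPLE_P12))          # True
```

The same round-trip check applies after `terraform apply`: pull the secret's `data["test.p12"]` back from the cluster, base64-decode it, and compare it to the local `.p12` file before trusting the deployment with it.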