Importing custom CA Certificate into Terraform provider pod

Your Terraform template might include Terraform modules whose source is hosted in a source control management system secured by a certificate issued by your organization's internal CA. To avoid certificate errors when the Terraform engine fetches those modules, follow the steps below to add your own CA certificate chain to the existing list of pre-configured trusted certificates.

  1. Execute the following command to get the name of the pod that runs the Terraform engine:

    kubectl -n services get pods | grep cam-provider-terraform
    

    If this command returns pods prefixed with cam-provider-terraform-runtime and cam-provider-terraform-api, then you are running the Terraform engine in isolation mode. In this mode, the Terraform runtime runs in a separate pod. If this command returns only pods prefixed with cam-provider-terraform-api, then you are running the Terraform engine in non-isolation mode.

    If the Terraform engine is deployed in isolation mode, apply the rest of the steps to the cam-provider-terraform-runtime pod and deployment; otherwise, apply them to the cam-provider-terraform-api pod and deployment.

    Note: Terraform engine isolation is supported from Cloud Automation Manager 4.2.0.1. On versions prior to 4.2.0.1, this command returns pods prefixed only with cam-provider-terraform, and the rest of the steps must be applied to the cam-provider-terraform pod and deployment.

  2. Execute the following command to copy the existing CA bundle file from the Terraform engine pod.

    kubectl -n services cp <terraform-engine-pod-name>:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ca-bundle.crt
    

    where <terraform-engine-pod-name> is:

    • Isolation mode: A pod name prefixed with cam-provider-terraform-runtime
    • Non-isolation mode: A pod name prefixed with cam-provider-terraform-api
    • Cloud Automation Manager versions prior to 4.2.0.1: A pod name prefixed with cam-provider-terraform

    You may see the following warning from tar; ignore it and check that the file was copied.

    tar: Removing leading `/' from member names
    
  3. Add your CA certificate to the copied CA bundle file ca-bundle.crt.

    1. First, back up the original CA bundle file ca-bundle.crt.

      cp ca-bundle.crt ca-bundle-original.crt
      
    2. Add your CA certificates (root and any intermediates) to the ca-bundle.crt file.

      The ca-bundle.crt file contains a number of certificates in the following form:

      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      

      Append your certificates at the end of the file as follows:

      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <my_custom_certificate_content>
      -----END CERTIFICATE-----
      

      If your certificate is in a file, execute the following command to append it to ca-bundle.crt.

      cat <your-ca-cert-file> >> ca-bundle.crt
      
  4. Create a secret from the modified ca-bundle.crt file.

    kubectl create secret generic cam-custom-cert-file --from-file=./ca-bundle.crt -n services
    
  5. Patch the Terraform engine deployment to mount a new volume that contains the secret created above. Because a secret volume replaces the contents of the directory it is mounted on, the mounted ca-bundle.crt must contain the full bundle copied in step 2, not only your own certificates.

    a. Create a file named cam-provider-terraform-patch.json with the following contents:

      {"spec": {"template": {"spec": {"containers": [{"name": "<terraform-engine-deployment>","volumeMounts": [{"mountPath": "/etc/pki/tls/certs","name": "cam-custom-cert-bundle","readOnly": true}]}],"volumes": [{"name": "cam-custom-cert-bundle","secret": {"defaultMode": 420,"secretName": "cam-custom-cert-file"}}]}}}}
    

    where <terraform-engine-deployment> is:

    • Isolation mode: cam-provider-terraform-runtime
    • Non-isolation mode: cam-provider-terraform-api
    • Cloud Automation Manager versions prior to 4.2.0.0: cam-provider-terraform

    Example:

    • Isolation Mode:

      {"spec": {"template": {"spec": {"containers": [{"name": "cam-provider-terraform-runtime","volumeMounts": [{"mountPath": "/etc/pki/tls/certs","name": "cam-custom-cert-bundle","readOnly": true}]}],"volumes": [{"name": "cam-custom-cert-bundle","secret": {"defaultMode": 420,"secretName": "cam-custom-cert-file"}}]}}}}
      
    • Non-Isolation mode:

      {"spec": {"template": {"spec": {"containers": [{"name": "cam-provider-terraform-api","volumeMounts": [{"mountPath": "/etc/pki/tls/certs","name": "cam-custom-cert-bundle","readOnly": true}]}],"volumes": [{"name": "cam-custom-cert-bundle","secret": {"defaultMode": 420,"secretName": "cam-custom-cert-file"}}]}}}}
      
    • Prior to 4.2.0.1:

      {"spec": {"template": {"spec": {"containers": [{"name": "cam-provider-terraform","volumeMounts": [{"mountPath": "/etc/pki/tls/certs","name": "cam-custom-cert-bundle","readOnly": true}]}],"volumes": [{"name": "cam-custom-cert-bundle","secret": {"defaultMode": 420,"secretName": "cam-custom-cert-file"}}]}}}}
      

    b. Execute the following command to patch the deployment so that the new CA bundle is mounted into the Terraform engine pods.

    kubectl -n services patch deployment <terraform-engine-deployment> --patch "$(cat cam-provider-terraform-patch.json)"
    

    where <terraform-engine-deployment> is:

    • Isolation mode: cam-provider-terraform-runtime
    • Non-isolation mode: cam-provider-terraform-api
    • Cloud Automation Manager versions prior to 4.2.0.0: cam-provider-terraform

    Example:

    • Isolation Mode:

      kubectl -n services patch deployment cam-provider-terraform-runtime --patch "$(cat cam-provider-terraform-patch.json)"
      
    • Non-Isolation mode:

      kubectl -n services patch deployment cam-provider-terraform-api --patch "$(cat cam-provider-terraform-patch.json)"
      
    • Prior to Cloud Automation Manager 4.2.0.1:

      kubectl -n services patch deployment cam-provider-terraform --patch "$(cat cam-provider-terraform-patch.json)"
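A pre-flight check for step 3, added here as an example that is not part of the original documentation: it validates every PEM block in your CA file and appends only the certificates not already present in the copied ca-bundle.crt, so a truncated block is caught before the bundle is turned into a secret in step 4 and re-running the step never duplicates an entry. The certificates below are constructed placeholders rather than real DER; to use the check, read ca-bundle.crt and <your-ca-cert-file>, pass their contents to merge_bundle, and write the merged text back to ca-bundle.crt.

```python
import base64
import binascii
import hashlib
import re

# One PEM certificate block, including its framing lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def parse_bundle(text):
    """Return (sha256 of DER, base64 body) for each block in a PEM bundle.
    Raises ValueError on a truncated or malformed block, which would otherwise
    break the whole trust store once it is mounted into the pod."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())  # drop the 64-column line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed certificate block: %s" % exc)
        certs.append((hashlib.sha256(der).hexdigest(), body))
    if text.count("-----BEGIN CERTIFICATE-----") != len(certs):
        raise ValueError("unterminated certificate block (truncated file?)")
    return certs

def merge_bundle(bundle_text, custom_text):
    """Append the certificates in custom_text to bundle_text, skipping any that
    are already present (compared by DER digest). Returns (merged_text, added)."""
    present = {digest for digest, _ in parse_bundle(bundle_text)}
    merged, added = bundle_text.rstrip("\n") + "\n", 0
    for digest, body in parse_bundle(custom_text):
        if digest in present:
            continue  # idempotent: re-running step 3 never duplicates a cert
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        merged += "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped
        present.add(digest)
        added += 1
    return merged, added

def fake_cert(label):
    # Constructed placeholder: arbitrary bytes in PEM framing, not a real certificate.
    body = base64.b64encode(("constructed-der-" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed stand-ins for the copied ca-bundle.crt and for <your-ca-cert-file>;
# the custom file repeats public-root-2 to show that duplicates are skipped.
EXISTING_BUNDLE = fake_cert("public-root-1") + "\n" + fake_cert("public-root-2")
CUSTOM_CA = fake_cert("org-root") + fake_cert("org-intermediate") + fake_cert("public-root-2")
```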