Importing custom CA Certificate into Terraform provider pod

Your Terraform template might include Terraform modules whose source is in a source control management system secured by your organization's internal certificate. To avoid certificate errors when Terraform fetches those modules, follow these steps to add your own CA certificate chain to the existing list of pre-configured certificates.

  1. Run the following command to get the name of the pod that runs the Terraform engine:

    kubectl -n management-infrastructure-management get pods | grep cam-provider-terraform
    

    If this command returns pods that are prefixed with cam-provider-terraform-runtime and cam-provider-terraform-api, then you are running the Terraform engine in isolation mode. In this mode, the Terraform runtime runs in a separate pod. If this command returns only pods that are prefixed with cam-provider-terraform-api, then you are running the Terraform engine in non-isolation mode.

    If the Terraform engine is deployed in isolation mode, then apply the rest of the steps to the cam-provider-terraform-runtime pod and deployment; otherwise, apply them to the cam-provider-terraform-api pod and deployment.

  2. Run the following command to copy the existing CA bundle file from a Terraform engine pod.

    kubectl -n management-infrastructure-management cp <terraform-engine-pod-name>:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ca-bundle.crt
    

    Where <terraform-engine-pod-name> is:

    • For Isolation mode: A pod name prefixed with cam-provider-terraform-runtime
    • For Non-isolation mode: A pod name prefixed with cam-provider-terraform-api

    You might see the following warning. Ignore it and check whether the file was copied.

    tar: Removing leading `/' from member names
    
  3. Add your CA certificate to the copied CA bundle file ca-bundle.crt.

    1. Back up the original CA bundle file ca-bundle.crt.

      cp ca-bundle.crt ca-bundle-original.crt
      
    2. Add your CA certificates (root and any intermediary) to the ca-bundle.crt file.

      The ca-bundle.crt file contains a number of certificates in the following format:

      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      

      Append your certificates at the end of the file as follows:

      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <certificate_content>
      -----END CERTIFICATE-----
      
      -----BEGIN CERTIFICATE-----
      <my_custom_certificate_content>
      -----END CERTIFICATE-----
      

      If you have your certificate in a file, you can append it to ca-bundle.crt with the following command:

      cat <your-ca-cert-file> >> ca-bundle.crt
      
  4. Create a secret from the modified ca-bundle.crt file.

    kubectl create secret generic cam-custom-cert-file --from-file=./ca-bundle.crt -n management-infrastructure-management
    
  5. Patch the Terraform engine deployment to mount a new volume that contains the secret you created.

    a. Create a file cam-provider-terraform-patch.json with the following contents:

       {"spec": {"template": {"spec": {"containers": [{"name": "<terraform-engine-deployment>","volumeMounts": [{"mountPath": "/etc/pki/tls/certs","name": "cam-custom-cert-bundle","readOnly": true}]}],"volumes": [{"name": "cam-custom-cert-bundle","secret": {"defaultMode": 420,"secretName": "cam-custom-cert-file"}}]}}}}
    

    Where <terraform-engine-deployment> is:

    • For Isolation mode: cam-provider-terraform-runtime
    • For Non-isolation mode: cam-provider-terraform-api

    b. Run the following command to patch the deployment so that the new CA bundle is mounted into the Terraform engine pods.

      kubectl -n management-infrastructure-management patch deployment <terraform-engine-deployment> --patch "$(cat cam-provider-terraform-patch.json)"
    

    Where <terraform-engine-deployment> is:

    • For Isolation mode: cam-provider-terraform-runtime
    • For Non-isolation mode: cam-provider-terraform-api
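The whole procedure above as POSIX shell functions, added here as an example that is not part of the original page (it assumes sh with awk and fold, plus kubectl for the cluster steps): it detects the mode from the pod listing, picks the matching deployment, and adds two checks the manual steps lack, refusing a bundle whose BEGIN/END markers do not pair up and skipping certificates that are already in the bundle so that re-running does not duplicate them.

```shell
# Added example (not from the original page): steps 1-5 as sh functions with
# two extra checks: the bundle must stay well-formed and a certificate is
# appended only once. Assumes POSIX sh with awk and fold; kubectl for run_procedure.
set -eu
NS=management-infrastructure-management
# Isolation mode is signalled by a runtime pod in the `kubectl get pods` output.
detect_mode() {
  if printf '%s\n' "$1" | grep -q '^cam-provider-terraform-runtime'
  then echo isolation; else echo non-isolation; fi
}
# Deployment (and pod name prefix) that receives the patch in each mode.
deployment_for_mode() {
  case "$1" in isolation) echo cam-provider-terraform-runtime ;;
               *) echo cam-provider-terraform-api ;; esac
}
# One whitespace-stripped base64 body per certificate in a PEM file.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { b = ""; inb = 1; next }
       /-----END CERTIFICATE-----/   { if (inb) print b; inb = 0; next }
       inb { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}
# Certificate count; fails when BEGIN and END markers do not pair up.
count_certs() {
  begins=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  ends=$(grep -c 'END CERTIFICATE' "$1" || true)
  [ "$begins" -eq "$ends" ] && echo "$begins"
}
# Append each certificate in $1 (root and intermediates) to bundle $2 unless present.
append_certs() {
  [ "$(count_certs "$1")" -ge 1 ] || { echo "no PEM certificate in $1" >&2; return 1; }
  pem_bodies "$1" | while IFS= read -r body; do
    pem_bodies "$2" | grep -qxF -- "$body" && continue   # already in the bundle
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
      "$(printf '%s' "$body" | fold -w 64)" '-----END CERTIFICATE-----' >> "$2"
  done
}
# The strategic-merge patch from step 5 with the deployment name filled in.
build_patch() {
  printf '{"spec":{"template":{"spec":{"containers":[{"name":"%s","volumeMounts":[{"mountPath":"/etc/pki/tls/certs","name":"cam-custom-cert-bundle","readOnly":true}]}],"volumes":[{"name":"cam-custom-cert-bundle","secret":{"defaultMode":420,"secretName":"cam-custom-cert-file"}}]}}}}\n' "$1"
}
# Steps 1-5 end to end (needs cluster access; not run automatically).
run_procedure() {  # usage: run_procedure <your-ca-cert-file>
  dep=$(deployment_for_mode "$(detect_mode "$(kubectl -n "$NS" get pods | grep cam-provider-terraform)")")
  pod=$(kubectl -n "$NS" get pods -o name | grep "^pod/$dep" | head -n 1 | cut -d/ -f2)
  kubectl -n "$NS" cp "$pod:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ca-bundle.crt
  cp ca-bundle.crt ca-bundle-original.crt && append_certs "$1" ca-bundle.crt
  kubectl -n "$NS" create secret generic cam-custom-cert-file --from-file=./ca-bundle.crt
  kubectl -n "$NS" patch deployment "$dep" --patch "$(build_patch "$dep")"
}
```

Running `run_procedure my-ca.crt` performs the page's steps in order; the other functions can be used on their own to verify a bundle before creating the secret.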