A TFScript to connect to Vault , generate a PKI cert and use that cert as the seed for a pfx file

vault4pfx.hcl

variable "vault_host" {
  description = "Vault hostname"
  default     = "vault.ric-lnd-stack.ric.aws.hashidemos.io"
}
terraform {
  backend "remote" {
    organization = "hc-emea-sentinel-demo"
    workspaces {
      name = "vault-integration"
    }
  }
}
provider "vault" {
  address = "https://${var.vault_host}:8200"
}
resource "vault_pki_secret_backend_cert" "app" {
  backend = "pki"
  name = "consul-service"
  common_name = "ricardo.service.consul"
  ttl = 60
}
resource "local_file" "cert" {
    sensitive_content = vault_pki_secret_backend_cert.app.certificate
    filename = "${path.module}/cert.pem"
}
resource "local_file" "private_key" {
    sensitive_content = vault_pki_secret_backend_cert.app.private_key
    filename = "${path.module}/cert.key"
}
resource "null_resource" "openssl" {
  triggers = {
    certs = vault_pki_secret_backend_cert.app.certificate
  }
  provisioner "local-exec" {
command = <<EOH
openssl pkcs12 -export -out ${path.module}/security.pfx -inkey ${path.module}/cert.key -in ${path.module}/cert.pem -passout pass:foobar;
EOH
    # interpreter = ["bash"]
  }
}
data "local_file" "pfx" {
    filename = "${path.module}/security.pfx"
    depends_on = [null_resource.openssl]
}
output "cert" {
  value = "${vault_pki_secret_backend_cert.app.certificate}"
}
output "private_key" {
  value = "${vault_pki_secret_backend_cert.app.private_key}"
}
output "private_key_type" {
  value = "${vault_pki_secret_backend_cert.app.private_key_type}"
}
output "pfx" {
    value = data.local_file.pfx.content_base64
}