
Certificate manager

This module creates Certificate Manager certificates, DNS authorizations and certificate issuance configs, and optionally a certificate map with its entries. Creating the map and its entries is optional; certificates can also be used on their own. Note that for self-managed certificates the private key is passed to the module as a plain string and will be present in Terraform state and plan output, so protect the state backend accordingly.

Examples

Self-managed certificate

# Example-only key generation for a self-managed certificate.
# NOTE(review): the tls provider keeps the generated private key in Terraform
# state in clear text; for production generate the key out of band (or in a
# locked-down state backend) and pass only the PEM material to the module.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048 # 2048 is the common minimum for server keys; larger RSA or an EC key is also acceptable
}

# Self-signed server certificate for the example. Clients will not trust it
# unless they explicitly pin it; in practice a self-managed certificate would
# be issued by a CA the clients already trust.
resource "tls_self_signed_cert" "cert" {
  private_key_pem = tls_private_key.private_key.private_key_pem
  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
  validity_period_hours = 720 # 30 days; nothing here renews it, so a self-managed cert must be rotated by hand
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth", # TLS server usage only; no client_auth or cert_sign
  ]
}

# Single self-managed certificate, no certificate map.
module "certificate-manager" {
  source     = "./fabric/modules/certificate-manager"
  project_id = var.project_id
  certificates = {
    my-certificate-1 = {
      self_managed = {
        pem_certificate = tls_self_signed_cert.cert.cert_pem
        # The private key is passed as a plain string and will be visible in
        # state and plan output; treat the state backend as sensitive.
        pem_private_key = tls_private_key.private_key.private_key_pem
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=self-managed-cert.yaml

Certificate map with 1 entry with 1 self-managed certificate

# Example-only key generation; the private key ends up in Terraform state.
# NOTE(review): for production, generate the key outside Terraform or protect
# the state backend.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Self-signed server certificate used as the self-managed certificate below.
# Not trusted by clients by default; shown only to keep the example self-contained.
resource "tls_self_signed_cert" "cert" {
  private_key_pem = tls_private_key.private_key.private_key_pem
  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
  validity_period_hours = 720 # 30 days; self-managed certs are not auto-renewed
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

# Certificate map with one hostname-specific entry pointing at a self-managed
# certificate. The entry key is free-form; `hostname` is what the map matches
# against the SNI presented by the client.
module "certificate-manager" {
  source     = "./fabric/modules/certificate-manager"
  project_id = var.project_id
  map = {
    name        = "my-certificate-map"
    description = "My certificate map"
    entries = {
      mydomain-mycompany-org = {
        # Must reference a key of the `certificates` map below.
        certificates = [
          "my-certificate-1"
        ]
        # Hostname entry: only requests for this name get this certificate.
        # The certificate above is issued for example.com, so for a real
        # deployment the hostname and the certificate subject must agree.
        hostname = "mydomain.mycompany.org"
      }
    }
  }
  certificates = {
    my-certificate-1 = {
      self_managed = {
        pem_certificate = tls_self_signed_cert.cert.cert_pem
        # Private key is passed in clear and stored in state.
        pem_private_key = tls_private_key.private_key.private_key_pem
      }
    }
  }
}
# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml

Certificate map with 1 entry with 1 managed certificate with load balancer authorization

# Google-managed certificate with load balancer authorization: no
# `dns_authorizations` is given, so the domain is validated through the load
# balancer the map is attached to. NOTE(review): with this method the
# certificate is not issued until the map is attached to a load balancer and
# the domain's DNS resolves to it — confirm against the Certificate Manager docs.
module "certificate-manager" {
  source     = "./fabric/modules/certificate-manager"
  project_id = var.project_id
  map = {
    name        = "my-certificate-map"
    description = "My certificate map"
    entries = {
      mydomain-mycompany-org = {
        certificates = [
          "my-certificate-1"
        ]
        # PRIMARY marks the map's default entry, used when no hostname entry matches.
        matcher = "PRIMARY"
      }
    }
  }
  certificates = {
    my-certificate-1 = {
      managed = {
        domains = ["mydomain.mycompany.org"]
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml

Certificate map with 1 entry with 1 managed certificate with DNS authorization

# Google-managed certificate validated through a DNS authorization, so it can
# be issued before (or without) attaching the map to a load balancer.
# NOTE(review): the DNS record exposed by the authorization still has to be
# published in the zone for mydomain.mycompany.org; this example does not do that.
module "certificate-manager" {
  source     = "./fabric/modules/certificate-manager"
  project_id = var.project_id
  map = {
    name        = "my-certificate-map"
    description = "My certificate map"
    entries = {
      mydomain-mycompany-org = {
        certificates = [
          "my-certificate-1"
        ]
        matcher = "PRIMARY" # default entry for hosts without a specific entry
      }
    }
  }
  certificates = {
    my-certificate-1 = {
      managed = {
        domains = ["mydomain.mycompany.org"]
        # Keys of the `dns_authorizations` map below; domain must match.
        dns_authorizations = ["mydomain-mycompany-org"]
      }
    }
  }
  dns_authorizations = {
    mydomain-mycompany-org = {
      type   = "PER_PROJECT_RECORD" # one validation record per project, scoped to this domain
      domain = "mydomain.mycompany.org"
    }
  }
}
# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml

Certificate map with 1 entry with 1 managed certificate issued by a CA Service instance

# CA pool that the issuance config below points at. The pool is in a single
# region; Certificate Manager certificates issued from it are project-scoped.
resource "google_privateca_ca_pool" "pool" {
  name     = "ca-pool"
  project  = var.project_id
  location = "us-central1"
  tier     = "ENTERPRISE" # the pool tier is required here; DEVOPS is a cheaper option for test setups if it fits the use case
}

# CA inside the pool. No subordinate_config is given, so this appears to be a
# self-signed root CA; in production a root is normally kept offline and a
# subordinate CA does the issuing.
resource "google_privateca_certificate_authority" "ca_authority" {
  project                  = var.project_id
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.pool.name
  certificate_authority_id = "ca-authority"
  config {
    subject_config {
      subject {
        organization = "My Company"
        common_name  = "my-company-authority"
      }
      subject_alt_name {
        dns_names = ["mycompany.org"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256" # Google-managed key; use a Cloud KMS key (key_spec.cloud_kms_key_version) if you need HSM-backed control
  }
  # The three settings below are for disposable test environments only:
  # they let `terraform destroy` delete the CA immediately even while it has
  # active certificates. Do not carry them into a production CA.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}

# Managed certificate issued by the private CA above through an issuance
# config (no public validation, so `domains` is not checked against DNS).
module "certificate-manager" {
  source     = "./fabric/modules/certificate-manager"
  project_id = var.project_id
  map = {
    name        = "my-certificate-map"
    description = "My certificate map"
    entries = {
      mydomain-mycompany-org = {
        certificates = [
          "my-certificate-1"
        ]
        matcher = "PRIMARY"
      }
    }
  }
  certificates = {
    my-certificate-1 = {
      managed = {
        domains         = ["mydomain.mycompany.org"]
        # Key of the `issuance_configs` map below.
        issuance_config = "my-issuance-config"
      }
    }
  }
  issuance_configs = {
    my-issuance-config = {
      ca_pool                    = google_privateca_ca_pool.pool.id
      key_algorithm              = "ECDSA_P256"
      lifetime                   = "1814400s" # 21 days
      # Renewal starts once 66% of the lifetime has elapsed (~14 days in),
      # leaving a ~7-day window before expiry.
      rotation_window_percentage = 34
    }
  }
  # Only the pool is referenced above; the CA must exist (and be enabled)
  # before issuance can succeed, hence the explicit dependency.
  depends_on = [
    google_privateca_certificate_authority.ca_authority
  ]
}
# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml

Variables

name description type required default
project_id Project id. string
certificates Certificates to create, keyed by name; each entry is either `self_managed` (PEM certificate and private key, the latter stored in state) or `managed` (domains plus optional `dns_authorizations` or `issuance_config`). map(object({…})) {}
dns_authorizations DNS authorizations. map(object({…})) {}
issuance_configs Issuance configs. map(object({…})) {}
map Map attributes. object({…}) null

Outputs

name description sensitive
certificate_ids Certificate ids.
certificates Certificates.
map Map.
map_id Map id.