From 80b95bcae8920a911d1816ff0e9f96c07c522313 Mon Sep 17 00:00:00 2001
From: Ben Larabie
Date: Tue, 10 Sep 2024 10:56:29 -0400
Subject: [PATCH] Refactoring VPN to use AWS private certificate authority (#1522)

* Refactoring VPN to use AWS private certificate authority
* permanent deletion
* formatting
---
 aws/eks/vpn.tf | 72 ++++++++++++++++++++++++++++----------------------
 1 file changed, 40 insertions(+), 32 deletions(-)

diff --git a/aws/eks/vpn.tf b/aws/eks/vpn.tf
index 5a654ed86..b53981330 100644
--- a/aws/eks/vpn.tf
+++ b/aws/eks/vpn.tf
@@ -51,45 +51,53 @@ module "gha_vpn" {
 billing_tag_value = "notification-canada-ca-${var.env}"
 }
+resource "aws_acm_certificate" "client_vpn" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn
+ domain_name = "${var.env}.notification.canada.ca"
-#
-# Certificate used for VPN communication
-#
-resource "tls_private_key" "client_vpn" {
- algorithm = "RSA"
- rsa_bits = 2048
-}
-
-resource "tls_self_signed_cert" "client_vpn" {
- private_key_pem = tls_private_key.client_vpn.private_key_pem
- validity_period_hours = 43800 # 5 years
- early_renewal_hours = 672 # Generate new cert if Terraform is run within 4 weeks of expiry
+ tags = {
+ Environment = var.env
+ }
- subject {
- common_name = "vpn.${var.env}.notification.canada.ca"
+ lifecycle {
+ create_before_destroy = true
 }
+}
+
+resource "aws_acmpca_certificate_authority_certificate" "client_vpn" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn
- allowed_uses = [
- "key_encipherment",
- "digital_signature",
- "server_auth",
- "ipsec_end_system",
- "ipsec_tunnel",
- "any_extended",
- "cert_signing",
- ]
+ certificate = aws_acmpca_certificate.client_vpn.certificate
+ certificate_chain = aws_acmpca_certificate.client_vpn.certificate_chain
 }
-resource "aws_acm_certificate" "client_vpn" {
- private_key = tls_private_key.client_vpn.private_key_pem
- certificate_body = tls_self_signed_cert.client_vpn.cert_pem
+resource "aws_acmpca_certificate" "client_vpn" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn
+ certificate_signing_request = aws_acmpca_certificate_authority.client_vpn.certificate_signing_request
+ signing_algorithm = "SHA512WITHRSA"
- tags = {
- Name = "notification-canada-ca"
- CostCenter = "notification-canada-ca-${var.env}"
+ template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
+
+ validity {
+ type = "YEARS"
+ value = 5
 }
+}
- lifecycle {
- create_before_destroy = true
+resource "aws_acmpca_certificate_authority" "client_vpn" {
+ type = "ROOT"
+
+ certificate_authority_configuration {
+ key_algorithm = "RSA_4096"
+ signing_algorithm = "SHA512WITHRSA"
+
+ subject {
+ common_name = "notification.canada.ca"
+ }
 }
-}
\ No newline at end of file
+
+ permanent_deletion_time_in_days = 7
+}
+
+
+data "aws_partition" "current" {}
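Review bot: The 5-year root certificate issued in `aws_acmpca_certificate` has no renewal path, whereas the removed `tls_self_signed_cert` carried `early_renewal_hours = 672` so Terraform re-issued it before expiry; `aws_acmpca_certificate` does not track expiry, so when this root lapses every certificate chained to it stops validating with no plan-time warning, and the `validity` block should at least carry a comment such as `# Root CA expires 5 years after first apply; Terraform will not rotate it — schedule a re-issue before then`. ACM-managed renewal of the private `aws_acm_certificate` also depends on the CA granting ACM issuance permission (an `aws_acmpca_permission` with principal `acm.amazonaws.com`), which this hunk does not add; if it is not defined elsewhere in the module, the VPN server certificate will not renew either. `permanent_deletion_time_in_days = 7` is the shortest recovery window the service allows for a destroyed CA; for the root that issues the VPN server certificate, the 30-day default is the safer choice outside ephemeral environments. The deleted `# Certificate used for VPN communication` header was not replaced, and a short comment above the new block explaining that `aws_acmpca_certificate_authority` is the root, `aws_acmpca_certificate` self-signs it, `aws_acmpca_certificate_authority_certificate` installs it and `aws_acm_certificate` is the server certificate would make the chain readable.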