From 428fbdaa410bc6a076ad3209db7ef2db1f6d75ec Mon Sep 17 00:00:00 2001
From: Ben Larabie
Date: Tue, 10 Sep 2024 10:43:21 -0400
Subject: [PATCH 1/3] Refactoring VPN to use AWS private certificate authority
---
aws/eks/vpn.tf | 70 +++++++++++++++++++++++++++-----------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/aws/eks/vpn.tf b/aws/eks/vpn.tf
index 5a654ed86..74aa4fc53 100644
--- a/aws/eks/vpn.tf
+++ b/aws/eks/vpn.tf
@@ -51,45 +51,51 @@ module "gha_vpn" { billing_tag_value = "notification-canada-ca-${var.env}" } +resource "aws_acm_certificate" "client_vpn" { + certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn + domain_name = "${var.env}.notification.canada.ca" -# -# Certificate used for VPN communication -# -resource "tls_private_key" "client_vpn" { - algorithm = "RSA" - rsa_bits = 2048 -} - -resource "tls_self_signed_cert" "client_vpn" { - private_key_pem = tls_private_key.client_vpn.private_key_pem - validity_period_hours = 43800 # 5 years - early_renewal_hours = 672 # Generate new cert if Terraform is run within 4 weeks of expiry + tags = { + Environment = var.env + } - subject { - common_name = "vpn.${var.env}.notification.canada.ca" + lifecycle { + create_before_destroy = true } +} + +resource "aws_acmpca_certificate_authority_certificate" "client_vpn" { + certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn - allowed_uses = [ - "key_encipherment", - "digital_signature", - "server_auth", - "ipsec_end_system", - "ipsec_tunnel", - "any_extended", - "cert_signing", - ] + certificate = aws_acmpca_certificate.client_vpn.certificate + certificate_chain = aws_acmpca_certificate.client_vpn.certificate_chain } -resource "aws_acm_certificate" "client_vpn" { - private_key = tls_private_key.client_vpn.private_key_pem - certificate_body = tls_self_signed_cert.client_vpn.cert_pem +resource "aws_acmpca_certificate" "client_vpn" { + certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn + certificate_signing_request = aws_acmpca_certificate_authority.client_vpn.certificate_signing_request + signing_algorithm = "SHA512WITHRSA" - tags = { - Name = "notification-canada-ca" - CostCenter = "notification-canada-ca-${var.env}" + template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1" + + validity { + type = "YEARS" + value = 5 } +} - lifecycle { - create_before_destroy = true 
+resource "aws_acmpca_certificate_authority" "client_vpn" { + type = "ROOT" + + certificate_authority_configuration { + key_algorithm = "RSA_4096" + signing_algorithm = "SHA512WITHRSA" + + subject { + common_name = "notification.canada.ca" + } } -} \ No newline at end of file +} + + +data "aws_partition" "current" {} From 7beaad73bd08ec55627179e8df1f17741fc3f2ec Mon Sep 17 00:00:00 2001 From: Ben Larabie Date: Tue, 10 Sep 2024 10:50:33 -0400 Subject: [PATCH 2/3] permanent deletion --- aws/eks/vpn.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aws/eks/vpn.tf b/aws/eks/vpn.tf index 74aa4fc53..71abea243 100644 --- a/aws/eks/vpn.tf +++ b/aws/eks/vpn.tf @@ -95,6 +95,8 @@ resource "aws_acmpca_certificate_authority" "client_vpn" { common_name = "notification.canada.ca" } } + + permanent_deletion_time_in_days = 7 } From 60b97e8c4e47aef10ac3b84fc25fa9f5b2948608 Mon Sep 17 00:00:00 2001 From: Ben Larabie Date: Tue, 10 Sep 2024 10:51:55 -0400 Subject: [PATCH 3/3] formatting --- aws/eks/vpn.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/eks/vpn.tf b/aws/eks/vpn.tf index 71abea243..b53981330 100644 --- a/aws/eks/vpn.tf +++ b/aws/eks/vpn.tf @@ -52,8 +52,8 @@ module "gha_vpn" { } resource "aws_acm_certificate" "client_vpn" { - certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn - domain_name = "${var.env}.notification.canada.ca" + certificate_authority_arn = aws_acmpca_certificate_authority.client_vpn.arn + domain_name = "${var.env}.notification.canada.ca" tags = { Environment = var.env