forked from CircleCI-Public/server-terraform
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
123 lines (100 loc) · 2.87 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# This creates self-signed certs to encrypt the traffic between Nomad server and clients
terraform {
required_providers {
tls = {
source = "hashicorp/tls"
version = "~> 3.1"
}
}
}
locals {
cert_validity_period = 876600 # 100 years, basically doesn't expire
nomad_server_endpoint = "${var.nomad_server_hostname}:${var.nomad_server_port}"
}
resource "tls_private_key" "nomad_ca" {
algorithm = "RSA"
}
resource "tls_self_signed_cert" "nomad_ca" {
key_algorithm = tls_private_key.nomad_ca.algorithm
private_key_pem = tls_private_key.nomad_ca.private_key_pem
subject {
common_name = "Nomad CircleCI CA"
organization = "CircleCI"
organizational_unit = "Server"
street_address = ["201 Spear St", "#1200"]
locality = "San Francisco"
province = "CA"
country = "US"
postal_code = "94105"
}
validity_period_hours = local.cert_validity_period
allowed_uses = [
"cert_signing",
"crl_signing",
]
is_ca_certificate = true
}
resource "tls_private_key" "nomad_client" {
algorithm = "RSA"
}
resource "tls_cert_request" "nomad_client" {
key_algorithm = tls_private_key.nomad_client.algorithm
private_key_pem = tls_private_key.nomad_client.private_key_pem
subject {
common_name = local.nomad_server_endpoint
organization = "nomad:client"
}
dns_names = [
"client.global.nomad",
"localhost",
]
ip_addresses = [
"127.0.0.1",
]
}
resource "tls_locally_signed_cert" "nomad_client" {
cert_request_pem = tls_cert_request.nomad_client.cert_request_pem
ca_key_algorithm = tls_private_key.nomad_ca.algorithm
ca_private_key_pem = tls_private_key.nomad_ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.nomad_ca.cert_pem
validity_period_hours = local.cert_validity_period
allowed_uses = [
"client_auth",
"digital_signature",
"key_agreement",
"key_encipherment",
"server_auth",
]
}
resource "tls_private_key" "nomad_server" {
algorithm = "RSA"
}
resource "tls_cert_request" "nomad_server" {
key_algorithm = tls_private_key.nomad_server.algorithm
private_key_pem = tls_private_key.nomad_server.private_key_pem
subject {
common_name = local.nomad_server_endpoint
organization = "nomad:client"
}
dns_names = [
"server.global.nomad",
"localhost",
]
ip_addresses = [
"127.0.0.1",
]
}
resource "tls_locally_signed_cert" "nomad_server" {
cert_request_pem = tls_cert_request.nomad_server.cert_request_pem
ca_key_algorithm = tls_private_key.nomad_ca.algorithm
ca_private_key_pem = tls_private_key.nomad_ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.nomad_ca.cert_pem
validity_period_hours = local.cert_validity_period
allowed_uses = [
"client_auth",
"digital_signature",
"key_agreement",
"key_encipherment",
"server_auth",
]
}