generated from particuleio/terraform-module-template
-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.tf
90 lines (76 loc) · 3.47 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# Main module resources
resource "tls_private_key" "ca" {
algorithm = try(var.ca.algorithm, "ECDSA")
ecdsa_curve = try(var.ca.algorithm, "ECDSA") == "ECDSA" ? try(var.ca.ecdsa_curve, "P384") : null
rsa_bits = try(var.ca.algorithm, "ECDSA") == "RSA" ? try(var.ca.rsa_bits, 4096) : null
}
resource "tls_self_signed_cert" "ca" {
private_key_pem = tls_private_key.ca.private_key_pem
is_ca_certificate = true
subject {
common_name = try(var.ca.subject.common_name, "certificate-authority")
organization = try(var.ca.subject.organization, null)
organizational_unit = try(var.ca.subject.organizational_unit, null)
street_address = try(var.ca.subject.street_address, null)
locality = try(var.ca.subject.locality, null)
province = try(var.ca.subject.province, null)
country = try(var.ca.subject.country, null)
postal_code = try(var.ca.subject.postal_code, null)
serial_number = try(var.ca.subject.serial_number, null)
}
validity_period_hours = try(var.ca.validity_period_hours, 87600)
early_renewal_hours = try(var.ca.early_renewal_hours, 2160)
allowed_uses = try(var.ca.allowed_uses, [
"cert_signing",
"crl_signing",
"code_signing",
"server_auth",
"client_auth",
"digital_signature",
"key_encipherment",
])
}
resource "tls_private_key" "certificate" {
for_each = var.certificates
algorithm = try(each.value.algorithm, "ECDSA")
ecdsa_curve = try(each.value.algorithm, "ECDSA") == "ECDSA" ? try(each.value.ecdsa_curve, "P384") : null
rsa_bits = try(each.value.algorithm, "ECDSA") == "RSA" ? try(each.value.rsa_bits, 4096) : null
}
resource "tls_cert_request" "certificate" {
for_each = var.certificates
private_key_pem = tls_private_key.certificate[each.key].private_key_pem
subject {
common_name = try(each.value.subject.common_name, null)
organization = try(each.value.subject.organization, null)
organizational_unit = try(each.value.subject.organizational_unit, null)
street_address = try(each.value.subject.street_address, null)
locality = try(each.value.subject.locality, null)
province = try(each.value.subject.province, null)
country = try(each.value.subject.country, null)
postal_code = try(each.value.subject.postal_code, null)
serial_number = try(each.value.subject.serial_number, null)
}
dns_names = try(each.value.dns_names, [])
ip_addresses = try(each.value.ip_addresses, [])
uris = try(each.value.uris, [])
}
resource "tls_locally_signed_cert" "certificate" {
for_each = var.certificates
cert_request_pem = tls_cert_request.certificate[each.key].cert_request_pem
ca_private_key_pem = tls_private_key.ca.private_key_pem
ca_cert_pem = tls_self_signed_cert.ca.cert_pem
validity_period_hours = try(each.value.validity_period_hours, 8740)
early_renewal_hours = try(each.value.early_renewal_hours, 720)
allowed_uses = try(each.value.allowed_uses, [])
}
resource "pkcs12_from_pem" "certificate" {
for_each = var.certificates
password = random_password.certificate[each.key].result
cert_pem = tls_locally_signed_cert.certificate[each.key].cert_pem
private_key_pem = tls_private_key.certificate[each.key].private_key_pem
ca_pem = tls_self_signed_cert.ca.cert_pem
}
resource "random_password" "certificate" {
for_each = var.certificates
length = 32
}