pki.tf
locals {
  # True only when the mount selected by var.secret_engine is the Vault PKI
  # engine. Every resource in this file is gated on this flag through count,
  # so nothing here is created for any other secret engine.
  is_pki = "pki" == lower(var.secret_engine)
}
#
# Root CA
#
# Root CA: generate a self-signed root certificate on the PKI mount.
# Created only when the engine is PKI and pki_config.cert_type is "root".
resource "vault_pki_secret_backend_root_cert" "root_ca" {
  count = local.is_pki ? (lower(var.pki_config.cert_type) == "root" ? 1 : 0) : 0

  backend = vault_mount.secret_mount[0].path

  # "internal": the private key is generated and kept inside Vault and is
  # not returned by the API, which is the desired posture for a root.
  type   = "internal"
  format = "pem"

  # Subject and validity are taken from the pki_root_cert variable. The
  # field is named ttl_seconds, so the value is presumably in seconds —
  # TODO confirm against the variable definition.
  common_name = var.pki_root_cert.common_name
  alt_names   = var.pki_root_cert.alternative_names
  ttl         = var.pki_root_cert.ttl_seconds

  # NOTE(review): the key algorithm and size are hard-coded to RSA-2048.
  # For a long-lived root, many policies expect a larger RSA key or an EC
  # key; consider sourcing these from the variable rather than fixing them
  # here. Changing them later means re-keying the root, so decide up front.
  key_type = "rsa"
  key_bits = 2048
}
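# Root CA URL configuration (refer to README for more details).
# Vault embeds these URLs into the certificates it issues from this mount
# (the AIA "CA Issuers" and CRL distribution point extensions), so they
# must be reachable by whoever validates those certificates, not merely by
# the Terraform runner.
#
# NOTE(review): this is only created for cert_type == "root". An
# intermediate mount that issues leaf certificates presumably needs its own
# URL configuration — TODO confirm it is set elsewhere or extend the gate.
resource "vault_pki_secret_backend_config_urls" "config_urls" {
  count = local.is_pki ? (lower(var.pki_config.cert_type) == "root" ? 1 : 0) : 0

  backend = vault_mount.secret_mount[0].path

  # trimsuffix tolerates a trailing "/" in vault_address; without it the
  # embedded URLs would contain "//v1/", which some clients reject.
  issuing_certificates = [
    format("%s/v1/%s/ca", trimsuffix(var.pki_root_cert.vault_address, "/"), vault_mount.secret_mount[0].path),
  ]
  crl_distribution_points = [
    format("%s/v1/%s/crl", trimsuffix(var.pki_root_cert.vault_address, "/"), vault_mount.secret_mount[0].path),
  ]
}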
#
# Intermediate CA
#
# Intermediate CA, step 1: generate the intermediate's key pair inside Vault
# and produce a CSR for it. Only the CSR leaves Vault; it is signed by the
# root in the next resource.
#
# NOTE: the resource name is misspelled ("intermediat"). It is referenced by
# vault_pki_secret_backend_root_sign_intermediate.intermediate_ca, so
# renaming it needs a `moved` block (Terraform >= 1.1) or a state move;
# otherwise Terraform would destroy and re-create it, re-keying the CA.
resource "vault_pki_secret_backend_intermediate_cert_request" "intermediat_ca_csr" {
  count = local.is_pki ? (lower(var.pki_config.cert_type) == "intermediate" ? 1 : 0) : 0

  backend = vault_mount.secret_mount[0].path

  # "internal": the private key is generated and kept inside Vault.
  type   = "internal"
  format = "pem"

  common_name = var.pki_intermediate_ca.common_name
  alt_names   = var.pki_intermediate_ca.alternative_names

  # NOTE(review): RSA-2048 is hard-coded here as for the root; consider
  # parameterizing the key type and size.
  key_type = "rsa"
  key_bits = 2048
}
# Intermediate CA, step 2: have the signing CA sign the CSR above.
# The signing CA lives on a separate mount (signing_ca_mount_path), so the
# root need not be managed by this same configuration.
resource "vault_pki_secret_backend_root_sign_intermediate" "intermediate_ca" {
  count = local.is_pki ? (lower(var.pki_config.cert_type) == "intermediate" ? 1 : 0) : 0

  # Mount of the CA that signs; not necessarily vault_mount.secret_mount.
  backend = var.pki_intermediate_ca.signing_ca_mount_path

  # Same count gate as the CSR resource, so index 0 is present whenever
  # this resource is.
  csr = vault_pki_secret_backend_intermediate_cert_request.intermediat_ca_csr[0].csr

  common_name = var.pki_intermediate_ca.common_name
  # ttl_seconds suggests seconds — TODO confirm. The requested TTL cannot
  # exceed the signing CA's remaining validity; expect Vault to reject or
  # shorten it if it does, depending on the signing mount's settings.
  ttl = var.pki_intermediate_ca.ttl_seconds

  # NOTE(review): no path-length constraint is set on the intermediate;
  # consider whether the signed certificate should be limited to issuing
  # leaf certificates only.
}
# Intermediate CA, step 3: install the signed certificate on the
# intermediate's own mount so it can issue certificates.
resource "vault_pki_secret_backend_intermediate_set_signed" "set_intermediate_ca" {
  count = local.is_pki ? (lower(var.pki_config.cert_type) == "intermediate" ? 1 : 0) : 0

  backend = vault_mount.secret_mount[0].path

  # The signed intermediate is followed by its issuer so the mount holds the
  # intermediate together with the certificate that signed it.
  certificate = join("\n", [
    vault_pki_secret_backend_root_sign_intermediate.intermediate_ca[0].certificate,
    vault_pki_secret_backend_root_sign_intermediate.intermediate_ca[0].issuing_ca,
  ])
}