From 00d4673093174e89568435fae56d0517485f353f Mon Sep 17 00:00:00 2001 From: apichick Date: Thu, 27 Jun 2024 15:05:35 +0200 Subject: [PATCH] Added certificate-manager module (#2387) --- README.md | 2 +- modules/README.md | 1 + modules/certificate-manager/README.md | 263 ++++++++++++++++++ modules/certificate-manager/main.tf | 85 ++++++ modules/certificate-manager/outputs.tf | 38 +++ modules/certificate-manager/variables.tf | 106 +++++++ modules/certificate-manager/versions.tf | 27 ++ .../map-with-managed-cert-ca-service.yaml | 142 ++++++++++ .../map-with-managed-cert-dns-authz.yaml | 62 +++++ .../map-with-managed-cert-lb-authz.yaml | 51 ++++ .../examples/map-with-self-managed-cert.yaml | 79 ++++++ .../examples/self-managed-cert.yaml | 62 +++++ 12 files changed, 917 insertions(+), 1 deletion(-) create mode 100644 modules/certificate-manager/README.md create mode 100644 modules/certificate-manager/main.tf create mode 100644 modules/certificate-manager/outputs.tf create mode 100644 modules/certificate-manager/variables.tf create mode 100644 modules/certificate-manager/versions.tf create mode 100644 tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml create mode 100644 tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml create mode 100644 tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml create mode 100644 tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml create mode 100644 tests/modules/certificate_manager/examples/self-managed-cert.yaml diff --git a/README.md b/README.md index 63be2293..942ebdb2 100644 --- a/README.md +++ b/README.md 
@@ -35,7 +35,7 @@ Currently available modules: - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud) - **data** - [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/) - **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster) -- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc) +- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/) - **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2) For more information 
and usage examples see each module's README file. diff --git a/modules/README.md b/modules/README.md index b5f5a9b1..8f21a90c 100644 --- a/modules/README.md +++ b/modules/README.md @@ -113,6 +113,7 @@ These modules are used in the examples included in this repository. If you are u - [SecretManager](./secret-manager) - [VPC Service Control](./vpc-sc) - [Secure Web Proxy](./net-swp) +- [Certificate Manager](./certificate-manager) ## Serverless diff --git a/modules/certificate-manager/README.md b/modules/certificate-manager/README.md new file mode 100644 index 00000000..e878609f --- /dev/null +++ b/modules/certificate-manager/README.md 
@@ -0,0 +1,263 @@ +# Certificate manager + +This module allows you to create a certificate manager map and associated entries, certificates, DNS authorizations and issueance configs. Map and associated entries creation is optional. + +## Examples + +### Self-managed certificate + +```hcl +resource "tls_private_key" "private_key" { + algorithm = "RSA" + rsa_bits = 2048 +} + +resource "tls_self_signed_cert" "cert" { + private_key_pem = tls_private_key.private_key.private_key_pem + subject { + common_name = "example.com" + organization = "ACME Examples, Inc" + } + validity_period_hours = 720 + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + ] +} + +module "certificate-manager" { + source = "./fabric/modules/certificate-manager" + project_id = var.project_id + certificates = { + my-certificate-1 = { + self_managed = { + pem_certificate = tls_self_signed_cert.cert.cert_pem + pem_private_key = tls_private_key.private_key.private_key_pem + } + } + } +} +# tftest modules=1 resources=3 inventory=self-managed-cert.yaml +``` + +### Certificate map with 1 entry with 1 self-managed certificate + +```hcl +resource "tls_private_key" "private_key" { + algorithm = "RSA" + rsa_bits = 2048 +} + +resource "tls_self_signed_cert" "cert" { + private_key_pem = tls_private_key.private_key.private_key_pem + subject { + common_name = "example.com" + organization = "ACME Examples, Inc" + } + validity_period_hours = 720 + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + ] +} + +module "certificate-manager" { + source = "./fabric/modules/certificate-manager" + project_id = var.project_id + map = { + name = "my-certificate-map" + description = "My certificate map" + entries = { + mydomain-mycompany-org = { + certificates = [ + "my-certificate-1" + ] + hostname = "mydomain.mycompany.org" + } + } + } + certificates = { + my-certificate-1 = { + self_managed = { + pem_certificate = tls_self_signed_cert.cert.cert_pem + pem_private_key = 
tls_private_key.private_key.private_key_pem + } + } + } +} +# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml + +``` + +### Certificate map with 1 entry with 1 managed certificate with load balancer authorization + +```hcl +module "certificate-manager" { + source = "./fabric/modules/certificate-manager" + project_id = var.project_id + map = { + name = "my-certificate-map" + description = "My certificate map" + entries = { + mydomain-mycompany-org = { + certificates = [ + "my-certificate-1" + ] + matcher = "PRIMARY" + } + } + } + certificates = { + my-certificate-1 = { + managed = { + domains = ["mydomain.mycompany.org"] + } + } + } +} +# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml +``` + +### Certificate map with 1 entry with 1 managed certificate with DNS authorization + +```hcl +module "certificate-manager" { + source = "./fabric/modules/certificate-manager" + project_id = var.project_id + map = { + name = "my-certificate-map" + description = "My certificate map" + entries = { + mydomain-mycompany-org = { + certificates = [ + "my-certificate-1" + ] + matcher = "PRIMARY" + } + } + } + certificates = { + my-certificate-1 = { + managed = { + domains = ["mydomain.mycompany.org"] + dns_authorizations = ["mydomain-mycompany-org"] + } + } + } + dns_authorizations = { + mydomain-mycompany-org = { + type = "PER_PROJECT_RECORD" + domain = "mydomain.mycompany.org" + } + } +} +# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml +``` + +### Certificate map with 1 entry with 1 managed certificate with issued by a CA Service instance + +```hcl +resource "google_privateca_ca_pool" "pool" { + name = "ca-pool" + project = var.project_id + location = "us-central1" + tier = "ENTERPRISE" +} + +resource "google_privateca_certificate_authority" "ca_authority" { + project = var.project_id + location = "us-central1" + pool = google_privateca_ca_pool.pool.name + certificate_authority_id = "ca-authority" + 
config { + subject_config { + subject { + organization = "My Company" + common_name = "my-company-authority" + } + subject_alt_name { + dns_names = ["mycompany.org"] + } + } + x509_config { + ca_options { + is_ca = true + } + key_usage { + base_key_usage { + cert_sign = true + crl_sign = true + } + extended_key_usage { + server_auth = true + } + } + } + } + key_spec { + algorithm = "RSA_PKCS1_4096_SHA256" + } + deletion_protection = false + skip_grace_period = true + ignore_active_certificates_on_deletion = true +} + +module "certificate-manager" { + source = "./fabric/modules/certificate-manager" + project_id = var.project_id + map = { + name = "my-certificate-map" + description = "My certificate map" + entries = { + mydomain-mycompany-org = { + certificates = [ + "my-certificate-1" + ] + matcher = "PRIMARY" + } + } + } + certificates = { + my-certificate-1 = { + managed = { + domains = ["mydomain.mycompany.org"] + issuance_config = "my-issuance-config" + } + } + } + issuance_configs = { + my-issuance-config = { + ca_pool = google_privateca_ca_pool.pool.id + key_algorithm = "ECDSA_P256" + lifetime = "1814400s" + rotation_window_percentage = 34 + } + } + depends_on = [ + google_privateca_certificate_authority.ca_authority + ] +} +# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml +``` + +## Variables + +| name | description | type | required | default | +|---|---|:---:|:---:|:---:| +| [project_id](variables.tf#L102) | Project id. | string | ✓ | | +| [certificates](variables.tf#L17) | Certificates. | map(object({…})) | | {} | +| [dns_authorizations](variables.tf#L53) | DNS authorizations. | map(object({…})) | | {} | +| [issuance_configs](variables.tf#L66) | Issuance configs. | map(object({…})) | | {} | +| [map](variables.tf#L80) | Map attributes. | object({…}) | | null | + +## Outputs + +| name | description | sensitive | +|---|---|:---:| +| [certificate_ids](outputs.tf#L17) | Certificate ids. 
| | +| [certificates](outputs.tf#L22) | Certificates. | | +| [map](outputs.tf#L27) | Map. | | +| [map_id](outputs.tf#L32) | Map id. | | + diff --git a/modules/certificate-manager/main.tf b/modules/certificate-manager/main.tf new file mode 100644 index 00000000..e5bb5b59 --- /dev/null +++ b/modules/certificate-manager/main.tf 
@@ -0,0 +1,85 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_certificate_manager_certificate_map" "map" {
+ count = var.map == null ? 0 : 1
+ project = var.project_id
+ name = var.map.name
+ description = var.map.description
+ labels = var.map.labels
+}
+
+resource "google_certificate_manager_certificate_map_entry" "entries" {
+ for_each = try(var.map.entries, {})
+ project = google_certificate_manager_certificate_map.map[0].project
+ name = each.key
+ description = each.value.description
+ map = google_certificate_manager_certificate_map.map[0].name
+ labels = each.value.labels
+ certificates = [for v in each.value.certificates : google_certificate_manager_certificate.certificates[v].id]
+ hostname = each.value.hostname
+ matcher = each.value.matcher
+}
+
+resource "google_certificate_manager_certificate" "certificates" {
+ for_each = var.certificates
+ project = var.project_id
+ name = each.key
+ description = each.value.description
+ scope = each.value.scope
+ labels = each.value.labels
+ dynamic "managed" {
+ for_each = each.value.managed == null ? [] : [""]
+ content {
+ domains = each.value.managed.domains
+ dns_authorizations = each.value.managed.dns_authorizations
+ issuance_config = each.value.managed.issuance_config
+ }
+ }
+ dynamic "self_managed" {
+ for_each = each.value.self_managed == null ? [] : [""]
+ content {
+ pem_certificate = each.value.self_managed.pem_certificate
+ pem_private_key = each.value.self_managed.pem_private_key
+ }
+ }
+}
+
+resource "google_certificate_manager_dns_authorization" "dns_authorizations" {
+ for_each = var.dns_authorizations
+ project = var.project_id
+ name = each.key
+ location = each.value.location
+ description = each.value.description
+ type = each.value.type
+ domain = each.value.domain
+}
+
+resource "google_certificate_manager_certificate_issuance_config" "default" {
+ for_each = var.issuance_configs
+ project = var.project_id
+ name = each.key
+ description = each.value.description
+ certificate_authority_config {
+ certificate_authority_service_config {
+ ca_pool = each.value.ca_pool
+ }
+ }
+ lifetime = each.value.lifetime
+ rotation_window_percentage = each.value.rotation_window_percentage
+ key_algorithm = each.value.key_algorithm
+ labels = each.value.labels
+}
diff --git a/modules/certificate-manager/outputs.tf b/modules/certificate-manager/outputs.tf
new file mode 100644
index 00000000..43eb9f3f
--- /dev/null
+++ b/modules/certificate-manager/outputs.tf
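Review bot: In the `managed` block of `google_certificate_manager_certificate.certificates`, `dns_authorizations` and `issuance_config` are forwarded as the caller's raw strings, whereas the map entries translate local keys into resource ids with `google_certificate_manager_certificate.certificates[v].id`. The README examples pass module keys (`dns_authorizations = ["mydomain-mycompany-org"]`, `issuance_config = "my-issuance-config"`) and the test inventories show those literal keys reaching the resource arguments, so the DNS authorization and issuance config created by this same module are neither referenced by id nor depended on, and the certificate can be planned before they exist. I have not confirmed whether the API accepts a bare name in these fields, but resolving module keys to ids and falling back to the raw value for resources created elsewhere keeps both uses working and adds the missing dependency edge. Suggested rewrite of the `managed` block:
```hcl
  dynamic "managed" {
    for_each = each.value.managed == null ? [] : [""]
    content {
      domains = each.value.managed.domains
      # resolve module-local keys to resource ids (explicit dependency);
      # fall back to the raw value for authorizations/configs created outside this module
      dns_authorizations = each.value.managed.dns_authorizations == null ? null : [
        for k in each.value.managed.dns_authorizations :
        try(google_certificate_manager_dns_authorization.dns_authorizations[k].id, k)
      ]
      issuance_config = each.value.managed.issuance_config == null ? null : try(
        google_certificate_manager_certificate_issuance_config.default[each.value.managed.issuance_config].id,
        each.value.managed.issuance_config
      )
    }
  }
```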
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "certificate_ids" {
+ description = "Certificate ids."
+ value = { for k, v in google_certificate_manager_certificate.certificates : k => v.id }
+}
+
+output "certificates" {
+ description = "Certificates."
+ value = google_certificate_manager_certificate.certificates
+}
+
+output "map" {
+ description = "Map."
+ value = var.map == null ? null : google_certificate_manager_certificate_map.map[0]
+}
+
+output "map_id" {
+ description = "Map id."
+ value = var.map == null ? null : google_certificate_manager_certificate_map.map[0].id
+}
+
+
+
diff --git a/modules/certificate-manager/variables.tf b/modules/certificate-manager/variables.tf
new file mode 100644
index 00000000..05a8f514
--- /dev/null
+++ b/modules/certificate-manager/variables.tf
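Review bot: The `certificates` output re-exports the entire `google_certificate_manager_certificate.certificates` map, which for self-managed certificates includes `self_managed[0].pem_private_key` — the private key material the caller passed in — so every consumer of this output (a root-module output, `terraform output -json`, the calling module's state) carries the key along. If the provider marks that attribute sensitive, as I believe it does, a root output built from this value would also be rejected by Terraform unless it is itself marked sensitive. Add `sensitive = true` to the `certificates` output (the `certificate_ids` output already covers the common non-secret need), or narrow the value to non-secret attributes if callers only need ids and names.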
@@ -0,0 +1,106 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "certificates" {
+ description = "Certificates."
+ type = map(object({
+ description = optional(string)
+ labels = optional(map(string), {})
+ location = optional(string)
+ scope = optional(string)
+ self_managed = optional(object({
+ pem_certificate = string
+ pem_private_key = string
+ }))
+ managed = optional(object({
+ domains = list(string)
+ dns_authorizations = optional(list(string))
+ issuance_config = optional(string)
+ }))
+ }))
+ default = {}
+ nullable = false
+
+ validation {
+ condition = alltrue([for k, v in var.certificates : (
+ v.self_managed != null && v.managed == null
+ || v.self_managed == null && v.managed != null
+ )])
+ error_message = "Either a self-managed or a managed configuration must be specified for a certificate."
+ }
+ validation {
+ condition = alltrue([for k, v in var.certificates : v.managed == null ? true :
+ !(v.managed.dns_authorizations != null
+ && v.managed.issuance_config != null)
+ ])
+ error_message = "Both DNS authorizations and issuance cannot be specified."
+ }
+}
+
+variable "dns_authorizations" {
+ description = "DNS authorizations."
+ type = map(object({
+ domain = string
+ description = optional(string)
+ location = optional(string)
+ type = optional(string)
+ labels = optional(map(string))
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "issuance_configs" {
+ description = "Issuance configs."
+ type = map(object({
+ ca_pool = string
+ description = optional(string)
+ key_algorithm = string
+ labels = optional(map(string), {})
+ lifetime = string
+ rotation_window_percentage = number
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "map" {
+ description = "Map attributes."
+ type = object({
+ name = string
+ description = optional(string)
+ labels = optional(map(string), {})
+ entries = optional(map(object({
+ description = optional(string)
+ hostname = optional(string)
+ labels = optional(map(string), {})
+ matcher = optional(string)
+ certificates = list(string)
+ })), {})
+ })
+ default = null
+
+ validation {
+ condition = var.map == null ? true : alltrue([for k, v in var.map.entries : v.hostname == null && v.matcher != null || v.hostname != null && v.matcher == null])
+ error_message = "Either hostname or matcher must be specified for an entry."
+ }
+}
+
+variable "project_id" {
+ description = "Project id."
+ type = string
+}
+
diff --git a/modules/certificate-manager/versions.tf b/modules/certificate-manager/versions.tf
new file mode 100644
index 00000000..d1f29b96
--- /dev/null
+++ b/modules/certificate-manager/versions.tf
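Review bot: `certificates[*].location` and `dns_authorizations[*].labels` are declared in this schema but never consumed in main.tf — `google_certificate_manager_certificate.certificates` sets only project, name, description, scope, labels and the two dynamic blocks, and `google_certificate_manager_dns_authorization.dns_authorizations` sets no `labels` — so a caller who sets `location` expecting a regional certificate silently gets the global one the test inventories show (`location: global`). Either wire them through with `location = each.value.location` on the certificate resource and `labels = each.value.labels` on the DNS authorization resource, or remove the attributes so the schema does not promise what the module ignores. Separately, `dns_authorizations[*].type` and `certificates[*].scope` accept any string; a `validation` block limiting them to the values the provider documents (the example uses `PER_PROJECT_RECORD`) would surface a typo at plan time rather than at apply time.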
@@ -0,0 +1,27 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +terraform { + required_version = ">= 1.7.4" + required_providers { + google = { + source = "hashicorp/google" + version = ">= 5.34.0, < 6.0.0" # tftest + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 5.34.0, < 6.0.0" # tftest + } + } +} diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml new file mode 100644 index 00000000..2a5a0756 --- /dev/null +++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml 
@@ -0,0 +1,142 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + google_privateca_ca_pool.pool: + issuance_policy: [] + labels: null + location: us-central1 + name: ca-pool + project: project-id + publishing_options: [] + tier: ENTERPRISE + timeouts: null + google_privateca_certificate_authority.ca_authority: + certificate_authority_id: ca-authority + config: + - subject_config: + - subject: + - common_name: my-company-authority + country_code: null + locality: null + organization: My Company + organizational_unit: null + postal_code: null + province: null + street_address: null + subject_alt_name: + - dns_names: + - mycompany.org + email_addresses: null + ip_addresses: null + uris: null + subject_key_id: [] + x509_config: + - additional_extensions: [] + aia_ocsp_servers: null + ca_options: + - is_ca: true + max_issuer_path_length: null + non_ca: null + zero_max_issuer_path_length: null + key_usage: + - base_key_usage: + - cert_sign: true + content_commitment: null + crl_sign: true + data_encipherment: null + decipher_only: null + digital_signature: null + encipher_only: null + key_agreement: null + key_encipherment: null + extended_key_usage: + - client_auth: null + code_signing: null + email_protection: null + ocsp_signing: null + server_auth: true + time_stamping: null + unknown_extended_key_usages: [] + name_constraints: [] + policy_ids: [] + deletion_protection: false + desired_state: null + gcs_bucket: null + 
ignore_active_certificates_on_deletion: true + key_spec: + - algorithm: RSA_PKCS1_4096_SHA256 + cloud_kms_key_version: null + labels: null + lifetime: 315360000s + location: us-central1 + pem_ca_certificate: null + pool: ca-pool + project: project-id + skip_grace_period: true + subordinate_config: [] + timeouts: null + type: SELF_SIGNED + module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]: + description: null + labels: null + location: global + managed: + - dns_authorizations: null + domains: + - mydomain.mycompany.org + issuance_config: my-issuance-config + name: my-certificate-1 + project: project-id + scope: null + self_managed: [] + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_issuance_config.default["my-issuance-config"]: + certificate_authority_config: + - certificate_authority_service_config: + - {} + description: null + key_algorithm: ECDSA_P256 + labels: null + lifetime: 1814400s + location: global + name: my-issuance-config + project: project-id + rotation_window_percentage: 34 + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map.map[0]: + description: My certificate map + labels: null + name: my-certificate-map + project: project-id + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]: + description: null + hostname: null + labels: null + map: my-certificate-map + matcher: PRIMARY + name: mydomain-mycompany-org + project: project-id + timeouts: null + +counts: + google_certificate_manager_certificate: 1 + google_certificate_manager_certificate_issuance_config: 1 + google_certificate_manager_certificate_map: 1 + google_certificate_manager_certificate_map_entry: 1 + google_privateca_ca_pool: 1 + google_privateca_certificate_authority: 1 + modules: 1 + resources: 6 \ No newline at end of file 
diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml new file mode 100644 index 00000000..5864dd7f --- /dev/null +++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml 
@@ -0,0 +1,62 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]: + description: null + labels: null + location: global + managed: + - dns_authorizations: + - mydomain-mycompany-org + domains: + - mydomain.mycompany.org + issuance_config: null + name: my-certificate-1 + project: project-id + scope: null + self_managed: [] + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map.map[0]: + description: My certificate map + labels: null + name: my-certificate-map + project: project-id + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]: + description: null + hostname: null + labels: null + map: my-certificate-map + matcher: PRIMARY + name: mydomain-mycompany-org + project: project-id + timeouts: null + module.certificate-manager.google_certificate_manager_dns_authorization.dns_authorizations["mydomain-mycompany-org"]: + description: null + domain: mydomain.mycompany.org + labels: null + location: global + name: mydomain-mycompany-org + project: project-id + timeouts: null + type: PER_PROJECT_RECORD + +counts: + google_certificate_manager_certificate: 1 + google_certificate_manager_certificate_map: 1 + google_certificate_manager_certificate_map_entry: 1 + google_certificate_manager_dns_authorization: 1 + modules: 1 + resources: 
4 \ No newline at end of file diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml new file mode 100644 index 00000000..f153637a --- /dev/null +++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml 
@@ -0,0 +1,51 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]: + description: null + labels: null + location: global + managed: + - dns_authorizations: null + domains: + - mydomain.mycompany.org + issuance_config: null + name: my-certificate-1 + project: project-id + scope: null + self_managed: [] + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map.map[0]: + description: My certificate map + labels: null + name: my-certificate-map + project: project-id + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]: + description: null + hostname: null + labels: null + map: my-certificate-map + matcher: PRIMARY + name: mydomain-mycompany-org + project: project-id + timeouts: null + +counts: + google_certificate_manager_certificate: 1 + google_certificate_manager_certificate_map: 1 + google_certificate_manager_certificate_map_entry: 1 + modules: 1 + resources: 3 \ No newline at end of file diff --git a/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml b/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml new file mode 100644 index 00000000..804cbaf0 --- /dev/null +++ b/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml 
@@ -0,0 +1,79 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]: + description: null + labels: null + location: global + managed: [] + name: my-certificate-1 + project: project-id + scope: null + self_managed: + - certificate_pem: null + private_key_pem: null + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map.map[0]: + description: My certificate map + labels: null + name: my-certificate-map + project: project-id + timeouts: null + module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]: + description: null + hostname: mydomain.mycompany.org + labels: null + map: my-certificate-map + matcher: null + name: mydomain-mycompany-org + project: project-id + timeouts: null + tls_private_key.private_key: + algorithm: RSA + ecdsa_curve: P224 + rsa_bits: 2048 + tls_self_signed_cert.cert: + allowed_uses: + - key_encipherment + - digital_signature + - server_auth + dns_names: null + early_renewal_hours: 0 + ip_addresses: null + is_ca_certificate: false + ready_for_renewal: false + set_authority_key_id: false + set_subject_key_id: false + subject: + - common_name: example.com + country: null + locality: null + organization: ACME Examples, Inc + organizational_unit: null + postal_code: null + province: null + serial_number: null + street_address: null + 
uris: null + validity_period_hours: 720 + +counts: + google_certificate_manager_certificate: 1 + google_certificate_manager_certificate_map: 1 + google_certificate_manager_certificate_map_entry: 1 + modules: 1 + resources: 5 + tls_private_key: 1 + tls_self_signed_cert: 1 \ No newline at end of file diff --git a/tests/modules/certificate_manager/examples/self-managed-cert.yaml b/tests/modules/certificate_manager/examples/self-managed-cert.yaml new file mode 100644 index 00000000..a80aac79 --- /dev/null +++ b/tests/modules/certificate_manager/examples/self-managed-cert.yaml 
@@ -0,0 +1,62 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]: + description: null + labels: null + location: global + managed: [] + name: my-certificate-1 + project: project-id + scope: null + self_managed: + - certificate_pem: null + private_key_pem: null + timeouts: null + tls_private_key.private_key: + algorithm: RSA + ecdsa_curve: P224 + rsa_bits: 2048 + tls_self_signed_cert.cert: + allowed_uses: + - key_encipherment + - digital_signature + - server_auth + dns_names: null + early_renewal_hours: 0 + ip_addresses: null + is_ca_certificate: false + ready_for_renewal: false + set_authority_key_id: false + set_subject_key_id: false + subject: + - common_name: example.com + country: null + locality: null + organization: ACME Examples, Inc + organizational_unit: null + postal_code: null + province: null + serial_number: null + street_address: null + uris: null + validity_period_hours: 720 + +counts: + google_certificate_manager_certificate: 1 + modules: 1 + resources: 3 + tls_private_key: 1 + tls_self_signed_cert: 1 \ No newline at end of file