Added certificate-manager module (#2387)
parent
85c1b7c156
commit
00d4673093
@ -35,7 +35,7 @@ Currently available modules:
|
||||||
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
|
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
|
||||||
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
|
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
|
||||||
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
|
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
|
||||||
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
|
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/)
|
||||||
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
|
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
|
||||||
|
|
||||||
For more information and usage examples see each module's README file.
|
For more information and usage examples see each module's README file.
|
||||||
|
|
|
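--- a/[path not shown] modules README.md
+++ b/[path not shown] modules README.md
@@ -113,6 +113,7 @@ These modules are used in the examples included in this repository. If you are u
 - [SecretManager](./secret-manager)
 - [VPC Service Control](./vpc-sc)
 - [Secure Web Proxy](./net-swp)
+- [Certificate Manager](./certificate-manager)
 
 ## Serverless
 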
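--- /dev/null
+++ b/[path not shown] modules/certificate-manager/README.md
@@ -0,0 +1,263 @@
+# Certificate manager
+
+This module allows you to create a certificate manager map and associated entries, certificates, DNS authorizations and issueance configs. Map and associated entries creation is optional.
+
+## Examples
+
+### Self-managed certificate
+
+```hcl
+resource "tls_private_key" "private_key" {
+algorithm = "RSA"
+rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "cert" {
+private_key_pem = tls_private_key.private_key.private_key_pem
+subject {
+common_name = "example.com"
+organization = "ACME Examples, Inc"
+}
+validity_period_hours = 720
+allowed_uses = [
+"key_encipherment",
+"digital_signature",
+"server_auth",
+]
+}
+
+module "certificate-manager" {
+source = "./fabric/modules/certificate-manager"
+project_id = var.project_id
+certificates = {
+my-certificate-1 = {
+self_managed = {
+pem_certificate = tls_self_signed_cert.cert.cert_pem
+pem_private_key = tls_private_key.private_key.private_key_pem
+}
+}
+}
+}
+# tftest modules=1 resources=3 inventory=self-managed-cert.yaml
+```
+
+### Certificate map with 1 entry with 1 self-managed certificate
+
+```hcl
+resource "tls_private_key" "private_key" {
+algorithm = "RSA"
+rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "cert" {
+private_key_pem = tls_private_key.private_key.private_key_pem
+subject {
+common_name = "example.com"
+organization = "ACME Examples, Inc"
+}
+validity_period_hours = 720
+allowed_uses = [
+"key_encipherment",
+"digital_signature",
+"server_auth",
+]
+}
+
+module "certificate-manager" {
+source = "./fabric/modules/certificate-manager"
+project_id = var.project_id
+map = {
+name = "my-certificate-map"
+description = "My certificate map"
+entries = {
+mydomain-mycompany-org = {
+certificates = [
+"my-certificate-1"
+]
+hostname = "mydomain.mycompany.org"
+}
+}
+}
+certificates = {
+my-certificate-1 = {
+self_managed = {
+pem_certificate = tls_self_signed_cert.cert.cert_pem
+pem_private_key = tls_private_key.private_key.private_key_pem
+}
+}
+}
+}
+# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml
+
+```
+
+### Certificate map with 1 entry with 1 managed certificate with load balancer authorization
+
+```hcl
+module "certificate-manager" {
+source = "./fabric/modules/certificate-manager"
+project_id = var.project_id
+map = {
+name = "my-certificate-map"
+description = "My certificate map"
+entries = {
+mydomain-mycompany-org = {
+certificates = [
+"my-certificate-1"
+]
+matcher = "PRIMARY"
+}
+}
+}
+certificates = {
+my-certificate-1 = {
+managed = {
+domains = ["mydomain.mycompany.org"]
+}
+}
+}
+}
+# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml
+```
+
+### Certificate map with 1 entry with 1 managed certificate with DNS authorization
+
+```hcl
+module "certificate-manager" {
+source = "./fabric/modules/certificate-manager"
+project_id = var.project_id
+map = {
+name = "my-certificate-map"
+description = "My certificate map"
+entries = {
+mydomain-mycompany-org = {
+certificates = [
+"my-certificate-1"
+]
+matcher = "PRIMARY"
+}
+}
+}
+certificates = {
+my-certificate-1 = {
+managed = {
+domains = ["mydomain.mycompany.org"]
+dns_authorizations = ["mydomain-mycompany-org"]
+}
+}
+}
+dns_authorizations = {
+mydomain-mycompany-org = {
+type = "PER_PROJECT_RECORD"
+domain = "mydomain.mycompany.org"
+}
+}
+}
+# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml
+```
+
+### Certificate map with 1 entry with 1 managed certificate with issued by a CA Service instance
+
+```hcl
+resource "google_privateca_ca_pool" "pool" {
+name = "ca-pool"
+project = var.project_id
+location = "us-central1"
+tier = "ENTERPRISE"
+}
+
+resource "google_privateca_certificate_authority" "ca_authority" {
+project = var.project_id
+location = "us-central1"
+pool = google_privateca_ca_pool.pool.name
+certificate_authority_id = "ca-authority"
+config {
+subject_config {
+subject {
+organization = "My Company"
+common_name = "my-company-authority"
+}
+subject_alt_name {
+dns_names = ["mycompany.org"]
+}
+}
+x509_config {
+ca_options {
+is_ca = true
+}
+key_usage {
+base_key_usage {
+cert_sign = true
+crl_sign = true
+}
+extended_key_usage {
+server_auth = true
+}
+}
+}
+}
+key_spec {
+algorithm = "RSA_PKCS1_4096_SHA256"
+}
+deletion_protection = false
+skip_grace_period = true
+ignore_active_certificates_on_deletion = true
+}
+
+module "certificate-manager" {
+source = "./fabric/modules/certificate-manager"
+project_id = var.project_id
+map = {
+name = "my-certificate-map"
+description = "My certificate map"
+entries = {
+mydomain-mycompany-org = {
+certificates = [
+"my-certificate-1"
+]
+matcher = "PRIMARY"
+}
+}
+}
+certificates = {
+my-certificate-1 = {
+managed = {
+domains = ["mydomain.mycompany.org"]
+issuance_config = "my-issuance-config"
+}
+}
+}
+issuance_configs = {
+my-issuance-config = {
+ca_pool = google_privateca_ca_pool.pool.id
+key_algorithm = "ECDSA_P256"
+lifetime = "1814400s"
+rotation_window_percentage = 34
+}
+}
+depends_on = [
+google_privateca_certificate_authority.ca_authority
+]
+}
+# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml
+```
+<!-- BEGIN TFDOC -->
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [project_id](variables.tf#L102) | Project id. | <code>string</code> | ✓ | |
+| [certificates](variables.tf#L17) | Certificates. | <code title="map(object({ description = optional(string) labels = optional(map(string), {}) location = optional(string) scope = optional(string) self_managed = optional(object({ pem_certificate = string pem_private_key = string })) managed = optional(object({ domains = list(string) dns_authorizations = optional(list(string)) issuance_config = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
+| [dns_authorizations](variables.tf#L53) | DNS authorizations. | <code title="map(object({ domain = string description = optional(string) location = optional(string) type = optional(string) labels = optional(map(string)) }))">map(object({…}))</code> | | <code>{}</code> |
+| [issuance_configs](variables.tf#L66) | Issuance configs. | <code title="map(object({ ca_pool = string description = optional(string) key_algorithm = string labels = optional(map(string), {}) lifetime = string rotation_window_percentage = number }))">map(object({…}))</code> | | <code>{}</code> |
+| [map](variables.tf#L80) | Map attributes. | <code title="object({ name = string description = optional(string) labels = optional(map(string), {}) entries = optional(map(object({ description = optional(string) hostname = optional(string) labels = optional(map(string), {}) matcher = optional(string) certificates = list(string) })), {}) })">object({…})</code> | | <code>null</code> |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [certificate_ids](outputs.tf#L17) | Certificate ids. | |
+| [certificates](outputs.tf#L22) | Certificates. | |
+| [map](outputs.tf#L27) | Map. | |
+| [map_id](outputs.tf#L32) | Map id. | |
+<!-- END TFDOC -->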
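--- /dev/null
+++ b/[path not shown] modules/certificate-manager/main.tf
@@ -0,0 +1,85 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+resource "google_certificate_manager_certificate_map" "map" {
+count = var.map == null ? 0 : 1
+project = var.project_id
+name = var.map.name
+description = var.map.description
+labels = var.map.labels
+}
+
+resource "google_certificate_manager_certificate_map_entry" "entries" {
+for_each = try(var.map.entries, {})
+project = google_certificate_manager_certificate_map.map[0].project
+name = each.key
+description = each.value.description
+map = google_certificate_manager_certificate_map.map[0].name
+labels = each.value.labels
+certificates = [for v in each.value.certificates : google_certificate_manager_certificate.certificates[v].id]
+hostname = each.value.hostname
+matcher = each.value.matcher
+}
+
+resource "google_certificate_manager_certificate" "certificates" {
+for_each = var.certificates
+project = var.project_id
+name = each.key
+description = each.value.description
+scope = each.value.scope
+labels = each.value.labels
+dynamic "managed" {
+for_each = each.value.managed == null ? [] : [""]
+content {
+domains = each.value.managed.domains
+dns_authorizations = each.value.managed.dns_authorizations
+issuance_config = each.value.managed.issuance_config
+}
+}
+dynamic "self_managed" {
+for_each = each.value.self_managed == null ? [] : [""]
+content {
+pem_certificate = each.value.self_managed.pem_certificate
+pem_private_key = each.value.self_managed.pem_private_key
+}
+}
+}
+
+resource "google_certificate_manager_dns_authorization" "dns_authorizations" {
+for_each = var.dns_authorizations
+project = var.project_id
+name = each.key
+location = each.value.location
+description = each.value.description
+type = each.value.type
+domain = each.value.domain
+}
+
+resource "google_certificate_manager_certificate_issuance_config" "default" {
+for_each = var.issuance_configs
+project = var.project_id
+name = each.key
+description = each.value.description
+certificate_authority_config {
+certificate_authority_service_config {
+ca_pool = each.value.ca_pool
+}
+}
+lifetime = each.value.lifetime
+rotation_window_percentage = each.value.rotation_window_percentage
+key_algorithm = each.value.key_algorithm
+labels = each.value.labels
+}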
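Review bot: `google_certificate_manager_certificate.certificates` never forwards `each.value.location`, although the `certificates` variable declares `location = optional(string)`, so a caller-supplied location is dropped without any error and every certificate is created in the provider default (the test inventories show `location: global`); add `location = each.value.location` next to the `project` argument. `google_certificate_manager_dns_authorization.dns_authorizations` has the same gap for `labels`, which its variable accepts but the resource never sets; add `labels = each.value.labels` there. Both resources sit entirely inside this hunk, while the variable declarations they ignore are in the variables.tf hunk further down.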
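--- /dev/null
+++ b/[path not shown] modules/certificate-manager/outputs.tf
@@ -0,0 +1,38 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+output "certificate_ids" {
+description = "Certificate ids."
+value = { for k, v in google_certificate_manager_certificate.certificates : k => v.id }
+}
+
+output "certificates" {
+description = "Certificates."
+value = google_certificate_manager_certificate.certificates
+}
+
+output "map" {
+description = "Map."
+value = var.map == null ? null : google_certificate_manager_certificate_map.map[0]
+}
+
+output "map_id" {
+description = "Map id."
+value = var.map == null ? null : google_certificate_manager_certificate_map.map[0].id
+}
+
+
+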
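Review bot: The `certificates` output hands back the whole `google_certificate_manager_certificate.certificates` map, and for a self-managed certificate that includes `self_managed.pem_private_key`, so the private key material is re-exported to every caller of the module and ends up in the calling configuration's state as well. The output carries no `sensitive = true`; add it, or better expose only the non-secret attributes, e.g. `value = { for k, v in google_certificate_manager_certificate.certificates : k => { id = v.id, name = v.name, managed = v.managed } }`, since `certificate_ids` already covers the usual lookup. If the provider marks `pem_private_key` sensitive, as I believe it does, Terraform should keep it redacted in plan output, but that does not reduce what consumers receive. The `map` output also returns a full resource, but nothing in it is secret.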
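--- /dev/null
+++ b/[path not shown] modules/certificate-manager/variables.tf
@@ -0,0 +1,106 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "certificates" {
+description = "Certificates."
+type = map(object({
+description = optional(string)
+labels = optional(map(string), {})
+location = optional(string)
+scope = optional(string)
+self_managed = optional(object({
+pem_certificate = string
+pem_private_key = string
+}))
+managed = optional(object({
+domains = list(string)
+dns_authorizations = optional(list(string))
+issuance_config = optional(string)
+}))
+}))
+default = {}
+nullable = false
+
+validation {
+condition = alltrue([for k, v in var.certificates : (
+v.self_managed != null && v.managed == null
+|| v.self_managed == null && v.managed != null
+)])
+error_message = "Either a self-managed or a managed configuration must be specified for a certificate."
+}
+validation {
+condition = alltrue([for k, v in var.certificates : v.managed == null ? true :
+!(v.managed.dns_authorizations != null
+&& v.managed.issuance_config != null)
+])
+error_message = "Both DNS authorizations and issuance cannot be specified."
+}
+}
+
+variable "dns_authorizations" {
+description = "DNS authorizations."
+type = map(object({
+domain = string
+description = optional(string)
+location = optional(string)
+type = optional(string)
+labels = optional(map(string))
+}))
+default = {}
+nullable = false
+}
+
+variable "issuance_configs" {
+description = "Issuance configs."
+type = map(object({
+ca_pool = string
+description = optional(string)
+key_algorithm = string
+labels = optional(map(string), {})
+lifetime = string
+rotation_window_percentage = number
+}))
+default = {}
+nullable = false
+}
+
+variable "map" {
+description = "Map attributes."
+type = object({
+name = string
+description = optional(string)
+labels = optional(map(string), {})
+entries = optional(map(object({
+description = optional(string)
+hostname = optional(string)
+labels = optional(map(string), {})
+matcher = optional(string)
+certificates = list(string)
+})), {})
+})
+default = null
+
+validation {
+condition = var.map == null ? true : alltrue([for k, v in var.map.entries : v.hostname == null && v.matcher != null || v.hostname != null && v.matcher == null])
+error_message = "Either hostname or matcher must be specified for an entry."
+}
+}
+
+variable "project_id" {
+description = "Project id."
+type = string
+}
+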
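Review bot: The second `certificates` validation's message drops a word and does not say which block it concerns; `error_message = "Both DNS authorizations and an issuance config cannot be specified for a managed certificate."` would match the wording of the first message. The `map` validation packs its whole condition onto one line with `&&` and `||` unparenthesised; HCL binds `&&` tighter so the logic is right, but writing it as `(v.hostname == null && v.matcher != null) || (v.hostname != null && v.matcher == null)` split across two lines, as the `certificates` validations above do, makes the precedence visible to the reader. `issuance_configs.rotation_window_percentage` is an unconstrained `number`; if the accepted range is known, a `validation` block bounding it would surface a bad value at plan time instead of at apply.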
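--- /dev/null
+++ b/[path not shown] modules/certificate-manager/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+required_version = ">= 1.7.4"
+required_providers {
+google = {
+source = "hashicorp/google"
+version = ">= 5.34.0, < 6.0.0" # tftest
+}
+google-beta = {
+source = "hashicorp/google-beta"
+version = ">= 5.34.0, < 6.0.0" # tftest
+}
+}
+}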
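--- /dev/null
+++ b/[path not shown; inventory name per README tftest comment] map-with-managed-cert-ca-service.yaml
@@ -0,0 +1,142 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+google_privateca_ca_pool.pool:
+issuance_policy: []
+labels: null
+location: us-central1
+name: ca-pool
+project: project-id
+publishing_options: []
+tier: ENTERPRISE
+timeouts: null
+google_privateca_certificate_authority.ca_authority:
+certificate_authority_id: ca-authority
+config:
+- subject_config:
+- subject:
+- common_name: my-company-authority
+country_code: null
+locality: null
+organization: My Company
+organizational_unit: null
+postal_code: null
+province: null
+street_address: null
+subject_alt_name:
+- dns_names:
+- mycompany.org
+email_addresses: null
+ip_addresses: null
+uris: null
+subject_key_id: []
+x509_config:
+- additional_extensions: []
+aia_ocsp_servers: null
+ca_options:
+- is_ca: true
+max_issuer_path_length: null
+non_ca: null
+zero_max_issuer_path_length: null
+key_usage:
+- base_key_usage:
+- cert_sign: true
+content_commitment: null
+crl_sign: true
+data_encipherment: null
+decipher_only: null
+digital_signature: null
+encipher_only: null
+key_agreement: null
+key_encipherment: null
+extended_key_usage:
+- client_auth: null
+code_signing: null
+email_protection: null
+ocsp_signing: null
+server_auth: true
+time_stamping: null
+unknown_extended_key_usages: []
+name_constraints: []
+policy_ids: []
+deletion_protection: false
+desired_state: null
+gcs_bucket: null
+ignore_active_certificates_on_deletion: true
+key_spec:
+- algorithm: RSA_PKCS1_4096_SHA256
+cloud_kms_key_version: null
+labels: null
+lifetime: 315360000s
+location: us-central1
+pem_ca_certificate: null
+pool: ca-pool
+project: project-id
+skip_grace_period: true
+subordinate_config: []
+timeouts: null
+type: SELF_SIGNED
+module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+description: null
+labels: null
+location: global
+managed:
+- dns_authorizations: null
+domains:
+- mydomain.mycompany.org
+issuance_config: my-issuance-config
+name: my-certificate-1
+project: project-id
+scope: null
+self_managed: []
+timeouts: null
+module.certificate-manager.google_certificate_manager_certificate_issuance_config.default["my-issuance-config"]:
+certificate_authority_config:
+- certificate_authority_service_config:
+- {}
+description: null
+key_algorithm: ECDSA_P256
+labels: null
+lifetime: 1814400s
+location: global
+name: my-issuance-config
+project: project-id
+rotation_window_percentage: 34
+timeouts: null
+module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+description: My certificate map
+labels: null
+name: my-certificate-map
+project: project-id
+timeouts: null
+module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+description: null
+hostname: null
+labels: null
+map: my-certificate-map
+matcher: PRIMARY
+name: mydomain-mycompany-org
+project: project-id
+timeouts: null
+
+counts:
+google_certificate_manager_certificate: 1
+google_certificate_manager_certificate_issuance_config: 1
+google_certificate_manager_certificate_map: 1
+google_certificate_manager_certificate_map_entry: 1
+google_privateca_ca_pool: 1
+google_privateca_certificate_authority: 1
+modules: 1
+resources: 6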
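--- /dev/null
+++ b/[path not shown; inventory name per README tftest comment] map-with-managed-cert-dns-authz.yaml
@@ -0,0 +1,62 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+description: null
+labels: null
+location: global
+managed:
+- dns_authorizations:
+- mydomain-mycompany-org
+domains:
+- mydomain.mycompany.org
+issuance_config: null
+name: my-certificate-1
+project: project-id
+scope: null
+self_managed: []
+timeouts: null
+module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+description: My certificate map
+labels: null
+name: my-certificate-map
+project: project-id
+timeouts: null
+module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+description: null
+hostname: null
+labels: null
+map: my-certificate-map
+matcher: PRIMARY
+name: mydomain-mycompany-org
+project: project-id
+timeouts: null
+module.certificate-manager.google_certificate_manager_dns_authorization.dns_authorizations["mydomain-mycompany-org"]:
+description: null
+domain: mydomain.mycompany.org
+labels: null
+location: global
+name: mydomain-mycompany-org
+project: project-id
+timeouts: null
+type: PER_PROJECT_RECORD
+
+counts:
+google_certificate_manager_certificate: 1
+google_certificate_manager_certificate_map: 1
+google_certificate_manager_certificate_map_entry: 1
+google_certificate_manager_dns_authorization: 1
+modules: 1
+resources: 4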
@ -0,0 +1,51 @@
|
||||||
|
# Copyright 2024 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
|
||||||
|
description: null
|
||||||
|
labels: null
|
||||||
|
location: global
|
||||||
|
managed:
|
||||||
|
- dns_authorizations: null
|
||||||
|
domains:
|
||||||
|
- mydomain.mycompany.org
|
||||||
|
issuance_config: null
|
||||||
|
name: my-certificate-1
|
||||||
|
project: project-id
|
||||||
|
scope: null
|
||||||
|
self_managed: []
|
||||||
|
timeouts: null
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
|
||||||
|
description: My certificate map
|
||||||
|
labels: null
|
||||||
|
name: my-certificate-map
|
||||||
|
project: project-id
|
||||||
|
timeouts: null
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
|
||||||
|
description: null
|
||||||
|
hostname: null
|
||||||
|
labels: null
|
||||||
|
map: my-certificate-map
|
||||||
|
matcher: PRIMARY
|
||||||
|
name: mydomain-mycompany-org
|
||||||
|
project: project-id
|
||||||
|
timeouts: null
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_certificate_manager_certificate: 1
|
||||||
|
google_certificate_manager_certificate_map: 1
|
||||||
|
google_certificate_manager_certificate_map_entry: 1
|
||||||
|
modules: 1
|
||||||
|
resources: 3
|
|
@ -0,0 +1,79 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
|
||||||
|
description: null
|
||||||
|
labels: null
|
||||||
|
location: global
|
||||||
|
managed: []
|
||||||
|
name: my-certificate-1
|
||||||
|
project: project-id
|
||||||
|
scope: null
|
||||||
|
self_managed:
|
||||||
|
- certificate_pem: null
|
||||||
|
private_key_pem: null
|
||||||
|
timeouts: null
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
|
||||||
|
description: My certificate map
|
||||||
|
labels: null
|
||||||
|
name: my-certificate-map
|
||||||
|
project: project-id
|
||||||
|
timeouts: null
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
|
||||||
|
description: null
|
||||||
|
hostname: mydomain.mycompany.org
|
||||||
|
labels: null
|
||||||
|
map: my-certificate-map
|
||||||
|
matcher: null
|
||||||
|
name: mydomain-mycompany-org
|
||||||
|
project: project-id
|
||||||
|
timeouts: null
|
||||||
|
tls_private_key.private_key:
|
||||||
|
algorithm: RSA
|
||||||
|
ecdsa_curve: P224
|
||||||
|
rsa_bits: 2048
|
||||||
|
tls_self_signed_cert.cert:
|
||||||
|
allowed_uses:
|
||||||
|
- key_encipherment
|
||||||
|
- digital_signature
|
||||||
|
- server_auth
|
||||||
|
dns_names: null
|
||||||
|
early_renewal_hours: 0
|
||||||
|
ip_addresses: null
|
||||||
|
is_ca_certificate: false
|
||||||
|
ready_for_renewal: false
|
||||||
|
set_authority_key_id: false
|
||||||
|
set_subject_key_id: false
|
||||||
|
subject:
|
||||||
|
- common_name: example.com
|
||||||
|
country: null
|
||||||
|
locality: null
|
||||||
|
organization: ACME Examples, Inc
|
||||||
|
organizational_unit: null
|
||||||
|
postal_code: null
|
||||||
|
province: null
|
||||||
|
serial_number: null
|
||||||
|
street_address: null
|
||||||
|
uris: null
|
||||||
|
validity_period_hours: 720
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_certificate_manager_certificate: 1
|
||||||
|
google_certificate_manager_certificate_map: 1
|
||||||
|
google_certificate_manager_certificate_map_entry: 1
|
||||||
|
modules: 1
|
||||||
|
resources: 5
|
||||||
|
tls_private_key: 1
|
||||||
|
tls_self_signed_cert: 1
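Review bot: The self-signed certificate this inventory pins has `common_name: example.com` and `dns_names: null`, while the map entry it backs is keyed to `hostname: mydomain.mycompany.org`, so the served certificate cannot match the hostname that routes to it (clients check the SAN list, not the CN). The example would be safer with `dns_names = ["mydomain.mycompany.org"]` and a matching `common_name`, or a comment on the `tls_self_signed_cert` resource saying the cert is a placeholder to be replaced before use. `early_renewal_hours: 0` with `validity_period_hours: 720` also means the cert lives 30 days and, if I read the tls provider correctly, is only flagged `ready_for_renewal` at expiry; a one-line comment on that resource would avoid surprises. Finally, because the key comes from `tls_private_key`, the private key material is written to Terraform state in plaintext, which the module README should state explicitly for the self-managed path.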
|
|
@ -0,0 +1,62 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
|
||||||
|
description: null
|
||||||
|
labels: null
|
||||||
|
location: global
|
||||||
|
managed: []
|
||||||
|
name: my-certificate-1
|
||||||
|
project: project-id
|
||||||
|
scope: null
|
||||||
|
self_managed:
|
||||||
|
- certificate_pem: null
|
||||||
|
private_key_pem: null
|
||||||
|
timeouts: null
|
||||||
|
tls_private_key.private_key:
|
||||||
|
algorithm: RSA
|
||||||
|
ecdsa_curve: P224
|
||||||
|
rsa_bits: 2048
|
||||||
|
tls_self_signed_cert.cert:
|
||||||
|
allowed_uses:
|
||||||
|
- key_encipherment
|
||||||
|
- digital_signature
|
||||||
|
- server_auth
|
||||||
|
dns_names: null
|
||||||
|
early_renewal_hours: 0
|
||||||
|
ip_addresses: null
|
||||||
|
is_ca_certificate: false
|
||||||
|
ready_for_renewal: false
|
||||||
|
set_authority_key_id: false
|
||||||
|
set_subject_key_id: false
|
||||||
|
subject:
|
||||||
|
- common_name: example.com
|
||||||
|
country: null
|
||||||
|
locality: null
|
||||||
|
organization: ACME Examples, Inc
|
||||||
|
organizational_unit: null
|
||||||
|
postal_code: null
|
||||||
|
province: null
|
||||||
|
serial_number: null
|
||||||
|
street_address: null
|
||||||
|
uris: null
|
||||||
|
validity_period_hours: 720
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_certificate_manager_certificate: 1
|
||||||
|
modules: 1
|
||||||
|
resources: 3
|
||||||
|
tls_private_key: 1
|
||||||
|
tls_self_signed_cert: 1
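Review bot: This example feeds `self_managed.private_key_pem` from an in-config `tls_private_key`, so the private key ends up in Terraform state and in any plan output that is logged or stored; the inventory shows `private_key_pem: null` only because the value is unknown at plan time. The README for this example should carry a note along the lines of `# NOTE: the key generated here is stored in Terraform state; for real deployments supply a key/cert issued outside Terraform or protect the state backend accordingly`. The `ecdsa_curve: P224` entry is just the provider default and is unused with `algorithm: RSA`, so nothing to change there, but a comment saying so would stop readers from assuming a weak curve is in play.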
|