zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added certificate-manager module (#2387)

This commit is contained in:
apichick 2024-06-27 15:05:35 +02:00 committed by GitHub
parent 85c1b7c156
commit 00d4673093
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 917 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -35,7 +35,7 @@ Currently available modules:
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/)
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
For more information and usage examples see each module's README file.

1
modules/README.md
View File

@ -113,6 +113,7 @@ These modules are used in the examples included in this repository. If you are u
- [SecretManager](./secret-manager)
- [VPC Service Control](./vpc-sc)
- [Secure Web Proxy](./net-swp)
- [Certificate Manager](./certificate-manager)
## Serverless

263
modules/certificate-manager/README.md Normal file
View File

@ -0,0 +1,263 @@
# Certificate manager
This module allows you to create a certificate manager map and associated entries, certificates, DNS authorizations and issueance configs. Map and associated entries creation is optional.
## Examples
### Self-managed certificate
```hcl
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_self_signed_cert" "cert" {
private_key_pem = tls_private_key.private_key.private_key_pem
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
validity_period_hours = 720
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
certificates = {
my-certificate-1 = {
self_managed = {
pem_certificate = tls_self_signed_cert.cert.cert_pem
pem_private_key = tls_private_key.private_key.private_key_pem
}
}
}
}
# tftest modules=1 resources=3 inventory=self-managed-cert.yaml
```
### Certificate map with 1 entry with 1 self-managed certificate
```hcl
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_self_signed_cert" "cert" {
private_key_pem = tls_private_key.private_key.private_key_pem
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
validity_period_hours = 720
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
hostname = "mydomain.mycompany.org"
}
}
}
certificates = {
my-certificate-1 = {
self_managed = {
pem_certificate = tls_self_signed_cert.cert.cert_pem
pem_private_key = tls_private_key.private_key.private_key_pem
}
}
}
}
# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml
```
### Certificate map with 1 entry with 1 managed certificate with load balancer authorization
```hcl
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
}
}
}
}
# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml
```
### Certificate map with 1 entry with 1 managed certificate with DNS authorization
```hcl
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
dns_authorizations = ["mydomain-mycompany-org"]
}
}
}
dns_authorizations = {
mydomain-mycompany-org = {
type = "PER_PROJECT_RECORD"
domain = "mydomain.mycompany.org"
}
}
}
# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml
```
### Certificate map with 1 entry with 1 managed certificate with issued by a CA Service instance
```hcl
resource "google_privateca_ca_pool" "pool" {
name = "ca-pool"
project = var.project_id
location = "us-central1"
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "ca_authority" {
project = var.project_id
location = "us-central1"
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "ca-authority"
config {
subject_config {
subject {
organization = "My Company"
common_name = "my-company-authority"
}
subject_alt_name {
dns_names = ["mycompany.org"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
issuance_config = "my-issuance-config"
}
}
}
issuance_configs = {
my-issuance-config = {
ca_pool = google_privateca_ca_pool.pool.id
key_algorithm = "ECDSA_P256"
lifetime = "1814400s"
rotation_window_percentage = 34
}
}
depends_on = [
google_privateca_certificate_authority.ca_authority
]
}
# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L102) | Project id. | <code>string</code> | ✓ | |
| [certificates](variables.tf#L17) | Certificates. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; location &#61; optional&#40;string&#41;&#10; scope &#61; optional&#40;string&#41;&#10; self_managed &#61; optional&#40;object&#40;&#123;&#10; pem_certificate &#61; string&#10; pem_private_key &#61; string&#10; &#125;&#41;&#41;&#10; managed &#61; optional&#40;object&#40;&#123;&#10; domains &#61; list&#40;string&#41;&#10; dns_authorizations &#61; optional&#40;list&#40;string&#41;&#41;&#10; issuance_config &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [dns_authorizations](variables.tf#L53) | DNS authorizations. | <code title="map&#40;object&#40;&#123;&#10; domain &#61; string&#10; description &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; type &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [issuance_configs](variables.tf#L66) | Issuance configs. | <code title="map&#40;object&#40;&#123;&#10; ca_pool &#61; string&#10; description &#61; optional&#40;string&#41;&#10; key_algorithm &#61; string&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; lifetime &#61; string&#10; rotation_window_percentage &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [map](variables.tf#L80) | Map attributes. | <code title="object&#40;&#123;&#10; name &#61; string&#10; description &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; entries &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; hostname &#61; optional&#40;string&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; matcher &#61; optional&#40;string&#41;&#10; certificates &#61; list&#40;string&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [certificate_ids](outputs.tf#L17) | Certificate ids. | |
| [certificates](outputs.tf#L22) | Certificates. | |
| [map](outputs.tf#L27) | Map. | |
| [map_id](outputs.tf#L32) | Map id. | |
<!-- END TFDOC -->

85
modules/certificate-manager/main.tf Normal file
View File

@ -0,0 +1,85 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_certificate_manager_certificate_map" "map" {
count = var.map == null ? 0 : 1
project = var.project_id
name = var.map.name
description = var.map.description
labels = var.map.labels
}
resource "google_certificate_manager_certificate_map_entry" "entries" {
for_each = try(var.map.entries, {})
project = google_certificate_manager_certificate_map.map[0].project
name = each.key
description = each.value.description
map = google_certificate_manager_certificate_map.map[0].name
labels = each.value.labels
certificates = [for v in each.value.certificates : google_certificate_manager_certificate.certificates[v].id]
hostname = each.value.hostname
matcher = each.value.matcher
}
resource "google_certificate_manager_certificate" "certificates" {
for_each = var.certificates
project = var.project_id
name = each.key
description = each.value.description
scope = each.value.scope
labels = each.value.labels
dynamic "managed" {
for_each = each.value.managed == null ? [] : [""]
content {
domains = each.value.managed.domains
dns_authorizations = each.value.managed.dns_authorizations
issuance_config = each.value.managed.issuance_config
}
}
dynamic "self_managed" {
for_each = each.value.self_managed == null ? [] : [""]
content {
pem_certificate = each.value.self_managed.pem_certificate
pem_private_key = each.value.self_managed.pem_private_key
}
}
}
resource "google_certificate_manager_dns_authorization" "dns_authorizations" {
for_each = var.dns_authorizations
project = var.project_id
name = each.key
location = each.value.location
description = each.value.description
type = each.value.type
domain = each.value.domain
}
resource "google_certificate_manager_certificate_issuance_config" "default" {
for_each = var.issuance_configs
project = var.project_id
name = each.key
description = each.value.description
certificate_authority_config {
certificate_authority_service_config {
ca_pool = each.value.ca_pool
}
}
lifetime = each.value.lifetime
rotation_window_percentage = each.value.rotation_window_percentage
key_algorithm = each.value.key_algorithm
labels = each.value.labels
}

38
modules/certificate-manager/outputs.tf Normal file
View File

@ -0,0 +1,38 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "certificate_ids" {
description = "Certificate ids."
value = { for k, v in google_certificate_manager_certificate.certificates : k => v.id }
}
output "certificates" {
description = "Certificates."
value = google_certificate_manager_certificate.certificates
}
output "map" {
description = "Map."
value = var.map == null ? null : google_certificate_manager_certificate_map.map[0]
}
output "map_id" {
description = "Map id."
value = var.map == null ? null : google_certificate_manager_certificate_map.map[0].id
}

106
modules/certificate-manager/variables.tf Normal file
View File

@ -0,0 +1,106 @@
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "certificates" {
description = "Certificates."
type = map(object({
description = optional(string)
labels = optional(map(string), {})
location = optional(string)
scope = optional(string)
self_managed = optional(object({
pem_certificate = string
pem_private_key = string
}))
managed = optional(object({
domains = list(string)
dns_authorizations = optional(list(string))
issuance_config = optional(string)
}))
}))
default = {}
nullable = false
validation {
condition = alltrue([for k, v in var.certificates : (
v.self_managed != null && v.managed == null
|| v.self_managed == null && v.managed != null
)])
error_message = "Either a self-managed or a managed configuration must be specified for a certificate."
}
validation {
condition = alltrue([for k, v in var.certificates : v.managed == null ? true :
!(v.managed.dns_authorizations != null
&& v.managed.issuance_config != null)
])
error_message = "Both DNS authorizations and issuance cannot be specified."
}
}
variable "dns_authorizations" {
description = "DNS authorizations."
type = map(object({
domain = string
description = optional(string)
location = optional(string)
type = optional(string)
labels = optional(map(string))
}))
default = {}
nullable = false
}
variable "issuance_configs" {
description = "Issuance configs."
type = map(object({
ca_pool = string
description = optional(string)
key_algorithm = string
labels = optional(map(string), {})
lifetime = string
rotation_window_percentage = number
}))
default = {}
nullable = false
}
variable "map" {
description = "Map attributes."
type = object({
name = string
description = optional(string)
labels = optional(map(string), {})
entries = optional(map(object({
description = optional(string)
hostname = optional(string)
labels = optional(map(string), {})
matcher = optional(string)
certificates = list(string)
})), {})
})
default = null
validation {
condition = var.map == null ? true : alltrue([for k, v in var.map.entries : v.hostname == null && v.matcher != null || v.hostname != null && v.matcher == null])
error_message = "Either hostname or matcher must be specified for an entry."
}
}
variable "project_id" {
description = "Project id."
type = string
}

27
modules/certificate-manager/versions.tf Normal file
View File

@ -0,0 +1,27 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
terraform {
required_version = ">= 1.7.4"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}

142
tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml Normal file
View File

@ -0,0 +1,142 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_privateca_ca_pool.pool:
issuance_policy: []
labels: null
location: us-central1
name: ca-pool
project: project-id
publishing_options: []
tier: ENTERPRISE
timeouts: null
google_privateca_certificate_authority.ca_authority:
certificate_authority_id: ca-authority
config:
- subject_config:
- subject:
- common_name: my-company-authority
country_code: null
locality: null
organization: My Company
organizational_unit: null
postal_code: null
province: null
street_address: null
subject_alt_name:
- dns_names:
- mycompany.org
email_addresses: null
ip_addresses: null
uris: null
subject_key_id: []
x509_config:
- additional_extensions: []
aia_ocsp_servers: null
ca_options:
- is_ca: true
max_issuer_path_length: null
non_ca: null
zero_max_issuer_path_length: null
key_usage:
- base_key_usage:
- cert_sign: true
content_commitment: null
crl_sign: true
data_encipherment: null
decipher_only: null
digital_signature: null
encipher_only: null
key_agreement: null
key_encipherment: null
extended_key_usage:
- client_auth: null
code_signing: null
email_protection: null
ocsp_signing: null
server_auth: true
time_stamping: null
unknown_extended_key_usages: []
name_constraints: []
policy_ids: []
deletion_protection: false
desired_state: null
gcs_bucket: null
ignore_active_certificates_on_deletion: true
key_spec:
- algorithm: RSA_PKCS1_4096_SHA256
cloud_kms_key_version: null
labels: null
lifetime: 315360000s
location: us-central1
pem_ca_certificate: null
pool: ca-pool
project: project-id
skip_grace_period: true
subordinate_config: []
timeouts: null
type: SELF_SIGNED
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
description: null
labels: null
location: global
managed:
- dns_authorizations: null
domains:
- mydomain.mycompany.org
issuance_config: my-issuance-config
name: my-certificate-1
project: project-id
scope: null
self_managed: []
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_issuance_config.default["my-issuance-config"]:
certificate_authority_config:
- certificate_authority_service_config:
- {}
description: null
key_algorithm: ECDSA_P256
labels: null
lifetime: 1814400s
location: global
name: my-issuance-config
project: project-id
rotation_window_percentage: 34
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
description: My certificate map
labels: null
name: my-certificate-map
project: project-id
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
description: null
hostname: null
labels: null
map: my-certificate-map
matcher: PRIMARY
name: mydomain-mycompany-org
project: project-id
timeouts: null
counts:
google_certificate_manager_certificate: 1
google_certificate_manager_certificate_issuance_config: 1
google_certificate_manager_certificate_map: 1
google_certificate_manager_certificate_map_entry: 1
google_privateca_ca_pool: 1
google_privateca_certificate_authority: 1
modules: 1
resources: 6

62
tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml Normal file
View File

@ -0,0 +1,62 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
description: null
labels: null
location: global
managed:
- dns_authorizations:
- mydomain-mycompany-org
domains:
- mydomain.mycompany.org
issuance_config: null
name: my-certificate-1
project: project-id
scope: null
self_managed: []
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
description: My certificate map
labels: null
name: my-certificate-map
project: project-id
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
description: null
hostname: null
labels: null
map: my-certificate-map
matcher: PRIMARY
name: mydomain-mycompany-org
project: project-id
timeouts: null
module.certificate-manager.google_certificate_manager_dns_authorization.dns_authorizations["mydomain-mycompany-org"]:
description: null
domain: mydomain.mycompany.org
labels: null
location: global
name: mydomain-mycompany-org
project: project-id
timeouts: null
type: PER_PROJECT_RECORD
counts:
google_certificate_manager_certificate: 1
google_certificate_manager_certificate_map: 1
google_certificate_manager_certificate_map_entry: 1
google_certificate_manager_dns_authorization: 1
modules: 1
resources: 4

51
tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml Normal file
View File

@ -0,0 +1,51 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
description: null
labels: null
location: global
managed:
- dns_authorizations: null
domains:
- mydomain.mycompany.org
issuance_config: null
name: my-certificate-1
project: project-id
scope: null
self_managed: []
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
description: My certificate map
labels: null
name: my-certificate-map
project: project-id
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
description: null
hostname: null
labels: null
map: my-certificate-map
matcher: PRIMARY
name: mydomain-mycompany-org
project: project-id
timeouts: null
counts:
google_certificate_manager_certificate: 1
google_certificate_manager_certificate_map: 1
google_certificate_manager_certificate_map_entry: 1
modules: 1
resources: 3

79
tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml Normal file
View File

@ -0,0 +1,79 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
description: null
labels: null
location: global
managed: []
name: my-certificate-1
project: project-id
scope: null
self_managed:
- certificate_pem: null
private_key_pem: null
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
description: My certificate map
labels: null
name: my-certificate-map
project: project-id
timeouts: null
module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
description: null
hostname: mydomain.mycompany.org
labels: null
map: my-certificate-map
matcher: null
name: mydomain-mycompany-org
project: project-id
timeouts: null
tls_private_key.private_key:
algorithm: RSA
ecdsa_curve: P224
rsa_bits: 2048
tls_self_signed_cert.cert:
allowed_uses:
- key_encipherment
- digital_signature
- server_auth
dns_names: null
early_renewal_hours: 0
ip_addresses: null
is_ca_certificate: false
ready_for_renewal: false
set_authority_key_id: false
set_subject_key_id: false
subject:
- common_name: example.com
country: null
locality: null
organization: ACME Examples, Inc
organizational_unit: null
postal_code: null
province: null
serial_number: null
street_address: null
uris: null
validity_period_hours: 720
counts:
google_certificate_manager_certificate: 1
google_certificate_manager_certificate_map: 1
google_certificate_manager_certificate_map_entry: 1
modules: 1
resources: 5
tls_private_key: 1
tls_self_signed_cert: 1

62
tests/modules/certificate_manager/examples/self-managed-cert.yaml Normal file
View File

@ -0,0 +1,62 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
description: null
labels: null
location: global
managed: []
name: my-certificate-1
project: project-id
scope: null
self_managed:
- certificate_pem: null
private_key_pem: null
timeouts: null
tls_private_key.private_key:
algorithm: RSA
ecdsa_curve: P224
rsa_bits: 2048
tls_self_signed_cert.cert:
allowed_uses:
- key_encipherment
- digital_signature
- server_auth
dns_names: null
early_renewal_hours: 0
ip_addresses: null
is_ca_certificate: false
ready_for_renewal: false
set_authority_key_id: false
set_subject_key_id: false
subject:
- common_name: example.com
country: null
locality: null
organization: ACME Examples, Inc
organizational_unit: null
postal_code: null
province: null
serial_number: null
street_address: null
uris: null
validity_period_hours: 720
counts:
google_certificate_manager_certificate: 1
modules: 1
resources: 3
tls_private_key: 1
tls_self_signed_cert: 1