* 1.2.0 -- 2024-09-11

- acmpca - add `import_to_acm` (false) to allow for the certificate to be imported into ACM for the purpose of tracking expiration, as acmpca certs are not visible in the account - acmpca-eks-cert-manager - add `import_to_acm` (true) - acmpca-iam-rolesanywhere - add `import_to_acm` (true)
terraform-modules · Sep 11, 2024 · 54567f1 · 54567f1
1 parent 5e879d6
commit 54567f1
Show file tree

Hide file tree

Showing 11 changed files with 45 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,3 +27,11 @@
 
 * 1.1.0 -- 2024-05-17
   - acmpca-iam-rolesanywhere new submodule
+
+* 1.2.0 -- 2024-09-11
+  - acmpca
+    - add `import_to_acm` (false) to allow for the certificate to be imported into ACM for the purpose of tracking expiration, as acmpca certs are not visible in the account
+  - acmpca-eks-cert-manager
+    - add `import_to_acm` (true) 
+  - acmpca-iam-rolesanywhere
+    - add `import_to_acm` (true) 
diff --git a/acmpca-eks-cert-manager/README.md b/acmpca-eks-cert-manager/README.md
@@ -106,6 +106,7 @@ resource "helm_release" "intermediate-certificate-issuer" {
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster Name | `any` | `null` | no |
 | <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| <a name="input_import_to_acm"></a> [import\_to\_acm](#input\_import\_to\_acm) | Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details | `bool` | `true` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 | <a name="input_validity_days"></a> [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |

diff --git a/acmpca-eks-cert-manager/main.tf b/acmpca-eks-cert-manager/main.tf
@@ -90,6 +90,7 @@ module "certificate" {
   certificate_type              = "subordinate-ca"
   certificate_subject_overrides = { ou = "PKI-EKS" }
   validity_days                 = 365
+  import_to_acm                 = var.import_to_acm
 
   tags = merge(
     local.base_tags,

diff --git a/acmpca-eks-cert-manager/variables.tf b/acmpca-eks-cert-manager/variables.tf
@@ -18,3 +18,9 @@ variable "validity_days" {
     error_message = "validity_days must be larger than 0."
   }
 }
+
+variable "import_to_acm" {
+  description = "Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details"
+  type        = bool
+  default     = true
+}
diff --git a/acmpca-iam-rolesanywhere/README.md b/acmpca-iam-rolesanywhere/README.md
@@ -130,6 +130,7 @@ certificate_subject = {
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_certificate_subject_ou"></a> [certificate\_subject\_ou](#input\_certificate\_subject\_ou) | Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account\_id}' | `string` | `null` | no |
 | <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| <a name="input_import_to_acm"></a> [import\_to\_acm](#input\_import\_to\_acm) | Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details | `bool` | `true` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM RolesAnywhere Role Name (including r- prefix if necessary) | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |

diff --git a/acmpca-iam-rolesanywhere/main.tf b/acmpca-iam-rolesanywhere/main.tf
@@ -123,6 +123,7 @@ module "certificate" {
   certificate_type              = "end-entity"
   certificate_subject_overrides = { ou = local.certificate_subject_ou }
   validity_days                 = var.validity_days
+  import_to_acm                 = var.import_to_acm
 
   tags = merge(
     local.base_tags,

diff --git a/acmpca-iam-rolesanywhere/variables.tf b/acmpca-iam-rolesanywhere/variables.tf
@@ -31,3 +31,8 @@ variable "certificate_subject_ou" {
   default     = null
 }
 
+variable "import_to_acm" {
+  description = "Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details"
+  type        = bool
+  default     = true
+}
diff --git a/acmpca/README.md b/acmpca/README.md
@@ -59,6 +59,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_acm_certificate.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acmpca_certificate.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate) | resource |
 | [local_sensitive_file.certificate_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
 | [local_sensitive_file.certificate_cert_chain](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
@@ -96,6 +97,7 @@ No modules.
 | <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
 | <a name="input_create_files"></a> [create\_files](#input\_create\_files) | Flag controlling the creation of output files for the key, CSR, and certificate and bundle. | `bool` | `false` | no |
 | <a name="input_csr_filename"></a> [csr\_filename](#input\_csr\_filename) | Filename for Certificate Signing Request (CSR). Defaults to {certificate\_dns}.csr | `string` | `null` | no |
+| <a name="input_import_to_acm"></a> [import\_to\_acm](#input\_import\_to\_acm) | Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details | `bool` | `false` | no |
 | <a name="input_key_filename"></a> [key\_filename](#input\_key\_filename) | Filename for RSA private key. Defaults to {certificate\_dns}.key | `string` | `null` | no |
 | <a name="input_output_file_directory"></a> [output\_file\_directory](#input\_output\_file\_directory) | File path for resultant files when create\_files is used. Defaults to path.root/certs | `string` | `null` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |

diff --git a/acmpca/certificate.tf b/acmpca/certificate.tf
@@ -159,3 +159,16 @@ locals {
   c_cert_subject     = try(local.c_cert_fields.subject != "") ? { for x in split(",", local.c_cert_fields.subject) : (split("=", x)[0]) => split("=", x)[1] } : {}
   c_cert_subject_map = { for k, v in local.c_cert_subject : lookup(local.subject_fields, k, k) => v }
 }
+
+resource "aws_acm_certificate" "certificate" {
+  count             = var.import_to_acm ? 1 : 0
+  private_key       = tls_private_key.certificate.private_key_pem
+  certificate_body  = aws_acmpca_certificate.certificate.certificate
+  certificate_chain = local.certificate_chain
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+    { "boc:pki:mail" = var.contact_email },
+  )
+}
diff --git a/acmpca/variables.tf b/acmpca/variables.tf
@@ -114,3 +114,9 @@ variable "certificate_type" {
     error_message = "certificate_type must be one of 'end-entity' | 'subordinate-ca'."
   }
 }
+
+variable "import_to_acm" {
+  description = "Flag to import certificate to ACM, used primarily for tracking expiration and establishing contact details"
+  type        = bool
+  default     = false
+}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.1.0"
+  _module_version = "1.2.0"
 }