update
badra001 committed Jan 5, 2024
1 parent 2f5becd commit 5b62d53
Showing 1 changed file with 122 additions and 0 deletions.
122 changes: 122 additions & 0 deletions acmpca/README.md
@@ -0,0 +1,122 @@
<!-- BEGIN_TF_DOCS -->
# About : aws-certificate/acmpca

This module creates an ACM certificate, using the general purpose (ca1) ACM-PCA or short term (ca2) in the local region. It will automatically
include the DNS name in the SAN. You may add additonal SAN fully qualified domain names, URIs, or
in the SAN for an ACM certificate. The [CLI documentation](https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html) indicates
you can use any of the standard types for a SAN (DNS, URI, email, DNS, etc.) along with the [API](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
reference. Other documentation states otherwise (TBD -- find link).

It expects an SSM parameter `/enterprise/pki/ca1` for general purpose and `/enterprise/pki/ca2` for short term CA to exist in the account (distributed to all OUs from a central account).
If this parameter does not exist, this module will fail.

It returns:

# Usage
This shows the module call with how you would use it.

```hcl
module "cert" {
source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acm"
certificate_dns = "test.domain.census.gov"
contact_email = "cio.engineering.alert.list@census.gov"
## optional
## add additional names to SAN
# certificate_san = [ "otherdomain.domain.census.gov" ]
}
# associating it with the ALB listener
resource "aws_lb_listener" "app_443" {
count = module.cert.certificate_arn != null ? 1 : 0
load_balancer_arn = aws_lb.app.arn
port = 443
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
certificate_arn = module.cert.certificate_arn
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.app.arn
}
}
```

The output value to look at is `certificate_arn`. This is null if the certificate is incomplete or failed to load into ACM, or
the ARN if completed. You'll use the ARN for an AWS LB Listener.

## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.1.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 2.1.0 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.1.0 |
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.1.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_acmpca_certificate.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate) | resource |
| [local_sensitive_file.certificate_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [local_sensitive_file.certificate_cert_chain](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [local_sensitive_file.certificate_csr](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [local_sensitive_file.certificate_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
| [null_source.output_directory](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/source) | resource |
| [tls_cert_request.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
| [tls_private_key.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_ssm_parameter.ca_longterm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
| [aws_ssm_parameter.ca_shortterm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
| <a name="input_certificate_authority_mode"></a> [certificate\_authority\_mode](#input\_certificate\_authority\_mode) | String indicating whether to use the general purpose (general) or short lived (short) CA (general is ca1, short lived is ca2) | `string` | `"general"` | no |
| <a name="input_certificate_authority_template"></a> [certificate\_authority\_template](#input\_certificate\_authority\_template) | String indicating which specific ACMPCA template to use | `string` | `null` | no |
| <a name="input_certificate_cn"></a> [certificate\_cn](#input\_certificate\_cn) | CommonName (CN) to use for certificate, defaults in c=US,o=U.S. Census Bureau,ou=Servers. This will typically be the DNS name. Uses certificate\_dns if not provided. | `string` | `null` | no |
| <a name="input_certificate_dns"></a> [certificate\_dns](#input\_certificate\_dns) | DNS Name to be used for the certificate. For ACM certificate, the subject and CN may not be customized. | `string` | n/a | yes |
| <a name="input_certificate_filename"></a> [certificate\_filename](#input\_certificate\_filename) | Filename for Certificate. Defaults to {certificate\_dns}.crt | `string` | `null` | no |
| <a name="input_certificate_san"></a> [certificate\_san](#input\_certificate\_san) | The Subject Alternate Names (SAN), a list of FQDNs to include in the ACM Certificate. Only DNS names are supported. See docs at https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html | `list(string)` | `[]` | no |
| <a name="input_certificate_subject_overrides"></a> [certificate\_subject\_overrides](#input\_certificate\_subject\_overrides) | Map of c, o, and ou to override certificate signing request settings. Note that only a single OU is permitted. | `map(string)` | `{}` | no |
| <a name="input_certificate_type"></a> [certificate\_type](#input\_certificate\_type) | Selection of type of certificate, either end-entity or subordinate-ca. Note that the subordinate-ca type is not available for the short lived CA mode | `string` | `"end-entity"` | no |
| <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address. | `string` | n/a | yes |
| <a name="input_create_files"></a> [create\_files](#input\_create\_files) | Flag controlling the creation of output files for the key, CSR, and certificate and bundle. | `bool` | `false` | no |
| <a name="input_csr_filename"></a> [csr\_filename](#input\_csr\_filename) | Filename for Certificate Signing Request (CSR). Defaults to {certificate\_dns}.csr | `string` | `null` | no |
| <a name="input_key_filename"></a> [key\_filename](#input\_key\_filename) | Filename for RSA private key. Defaults to {certificate\_dns}.key | `string` | `null` | no |
| <a name="input_output_file_directory"></a> [output\_file\_directory](#input\_output\_file\_directory) | File path for resultant files when create\_files is used. Defaults to path.root/certs | `string` | `null` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
| <a name="input_validity_days"></a> [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_certificate"></a> [certificate](#output\_certificate) | PEM format for signed certificate |
| <a name="output_certificate_chain"></a> [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
| <a name="output_certificate_csr"></a> [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
| <a name="output_certificate_files"></a> [certificate\_files](#output\_certificate\_files) | Map of certificate file names |
| <a name="output_certificate_key"></a> [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
<!-- END_TF_DOCS -->
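Review bot: the "It returns:" line near the top of the README is left dangling with nothing after it; either drop it or point it at the Outputs section, and while there fix the usage example, whose `source` ends in `//acm` although this README documents the `acmpca` module (the Resources table lists `aws_acmpca_certificate`, not `aws_acm_certificate`). The SAN paragraph also contradicts itself: it says URIs and other name types may be added, lists DNS twice, has "additonal" for "additional" and ends in "(TBD -- find link)", while the `certificate_san` input says only DNS names are supported and links to the ACM (not ACM-PCA) request-certificate docs; settle on one statement that matches what the module actually passes to `aws_acmpca_certificate`. Two caveats worth documenting in the README: `validity_days` defaults to 365 but must be <= 7 when `certificate_authority_mode = "short"`, so a caller who only flips the mode gets a failed issuance unless the variable carries a `validation` block or a mode-dependent default; and because the key comes from `tls_private_key`, the private key (and the `certificate_key` output) lives in Terraform state and, with `create_files = true`, in a `local_sensitive_file` on disk, so the text should say the state backend must be encrypted and access-restricted and the `certificate_key` output marked `sensitive = true`. Finally, `ELBSecurityPolicy-TLS-1-2-2017-01` in the listener example is an old policy; a current one such as `ELBSecurityPolicy-TLS13-1-2-2021-06` would be a better default to show.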

0 comments on commit 5b62d53
