update docs for acmpca-eks-cert-manager

CHANGELOG.md

@@ -3,11 +3,13 @@
 * 1.0.0 -- 2024-01-02
   - initial creation
 
-
 * 1.0.1 -- 2024-01-08
   - add
     - certificate_ip_addresses
     - certificate_uris
     - generate filename if certificate_dns missing and certificate_cn contains non FQDN characters
     - update docs
     - add submodule acmpca-eks-cert-manager
+
+* 1.0.2 -- 2024-01-10
+  - update docs for acmpca-eks-cert-manager

acmpca-eks-cert-manager/README.md

@@ -5,13 +5,62 @@ This module creates an ACM-PCA certificate, using the `acmpca` submodule in this
 EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
 for the for the [acmpca](../acmpca) submodule apply to this submodule.
 
-This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**.
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**.  It does
+not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+is not created).
 
 This module returns:
+- certificate\_tls\_key: the base64 PEM formatted key.  This is what you need to use in the helm chart for `tls.key`.
+- certificate\_tls\_crt: the base64 PEM formatted certificate and chain.  This is what you need to use in the helm chart for `tls.crt`.
+- certificate\_key: the PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_csr: the certificate signing requested.  It is here for reference, but should not be needed by `cert-manager`.
+- certificate: the PEM formatted signed certificate from ACM-PCA.  It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_chain: the PEM formatted certificate chain (issuer, intermediates, root).  It is here for reference, but should not be needed by `cert-manager`.
+
+It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address.  Currently, and ACM-PCA Certificate
+does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+
+The certificate issued will be good for 365 days.  ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+is not associated with a supported AWS Service.
 
 # Usage
+## Create Subordinate CA
+
 This shows the module call with how you would use it.
 
+```hcl
+module "subordinate_ca" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+  cluster_name  = "test-cluster-dev"
+  contact_email = "group-mailing-list@census.gov"
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.account_tags,
+    var.infrastructure_tags,
+    var.application_tags,
+  )
+}
+```
+## Update settings in helm chart
+Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+
+```hcl
+resource "helm_release" "intermediate-certificate-issuer" {
+  # other code
+  set {
+    name  = "tls.crt"
+    value = module.subordinate_ca.certificate_tls_crt
+  }
+  set {
+    name  = "tls.key"
+    value = module.subordinate_ca.certificate_tls_key
+  }
+
+```
+
 ## Requirements
 
 | Name | Version |
@@ -20,6 +69,7 @@ This shows the module call with how you would use it.
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.1.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1.0 |
 
 ## Providers

acmpca-eks-cert-manager/main.tf

@@ -5,13 +5,61 @@
 * EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
 * for the for the [acmpca](../acmpca) submodule apply to this submodule.
 * 
-* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**.
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**.  It does
+* not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+* is not created).
 * 
 * This module returns:
+* - certificate_tls_key: the base64 PEM formatted key.  This is what you need to use in the helm chart for `tls.key`.
+* - certificate_tls_crt: the base64 PEM formatted certificate and chain.  This is what you need to use in the helm chart for `tls.crt`.
+* - certificate_key: the PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_csr: the certificate signing requested.  It is here for reference, but should not be needed by `cert-manager`.
+* - certificate: the PEM formatted signed certificate from ACM-PCA.  It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_chain: the PEM formatted certificate chain (issuer, intermediates, root).  It is here for reference, but should not be needed by `cert-manager`.
 *
+* It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address.  Currently, and ACM-PCA Certificate
+* does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+*
+* The certificate issued will be good for 365 days.  ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+* is not associated with a supported AWS Service.
+* 
 * # Usage
+* ## Create Subordinate CA
+* 
 * This shows the module call with how you would use it.
 *
+* ```hcl
+* module "subordinate_ca" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+* 
+*   cluster_name  = "test-cluster-dev"
+*   contact_email = "group-mailing-list@census.gov"
+* 
+*   tags = merge(
+*     local.base_tags,
+*     local.common_tags,
+*     var.account_tags,
+*     var.infrastructure_tags,
+*     var.application_tags,
+*   )
+* }
+* ```
+* ## Update settings in helm chart
+* Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+* 
+* ```hcl
+* resource "helm_release" "intermediate-certificate-issuer" {
+*   # other code
+*   set {
+*     name  = "tls.crt"
+*     value = module.subordinate_ca.certificate_tls_crt
+*   }
+*   set {
+*     name  = "tls.key"
+*     value = module.subordinate_ca.certificate_tls_key
+*   }
+* 
+* ```
 */
 
 locals {
@@ -38,7 +86,7 @@ module "certificate" {
   validity_days                 = 365
 
   tags = merge(
-    var.tags,
     local.base_tags,
+    var.tags,
   )
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.1"
+  _module_version = "1.0.2"
 }