diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d858e9..6dd337e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,6 @@
* 1.0.0 -- 2024-01-02
- initial creation
-
* 1.0.1 -- 2024-01-08
- add
- certificate_ip_addresses
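Review bot: style point on the removed blank line after `- initial creation`: the 1.0.0 and 1.0.1 entries now run together, while the next hunk adds a blank line before 1.0.2, so entry spacing in CHANGELOG.md is inconsistent. Either keep the separator here or drop the one added before 1.0.2 so every release entry is spaced alike.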
@@ -11,3 +10,6 @@
- generate filename if certificate_dns missing and certificate_cn contains non FQDN characters
- update docs
- add submodule acmpca-eks-cert-manager
+
+* 1.0.2 -- 2024-01-10
+ - update docs for acmpca-eks-cert-manager
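Review bot: the 1.0.2 entry lists only `update docs for acmpca-eks-cert-manager`, but this same diff also reorders the `tags = merge(...)` arguments in `acmpca-eks-cert-manager/main.tf` (so `var.tags` now takes precedence over `local.base_tags`) and adds `random >= 3.6.0` to the submodule's requirements table. Both are changes a consumer would want to see in the changelog; suggest adding lines along the lines of `- var.tags now override local.base_tags in the certificate module call` and `- add random provider requirement (>= 3.6.0)` under 1.0.2.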
diff --git a/acmpca-eks-cert-manager/README.md b/acmpca-eks-cert-manager/README.md
index a55081e..88936a8 100644
--- a/acmpca-eks-cert-manager/README.md
+++ b/acmpca-eks-cert-manager/README.md
@@ -5,13 +5,62 @@ This module creates an ACM-PCA certificate, using the `acmpca` submodule in this
EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
for the for the [acmpca](../acmpca) submodule apply to this submodule.
-This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**.
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**. It does
+not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+is not created).
This module returns:
+- certificate\_tls\_key: the base64 PEM formatted key. This is what you need to use in the helm chart for `tls.key`.
+- certificate\_tls\_crt: the base64 PEM formatted certificate and chain. This is what you need to use in the helm chart for `tls.crt`.
+- certificate\_key: the PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_csr: the certificate signing requested. It is here for reference, but should not be needed by `cert-manager`.
+- certificate: the PEM formatted signed certificate from ACM-PCA. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_chain: the PEM formatted certificate chain (issuer, intermediates, root). It is here for reference, but should not be needed by `cert-manager`.
+
+It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address. Currently, and ACM-PCA Certificate
+does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+
+The certificate issued will be good for 365 days. ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+is not associated with a supported AWS Service.
# Usage
+## Create Subordinate CA
+
This shows the module call with how you would use it.
+```hcl
+module "subordinate_ca" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = "test-cluster-dev"
+ contact_email = "group-mailing-list@census.gov"
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.account_tags,
+ var.infrastructure_tags,
+ var.application_tags,
+ )
+}
+```
+## Update settings in helm chart
+Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+
+```hcl
+resource "helm_release" "intermediate-certificate-issuer" {
+ # other code
+ set {
+ name = "tls.crt"
+ value = module.subordinate_ca.certificate_tls_crt
+ }
+ set {
+ name = "tls.key"
+ value = module.subordinate_ca.certificate_tls_key
+ }
+
+```
+
## Requirements
| Name | Version |
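Review bot: the `helm_release` example under `## Update settings in helm chart` is missing the closing `}` of the resource block (the fence closes after the blank line following the second `set {}`), so it does not parse as written. Beyond the syntax, `tls.key` is a private key: passing it through `set {}` prints the value in plan and apply output, whereas the helm provider's `set_sensitive {}` block keeps it redacted there; suggest
  set_sensitive {
    name  = "tls.key"
    value = module.subordinate_ca.certificate_tls_key
  }
and confirm the module's `certificate_tls_key` and `certificate_key` outputs are declared `sensitive = true` (the outputs file is not part of this diff). Smaller doc fixes in the same hunk: `Currently, and ACM-PCA Certificate` should read `an ACM-PCA Certificate`, `the certificate signing requested` should be `request`, and the context line `for the for the [acmpca]` repeats `for the`. Since the certificate is valid for 365 days with no automatic renewal, the docs would also benefit from one sentence on how expiry is tracked and how re-issuance is triggered, which is what the `contact_email` intent seems to be heading toward.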
@@ -20,6 +69,7 @@ This shows the module call with how you would use it.
| [aws](#requirement\_aws) | >= 5.0 |
| [local](#requirement\_local) | >= 2.1.0 |
| [null](#requirement\_null) | >= 3.1.0 |
+| [random](#requirement\_random) | >= 3.6.0 |
| [tls](#requirement\_tls) | >= 3.1.0 |
## Providers
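Review bot: `random >= 3.6.0` is added to the requirements table, but no `required_providers` change for this submodule appears in the diff. If the table is generated by terraform-docs from the submodule's `versions.tf`, that file change is missing from the commit; if it was hand-edited, back it with a matching `random = { source = "hashicorp/random", version = ">= 3.6.0" }` entry so `terraform init` actually enforces the constraint the README advertises.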
diff --git a/acmpca-eks-cert-manager/main.tf b/acmpca-eks-cert-manager/main.tf
index 6b0a1fa..ec98f8e 100644
--- a/acmpca-eks-cert-manager/main.tf
+++ b/acmpca-eks-cert-manager/main.tf
@@ -5,13 +5,61 @@
* EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
* for the for the [acmpca](../acmpca) submodule apply to this submodule.
*
-* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**.
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**. It does
+* not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+* is not created).
*
* This module returns:
+* - certificate_tls_key: the base64 PEM formatted key. This is what you need to use in the helm chart for `tls.key`.
+* - certificate_tls_crt: the base64 PEM formatted certificate and chain. This is what you need to use in the helm chart for `tls.crt`.
+* - certificate_key: the PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_csr: the certificate signing requested. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate: the PEM formatted signed certificate from ACM-PCA. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_chain: the PEM formatted certificate chain (issuer, intermediates, root). It is here for reference, but should not be needed by `cert-manager`.
*
+* It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address. Currently, and ACM-PCA Certificate
+* does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+*
+* The certificate issued will be good for 365 days. ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+* is not associated with a supported AWS Service.
+*
* # Usage
+* ## Create Subordinate CA
+*
* This shows the module call with how you would use it.
*
+* ```hcl
+* module "subordinate_ca" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+*
+* cluster_name = "test-cluster-dev"
+* contact_email = "group-mailing-list@census.gov"
+*
+* tags = merge(
+* local.base_tags,
+* local.common_tags,
+* var.account_tags,
+* var.infrastructure_tags,
+* var.application_tags,
+* )
+* }
+* ```
+* ## Update settings in helm chart
+* Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+*
+* ```hcl
+* resource "helm_release" "intermediate-certificate-issuer" {
+* # other code
+* set {
+* name = "tls.crt"
+* value = module.subordinate_ca.certificate_tls_crt
+* }
+* set {
+* name = "tls.key"
+* value = module.subordinate_ca.certificate_tls_key
+* }
+*
+* ```
*/
locals {
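Review bot: this header comment duplicates the README text verbatim, including the same defects: the `helm_release` example lacks its closing `}`, `Currently, and ACM-PCA Certificate` should be `an`, and `certificate signing requested` should be `request`. If the README is generated from this comment (for example via terraform-docs `header-from`), fix it here once; otherwise consider pointing the comment at the README instead of carrying two copies that will drift.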
@@ -38,7 +86,7 @@ module "certificate" {
validity_days = 365
tags = merge(
- var.tags,
local.base_tags,
+ var.tags,
)
}
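Review bot: swapping `var.tags` and `local.base_tags` inside `merge(...)` changes precedence, since `merge` lets later arguments win: caller-supplied `var.tags` can now overwrite any key in `local.base_tags`. If `local.base_tags` carries values the module relies on (ownership, module-version or tracking tags), a caller can silently replace them; confirm that is intended, document the override behaviour on the `tags` variable, and if base tags must stay authoritative keep `local.base_tags` as the last argument instead.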
diff --git a/common/version.tf b/common/version.tf
index 374ba43..02c6357 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.0.1"
+ _module_version = "1.0.2"
}
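Review bot: a patch bump (1.0.1 to 1.0.2) matches the "update docs" changelog entry, but the tag-precedence change in `acmpca-eks-cert-manager/main.tf` is a behaviour change; consumers pinning `~> 1.0.1` will pick this up without any signal. A minor bump (1.1.0) with the change called out in the changelog would make that visible.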