add acmpca-eks-cert-manager

acmpca-eks-cert-manager/.terraform-docs.yml

@@ -0,0 +1 @@
+../.terraform-docs.yml

acmpca-eks-cert-manager/README.md

@@ -0,0 +1,65 @@
+<!-- BEGIN_TF_DOCS -->
+# About : aws-certificate/acmpca-eks-cert-manager
+
+This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository.  It is for the creation of the
+EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
+for the for the [acmpca](../acmpca) submodule apply to this submodule.
+
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={clustername} Issuer {region\_short}**.
+
+This module returns:
+
+# Usage
+This shows the module call with how you would use it.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.1.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_certificate"></a> [certificate](#module\_certificate) | ../acmpca | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster Name | `any` | `null` | no |
+| <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| <a name="input_validity_days"></a> [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_certificate"></a> [certificate](#output\_certificate) | PEM format for signed certificate |
+| <a name="output_certificate_chain"></a> [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
+| <a name="output_certificate_csr"></a> [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
+| <a name="output_certificate_key"></a> [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
+<!-- END_TF_DOCS -->

acmpca-eks-cert-manager/data.tf

@@ -0,0 +1 @@
+../common/data.tf

acmpca-eks-cert-manager/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

acmpca-eks-cert-manager/example.tf.txt

@@ -0,0 +1,54 @@
+module "cert1" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+  certificate_dns            = "test1.domain.census.gov"
+  contact_email              = "cio.engineering.alert.list@census.gov"
+  create_files               = false
+  certificate_authority_mode = "general"
+  certificate_type           = "end-entity"
+
+  ## optional
+  # certificate_san    = [ "otherdomain.domain.census.gov" ]
+}
+
+
+module "cert2" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+  certificate_dns               = "test2.domain.census.gov"
+  contact_email                 = "cio.engineering.alert.list@census.gov"
+  create_files                  = true
+  certificate_authority_mode    = "general"
+  certificate_type              = "subordinate-ca"
+  certificate_subject_overrides = { ou = "PKI-EKS my-cluster" }
+}
+
+module "cert3" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+  certificate_dns            = "test3.domain.census.gov"
+  contact_email              = "cio.engineering.alert.list@census.gov"
+  create_files               = false
+  certificate_authority_mode = "short"
+  validity_days              = 2
+
+  ## optional
+  # certificate_san    = [ "otherdomain.domain.census.gov" ]
+}
+
+certificate_authority_mode     = "general"
+certificate_authority_template = ""
+certificate_cn                 = ""
+certificate_dns                = ""
+certificate_filename           = ""
+certificate_san                = []
+certificate_subject_overrides  = {}
+certificate_type               = "end-entity"
+contact_email                  = ""
+create_files                   = false
+csr_filename                   = ""
+key_filename                   = ""
+output_file_directory          = ""
+override_prefixes              = {}
+tags                           = {}
+validity_days                  = 365

acmpca-eks-cert-manager/main.tf

@@ -0,0 +1,38 @@
+/* 
+* # About : aws-certificate/acmpca-eks-cert-manager
+* 
+* This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository.  It is for the creation of the
+* EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
+* for the for the [acmpca](../acmpca) submodule apply to this submodule.
+* 
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={clustername} Issuer {region_short}**.
+* 
+* This module returns:
+*
+* # Usage
+* This shows the module call with how you would use it.
+*
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+module "certificate" {
+  source = "../acmpca"
+
+  certificate_cn                = format("%v Issuer %v", var.cluster_name, local.region_short)
+  contact_email                 = var.contact_email
+  create_files                  = false
+  certificate_authority_mode    = "general"
+  certificate_type              = "subordinate-ca"
+  certificate_subject_overrides = { ou = "PKI-EKS" }
+  validity_days                 = 365
+}

acmpca-eks-cert-manager/output.tf

@@ -0,0 +1,24 @@
+output "certificate_key" {
+  description = "PEM format RSA Key"
+  sensitive   = true
+  value       = tls_private_key.certificate.private_key_pem
+}
+
+output "certificate_csr" {
+  description = "PEM format Certificate Signing Request"
+  sensitive   = false
+  value       = tls_cert_request.certificate.cert_request_pem
+}
+
+output "certificate" {
+  description = "PEM format for signed certificate"
+  sensitive   = false
+  value       = aws_acmpca_certificate.certificate.certificate
+}
+
+output "certificate_chain" {
+  description = "PEM format for certificate chain (issuer through root)"
+  sensitive   = false
+  value       = local.certificate_chain
+}
+

acmpca-eks-cert-manager/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

acmpca-eks-cert-manager/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

acmpca-eks-cert-manager/variables.tf

@@ -0,0 +1,20 @@
+variable "cluster_name" {
+  description = "EKS Cluster Name"
+  default     = null
+}
+
+variable "contact_email" {
+  description = "Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address."
+  type        = string
+}
+
+variable "validity_days" {
+  description = "Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7"
+  type        = number
+  default     = 365
+
+  validation {
+    condition     = var.validity_days > 0
+    error_message = "validity_days must be larger than 0."
+  }
+}

acmpca-eks-cert-manager/version.tf

@@ -0,0 +1 @@
+../common/version.tf

acmpca-eks-cert-manager/versions.tf

@@ -0,0 +1 @@
+../common/versions.tf