From a8fb7e8abcc816174e093e71591e79f59074520d Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 8 Jan 2024 15:45:04 -0500
Subject: [PATCH] add acmpca-eks-cert-manager
---
acmpca-eks-cert-manager/.terraform-docs.yml | 1 +
acmpca-eks-cert-manager/README.md | 65 +++++++++++++++++++++
acmpca-eks-cert-manager/data.tf | 1 +
acmpca-eks-cert-manager/defaults.tf | 1 +
acmpca-eks-cert-manager/example.tf.txt | 54 +++++++++++++++++
acmpca-eks-cert-manager/main.tf | 38 ++++++++++++
acmpca-eks-cert-manager/output.tf | 24 ++++++++
acmpca-eks-cert-manager/prefixes.tf | 1 +
acmpca-eks-cert-manager/variables.common.tf | 1 +
acmpca-eks-cert-manager/variables.tf | 20 +++++++
acmpca-eks-cert-manager/version.tf | 1 +
acmpca-eks-cert-manager/versions.tf | 1 +
12 files changed, 208 insertions(+)
create mode 120000 acmpca-eks-cert-manager/.terraform-docs.yml
create mode 100644 acmpca-eks-cert-manager/README.md
create mode 120000 acmpca-eks-cert-manager/data.tf
create mode 120000 acmpca-eks-cert-manager/defaults.tf
create mode 100644 acmpca-eks-cert-manager/example.tf.txt
create mode 100644 acmpca-eks-cert-manager/main.tf
create mode 100644 acmpca-eks-cert-manager/output.tf
create mode 120000 acmpca-eks-cert-manager/prefixes.tf
create mode 120000 acmpca-eks-cert-manager/variables.common.tf
create mode 100644 acmpca-eks-cert-manager/variables.tf
create mode 120000 acmpca-eks-cert-manager/version.tf
create mode 120000 acmpca-eks-cert-manager/versions.tf
diff --git a/acmpca-eks-cert-manager/.terraform-docs.yml b/acmpca-eks-cert-manager/.terraform-docs.yml
new file mode 120000
index 0000000..f095125
--- /dev/null
+++ b/acmpca-eks-cert-manager/.terraform-docs.yml
@@ -0,0 +1 @@
+../.terraform-docs.yml
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/README.md b/acmpca-eks-cert-manager/README.md
new file mode 100644
index 0000000..49ce2b7
--- /dev/null
+++ b/acmpca-eks-cert-manager/README.md
@@ -0,0 +1,65 @@
+
+# About : aws-certificate/acmpca-eks-cert-manager
+
+This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository. It is for the creation of the
+EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
+for the for the [acmpca](../acmpca) submodule apply to this submodule.
+
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={clustername} Issuer {region\_short}**.
+
+This module returns:
+
+# Usage
+This shows the module call with how you would use it.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.14 |
+| [aws](#requirement\_aws) | >= 5.0 |
+| [local](#requirement\_local) | >= 2.1.0 |
+| [null](#requirement\_null) | >= 3.1.0 |
+| [tls](#requirement\_tls) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [certificate](#module\_certificate) | ../acmpca | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [cluster\_name](#input\_cluster\_name) | EKS Cluster Name | `any` | `null` | no |
+| [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [certificate](#output\_certificate) | PEM format for signed certificate |
+| [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
+| [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
+| [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
+
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/data.tf b/acmpca-eks-cert-manager/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/acmpca-eks-cert-manager/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/defaults.tf b/acmpca-eks-cert-manager/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/acmpca-eks-cert-manager/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/example.tf.txt b/acmpca-eks-cert-manager/example.tf.txt
new file mode 100644
index 0000000..cfa41fa
--- /dev/null
+++ b/acmpca-eks-cert-manager/example.tf.txt
@@ -0,0 +1,54 @@
+module "cert1" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+ certificate_dns = "test1.domain.census.gov"
+ contact_email = "cio.engineering.alert.list@census.gov"
+ create_files = false
+ certificate_authority_mode = "general"
+ certificate_type = "end-entity"
+
+ ## optional
+ # certificate_san = [ "otherdomain.domain.census.gov" ]
+}
+
+
+module "cert2" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+ certificate_dns = "test2.domain.census.gov"
+ contact_email = "cio.engineering.alert.list@census.gov"
+ create_files = true
+ certificate_authority_mode = "general"
+ certificate_type = "subordinate-ca"
+ certificate_subject_overrides = { ou = "PKI-EKS my-cluster" }
+}
+
+module "cert3" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"
+
+ certificate_dns = "test3.domain.census.gov"
+ contact_email = "cio.engineering.alert.list@census.gov"
+ create_files = false
+ certificate_authority_mode = "short"
+ validity_days = 2
+
+ ## optional
+ # certificate_san = [ "otherdomain.domain.census.gov" ]
+}
+
+certificate_authority_mode = "general"
+certificate_authority_template = ""
+certificate_cn = ""
+certificate_dns = ""
+certificate_filename = ""
+certificate_san = []
+certificate_subject_overrides = {}
+certificate_type = "end-entity"
+contact_email = ""
+create_files = false
+csr_filename = ""
+key_filename = ""
+output_file_directory = ""
+override_prefixes = {}
+tags = {}
+validity_days = 365
diff --git a/acmpca-eks-cert-manager/main.tf b/acmpca-eks-cert-manager/main.tf
new file mode 100644
index 0000000..e58e682
--- /dev/null
+++ b/acmpca-eks-cert-manager/main.tf
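Review bot: All three `source` values pull the module over git with no `?ref=`, so `source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca"` tracks the repository's default branch and the code that generates private keys and requests CA-signed certificates can change underneath a deployment between two `terraform init` runs; pin each one, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca?ref=<release-tag-or-commit>"`. The example also never calls the module it ships with — every block targets `//acmpca` directly — and the bare `key = value` lines after `cert3` are not valid inside a `.tf` file, so a reader copying this gets neither a working file nor an example of `acmpca-eks-cert-manager`. A block such as `module "eks_issuer" { source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<release-tag>" cluster_name = "my-cluster" contact_email = "cio.engineering.alert.list@census.gov" }` would document the real interface, with the trailing assignments moved under a comment that labels them as the submodule's variable defaults.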
@@ -0,0 +1,38 @@
+/*
+* # About : aws-certificate/acmpca-eks-cert-manager
+*
+* This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository. It is for the creation of the
+* EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
+* for the for the [acmpca](../acmpca) submodule apply to this submodule.
+*
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={clustername} Issuer {region_short}**.
+*
+* This module returns:
+*
+* # Usage
+* This shows the module call with how you would use it.
+*
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+module "certificate" {
+ source = "../acmpca"
+
+ certificate_cn = format("%v Issuer %v", var.cluster_name, local.region_short)
+ contact_email = var.contact_email
+ create_files = false
+ certificate_authority_mode = "general"
+ certificate_type = "subordinate-ca"
+ certificate_subject_overrides = { ou = "PKI-EKS" }
+ validity_days = 365
+}
diff --git a/acmpca-eks-cert-manager/output.tf b/acmpca-eks-cert-manager/output.tf
new file mode 100644
index 0000000..77023e6
--- /dev/null
+++ b/acmpca-eks-cert-manager/output.tf
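Review bot: `validity_days = 365` in the `module "certificate"` call ignores `var.validity_days`, which this same commit declares in variables.tf and documents in the README as an input, so a caller who sets it silently gets a 365-day subordinate-CA certificate anyway; it should read `validity_days = var.validity_days`. `certificate_cn = format("%v Issuer %v", var.cluster_name, local.region_short)` will render an omitted cluster name (the variable defaults to `null`) as the literal text `null`, producing a CA request with CN `null Issuer <region>`, so the variable needs to be required rather than relying on this call to fail. The header comment describes an ordinary certificate, but `certificate_type = "subordinate-ca"` makes the artifact an intermediate CA whose private key — judging by output.tf's `tls_private_key` reference — is generated in Terraform and therefore lands in state; the comment should say so, e.g. `* NOTE: this issues a *subordinate CA* certificate for cert-manager's CA issuer; the Terraform state backend then holds a CA private key and must be protected accordingly.` `base_tags`, `account_id` and `account_environment` are computed but never used in this hunk — not even forwarded as `tags` to the submodule — so either pass `tags = merge(local.base_tags, var.tags)` (if the submodule accepts `tags`, as the example file suggests) or drop them; `local.region` and `local._module_version` are not defined here and presumably come from the symlinked `common/*.tf` files.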
@@ -0,0 +1,24 @@
+output "certificate_key" {
+ description = "PEM format RSA Key"
+ sensitive = true
+ value = tls_private_key.certificate.private_key_pem
+}
+
+output "certificate_csr" {
+ description = "PEM format Certificate Signing Request"
+ sensitive = false
+ value = tls_cert_request.certificate.cert_request_pem
+}
+
+output "certificate" {
+ description = "PEM format for signed certificate"
+ sensitive = false
+ value = aws_acmpca_certificate.certificate.certificate
+}
+
+output "certificate_chain" {
+ description = "PEM format for certificate chain (issuer through root)"
+ sensitive = false
+ value = local.certificate_chain
+}
+
diff --git a/acmpca-eks-cert-manager/prefixes.tf b/acmpca-eks-cert-manager/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/acmpca-eks-cert-manager/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/variables.common.tf b/acmpca-eks-cert-manager/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/acmpca-eks-cert-manager/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/variables.tf b/acmpca-eks-cert-manager/variables.tf
new file mode 100644
index 0000000..e3d1642
--- /dev/null
+++ b/acmpca-eks-cert-manager/variables.tf
@@ -0,0 +1,20 @@
+variable "cluster_name" {
+ description = "EKS Cluster Name"
+ default = null
+}
+
+variable "contact_email" {
+ description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
+ type = string
+}
+
+variable "validity_days" {
+ description = "Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7"
+ type = number
+ default = 365
+
+ validation {
+ condition = var.validity_days > 0
+ error_message = "validity_days must be larger than 0."
+ }
+}
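Review bot: The four `value` expressions reference `tls_private_key.certificate`, `tls_cert_request.certificate`, `aws_acmpca_certificate.certificate` and `local.certificate_chain`, none of which exist in this module — main.tf declares only `module "certificate"` — so `terraform validate` will reject output.tf for undeclared resources. They look copied from the `../acmpca` submodule's own outputs and should go through the module instead: `value = module.certificate.certificate_key`, `value = module.certificate.certificate_csr`, `value = module.certificate.certificate`, `value = module.certificate.certificate_chain` (assuming the submodule exports those names, which the README's output table implies — confirm against `../acmpca`). Because main.tf requests a `subordinate-ca` certificate, `certificate_key` is an intermediate CA private key, and `sensitive = true` only redacts CLI output while the key still sits in plaintext in state; the description should say `"PEM format RSA private key of the subordinate CA (held in Terraform state — restrict and encrypt the backend)"` so consumers understand what they are handling.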
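Review bot: `cluster_name` is untyped and defaults to `null` although main.tf feeds it straight into the subordinate-CA subject CN, so omitting it is accepted at plan time and only surfaces as a CA request named `null Issuer <region>`; declare it `type = string` with no `default` so Terraform requires a value. The `contact_email` description demands an `@census.gov` address but nothing enforces it; `validation { condition = can(regex("@census\\.gov$", var.contact_email)) error_message = "contact_email must be a @census.gov address." }` would reject typos before a certificate is issued with an unreachable contact. The `validity_days` description carries over the `<= 7` short-lived rule from the submodule, which cannot apply here because main.tf fixes `certificate_authority_mode = "general"`, and main.tf never reads `var.validity_days` at all, so as merged the `> 0` validation guards nothing; either wire the variable through to the submodule call or remove it and its README row.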
diff --git a/acmpca-eks-cert-manager/version.tf b/acmpca-eks-cert-manager/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/acmpca-eks-cert-manager/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/acmpca-eks-cert-manager/versions.tf b/acmpca-eks-cert-manager/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/acmpca-eks-cert-manager/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file