* 1.1.0 -- 2024-05-17

  - acmpca-iam-rolesanywhere new submodule

CHANGELOG.md

@@ -17,10 +17,13 @@
 * 1.0.3 -- 2024-04-23
   - add output directory for certificates
 
-* 1.1.0 -- 2024-05-16
+* 1.0.4 -- 2024-05-16
   - acmpca
     - new outputs
       - certificate_details
       - certificate_subject
       - certificate_issuer_details
       - certificate_issuer_subject
+
+* 1.1.0 -- 2024-05-17
+  - acmpca-iam-rolesanywhere new submodule

acmpca-eks-cert-manager/README.md

@@ -115,6 +115,8 @@ resource "helm_release" "intermediate-certificate-issuer" {
 | Name | Description |
 |------|-------------|
 | <a name="output_certificate"></a> [certificate](#output\_certificate) | PEM format for signed certificate |
+| <a name="output_certificate_authority_arn"></a> [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | ACM PCA Certificate Authority ARN |
+| <a name="output_certificate_authority_name"></a> [certificate\_authority\_name](#output\_certificate\_authority\_name) | ACM PCA Certificate Authority Name |
 | <a name="output_certificate_chain"></a> [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
 | <a name="output_certificate_csr"></a> [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
 | <a name="output_certificate_key"></a> [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |

acmpca-eks-cert-manager/output.tf

@@ -1,3 +1,13 @@
+output "certificate_authority_arn" {
+  description = "ACM PCA Certificate Authority ARN"
+  value       = module.certificate.certificate_authority_arn
+}
+
+output "certificate_authority_name" {
+  description = "ACM PCA Certificate Authority Name"
+  value       = module.certificate.certificate_authority_name
+}
+
 output "certificate_key" {
   description = "PEM format RSA Key"
   sensitive   = true

acmpca-iam-rolesanywhere/.terraform-docs.yml

@@ -0,0 +1 @@
+../.terraform-docs.yml

acmpca-iam-rolesanywhere/README.md

@@ -0,0 +1,129 @@
+<!-- BEGIN_TF_DOCS -->
+# About : aws-certificate/acmpca-iam-rolesanywhere
+
+This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository.  It is for the creation of the
+EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
+for the for the [acmpca](../acmpca) submodule apply to this submodule.
+
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**.  It does
+not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+is not created).
+
+This module returns:
+- certificate\_tls\_key  
+  The base64 PEM formatted key.  This is what you need to use in the helm chart for `tls.key`.
+- certificate\_tls\_crt  
+  The base64 PEM formatted certificate and chain.  This is what you need to use in the helm chart for `tls.crt`.
+- certificate\_key  
+  The PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_csr  
+  The certificate signing requested.  It is here for reference, but should not be needed by `cert-manager`.
+- certificate  
+  The PEM formatted signed certificate from ACM-PCA.  It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_chain  
+  The PEM formatted certificate chain (issuer, intermediates, root).  It is here for reference, but should not be needed by `cert-manager`.
+
+It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address.  Currently, and ACM-PCA Certificate
+does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+
+The certificate issued will be good for 365 days.  ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+is not associated with a supported AWS Service.
+
+# Usage
+## Create Subordinate CA
+
+This shows the module call with how you would use it.
+
+```hcl
+module "subordinate_ca" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+  cluster_name  = "test-cluster-dev"
+  contact_email = "group-mailing-list@census.gov"
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.account_tags,
+    var.infrastructure_tags,
+    var.application_tags,
+  )
+}
+```
+## Update settings in helm chart
+Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+
+```hcl
+resource "helm_release" "intermediate-certificate-issuer" {
+  # other code
+  set {
+    name  = "tls.crt"
+    value = module.subordinate_ca.certificate_tls_crt
+  }
+  set {
+    name  = "tls.key"
+    value = module.subordinate_ca.certificate_tls_key
+  }
+
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.1.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6.0 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_certificate"></a> [certificate](#module\_certificate) | ../acmpca | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_certificate_subject_ou"></a> [certificate\_subject\_ou](#input\_certificate\_subject\_ou) | Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account\_id}' | `string` | `null` | no |
+| <a name="input_contact_email"></a> [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | IAM RolesAnywhere Role Name (including r- prefix if necessary) | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| <a name="input_validity_days"></a> [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_certificate"></a> [certificate](#output\_certificate) | PEM format for signed certificate |
+| <a name="output_certificate_authority_arn"></a> [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | ACM PCA Certificate Authority ARN |
+| <a name="output_certificate_authority_name"></a> [certificate\_authority\_name](#output\_certificate\_authority\_name) | ACM PCA Certificate Authority Name |
+| <a name="output_certificate_chain"></a> [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
+| <a name="output_certificate_csr"></a> [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
+| <a name="output_certificate_details"></a> [certificate\_details](#output\_certificate\_details) | Certificate details |
+| <a name="output_certificate_filenames"></a> [certificate\_filenames](#output\_certificate\_filenames) | Map of certificate file names |
+| <a name="output_certificate_issuer_details"></a> [certificate\_issuer\_details](#output\_certificate\_issuer\_details) | Certificate Issuer details |
+| <a name="output_certificate_issuer_subject"></a> [certificate\_issuer\_subject](#output\_certificate\_issuer\_subject) | Certificate Issuer Subject field map |
+| <a name="output_certificate_key"></a> [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
+| <a name="output_certificate_subject"></a> [certificate\_subject](#output\_certificate\_subject) | Certificate Subject field map |
+<!-- END_TF_DOCS -->

acmpca-iam-rolesanywhere/data.tf

@@ -0,0 +1 @@
+../common/data.tf

acmpca-iam-rolesanywhere/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

acmpca-iam-rolesanywhere/main.tf

@@ -0,0 +1,107 @@
+/* 
+* # About : aws-certificate/acmpca-iam-rolesanywhere
+* 
+* This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository.  It is for the creation of the
+* EKS setup for cert-manager.  See the general [documentation](../acmpca) for more low-level details.  All the requirements and pre-requisities
+* for the for the [acmpca](../acmpca) submodule apply to this submodule.
+* 
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**.  It does
+* not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+* is not created).
+* 
+* This module returns:
+* - certificate_tls_key  
+*   The base64 PEM formatted key.  This is what you need to use in the helm chart for `tls.key`.
+* - certificate_tls_crt  
+*   The base64 PEM formatted certificate and chain.  This is what you need to use in the helm chart for `tls.crt`.
+* - certificate_key  
+*   The PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_csr  
+*   The certificate signing requested.  It is here for reference, but should not be needed by `cert-manager`.
+* - certificate  
+*   The PEM formatted signed certificate from ACM-PCA.  It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_chain  
+*   The PEM formatted certificate chain (issuer, intermediates, root).  It is here for reference, but should not be needed by `cert-manager`.
+*
+* It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address.  Currently, and ACM-PCA Certificate
+* does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+*
+* The certificate issued will be good for 365 days.  ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+* is not associated with a supported AWS Service.
+* 
+* # Usage
+* ## Create Subordinate CA
+* 
+* This shows the module call with how you would use it.
+*
+* ```hcl
+* module "subordinate_ca" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+* 
+*   cluster_name  = "test-cluster-dev"
+*   contact_email = "group-mailing-list@census.gov"
+* 
+*   tags = merge(
+*     local.base_tags,
+*     local.common_tags,
+*     var.account_tags,
+*     var.infrastructure_tags,
+*     var.application_tags,
+*   )
+* }
+* ```
+* ## Update settings in helm chart
+* Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+* 
+* ```hcl
+* resource "helm_release" "intermediate-certificate-issuer" {
+*   # other code
+*   set {
+*     name  = "tls.crt"
+*     value = module.subordinate_ca.certificate_tls_crt
+*   }
+*   set {
+*     name  = "tls.key"
+*     value = module.subordinate_ca.certificate_tls_key
+*   }
+* 
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = data.aws_region.current.name
+  region_short        = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+locals {
+  #   authority_mode = var.validity_days <= 7 ? "short" : var.certificate_authority_mode
+  certificate_subject_ou = var.certificate_subject_ou == null ? format("IAM RolesAnywhere %v", local.account_id) : var.certificate_subject_ou
+}
+
+module "certificate" {
+  source = "../acmpca"
+
+  certificate_cn                = var.role_name
+  contact_email                 = var.contact_email
+  create_files                  = var.create_files
+  certificate_filename          = format("%v.crt", var.role_name)
+  certificate_chain_filename    = format("%v.chain.crt", var.role_name)
+  key_filename                  = format("%v.key", var.role_name)
+  csr_filename                  = format("%v.csr", var.role_name)
+  certificate_authority_mode    = "general"
+  certificate_type              = "end-entity"
+  certificate_subject_overrides = { ou = local.certificate_subject_ou }
+  validity_days                 = var.validity_days
+
+  tags = merge(
+    local.base_tags,
+    var.tags,
+  )
+}

acmpca-iam-rolesanywhere/output.tf

@@ -0,0 +1,63 @@
+output "certificate_authority_arn" {
+  description = "ACM PCA Certificate Authority ARN"
+  value       = module.certificate.certificate_authority_arn
+}
+
+output "certificate_authority_name" {
+  description = "ACM PCA Certificate Authority Name"
+  value       = module.certificate.certificate_authority_name
+}
+
+output "certificate_key" {
+  description = "PEM format RSA Key"
+  sensitive   = true
+  value       = module.certificate.certificate_key
+}
+
+output "certificate_csr" {
+  description = "PEM format Certificate Signing Request"
+  sensitive   = false
+  value       = module.certificate.certificate_csr
+}
+
+output "certificate" {
+  description = "PEM format for signed certificate"
+  sensitive   = false
+  value       = module.certificate.certificate
+}
+
+output "certificate_chain" {
+  description = "PEM format for certificate chain (issuer through root)"
+  sensitive   = false
+  value       = module.certificate.certificate_chain
+}
+
+output "certificate_filenames" {
+  description = "Map of certificate file names"
+  sensitive   = false
+  value       = module.certificate.filenames
+}
+
+output "certificate_details" {
+  description = "Certificate details"
+  sensitive   = false
+  value       = module.certificate.certificate_details
+}
+
+output "certificate_subject" {
+  description = "Certificate Subject field map"
+  sensitive   = false
+  value       = module.certificate.certificate_subject
+}
+
+output "certificate_issuer_details" {
+  description = "Certificate Issuer details"
+  sensitive   = false
+  value       = module.certificate.certificate_issuer_details
+}
+
+output "certificate_issuer_subject" {
+  description = "Certificate Issuer Subject field map"
+  sensitive   = false
+  value       = module.certificate.certificate_issuer_subject
+}

acmpca-iam-rolesanywhere/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

acmpca-iam-rolesanywhere/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

acmpca-iam-rolesanywhere/variables.tf

@@ -0,0 +1,33 @@
+variable "role_name" {
+  description = "IAM RolesAnywhere Role Name (including r- prefix if necessary)"
+  type        = string
+}
+
+variable "contact_email" {
+  description = "Email address in @census.gov of contact for the certificate.  This is strongly recommended to be a group email address."
+  type        = string
+}
+
+variable "validity_days" {
+  description = "Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7"
+  type        = number
+  default     = 365
+
+  validation {
+    condition     = var.validity_days > 0
+    error_message = "validity_days must be larger than 0."
+  }
+}
+
+# variable "certificate_naming_attributes" {
+#   description = "Map of certificate naming attributes"
+#   type = map(string)
+#   default = {}
+# }
+
+variable "certificate_subject_ou" {
+  description = "Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account_id}'"
+  type        = string
+  default     = null
+}
+

acmpca-iam-rolesanywhere/version.tf

@@ -0,0 +1 @@
+../common/version.tf

acmpca-iam-rolesanywhere/versions.tf

@@ -0,0 +1 @@
+../common/versions.tf