update cert.tf again

terraform-modules · Dec 22, 2022 · 31f977f · 31f977f
1 parent 0ee8df9
commit 31f977f
Showing 1 changed file with 25 additions and 10 deletions.
diff --git a/examples/full-cluster/common-services/cert.tf b/examples/full-cluster/common-services/cert.tf
@@ -22,17 +22,20 @@ locals {
   ca_root_exists     = fileexists(local.ca_root_filename)
   ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : ""
   ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
-}
 
-module "cert" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+  v2_certificate_csr_message = <<EOM
+Now submit file to TCO for signing and return the result as below:
 
-  certificate_cn                = local.ca_dns_name
-  certificate_san               = [local.ca_dns_name]
-  certificate_download          = local.ca_cert_download
-  enable_acm_certificate        = false
-  certificate_subject_overrides = { ou = local.ca_ou }
-  certificate_csr_message       = <<EOM
+  dns  = ${local.ca_dns_name}
+  csr  = certs/${local.ca_dns_name}.csr
+
+Ask for the certificate to be signed with the Linux (v2) PKI CA with the command:
+
+% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+
+EOM
+
+  v3_certificate_csr_message = <<EOM
 Now submit file to TCO for signing and return the result as below:
 
   dns  = ${local.ca_dns_name}
@@ -50,7 +53,19 @@ will fail and will cause a lot of issues.
 
 Further, you will NOT enable the download option with the MS CA.  If you receive a download link to ca.apps.tco.census.gov, do not attempt
 to proceed, and request the correctly-signed certificate as described above.
-
 EOM
 }
 
+
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+
+  certificate_cn                = local.ca_dns_name
+  certificate_san               = [local.ca_dns_name]
+  certificate_download          = local.ca_cert_download
+  enable_acm_certificate        = false
+  certificate_subject_overrides = { ou = local.ca_ou }
+  # use v2 for linux ca, v3 for ms ca
+  certificate_csr_message = local.v2_certificate_csr_message
+  #  certificate_csr_message       = local.v3_certificate_csr_message
+}