From 4657a44d4a014ba299213579bf907e9f40088aaf Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 28 Dec 2023 12:29:11 -0500
Subject: [PATCH] add sample file(s) for acmpca issuer (not yet ready for use)

---
 .../cert-manager-issuer.tf | 75 +++++++++++++++++++
 examples/cert-manager-issuer/main.tf.diffs | 24 ++++++
 examples/cert-manager-issuer/test-cert.tf | 38 ++++++++++
 3 files changed, 137 insertions(+)
 create mode 100644 examples/cert-manager-issuer/cert-manager-issuer.tf
 create mode 100644 examples/cert-manager-issuer/main.tf.diffs
 create mode 100644 examples/cert-manager-issuer/test-cert.tf

diff --git a/examples/cert-manager-issuer/cert-manager-issuer.tf b/examples/cert-manager-issuer/cert-manager-issuer.tf
new file mode 100644
index 0000000..e607dc7
--- /dev/null
+++ b/examples/cert-manager-issuer/cert-manager-issuer.tf
@@ -0,0 +1,75 @@
+data "aws_ssm_parameter" "subordinate_ca" {
+ name = "/enterprise/pki/ca1"
+}
+
+locals {
+ subordinate_ca_settings = jsondecode(data.aws_ssm_parameter.subordinate_ca.value)
+}
+
+resource "tls_private_key" "subordinate_ca" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_cert_request" "subordinate_ca" {
+ private_key_pem = tls_private_key.subordinate_ca.private_key_pem
+ dns_names = local.ca_cert_san
+
+ subject {
+ common_name = local.ca_dns_name
+ country = "US"
+ organization = "U.S. Census Bureau"
+ organizational_unit = format("PKI-EKS %v", var.cluster_name)
+ }
+}
+
+resource "aws_acmpca_certificate" "subordinate_ca" {
+ certificate_authority_arn = local.subordinate_ca_settings.arn
+ certificate_signing_request = tls_cert_request.subordinate_ca.cert_request_pem
+ signing_algorithm = "SHA384WITHRSA"
+ validity {
+ type = "DAYS"
+ value = 365
+ }
+ template_arn = local.subordinate_ca_settings.template_arns["SubordinateCACertificate_PathLen0/V1"]
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+locals {
+ subordinate_ca_tls_key = base64encode(tls_private_key.subordinate_ca.private_key_pem)
+ subordinate_ca_chain = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain, "/\r/", "")
+ subordinate_ca_crt = aws_acmpca_certificate.subordinate_ca.certificate
+ subordinate_ca_tls_crt = base64encode(join("\n", [local.subordinate_ca_crt, local.subordinate_ca_chain]))
+}
+
+## resource "local_sensitive_file" "subordinate_ca_key" {
+## filename = "certs/subordinate_ca.key"
+## file_permission = "0644"
+## directory_permission = "0755"
+## content = tls_private_key.subordinate_ca.private_key_pem
+## }
+##
+## resource "local_sensitive_file" "subordinate_ca_csr" {
+## filename = "certs/subordinate_ca.csr"
+## file_permission = "0644"
+## directory_permission = "0755"
+## content = tls_cert_request.subordinate_ca.cert_request_pem
+## }
+##
+## resource "local_sensitive_file" "subordinate_ca_cert" {
+## filename = "certs/subordinate_ca.crt"
+## file_permission = "0644"
+## directory_permission = "0755"
+## content = aws_acmpca_certificate.subordinate_ca.certificate
+## }
+##
+## resource "local_sensitive_file" "subordinate_ca_cert_chain" {
+## filename = "certs/subordinate_ca.bundle.crt"
+## file_permission = "0644"
+## directory_permission = "0755"
+## #content = aws_acmpca_certificate.subordinate_ca.certificate_chain
+## content = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain,"/\r/","")
+## }
+##
diff --git a/examples/cert-manager-issuer/main.tf.diffs b/examples/cert-manager-issuer/main.tf.diffs
new file mode 100644
index 0000000..2099431
--- /dev/null
+++ b/examples/cert-manager-issuer/main.tf.diffs
@@ -0,0 +1,24 @@
+diff --git a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
+index 29efe14..9f6efc7 100644
+--- a/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
++++ b/vpc/east/vpc2/apps/eks-csvd-datadog-poc/common-services/main.tf
+@@ -245,14 +245,17 @@ resource "helm_release" "intermediate-certificate-issuer" {
+ 
+ set {
+ name = "tls.crt"
+- value = local.tls_crt_b64
++# value = local.tls_crt_b64
++ value = local.subordinate_ca_tls_crt
+ }
+ set {
+ name = "tls.key"
+- value = local.tls_key_b64
++# value = local.tls_key_b64
++ value = local.subordinate_ca_tls_key
+ }
+ }
+ 
++
+ # when using vault as a CA is requested
+ resource "helm_release" "vault-certificate-issuer" {
+ count = local.vault_ca == true ? 1 : 0
diff --git a/examples/cert-manager-issuer/test-cert.tf b/examples/cert-manager-issuer/test-cert.tf
new file mode 100644
index 0000000..f9372b6
--- /dev/null
+++ b/examples/cert-manager-issuer/test-cert.tf
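Review bot: The subordinate CA private key is generated by `tls_private_key.subordinate_ca`, so it is persisted in plaintext in Terraform state and then base64-encoded into `local.subordinate_ca_tls_key` for delivery into the cluster — for an issuing CA that is a wide exposure surface (state backend, anyone with plan or state read). Consider having cert-manager sign through ACM PCA directly (e.g. the aws-privateca-issuer) so no CA key ever leaves ACM PCA, or at minimum add a header comment stating the state-encryption and access requirements this example assumes. The `aws_acmpca_certificate` is issued for 365 days but nothing drives re-issuance: `create_before_destroy` only orders a replacement that no input change ever triggers, so the sub-CA silently expires; a `time_rotating` resource referenced from `lifecycle { replace_triggered_by = [...] }` (Terraform ≥1.2) or a documented manual renewal step is needed. In the commented-out `local_sensitive_file` blocks the key and CSR would be written with `file_permission = "0644"`; if they are ever re-enabled the key file should be `"0600"`. `local.ca_cert_san` and `local.ca_dns_name` are referenced but not defined in this file, so the example does not plan standalone — presumably they come from the consuming main.tf.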
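Review bot: The `tls.key` value handed to the `intermediate-certificate-issuer` release is the base64-encoded subordinate CA private key, but it goes through a plain `set` block; use `set_sensitive { name = "tls.key" value = local.subordinate_ca_tls_key }` so the Helm provider redacts it from plan and diff output (the sensitivity of `tls_private_key` may already propagate through `base64encode`, but `set_sensitive` makes this explicit and survives a later refactor of the local). The `+# value = local.tls_crt_b64` / `+# value = local.tls_key_b64` lines inside the `set` blocks are dead code on the new side and should be dropped rather than kept as comments. Note this file is a stored patch (`main.tf.diffs`) rather than applied Terraform, so it only documents what the consuming `main.tf` needs; the enclosing `helm_release` resource starts before the inner hunk.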
@@ -0,0 +1,38 @@
+locals {
+ vs_cert_name = "test"
+}
+
+resource "kubernetes_manifest" "vs_certificate" {
+ manifest = {
+ apiVersion = "cert-manager.io/v1"
+ kind = "Certificate"
+
+ metadata = {
+ name = format("%v-cert", local.vs_cert_name)
+ namespace = "istio-system"
+ }
+ spec = {
+ secretName = format("%v-cert", local.vs_cert_name)
+ commonName = format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name)
+ dnsNames = [
+ format("%v.%v.%v", local.vs_cert_name, var.cluster_name, var.vpc_domain_name),
+ format("%v.%v", local.vs_cert_name, var.vpc_domain_name),
+ ]
+ subject = {
+ countries = ["US"]
+ organizations = ["U.S. Census Bureau"]
+ organizationalUnits = ["Services"]
+ }
+ usages = [
+ "digital signature",
+ "key encipherment",
+ "server auth",
+ "client auth",
+ ]
+ issuerRef = {
+ kind = "ClusterIssuer"
+ name = "clusterissuer"
+ }
+ }
+ }
+}
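Review bot: The Certificate sets no `privateKey` policy, so cert-manager's default `rotationPolicy: Never` reuses the same key pair across every renewal; add `privateKey = { rotationPolicy = "Always" }` under `spec` so each renewal gets a fresh key. `usages` grants both `server auth` and `client auth` to a certificate whose names are a single service hostname; unless the workload really presents it as a TLS client, drop `"client auth"` to keep the EKU minimal. `commonName` is built from `local.vs_cert_name`, `var.cluster_name` and `var.vpc_domain_name`; X.509 limits CN to 64 characters and cert-manager rejects longer values, so for long cluster/domain names either omit `commonName` (the same name is already the first `dnsNames` entry) or document the limit. `duration`/`renewBefore` are also unset, so the lifetime falls back to the issuer's default — acceptable for a test, but worth a comment given the commit says the example is not yet ready for use.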