update cert.tf again

examples/full-cluster-tf-upgrade/common-services/cert.tf

@@ -22,17 +22,20 @@ locals {
   ca_root_exists     = fileexists(local.ca_root_filename)
   ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : ""
   ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
-}
 
-module "cert" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+  v2_certificate_csr_message = <<EOM
+Now submit file to TCO for signing and return the result as below:
 
-  certificate_cn                = local.ca_dns_name
-  certificate_san               = [local.ca_dns_name]
-  certificate_download          = local.ca_cert_download
-  enable_acm_certificate        = false
-  certificate_subject_overrides = { ou = local.ca_ou }
-  certificate_csr_message       = <<EOM
+  dns  = ${local.ca_dns_name}
+  csr  = certs/${local.ca_dns_name}.csr
+
+Ask for the certificate to be signed with the Linux (v2) PKI CA with the command:
+
+% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+
+EOM
+
+  v3_certificate_csr_message = <<EOM
 Now submit file to TCO for signing and return the result as below:
 
   dns  = ${local.ca_dns_name}
@@ -50,7 +53,19 @@ will fail and will cause a lot of issues.
 
 Further, you will NOT enable the download option with the MS CA.  If you receive a download link to ca.apps.tco.census.gov, do not attempt
 to proceed, and request the correctly-signed certificate as described above.
-
 EOM
 }
 
+
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+
+  certificate_cn                = local.ca_dns_name
+  certificate_san               = [local.ca_dns_name]
+  certificate_download          = local.ca_cert_download
+  enable_acm_certificate        = false
+  certificate_subject_overrides = { ou = local.ca_ou }
+  # use v2 for linux ca, v3 for ms ca
+  certificate_csr_message = local.v2_certificate_csr_message
+  #  certificate_csr_message       = local.v3_certificate_csr_message
+}

examples/full-cluster/common-services/cert.tf

@@ -22,17 +22,8 @@ locals {
   ca_root_exists     = fileexists(local.ca_root_filename)
   ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : ""
   ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
-}
-
-module "cert" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
 
-  certificate_cn                = local.ca_dns_name
-  certificate_san               = [local.ca_dns_name]
-  certificate_download          = local.ca_cert_download
-  enable_acm_certificate        = false
-  certificate_subject_overrides = { ou = local.ca_ou }
-  certificate_csr_message       = <<EOM
+  v2_certificate_csr_message = <<EOM
 Now submit file to TCO for signing and return the result as below:
 
   dns  = ${local.ca_dns_name}
@@ -42,6 +33,39 @@ Ask for the certificate to be signed with the Linux (v2) PKI CA with the command
 
 % ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
 
+EOM
+
+  v3_certificate_csr_message = <<EOM
+Now submit file to TCO for signing and return the result as below:
+
+  dns  = ${local.ca_dns_name}
+  csr  = certs/${local.ca_dns_name}.csr
+
+**IMPORTANT**
+
+We are no longer issuing certificate from the Linux (v2) PKI, so you must request one from the MS CA.
+Ask for the certificate to be signed with the Microsoft (MS CA, v3) PKI CA with the command (Windows, PowerShell):
+
+  certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority"  ${local.ca_dns_name}.csr  ${local.ca_dns_name}.cer
+
+It is very important that this certificate be issued as a Subordinate Certification Authority. The default method of a server certificate
+will fail and will cause a lot of issues.
+
+Further, you will NOT enable the download option with the MS CA.  If you receive a download link to ca.apps.tco.census.gov, do not attempt
+to proceed, and request the correctly-signed certificate as described above.
 EOM
 }
 
+
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
+
+  certificate_cn                = local.ca_dns_name
+  certificate_san               = [local.ca_dns_name]
+  certificate_download          = local.ca_cert_download
+  enable_acm_certificate        = false
+  certificate_subject_overrides = { ou = local.ca_ou }
+  # use v2 for linux ca, v3 for ms ca
+  certificate_csr_message = local.v2_certificate_csr_message
+  #  certificate_csr_message       = local.v3_certificate_csr_message
+}

examples/full-cluster/common-services/copy_images.tf

@@ -73,8 +73,8 @@ locals {
 resource "null_resource" "copy_images" {
   for_each = { for image in local.images : image.name => image if image.enabled }
   triggers = {
-    name = each.key
-    image = format("%v:%v",each.value.image,each.value.tag)
+    name  = each.key
+    image = format("%v:%v", each.value.image, each.value.tag)
   }
 
   provisioner "local-exec" {

examples/full-cluster/common-services/main.tf

@@ -10,7 +10,7 @@ locals {
     "metrics-server" = {
       name       = "metrics-server"
       repository = "https://charts.bitnami.com/bitnami"
-#      version    = "5.10.4"
+      #      version    = "5.10.4"
       version    = "5.11.9"
       use_remote = true
     }