* 2.0.3 -- 2024-01-10

- change common-services to use cert-manager-issuer which uses the new acmpca-eks-cert-manager module - remove extraneous helm charts for non-issuer ca - add contact_email variable
terraform-modules · Jan 10, 2024 · b1dcde6 · b1dcde6
1 parent 4657a44
commit b1dcde6
Show file tree

Hide file tree

Showing 11 changed files with 631 additions and 194 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,5 @@ logs
 common/README.md
 
 OLD/
+X
+Y
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,3 +17,8 @@
   - 1.25:
     - add eks_instance_volume_type allowing gp2 and gp3, default gp3
     - remove link details from README.md
+
+* 2.0.3 -- 2024-01-10
+  - change common-services to use cert-manager-issuer which uses the new acmpca-eks-cert-manager module
+  - remove extraneous helm charts for non-issuer ca
+  - add contact_email variable
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.0.1"
+  _module_version = "2.0.3"
 }
diff --git a/examples/cert-manager-issuer/cert-manager-issuer.tf b/examples/cert-manager-issuer/cert-manager-issuer.tf
@@ -1,75 +1,14 @@
-data "aws_ssm_parameter" "subordinate_ca" {
-  name = "/enterprise/pki/ca1"
-}
-
-locals {
-  subordinate_ca_settings = jsondecode(data.aws_ssm_parameter.subordinate_ca.value)
-}
-
-resource "tls_private_key" "subordinate_ca" {
-  algorithm = "RSA"
-  rsa_bits  = 2048
-}
+module "subordinate_ca" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
 
-resource "tls_cert_request" "subordinate_ca" {
-  private_key_pem = tls_private_key.subordinate_ca.private_key_pem
-  dns_names       = local.ca_cert_san
+  cluster_name  = var.cluster_name
+  contact_email = var.contact_email
 
-  subject {
-    common_name         = local.ca_dns_name
-    country             = "US"
-    organization        = "U.S. Census Bureau"
-    organizational_unit = format("PKI-EKS %v", var.cluster_name)
-  }
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.account_tags,
+    var.infrastructure_tags,
+    var.application_tags,
+  )
 }
-
-resource "aws_acmpca_certificate" "subordinate_ca" {
-  certificate_authority_arn   = local.subordinate_ca_settings.arn
-  certificate_signing_request = tls_cert_request.subordinate_ca.cert_request_pem
-  signing_algorithm           = "SHA384WITHRSA"
-  validity {
-    type  = "DAYS"
-    value = 365
-  }
-  template_arn = local.subordinate_ca_settings.template_arns["SubordinateCACertificate_PathLen0/V1"]
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-locals {
-  subordinate_ca_tls_key = base64encode(tls_private_key.subordinate_ca.private_key_pem)
-  subordinate_ca_chain   = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain, "/\r/", "")
-  subordinate_ca_crt     = aws_acmpca_certificate.subordinate_ca.certificate
-  subordinate_ca_tls_crt = base64encode(join("\n", [local.subordinate_ca_crt, local.subordinate_ca_chain]))
-}
-
-## resource "local_sensitive_file" "subordinate_ca_key" {
-##   filename             = "certs/subordinate_ca.key"
-##   file_permission      = "0644"
-##   directory_permission = "0755"
-##   content              = tls_private_key.subordinate_ca.private_key_pem
-## }
-##
-## resource "local_sensitive_file" "subordinate_ca_csr" {
-##   filename             = "certs/subordinate_ca.csr"
-##   file_permission      = "0644"
-##   directory_permission = "0755"
-##   content              = tls_cert_request.subordinate_ca.cert_request_pem
-## }
-##
-## resource "local_sensitive_file" "subordinate_ca_cert" {
-##   filename             = "certs/subordinate_ca.crt"
-##   file_permission      = "0644"
-##   directory_permission = "0755"
-##   content              = aws_acmpca_certificate.subordinate_ca.certificate
-## }
-##
-## resource "local_sensitive_file" "subordinate_ca_cert_chain" {
-##   filename             = "certs/subordinate_ca.bundle.crt"
-##   file_permission      = "0644"
-##   directory_permission = "0755"
-##   #content              = aws_acmpca_certificate.subordinate_ca.certificate_chain
-##   content              = replace(aws_acmpca_certificate.subordinate_ca.certificate_chain,"/\r/","")
-## }
-##
diff --git a/examples/cert-manager-issuer/main.tf.diffs b/examples/cert-manager-issuer/main.tf.diffs
@@ -8,17 +8,18 @@ index 29efe14..9f6efc7 100644
      name  = "tls.crt"
 -    value = local.tls_crt_b64
 +#    value = local.tls_crt_b64
-+    value = local.subordinate_ca_tls_crt
++    value = module.subordinate_ca.certificate_tls_crt
    }
    set {
      name  = "tls.key"
 -    value = local.tls_key_b64
 +#    value = local.tls_key_b64
-+    value = local.subordinate_ca_tls_key
++    value = module.subordinate_ca.certificate_tls_key
    }
  }
 
 +
  # when using vault as a CA is requested
  resource "helm_release" "vault-certificate-issuer" {
    count = local.vault_ca == true ? 1 : 0
+
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cert-manager-issuer.tf
@@ -0,0 +1,14 @@
+module "subordinate_ca" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+  cluster_name  = var.cluster_name
+  contact_email = var.contact_email
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.account_tags,
+    var.infrastructure_tags,
+    var.application_tags,
+  )
+}
diff --git a/...r-tf-upgrade/1.25/common-services/cert.tf → ...-upgrade/1.25/common-services/cert.tf.old b/...r-tf-upgrade/1.25/common-services/cert.tf → ...-upgrade/1.25/common-services/cert.tf.old