From e1269aa3d7bdda7d5764bffa115df6b05b100e49 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 31 Jan 2022 14:52:37 -0500
Subject: [PATCH 1/2] fix

---
 examples/full-cluster/cluster-roles/variables.tf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/examples/full-cluster/cluster-roles/variables.tf b/examples/full-cluster/cluster-roles/variables.tf
index 2a571bf..25beb2b 100644
--- a/examples/full-cluster/cluster-roles/variables.tf
+++ b/examples/full-cluster/cluster-roles/variables.tf
@@ -10,6 +10,14 @@ variable "deployer_application_role_name" {
 default = "deployer-application-role"
 }
 
+variable "deployer_application_istio_role_name" {
+ description = "The kubernetes cluster role name of CICD Deployer"
+ type = string
+ default = "deployer-application-istio-role"
+}
+
+
+
 variable "dba_administrator_role_name" {
 description = "The kubernetes cluster role name of DBA Administrator"
 type = string
@@ -50,6 +58,12 @@ variable "deployer_application_rolebinding_name" {
 default = "deployer-application-rolebinding"
 }
 
+variable "deployer_application_istio_rolebinding_name" {
+ description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
+ type = string
+ default = "deployer-application-istio-rolebinding"
+}
+
 variable "dba_admin_rolebinding_name" {
 description = "Role binding name of deployer that binding to role deployer_application_cluster_role"
 type = string

From f514da1a775346331a1b5f71408ae8c44d6aa666 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 31 Jan 2022 14:54:22 -0500
Subject: [PATCH 2/2] change to use module

---
 .../full-cluster/common-services/ca-cert.tf | 171 +++++++++---------
 1 file changed, 83 insertions(+), 88 deletions(-)

diff --git a/examples/full-cluster/common-services/ca-cert.tf b/examples/full-cluster/common-services/ca-cert.tf
index 8e1c01b..a557341 100644
--- a/examples/full-cluster/common-services/ca-cert.tf
+++ b/examples/full-cluster/common-services/ca-cert.tf
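Review bot: The description of `deployer_application_istio_rolebinding_name` in the second hunk is copied from the neighbouring binding and still says it binds to `deployer_application_cluster_role`, which does not match the istio role added in the first hunk of this patch; suggest `description = "Role binding name of deployer that binds to role deployer_application_istio_role"`. The first hunk also leaves three added blank lines after the closing brace where the rest of the file separates variables with one, which `terraform fmt` would not remove on its own. Neither hunk shows where the new variables are consumed, so whether the istio role and binding are wired up elsewhere cannot be confirmed from this patch.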
@@ -24,96 +24,91 @@ locals {
 ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
 }
 
-resource "tls_private_key" "ca" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-resource "tls_cert_request" "ca" {
- key_algorithm = "RSA"
- private_key_pem = tls_private_key.ca.private_key_pem
-
- dns_names = local.ca_cert_san
- subject {
- common_name = local.ca_dns_name
- organizational_unit = local.ca_ou
- organization = "U.S. Census Bureau"
- country = "US"
- }
-}
-
-resource "null_resource" "ca_root_cert" {
- provisioner "local-exec" {
- command = "test -d certs || mkdir certs"
- }
- provisioner "local-exec" {
- command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
- }
-}
-
-resource "null_resource" "ca_files" {
- triggers = {
- ca_key_public = sha256(tls_private_key.ca.public_key_pem)
- ca_csr = sha256(tls_cert_request.ca.cert_request_pem)
- }
+module "cert" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
 
- # get key
- provisioner "local-exec" {
- command = "test -d certs || mkdir certs"
- }
- provisioner "local-exec" {
- command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
- }
- provisioner "local-exec" {
- command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
- }
- # get csr
- provisioner "local-exec" {
- command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
- }
-
- # detail how to get certs
- provisioner "local-exec" {
- command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it. Then add the .secret to git'"
- }
- provisioner "local-exec" {
- command = "echo 'now submit file to TCO for signing and return the result as below:\n csr = certs/${local.ca_dns_name}.csr\n cert = certs/${local.ca_dns_name}.crt\n'"
- }
- provisioner "local-exec" {
- command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
- }
- provisioner "local-exec" {
- command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
- }
-}
-
-resource "null_resource" "ca_cert" {
- count = local.ca_cert_download ? 1 : 0
- # get cert
- provisioner "local-exec" {
- command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
- }
+ certificate_cn = local.ca_dns_name
+ certificate_san = [local.ca_dns_name]
+ certificate_download = false
+ enable_acm_certificate = false
+ certificate_subject_overrides = { ou = local.ca_ou }
 }
 
-resource "local_file" "ca_bundle_cert" {
- count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
-
- content = local.ca_bundle_contents
- filename = local.ca_bundle_filename
- file_permission = "0644"
-}
-
-#---
-# once the cert is in place, you can use the ACM certificate soemthign like below
-#---
-## resource "aws_acm_certificate" "ca" {
-## count = local.ca_cert_exists ? 1 : 0
-## private_key = file("${path.root}/certs/${local.ca_dns_name}.key")
-## certificate_body = file("${path.root}/certs/${local.ca_dns_name}.crt")
-## certificate_chain = file("/etc/pki/tls/certs/cacert.crt")
+## resource "tls_private_key" "ca" {
+## algorithm = "RSA"
+## rsa_bits = 4096
+## }
+##
+## resource "tls_cert_request" "ca" {
+## key_algorithm = "RSA"
+## private_key_pem = tls_private_key.ca.private_key_pem
+##
+## dns_names = local.ca_cert_san
+## subject {
+## common_name = local.ca_dns_name
+## organizational_unit = local.ca_ou
+## organization = "U.S. Census Bureau"
+## country = "US"
+## }
+## }
+##
+## resource "null_resource" "ca_root_cert" {
+## provisioner "local-exec" {
+## command = "test -d certs || mkdir certs"
+## }
+## provisioner "local-exec" {
+## command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
+## }
+## }
+##
+## resource "null_resource" "ca_files" {
+## triggers = {
+## ca_key_public = sha256(tls_private_key.ca.public_key_pem)
+## ca_csr = sha256(tls_cert_request.ca.cert_request_pem)
+## }
+##
+## # get key
+## provisioner "local-exec" {
+## command = "test -d certs || mkdir certs"
+## }
+## provisioner "local-exec" {
+## command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
+## }
+## provisioner "local-exec" {
+## command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
+## }
+## # get csr
+## provisioner "local-exec" {
+## command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
+## }
+##
+## # detail how to get certs
+## provisioner "local-exec" {
+## command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it. Then add the .secret to git'"
+## }
+## provisioner "local-exec" {
+## command = "echo 'now submit file to TCO for signing and return the result as below:\n csr = certs/${local.ca_dns_name}.csr\n cert = certs/${local.ca_dns_name}.crt\n'"
+## }
+## provisioner "local-exec" {
+## command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+## }
+## provisioner "local-exec" {
+## command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+## }
+## }
+##
+## resource "null_resource" "ca_cert" {
+## count = local.ca_cert_download ? 1 : 0
+## # get cert
+## provisioner "local-exec" {
+## command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+## }
+## }
+##
+## resource "local_file" "ca_bundle_cert" {
+## count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
 ##
-## tags = merge(
-## local.common_tags,
-## map("Name", local.ca_dns_name),
-## )
+## content = local.ca_bundle_contents
+## filename = local.ca_bundle_filename
+## file_permission = "0644"
 ## }
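Review bot: The new `source` line points at the `aws-tls-certificate` git repository with no `?ref=` query, so each `terraform init` resolves whatever the repository's default branch holds at that moment and the CA key material produced by this module silently follows any change pushed there; pin it, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate?ref=<pinned tag or commit>"`. `certificate_san = [local.ca_dns_name]` also narrows the SAN list from the removed `dns_names = local.ca_cert_san` to the CN alone, which is a behaviour change unless `local.ca_cert_san` (defined in the `locals` block that opens before this hunk) held only that name. The `organization`, `country` and `rsa_bits = 4096` settings that the removed resources set explicitly are now left to module defaults that this diff cannot show, so the resulting certificate subject and key size should be checked after the first apply. Finally, the `##` lines reproduce the removed resources verbatim; since git already keeps that history, deleting them instead of commenting them out would keep the file readable and avoid leaving `local.ca_cert_download`, `local.ca_cert_exists` and the other now-unreferenced locals looking live.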