change to use module

terraform-modules · Jan 31, 2022 · f514da1 · f514da1
1 parent dc6cf6f
commit f514da1
Showing 1 changed file with 83 additions and 88 deletions.
diff --git a/examples/full-cluster/common-services/ca-cert.tf b/examples/full-cluster/common-services/ca-cert.tf
@@ -24,96 +24,91 @@ locals {
   ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name)
 }
 
-resource "tls_private_key" "ca" {
-  algorithm = "RSA"
-  rsa_bits  = 4096
-}
-
-resource "tls_cert_request" "ca" {
-  key_algorithm   = "RSA"
-  private_key_pem = tls_private_key.ca.private_key_pem
-
-  dns_names = local.ca_cert_san
-  subject {
-    common_name         = local.ca_dns_name
-    organizational_unit = local.ca_ou
-    organization        = "U.S. Census Bureau"
-    country             = "US"
-  }
-}
-
-resource "null_resource" "ca_root_cert" {
-  provisioner "local-exec" {
-    command = "test -d certs || mkdir certs"
-  }
-  provisioner "local-exec" {
-    command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
-  }
-}
-
-resource "null_resource" "ca_files" {
-  triggers = {
-    ca_key_public = sha256(tls_private_key.ca.public_key_pem)
-    ca_csr        = sha256(tls_cert_request.ca.cert_request_pem)
-  }
+module "cert" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-tls-certificate"
 
-  # get key
-  provisioner "local-exec" {
-    command = "test -d certs || mkdir certs"
-  }
-  provisioner "local-exec" {
-    command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
-  }
-  provisioner "local-exec" {
-    command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
-  }
-  # get csr
-  provisioner "local-exec" {
-    command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
-  }
-
-  # detail how to get certs
-  provisioner "local-exec" {
-    command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it.  Then add the .secret to git'"
-  }
-  provisioner "local-exec" {
-    command = "echo 'now submit file to TCO for signing and return the result as below:\n  csr = certs/${local.ca_dns_name}.csr\n  cert = certs/${local.ca_dns_name}.crt\n'"
-  }
-  provisioner "local-exec" {
-    command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
-  }
-  provisioner "local-exec" {
-    command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
-  }
-}
-
-resource "null_resource" "ca_cert" {
-  count = local.ca_cert_download ? 1 : 0
-  # get cert
-  provisioner "local-exec" {
-    command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
-  }
+  certificate_cn                = local.ca_dns_name
+  certificate_san               = [local.ca_dns_name]
+  certificate_download          = false
+  enable_acm_certificate        = false
+  certificate_subject_overrides = { ou = local.ca_ou }
 }
 
-resource "local_file" "ca_bundle_cert" {
-  count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
-
-  content         = local.ca_bundle_contents
-  filename        = local.ca_bundle_filename
-  file_permission = "0644"
-}
-
-#---
-# once the cert is in place, you can use the ACM certificate soemthign like below
-#---
-## resource "aws_acm_certificate" "ca" {
-##   count = local.ca_cert_exists ? 1 : 0
-##   private_key      = file("${path.root}/certs/${local.ca_dns_name}.key")
-##   certificate_body = file("${path.root}/certs/${local.ca_dns_name}.crt")
-##   certificate_chain = file("/etc/pki/tls/certs/cacert.crt")
+## resource "tls_private_key" "ca" {
+##   algorithm = "RSA"
+##   rsa_bits  = 4096
+## }
+## 
+## resource "tls_cert_request" "ca" {
+##   key_algorithm   = "RSA"
+##   private_key_pem = tls_private_key.ca.private_key_pem
+## 
+##   dns_names = local.ca_cert_san
+##   subject {
+##     common_name         = local.ca_dns_name
+##     organizational_unit = local.ca_ou
+##     organization        = "U.S. Census Bureau"
+##     country             = "US"
+##   }
+## }
+## 
+## resource "null_resource" "ca_root_cert" {
+##   provisioner "local-exec" {
+##     command = "test -d certs || mkdir certs"
+##   }
+##   provisioner "local-exec" {
+##     command = "curl -o ${local.ca_root_filename} http://ca.apps.tco.census.gov/certs/ca"
+##   }
+## }
+## 
+## resource "null_resource" "ca_files" {
+##   triggers = {
+##     ca_key_public = sha256(tls_private_key.ca.public_key_pem)
+##     ca_csr        = sha256(tls_cert_request.ca.cert_request_pem)
+##   }
+## 
+##   # get key
+##   provisioner "local-exec" {
+##     command = "test -d certs || mkdir certs"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo '${tls_private_key.ca.private_key_pem}' > certs/${local.ca_dns_name}.key"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo '${tls_private_key.ca.public_key_pem}' > certs/${local.ca_dns_name}.public_key"
+##   }
+##   # get csr
+##   provisioner "local-exec" {
+##     command = "echo '${tls_cert_request.ca.cert_request_pem}' > certs/${local.ca_dns_name}.csr"
+##   }
+## 
+##   # detail how to get certs
+##   provisioner "local-exec" {
+##     command = "echo 'add the key file to .gitignore, add it to git-secret, and hide it.  Then add the .secret to git'"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo 'now submit file to TCO for signing and return the result as below:\n  csr = certs/${local.ca_dns_name}.csr\n  cert = certs/${local.ca_dns_name}.crt\n'"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo command = ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+##   }
+##   provisioner "local-exec" {
+##     command = "echo 'curl -O http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+##   }
+## }
+## 
+## resource "null_resource" "ca_cert" {
+##   count = local.ca_cert_download ? 1 : 0
+##   # get cert
+##   provisioner "local-exec" {
+##     command = "curl -o ${path.root}/certs/${local.ca_dns_name}.crt 'http://ca.apps.tco.census.gov/certs/server?host=${local.ca_dns_name}&format=crt&download=1'"
+##   }
+## }
+## 
+## resource "local_file" "ca_bundle_cert" {
+##   count = local.ca_cert_download && local.ca_cert_exists && local.ca_root_exists && length(local.ca_bundle_contents) > 0 ? 1 : 0
 ## 
-##   tags = merge(
-##     local.common_tags,
-##     map("Name", local.ca_dns_name),
-##   )
+##   content         = local.ca_bundle_contents
+##   filename        = local.ca_bundle_filename
+##   file_permission = "0644"
 ## }