kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
02d14da4db7e26a6b30de22515487c5b40539b94
hunfabric/modules/certificate-authority-service/README.md

8.2 KiB
Raw Blame History

Certificate Authority Service (CAS)

The module allows you to create one or more CAs and an optional CA pool.

Examples

Basic CA infrastructure

This is enough to create a test CA pool and a self-signed root CA.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml

Create custom CAs

You can create multiple, custom CAs.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
  ca_configs = {
    root_ca_1 = {
      key_spec_algorithm = "RSA_PKCS1_4096_SHA256"
      key_usage = {
        client_auth = true
        server_auth = true
      }
    }
    root_ca_2 = {
      subject = {
        common_name  = "test2.example.com"
        organization = "Example"
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=custom_cas.yaml

Reference an existing CA pool

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    ca_pool_id = var.ca_pool_id
  }
}
# tftest modules=1 resources=1 inventory=existing_ca.yaml

IAM

You can assign authoritative and addittive IAM roles to identities on the CA pool, using the usual fabric interface (iam, iam_bindings, iam_binding_addittive, iam_by_principals).

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
  iam = {
    "roles/privateca.certificateManager" = [
      var.service_account.iam_email
    ]
  }
  iam_bindings_additive = {
    cert-manager = {
      member = "group:${var.group_email}"
      role   = "roles/privateca.certificateManager"
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml

Variables

name description type required default
ca_pool_config The CA pool config. If you pass ca_pool_id, an existing pool is used. object({…})
location The location of the CAs. string
project_id Project id. string
ca_configs The CA configurations. map(object({…})) {…}
iam IAM bindings in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_bindings Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. map(object({…})) {}
iam_bindings_additive Individual additive IAM bindings. Keys are arbitrary. map(object({…})) {}
iam_by_principals Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. map(list(string)) {}

Outputs

name description sensitive
ca_ids The CA ids.
ca_pool The CA pool.
ca_pool_id The CA pool id.
cas The CAs.