90360c591e
* Add confidential compute support to google_dataproc_cluster in the dataproc module * fix parent id lookup for networking and security stages (#2744) * Add optional automated MD5 generation in net-vlan-attachment module (#2745) * Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add ability to autogenerate md5 keys in net-vpn-ha (#2748) * Add ability to optionally generate MD5 secrets in VPN module * Add ability to autogenerate MD5 keys in net-vpn-ha module * restore missing output * fix test counts --------- Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * update changelog * Bump path-to-regexp and express (#2752) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add support for routing mode to net-swp module (#2751) Co-authored-by: Julio Castillo <jccb@google.com> * remove default location in tag value - cloud-run-v2 tags.tf (#2755) The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is. Changed to use the var.region instead * Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example). * Add rest of load balancers. * Add path_template_match and path_template_rewrite support to internal load balancers * Add disk encyption key to the google_compute_instance_template - Sovereign support (#2750) * add disk encyption key to the google_compute_instance_template * add a condition to the kms_key_self_link * use dynamic variable for disk_encryption_key * remove the getpip from the repo --------- Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * Add support for password validation policy to cloudsql module (#2740) * add support for password validation policy to cloudsql module * fix defaults * update changelog * bump provider version constraint --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> Co-authored-by: Luca Prete <preteluca@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com> Co-authored-by: Taneli Leppä <taneli@google.com> Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>
Certificate manager
This module allows you to create a certificate manager map and associated entries, certificates, DNS authorizations and issueance configs. Map and associated entries creation is optional.
Examples
Self-managed certificate
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_self_signed_cert" "cert" {
private_key_pem = tls_private_key.private_key.private_key_pem
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
validity_period_hours = 720
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
certificates = {
my-certificate-1 = {
self_managed = {
pem_certificate = tls_self_signed_cert.cert.cert_pem
pem_private_key = tls_private_key.private_key.private_key_pem
}
}
}
}
# tftest modules=1 resources=3 inventory=self-managed-cert.yaml
Certificate map with 1 entry with 1 self-managed certificate
resource "tls_private_key" "private_key" {
algorithm = "RSA"
rsa_bits = 2048
}
resource "tls_self_signed_cert" "cert" {
private_key_pem = tls_private_key.private_key.private_key_pem
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
validity_period_hours = 720
allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
hostname = "mydomain.mycompany.org"
}
}
}
certificates = {
my-certificate-1 = {
self_managed = {
pem_certificate = tls_self_signed_cert.cert.cert_pem
pem_private_key = tls_private_key.private_key.private_key_pem
}
}
}
}
# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml
Certificate map with 1 entry with 1 managed certificate with load balancer authorization
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
}
}
}
}
# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml
Certificate map with 1 entry with 1 managed certificate with DNS authorization
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
dns_authorizations = ["mydomain-mycompany-org"]
}
}
}
dns_authorizations = {
mydomain-mycompany-org = {
type = "PER_PROJECT_RECORD"
domain = "mydomain.mycompany.org"
}
}
}
# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml
Certificate map with 1 entry with 1 managed certificate with issued by a CA Service instance
resource "google_privateca_ca_pool" "pool" {
name = "ca-pool"
project = var.project_id
location = "us-central1"
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "ca_authority" {
project = var.project_id
location = "us-central1"
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "ca-authority"
config {
subject_config {
subject {
organization = "My Company"
common_name = "my-company-authority"
}
subject_alt_name {
dns_names = ["mycompany.org"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
module "certificate-manager" {
source = "./fabric/modules/certificate-manager"
project_id = var.project_id
map = {
name = "my-certificate-map"
description = "My certificate map"
entries = {
mydomain-mycompany-org = {
certificates = [
"my-certificate-1"
]
matcher = "PRIMARY"
}
}
}
certificates = {
my-certificate-1 = {
managed = {
domains = ["mydomain.mycompany.org"]
issuance_config = "my-issuance-config"
}
}
}
issuance_configs = {
my-issuance-config = {
ca_pool = google_privateca_ca_pool.pool.id
key_algorithm = "ECDSA_P256"
lifetime = "1814400s"
rotation_window_percentage = 34
}
}
depends_on = [
google_privateca_certificate_authority.ca_authority
]
}
# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project id. | string |
✓ | |
| certificates | Certificates. | map(object({…})) |
{} |
|
| dns_authorizations | DNS authorizations. | map(object({…})) |
{} |
|
| issuance_configs | Issuance configs. | map(object({…})) |
{} |
|
| map | Map attributes. | object({…}) |
null |
Outputs
| name | description | sensitive |
|---|---|---|
| certificate_ids | Certificate ids. | |
| certificates | Certificates. | |
| map | Map. | |
| map_id | Map id. |