Certificate Authority Service (CAS)

The module creates one or more CAs inside a CA pool, which it can either create for you or reference by id. If ca_configs is left unset, a single self-signed root CA is created with the module defaults.

Examples

Basic CA infrastructure

This is enough to create a test CA pool and a self-signed root CA.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    create_pool = {
      name = "test-ca"
    }
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml

Create custom CAs

You can create multiple CAs with custom settings, one per key in ca_configs. Any attribute you leave out falls back to the module defaults.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    create_pool = {
      name = "test-ca"
    }
  }
  ca_configs = {
    root_ca_1 = {
      key_spec_algorithm = "RSA_PKCS1_4096_SHA256"
      key_usage = {
        client_auth = true
        server_auth = true
      }
    }
    root_ca_2 = {
      subject = {
        common_name  = "test2.example.com"
        organization = "Example"
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=custom_cas.yaml

Reference an existing CA pool

Set use_pool instead of create_pool to create the CAs in a pool that already exists, passing the pool's resource id. If both are defined, use_pool takes precedence and no pool is created.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    use_pool = {
      id = var.ca_pool_id
    }
  }
}
# tftest modules=1 resources=1 inventory=existing_ca.yaml

IAM

You can assign authoritative and additive IAM roles to identities on the CA pool, using the usual Fabric interface (iam, iam_bindings, iam_bindings_additive, iam_by_principals). iam, iam_bindings and iam_by_principals are authoritative for the roles they cover, so on apply they replace any binding for those roles that was granted outside the module; iam_bindings_additive only adds the single member it names and leaves other members of the role untouched.

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    create_pool = {
      name = "test-ca"
    }
  }
  iam = {
    "roles/privateca.certificateManager" = [
      var.service_account.iam_email
    ]
  }
  iam_bindings_additive = {
    cert-manager = {
      member = "group:${var.group_email}"
      role   = "roles/privateca.certificateManager"
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml
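The IAM example above grants one role to two identities. In practice the pool is where you separate duties: a small admin group manages the pool and its CAs, an operations group issues and revokes certificates, workloads may only request certificates, and security gets read-only access. The following is an added example, not part of the module's README, that expresses that split with the documented module inputs. The roles are Google Cloud's predefined CA Service roles; the variables (admin_group_email, ops_group_email, auditor_group_email, workload_sa_emails) and the pool and CA names are hypothetical and declared here only so the example is self-contained.

```hcl
# Hypothetical inputs for this example (not module variables).
variable "project_id" { type = string }
variable "admin_group_email" { type = string }
variable "ops_group_email" { type = string }
variable "auditor_group_email" { type = string }
variable "workload_sa_emails" {
  type    = list(string)
  default = []
}

module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    create_pool = {
      name = "prod-ca-pool"
    }
  }
  ca_configs = {
    root_ca = {
      key_spec_algorithm = "RSA_PKCS1_4096_SHA256"
      key_usage = {
        client_auth = true
        server_auth = true
      }
      subject = {
        common_name  = "prod-root.example.com"
        organization = "Example"
      }
    }
  }
  # Authoritative: the module owns every binding for these roles on the
  # pool, so a grant made out of band for one of them is removed on the
  # next apply. Use this for the roles you want tightly controlled.
  iam = {
    # Pool and CA lifecycle: create, enable, disable and delete CAs.
    "roles/privateca.caManager" = [
      "group:${var.admin_group_email}"
    ]
    # Issue and revoke certificates from the pool.
    "roles/privateca.certificateManager" = [
      "group:${var.ops_group_email}"
    ]
    # Read-only view of the pool, its CAs and issued certificates.
    "roles/privateca.auditor" = [
      "group:${var.auditor_group_email}"
    ]
  }
  # Additive: one binding per workload identity, merged with whatever
  # else exists on the role. Requesters can obtain certificates but
  # cannot revoke them or change the CAs.
  iam_bindings_additive = {
    for sa in var.workload_sa_emails : "requester-${sa}" => {
      member = "serviceAccount:${sa}"
      role   = "roles/privateca.certificateRequester"
    }
  }
}

output "prod_ca_pool_id" {
  value = module.cas.ca_pool_id
}
```

Keep the authoritative roles (the iam map) for the privileged roles, so that drift such as a caManager grant added from the console is reverted, and use the additive map for the long tail of requesters, where adding a workload should not force you to restate every other member of the role.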

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| ca_pool_config | The CA pool config. Either use_pool or create_pool needs to be set; use_pool takes precedence if both are defined. | object({…}) | ✓ | |
| location | The location of the CAs. | string | ✓ | |
| project_id | Project id. | string | ✓ | |
| ca_configs | The CA configurations. | map(object({…})) | | {…} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}} format. Keys are arbitrary. | map(object({…})) | | {} |
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| iam_by_principals | Authoritative IAM bindings in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. | map(list(string)) | | {} |

Outputs

| name | description | sensitive |
|---|---|---|
| ca_ids | The CA ids. | |
| ca_pool | The CA pool. | |
| ca_pool_id | The CA pool id. | |
| cas | The CAs. | |