-
Notifications
You must be signed in to change notification settings - Fork 913
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Luca Prete
committed
Aug 7, 2024
1 parent
33c804b
commit 9b45a3f
Showing
17 changed files
with
597 additions
and
221 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| # Certificate Authority Service (CAS) | ||
|
|
||
| The module allows you to create one or more CAs and an optional CA pool. | ||
|
|
||
| <!-- BEGIN TOC --> | ||
| - [Examples](#examples) | ||
| - [Basic CA infrastructure](#basic-ca-infrastructure) | ||
| - [Create custom CAs](#create-custom-cas) | ||
| - [Reference an existing CA pool](#reference-an-existing-ca-pool) | ||
| - [IAM](#iam) | ||
| - [Variables](#variables) | ||
| - [Outputs](#outputs) | ||
| <!-- END TOC --> | ||
|
|
||
| ## Examples | ||
|
|
||
| ### Basic CA infrastructure | ||
|
|
||
| This is enough to create a test CA pool and a self-signed root CA. | ||
|
|
||
| ```hcl | ||
| module "cas" { | ||
| source = "./fabric/modules/certificate-authority-service" | ||
| project_id = var.project_id | ||
| location = "europe-west1" | ||
| ca_pool_config = { | ||
| name = "test-cas" | ||
| } | ||
| } | ||
| # tftest modules=1 resources=2 inventory=basic.yaml | ||
| ``` | ||
|
|
||
| ### Create custom CAs | ||
|
|
||
| You can create multiple, custom CAs. | ||
|
|
||
| ```hcl | ||
| module "cas" { | ||
| source = "./fabric/modules/certificate-authority-service" | ||
| project_id = var.project_id | ||
| location = "europe-west1" | ||
| ca_pool_config = { | ||
| name = "test-cas" | ||
| } | ||
| ca_configs = { | ||
| root_ca_1 = { | ||
| key_spec_algorithm = "RSA_PKCS1_4096_SHA256" | ||
| key_usage = { | ||
| client_auth = true | ||
| server_auth = true | ||
| } | ||
| } | ||
| root_ca_2 = { | ||
| subject = { | ||
| common_name = "test2.example.com" | ||
| organization = "Example" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| # tftest modules=1 resources=3 inventory=custom_cas.yaml | ||
| ``` | ||
|
|
||
| ### Reference an existing CA pool | ||
|
|
||
| ```hcl | ||
| module "cas" { | ||
| source = "./fabric/modules/certificate-authority-service" | ||
| project_id = var.project_id | ||
| location = "europe-west1" | ||
| ca_pool_config = { | ||
| ca_pool_id = var.ca_pool_id | ||
| } | ||
| } | ||
| # tftest modules=1 resources=1 inventory=existing_ca.yaml | ||
| ``` | ||
|
|
||
| ### IAM | ||
|
|
||
| You can assign authoritative and addittive IAM roles to identities on the CA pool, using the usual fabric interface (`iam`, `iam_bindings`, `iam_binding_addittive`, `iam_by_principals`). | ||
|
|
||
| ```hcl | ||
| module "cas" { | ||
| source = "./fabric/modules/certificate-authority-service" | ||
| project_id = var.project_id | ||
| location = "europe-west1" | ||
| ca_pool_config = { | ||
| name = "test-cas" | ||
| } | ||
| iam = { | ||
| "roles/privateca.certificateManager" = [ | ||
| var.service_account.iam_email | ||
| ] | ||
| } | ||
| iam_bindings_additive = { | ||
| cert-manager = { | ||
| member = "group:${var.group_email}" | ||
| role = "roles/privateca.certificateManager" | ||
| } | ||
| } | ||
| } | ||
| # tftest modules=1 resources=4 inventory=iam.yaml | ||
| ``` | ||
| <!-- BEGIN TFDOC --> | ||
| ## Variables | ||
|
|
||
| | name | description | type | required | default | | ||
| |---|---|:---:|:---:|:---:| | ||
| | [ca_pool_config](variables.tf#L116) | The CA pool config. If you pass ca_pool_id, an existing pool is used. | <code title="object({ ca_pool_id = optional(string, null) name = optional(string, null) tier = optional(string, "DEVOPS") })">object({…})</code> | ✓ | | | ||
| | [location](variables.tf#L140) | The location of the CAs. | <code>string</code> | ✓ | | | ||
| | [project_id](variables.tf#L145) | Project id. | <code>string</code> | ✓ | | | ||
| | [ca_configs](variables.tf#L17) | The CA configurations. | <code title="map(object({ deletion_protection = optional(string, true) type = optional(string, "SELF_SIGNED") is_ca = optional(bool, true) lifetime = optional(string, null) pem_ca_certificate = optional(string, null) ignore_active_certificates_on_deletion = optional(bool, false) skip_grace_period = optional(bool, true) labels = optional(map(string), {}) gcs_bucket = optional(string, null) key_spec = optional(object({ algorithm = optional(string, "RSA_PKCS1_2048_SHA256") kms_key_id = optional(string, null) }), {}) key_usage = optional(object({ cert_sign = optional(bool, true) client_auth = optional(bool, false) code_signing = optional(bool, false) content_commitment = optional(bool, false) crl_sign = optional(bool, true) data_encipherment = optional(bool, false) decipher_only = optional(bool, false) digital_signature = optional(bool, false) email_protection = optional(bool, false) encipher_only = optional(bool, false) key_agreement = optional(bool, false) key_encipherment = optional(bool, true) ocsp_signing = optional(bool, false) server_auth = optional(bool, true) time_stamping = optional(bool, false) }), {}) subject = optional(object({ common_name = string organization = string country_code = optional(string) locality = optional(string) organizational_unit = optional(string) postal_code = optional(string) province = optional(string) street_address = optional(string) }), { common_name = "test.example.com" organization = "Test Example" }) subject_alt_name = optional(object({ dns_names = optional(list(string), []) email_addresses = optional(list(string), []) ip_addresses = optional(list(string), []) uris = optional(list(string), []) }), {}) subordinate_config = optional(object({ root_ca_id = optional(string) pem_issuer_certificates = optional(list(string)) }), {}) }))">map(object({…}))</code> | | <code title="{ test-ca = {} }">{…}</code> | | ||
| | [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> | | ||
| | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| | [iam_by_principals](variables-iam.tf#L54) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> | | ||
|
|
||
| ## Outputs | ||
|
|
||
| | name | description | sensitive | | ||
| |---|---|:---:| | ||
| | [ca_ids](outputs.tf#L17) | The CA ids. | | | ||
| | [ca_pool_id](outputs.tf#L25) | The CA pool id. | | | ||
| | [cas](outputs.tf#L30) | The CAs. | | | ||
| <!-- END TFDOC --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| /** | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| # tfdoc:file:description IAM bindings. | ||
|
|
||
| locals { | ||
| _iam_principal_roles = distinct(flatten(values(var.iam_by_principals))) | ||
| _iam_principals = { | ||
| for r in local._iam_principal_roles : r => [ | ||
| for k, v in var.iam_by_principals : | ||
| k if try(index(v, r), null) != null | ||
| ] | ||
| } | ||
| iam = { | ||
| for role in distinct(concat(keys(var.iam), keys(local._iam_principals))) : | ||
| role => concat( | ||
| try(var.iam[role], []), | ||
| try(local._iam_principals[role], []) | ||
| ) | ||
| } | ||
| } | ||
|
|
||
| resource "google_privateca_ca_pool_iam_binding" "authoritative" { | ||
| for_each = local.iam | ||
| ca_pool = local.ca_pool_id | ||
| role = each.key | ||
| members = each.value | ||
| } | ||
|
|
||
| resource "google_privateca_ca_pool_iam_binding" "bindings" { | ||
| for_each = var.iam_bindings | ||
| ca_pool = local.ca_pool_id | ||
| role = each.value.role | ||
| members = each.value.members | ||
| dynamic "condition" { | ||
| for_each = each.value.condition == null ? [] : [""] | ||
| content { | ||
| expression = each.value.condition.expression | ||
| title = each.value.condition.title | ||
| description = each.value.condition.description | ||
| } | ||
| } | ||
| } | ||
|
|
||
| resource "google_privateca_ca_pool_iam_member" "bindings" { | ||
| for_each = var.iam_bindings_additive | ||
| ca_pool = local.ca_pool_id | ||
| role = each.value.role | ||
| member = each.value.member | ||
| dynamic "condition" { | ||
| for_each = each.value.condition == null ? [] : [""] | ||
| content { | ||
| expression = each.value.condition.expression | ||
| title = each.value.condition.title | ||
| description = each.value.condition.description | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| /** | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| locals { | ||
| ca_pool_id = coalesce( | ||
| var.ca_pool_config.ca_pool_id == null, | ||
| try(google_privateca_ca_pool.ca_pool[0].name, null) | ||
| ) | ||
| } | ||
| resource "google_privateca_ca_pool" "ca_pool" { | ||
| count = var.ca_pool_config.ca_pool_id == null ? 1 : 0 | ||
| name = var.ca_pool_config.name | ||
| project = var.project_id | ||
| location = "europe-west8" | ||
| tier = "DEVOPS" | ||
| } | ||
|
|
||
| resource "google_privateca_certificate_authority" "cas" { | ||
| for_each = var.ca_configs | ||
| pool = local.ca_pool_id | ||
| certificate_authority_id = each.key | ||
| project = var.project_id | ||
| location = var.location | ||
| type = each.value.type | ||
| deletion_protection = each.value.deletion_protection | ||
| lifetime = each.value.lifetime | ||
| pem_ca_certificate = each.value.pem_ca_certificate | ||
| ignore_active_certificates_on_deletion = each.value.ignore_active_certificates_on_deletion | ||
| skip_grace_period = each.value.skip_grace_period | ||
| gcs_bucket = each.value.gcs_bucket | ||
| labels = each.value.labels | ||
|
|
||
| config { | ||
| subject_config { | ||
| subject { | ||
| common_name = each.value.subject.common_name | ||
| country_code = each.value.subject.country_code | ||
| organizational_unit = each.value.subject.organizational_unit | ||
| locality = each.value.subject.locality | ||
| organization = each.value.subject.organization | ||
| province = each.value.subject.province | ||
| street_address = each.value.subject.street_address | ||
| postal_code = each.value.subject.postal_code | ||
| } | ||
| subject_alt_name { | ||
| dns_names = each.value.subject_alt_name.dns_names | ||
| email_addresses = each.value.subject_alt_name.email_addresses | ||
| ip_addresses = each.value.subject_alt_name.ip_addresses | ||
| uris = each.value.subject_alt_name.uris | ||
| } | ||
| } | ||
| x509_config { | ||
| ca_options { | ||
| is_ca = each.value.is_ca | ||
| } | ||
| key_usage { | ||
| base_key_usage { | ||
| cert_sign = each.value.key_usage.cert_sign | ||
| content_commitment = each.value.key_usage.content_commitment | ||
| crl_sign = each.value.key_usage.crl_sign | ||
| data_encipherment = each.value.key_usage.data_encipherment | ||
| decipher_only = each.value.key_usage.decipher_only | ||
| digital_signature = each.value.key_usage.digital_signature | ||
| encipher_only = each.value.key_usage.encipher_only | ||
| key_agreement = each.value.key_usage.key_agreement | ||
| key_encipherment = each.value.key_usage.key_encipherment | ||
| } | ||
| extended_key_usage { | ||
| client_auth = each.value.key_usage.client_auth | ||
| code_signing = each.value.key_usage.code_signing | ||
| email_protection = each.value.key_usage.email_protection | ||
| ocsp_signing = each.value.key_usage.ocsp_signing | ||
| server_auth = each.value.key_usage.server_auth | ||
| time_stamping = each.value.key_usage.time_stamping | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| key_spec { | ||
| algorithm = each.value.key_spec.algorithm | ||
| cloud_kms_key_version = each.value.key_spec.kms_key_id | ||
| } | ||
|
|
||
| subordinate_config { | ||
| certificate_authority = each.value.subordinate_config.root_ca_id | ||
| pem_issuer_chain { | ||
| pem_certificates = each.value.subordinate_config.pem_issuer_certificates | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.