[fix] Fixes errors in certificate-authority-service module (#2493)
LucaPrete authored Aug 9, 2024
1 parent d5210d5 commit d415aaf
Showing 3 changed files with 32 additions and 20 deletions.
2 changes: 1 addition & 1 deletion modules/certificate-authority-service/README.md
Expand Up @@ -109,7 +109,7 @@ module "cas" {
| [ca_pool_config](variables.tf#L116) | The CA pool config. If you pass ca_pool_id, an existing pool is used. | <code title="object&#40;&#123;&#10; ca_pool_id &#61; optional&#40;string, null&#41;&#10; name &#61; optional&#40;string, null&#41;&#10; tier &#61; optional&#40;string, &#34;DEVOPS&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || |
| [location](variables.tf#L140) | The location of the CAs. | <code>string</code> || |
| [project_id](variables.tf#L145) | Project id. | <code>string</code> || |
| [ca_configs](variables.tf#L17) | The CA configurations. | <code title="map&#40;object&#40;&#123;&#10; deletion_protection &#61; optional&#40;string, true&#41;&#10; type &#61; optional&#40;string, &#34;SELF_SIGNED&#34;&#41;&#10; is_ca &#61; optional&#40;bool, true&#41;&#10; lifetime &#61; optional&#40;string, null&#41;&#10; pem_ca_certificate &#61; optional&#40;string, null&#41;&#10; ignore_active_certificates_on_deletion &#61; optional&#40;bool, false&#41;&#10; skip_grace_period &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; gcs_bucket &#61; optional&#40;string, null&#41;&#10; key_spec &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; optional&#40;string, &#34;RSA_PKCS1_2048_SHA256&#34;&#41;&#10; kms_key_id &#61; optional&#40;string, null&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; key_usage &#61; optional&#40;object&#40;&#123;&#10; cert_sign &#61; optional&#40;bool, true&#41;&#10; client_auth &#61; optional&#40;bool, false&#41;&#10; code_signing &#61; optional&#40;bool, false&#41;&#10; content_commitment &#61; optional&#40;bool, false&#41;&#10; crl_sign &#61; optional&#40;bool, true&#41;&#10; data_encipherment &#61; optional&#40;bool, false&#41;&#10; decipher_only &#61; optional&#40;bool, false&#41;&#10; digital_signature &#61; optional&#40;bool, false&#41;&#10; email_protection &#61; optional&#40;bool, false&#41;&#10; encipher_only &#61; optional&#40;bool, false&#41;&#10; key_agreement &#61; optional&#40;bool, false&#41;&#10; key_encipherment &#61; optional&#40;bool, true&#41;&#10; ocsp_signing &#61; optional&#40;bool, false&#41;&#10; server_auth &#61; optional&#40;bool, true&#41;&#10; time_stamping &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; subject &#61; optional&#40;object&#40;&#123;&#10; common_name &#61; string&#10; organization &#61; string&#10; country_code &#61; optional&#40;string&#41;&#10; locality &#61; optional&#40;string&#41;&#10; 
organizational_unit &#61; optional&#40;string&#41;&#10; postal_code &#61; optional&#40;string&#41;&#10; province &#61; optional&#40;string&#41;&#10; street_address &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#10; common_name &#61; &#34;test.example.com&#34;&#10; organization &#61; &#34;Test Example&#34;&#10; &#125;&#41;&#10; subject_alt_name &#61; optional&#40;object&#40;&#123;&#10; dns_names &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; email_addresses &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; ip_addresses &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; uris &#61; optional&#40;list&#40;string&#41;, &#91;&#93;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; subordinate_config &#61; optional&#40;object&#40;&#123;&#10; root_ca_id &#61; optional&#40;string&#41;&#10; pem_issuer_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; test-ca &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [ca_configs](variables.tf#L17) | The CA configurations. | <code title="map&#40;object&#40;&#123;&#10; deletion_protection &#61; optional&#40;string, true&#41;&#10; type &#61; optional&#40;string, &#34;SELF_SIGNED&#34;&#41;&#10; is_ca &#61; optional&#40;bool, true&#41;&#10; lifetime &#61; optional&#40;string, null&#41;&#10; pem_ca_certificate &#61; optional&#40;string, null&#41;&#10; ignore_active_certificates_on_deletion &#61; optional&#40;bool, false&#41;&#10; skip_grace_period &#61; optional&#40;bool, true&#41;&#10; labels &#61; optional&#40;map&#40;string&#41;, null&#41;&#10; gcs_bucket &#61; optional&#40;string, null&#41;&#10; key_spec &#61; optional&#40;object&#40;&#123;&#10; algorithm &#61; optional&#40;string, &#34;RSA_PKCS1_2048_SHA256&#34;&#41;&#10; kms_key_id &#61; optional&#40;string, null&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; key_usage &#61; optional&#40;object&#40;&#123;&#10; cert_sign &#61; optional&#40;bool, true&#41;&#10; client_auth &#61; optional&#40;bool, false&#41;&#10; code_signing &#61; optional&#40;bool, false&#41;&#10; content_commitment &#61; optional&#40;bool, false&#41;&#10; crl_sign &#61; optional&#40;bool, true&#41;&#10; data_encipherment &#61; optional&#40;bool, false&#41;&#10; decipher_only &#61; optional&#40;bool, false&#41;&#10; digital_signature &#61; optional&#40;bool, false&#41;&#10; email_protection &#61; optional&#40;bool, false&#41;&#10; encipher_only &#61; optional&#40;bool, false&#41;&#10; key_agreement &#61; optional&#40;bool, false&#41;&#10; key_encipherment &#61; optional&#40;bool, true&#41;&#10; ocsp_signing &#61; optional&#40;bool, false&#41;&#10; server_auth &#61; optional&#40;bool, true&#41;&#10; time_stamping &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;, &#123;&#125;&#41;&#10; subject &#61; optional&#40;object&#40;&#123;&#10; common_name &#61; string&#10; organization &#61; string&#10; country_code &#61; optional&#40;string&#41;&#10; locality &#61; optional&#40;string&#41;&#10; organizational_unit 
&#61; optional&#40;string&#41;&#10; postal_code &#61; optional&#40;string&#41;&#10; province &#61; optional&#40;string&#41;&#10; street_address &#61; optional&#40;string&#41;&#10; &#125;&#41;, &#123;&#10; common_name &#61; &#34;test.example.com&#34;&#10; organization &#61; &#34;Test Example&#34;&#10; &#125;&#41;&#10; subject_alt_name &#61; optional&#40;object&#40;&#123;&#10; dns_names &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; email_addresses &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; ip_addresses &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; uris &#61; optional&#40;list&#40;string&#41;, null&#41;&#10; &#125;&#41;, null&#41;&#10; subordinate_config &#61; optional&#40;object&#40;&#123;&#10; root_ca_id &#61; optional&#40;string&#41;&#10; pem_issuer_certificates &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; test-ca &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; members &#61; list&#40;string&#41;&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10; member &#61; string&#10; role &#61; string&#10; condition &#61; optional&#40;object&#40;&#123;&#10; expression &#61; string&#10; title &#61; string&#10; description &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
36 changes: 24 additions & 12 deletions modules/certificate-authority-service/main.tf
Expand Up @@ -16,16 +16,16 @@

locals {
ca_pool_id = coalesce(
var.ca_pool_config.ca_pool_id == null,
var.ca_pool_config.ca_pool_id,
try(google_privateca_ca_pool.ca_pool[0].name, null)
)
}
resource "google_privateca_ca_pool" "ca_pool" {
count = var.ca_pool_config.ca_pool_id == null ? 1 : 0
name = var.ca_pool_config.name
project = var.project_id
location = "europe-west8"
tier = "DEVOPS"
location = var.location
tier = var.ca_pool_config.tier
}

resource "google_privateca_certificate_authority" "cas" {
Expand Down Expand Up @@ -55,11 +55,14 @@ resource "google_privateca_certificate_authority" "cas" {
street_address = each.value.subject.street_address
postal_code = each.value.subject.postal_code
}
subject_alt_name {
dns_names = each.value.subject_alt_name.dns_names
email_addresses = each.value.subject_alt_name.email_addresses
ip_addresses = each.value.subject_alt_name.ip_addresses
uris = each.value.subject_alt_name.uris
dynamic "subject_alt_name" {
for_each = each.value.subject_alt_name != null ? [1] : []
content {
dns_names = each.value.subject_alt_name.dns_names
email_addresses = each.value.subject_alt_name.email_addresses
ip_addresses = each.value.subject_alt_name.ip_addresses
uris = each.value.subject_alt_name.uris
}
}
}
x509_config {
Expand Down Expand Up @@ -95,10 +98,19 @@ resource "google_privateca_certificate_authority" "cas" {
cloud_kms_key_version = each.value.key_spec.kms_key_id
}

subordinate_config {
certificate_authority = each.value.subordinate_config.root_ca_id
pem_issuer_chain {
pem_certificates = each.value.subordinate_config.pem_issuer_certificates
dynamic "subordinate_config" {
for_each = each.value.subordinate_config != null ? [1] : []
content {
certificate_authority = each.value.subordinate_config.root_ca_id
dynamic "pem_issuer_chain" {
for_each = (
each.value.subordinate_config.pem_issuer_certificates != null
? [1] : []
)
content {
pem_certificates = each.value.subordinate_config.pem_issuer_certificates
}
}
}
}
}
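Review bot: The new `coalesce(...)` in `locals` (first hunk) falls back to `google_privateca_ca_pool.ca_pool[0].name`, which is the pool's short name, so a caller-supplied `ca_pool_config.ca_pool_id` has to be in the same form for `local.ca_pool_id` to be usable in both branches; the `cas` resource that consumes it begins on the hunk's last line and its body is outside the hunk, so I cannot confirm which form it expects. The README entry for `ca_pool_config` only says an existing pool is used, so I would state the expected format in the variable description, e.g. `The CA pool config. If you pass ca_pool_id (the pool's short name; the pool must live in var.location), an existing pool is used.`, adjusted to whatever the resource actually needs. Separately, `tier = var.ca_pool_config.tier` now honors the variable but its default remains `DEVOPS`; per the CA Service tier documentation the DevOps tier does not support certificate revocation or tracking of issued certificates, which deserves a one-line comment or README caveat so production users pick `ENTERPRISE` deliberately.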
14 changes: 7 additions & 7 deletions modules/certificate-authority-service/variables.tf
Expand Up @@ -24,7 +24,7 @@ variable "ca_configs" {
pem_ca_certificate = optional(string, null)
ignore_active_certificates_on_deletion = optional(bool, false)
skip_grace_period = optional(bool, true)
labels = optional(map(string), {})
labels = optional(map(string), null)
gcs_bucket = optional(string, null)
key_spec = optional(object({
algorithm = optional(string, "RSA_PKCS1_2048_SHA256")
Expand Down Expand Up @@ -61,15 +61,15 @@ variable "ca_configs" {
organization = "Test Example"
})
subject_alt_name = optional(object({
dns_names = optional(list(string), [])
email_addresses = optional(list(string), [])
ip_addresses = optional(list(string), [])
uris = optional(list(string), [])
}), {})
dns_names = optional(list(string), null)
email_addresses = optional(list(string), null)
ip_addresses = optional(list(string), null)
uris = optional(list(string), null)
}), null)
subordinate_config = optional(object({
root_ca_id = optional(string)
pem_issuer_certificates = optional(list(string))
}), {})
}), null)
}))
nullable = false
default = {
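Review bot: Nothing in the second hunk ties `subordinate_config` to `type`: with `subordinate_config` now defaulting to `null`, a config that sets `type = "SUBORDINATE"` but leaves `subordinate_config` unset, or passes `subordinate_config = {}` with neither `root_ca_id` nor `pem_issuer_certificates`, is only rejected by the provider at apply time instead of by a clear plan-time message. The `variable "ca_configs"` block starts above the first hunk and its `default` runs past the last line, so the `validation` blocks below would go after `default`, before the variable's closing brace. Assuming `type` takes the provider's `SELF_SIGNED`/`SUBORDINATE` values and that the provider accepts exactly one of `certificate_authority`/`pem_issuer_chain` (both worth confirming against the provider schema), I would add the following.
```hcl
variable "ca_configs" {
  # … unchanged: type, nullable, default …
  validation {
    condition = alltrue([
      for k, v in var.ca_configs :
      (v.subordinate_config == null) != (v.type == "SUBORDINATE")
    ])
    error_message = "subordinate_config must be set if and only if type is SUBORDINATE."
  }
  validation {
    condition = alltrue([
      for k, v in var.ca_configs :
      v.subordinate_config == null ? true : (
        (v.subordinate_config.root_ca_id == null) !=
        (v.subordinate_config.pem_issuer_certificates == null)
      )
    ])
    error_message = "Exactly one of subordinate_config.root_ca_id or subordinate_config.pem_issuer_certificates must be set."
  }
```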
