diff --git a/modules/certificate-authority-service/README.md b/modules/certificate-authority-service/README.md
index 85074033ba..13aabc7063 100644
--- a/modules/certificate-authority-service/README.md
+++ b/modules/certificate-authority-service/README.md
@@ -109,7 +109,7 @@ module "cas" {
| [ca_pool_config](variables.tf#L116) | The CA pool config. If you pass ca_pool_id, an existing pool is used. | object({…})
| ✓ | |
| [location](variables.tf#L140) | The location of the CAs. | string
| ✓ | |
| [project_id](variables.tf#L145) | Project id. | string
| ✓ | |
-| [ca_configs](variables.tf#L17) | The CA configurations. | map(object({…}))
| | {…}
|
+| [ca_configs](variables.tf#L17) | The CA configurations. | map(object({…}))
| | {…}
|
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string))
| | {}
|
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…}))
| | {}
|
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…}))
| | {}
|
diff --git a/modules/certificate-authority-service/main.tf b/modules/certificate-authority-service/main.tf
index 66d0872423..59d2be66f0 100644
--- a/modules/certificate-authority-service/main.tf
+++ b/modules/certificate-authority-service/main.tf
@@ -16,7 +16,7 @@
locals {
ca_pool_id = coalesce(
- var.ca_pool_config.ca_pool_id == null,
+ var.ca_pool_config.ca_pool_id,
try(google_privateca_ca_pool.ca_pool[0].name, null)
)
}
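Review bot: coalesce() on the new line 35 treats an empty string the same as null, so `ca_pool_id = ""` skips pool creation (the count in the next hunk tests `== null` only) and then leaves coalesce with no usable argument, which fails at plan time with a generic message. If the two arms are meant to agree, use the same test in both places, e.g. `ca_pool_id = var.ca_pool_config.ca_pool_id == null ? google_privateca_ca_pool.ca_pool[0].name : var.ca_pool_config.ca_pool_id`, or reject the empty string with a validation on ca_pool_config. The fallback is the pool's short `name` while the local is called ca_pool_id; a comment stating which form the consumers expect, e.g. `# short pool name (not the full resource path); presumably what the CA resources reference`, would avoid a future mismatch.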
@@ -24,8 +24,8 @@ resource "google_privateca_ca_pool" "ca_pool" {
count = var.ca_pool_config.ca_pool_id == null ? 1 : 0
name = var.ca_pool_config.name
project = var.project_id
- location = "europe-west8"
- tier = "DEVOPS"
+ location = var.location
+ tier = var.ca_pool_config.tier
}
resource "google_privateca_certificate_authority" "cas" {
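Review bot: tier on line 46 is now caller-supplied but nothing in this diff constrains it, so a wrong value surfaces only as an API error at apply; a `validation` on ca_pool_config limiting tier to `DEVOPS` and `ENTERPRISE` would fail at plan with a clear message. The choice also has an operational security consequence worth recording on the variable, since DEVOPS pools do not support revocation or CRL publishing and, if memory serves, the provider replaces the pool when tier changes: `# DEVOPS pools cannot revoke certificates or publish CRLs; use ENTERPRISE where revocation is required (tier is immutable after creation)`. The resource block starts before this hunk and the default for tier is not visible here.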
@@ -55,11 +55,14 @@ resource "google_privateca_certificate_authority" "cas" {
street_address = each.value.subject.street_address
postal_code = each.value.subject.postal_code
}
- subject_alt_name {
- dns_names = each.value.subject_alt_name.dns_names
- email_addresses = each.value.subject_alt_name.email_addresses
- ip_addresses = each.value.subject_alt_name.ip_addresses
- uris = each.value.subject_alt_name.uris
+ dynamic "subject_alt_name" {
+ for_each = each.value.subject_alt_name != null ? [1] : []
+ content {
+ dns_names = each.value.subject_alt_name.dns_names
+ email_addresses = each.value.subject_alt_name.email_addresses
+ ip_addresses = each.value.subject_alt_name.ip_addresses
+ uris = each.value.subject_alt_name.uris
+ }
}
}
x509_config {
@@ -95,10 +98,19 @@ resource "google_privateca_certificate_authority" "cas" {
cloud_kms_key_version = each.value.key_spec.kms_key_id
}
- subordinate_config {
- certificate_authority = each.value.subordinate_config.root_ca_id
- pem_issuer_chain {
- pem_certificates = each.value.subordinate_config.pem_issuer_certificates
+ dynamic "subordinate_config" {
+ for_each = each.value.subordinate_config != null ? [1] : []
+ content {
+ certificate_authority = each.value.subordinate_config.root_ca_id
+ dynamic "pem_issuer_chain" {
+ for_each = (
+ each.value.subordinate_config.pem_issuer_certificates != null
+ ? [1] : []
+ )
+ content {
+ pem_certificates = each.value.subordinate_config.pem_issuer_certificates
+ }
+ }
}
}
}
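Review bot: the inner `dynamic "pem_issuer_chain"` (lines 80–88) is gated on pem_issuer_certificates alone, so a subordinate_config passed as `{}` — both fields default to null in the variables.tf hunk that changes `}), {})` to `}), null)` — emits a `subordinate_config` block with neither certificate_authority nor an issuer chain, an input shape the variable change now makes legal. As far as I recall the provider requires exactly one of the two, so this is rejected only at apply; a `validation` block on ca_configs turns it into a plan-time error and documents the contract. The same applies when both fields are set, since the block would then carry two issuers. The enclosing resource block starts before this hunk.
```hcl
variable "ca_configs" {
  # … unchanged: type, nullable, default …
  validation {
    # try() keeps the expression safe when subordinate_config is null,
    # since Terraform does not short-circuit ||; "!=" on two bools is XOR.
    condition = alltrue([
      for k, v in var.ca_configs :
      v.subordinate_config == null ||
      (try(v.subordinate_config.root_ca_id, null) != null) !=
      (try(v.subordinate_config.pem_issuer_certificates, null) != null)
    ])
    error_message = "Each subordinate_config must set exactly one of root_ca_id or pem_issuer_certificates."
  }
}
```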
diff --git a/modules/certificate-authority-service/variables.tf b/modules/certificate-authority-service/variables.tf
index 92e23374cf..747625add7 100644
--- a/modules/certificate-authority-service/variables.tf
+++ b/modules/certificate-authority-service/variables.tf
@@ -24,7 +24,7 @@ variable "ca_configs" {
pem_ca_certificate = optional(string, null)
ignore_active_certificates_on_deletion = optional(bool, false)
skip_grace_period = optional(bool, true)
- labels = optional(map(string), {})
+ labels = optional(map(string), null)
gcs_bucket = optional(string, null)
key_spec = optional(object({
algorithm = optional(string, "RSA_PKCS1_2048_SHA256")
@@ -61,15 +61,15 @@ variable "ca_configs" {
organization = "Test Example"
})
subject_alt_name = optional(object({
- dns_names = optional(list(string), [])
- email_addresses = optional(list(string), [])
- ip_addresses = optional(list(string), [])
- uris = optional(list(string), [])
- }), {})
+ dns_names = optional(list(string), null)
+ email_addresses = optional(list(string), null)
+ ip_addresses = optional(list(string), null)
+ uris = optional(list(string), null)
+ }), null)
subordinate_config = optional(object({
root_ca_id = optional(string)
pem_issuer_certificates = optional(list(string))
- }), {})
+ }), null)
}))
nullable = false
default = {