diff --git a/modules/certificate-authority-service/README.md b/modules/certificate-authority-service/README.md
index 85074033ba..13aabc7063 100644
--- a/modules/certificate-authority-service/README.md
+++ b/modules/certificate-authority-service/README.md
@@ -109,7 +109,7 @@ module "cas" {
 | [ca_pool_config](variables.tf#L116) | The CA pool config. If you pass ca_pool_id, an existing pool is used. | object({…}) | ✓ | |
 | [location](variables.tf#L140) | The location of the CAs. | string | ✓ | |
 | [project_id](variables.tf#L145) | Project id. | string | ✓ | |
-| [ca_configs](variables.tf#L17) | The CA configurations. | map(object({…})) | | {…} |
+| [ca_configs](variables.tf#L17) | The CA configurations. | map(object({…})) | | {…} |
 | [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
 | [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
diff --git a/modules/certificate-authority-service/main.tf b/modules/certificate-authority-service/main.tf
index 66d0872423..59d2be66f0 100644
--- a/modules/certificate-authority-service/main.tf
+++ b/modules/certificate-authority-service/main.tf
@@ -16,7 +16,7 @@ locals {
 ca_pool_id = coalesce(
- var.ca_pool_config.ca_pool_id == null,
+ var.ca_pool_config.ca_pool_id,
 try(google_privateca_ca_pool.ca_pool[0].name, null)
 )
 }
@@ -24,8 +24,8 @@ resource "google_privateca_ca_pool" "ca_pool" {
 count = var.ca_pool_config.ca_pool_id == null ? 1 : 0
 name = var.ca_pool_config.name
 project = var.project_id
- location = "europe-west8"
- tier = "DEVOPS"
+ location = var.location
+ tier = var.ca_pool_config.tier
 }

 resource "google_privateca_certificate_authority" "cas" {
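Review bot: The two arms of `coalesce` in the `ca_pool_id` local do not obviously produce the same shape: the `try(...)` arm yields `google_privateca_ca_pool.ca_pool[0].name`, the pool's bare name, while a caller-supplied `ca_pool_id` (going by its name and the README row "If you pass ca_pool_id, an existing pool is used") presumably carries a full `projects/…/locations/…/caPools/…` id. Whatever consumes `local.ca_pool_id` is outside this hunk, so I cannot tell which format it expects, but both arms should agree; either switch the try arm to `.id` or state in the `ca_pool_config` description that `ca_pool_id` is the short pool name. A comment on the local would make the contract visible, e.g. `# bare pool name when the pool is created here; a caller-supplied ca_pool_id must use the same format`. Note also that nothing checks that an externally supplied pool lives in `var.project_id`/`var.location`, so a mismatch only surfaces at apply time.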
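Review bot: `tier` is now caller-controlled at `tier = var.ca_pool_config.tier` but nothing here warns what the choice implies; as far as I recall, DEVOPS-tier pools do not persist issued certificates, so they cannot be listed or revoked and no CRL can be published for them, which matters for any CA whose certificates may need to be revoked. The default lives in `var.ca_pool_config` outside this hunk; if it keeps the previously hard-coded `DEVOPS`, callers silently get a non-revocable pool. I would add `# DEVOPS pools do not store or revoke certificates; use ENTERPRISE when revocation/CRLs are required` next to the `tier` line and mirror it in the variable description. Both `location` and `tier` are, as far as I recall, immutable on a CA pool, so a later change to either plans a destroy/recreate of the pool, which is worth a sentence in the README as well.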
@@ -55,11 +55,14 @@ resource "google_privateca_certificate_authority" "cas" {
 street_address = each.value.subject.street_address
 postal_code = each.value.subject.postal_code
 }
- subject_alt_name {
- dns_names = each.value.subject_alt_name.dns_names
- email_addresses = each.value.subject_alt_name.email_addresses
- ip_addresses = each.value.subject_alt_name.ip_addresses
- uris = each.value.subject_alt_name.uris
+ dynamic "subject_alt_name" {
+ for_each = each.value.subject_alt_name != null ? [1] : []
+ content {
+ dns_names = each.value.subject_alt_name.dns_names
+ email_addresses = each.value.subject_alt_name.email_addresses
+ ip_addresses = each.value.subject_alt_name.ip_addresses
+ uris = each.value.subject_alt_name.uris
+ }
 }
 }
 x509_config {
@@ -95,10 +98,19 @@ resource "google_privateca_certificate_authority" "cas" {
 cloud_kms_key_version = each.value.key_spec.kms_key_id
 }

- subordinate_config {
- certificate_authority = each.value.subordinate_config.root_ca_id
- pem_issuer_chain {
- pem_certificates = each.value.subordinate_config.pem_issuer_certificates
+ dynamic "subordinate_config" {
+ for_each = each.value.subordinate_config != null ? [1] : []
+ content {
+ certificate_authority = each.value.subordinate_config.root_ca_id
+ dynamic "pem_issuer_chain" {
+ for_each = (
+ each.value.subordinate_config.pem_issuer_certificates != null
+ ? [1] : []
+ )
+ content {
+ pem_certificates = each.value.subordinate_config.pem_issuer_certificates
+ }
+ }
 }
 }
 }
diff --git a/modules/certificate-authority-service/variables.tf b/modules/certificate-authority-service/variables.tf
index 92e23374cf..747625add7 100644
--- a/modules/certificate-authority-service/variables.tf
+++ b/modules/certificate-authority-service/variables.tf
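Review bot: The guard on the new `dynamic "subject_alt_name"` only tests that the object is non-null, so a caller who passes `subject_alt_name = {}` gets a block whose four attributes are all null (the variable now defaults each list to null); whether the provider accepts an attribute-less `subject_alt_name` block I have not verified, but emitting it carries no information either way. A tighter guard keeps the block out unless at least one list is actually set: `for_each = try(anytrue([for v in values(each.value.subject_alt_name) : v != null]), false) ? [1] : []` — `values()` should be happy with the object since all four attributes are `list(string)`, and the `try` covers the null case. The enclosing `subject_config` block and the resource header start before this hunk.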
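Review bot: Inside the new `dynamic "subordinate_config"`, `certificate_authority` is set unconditionally (null when `root_ca_id` is unset) while `pem_issuer_chain` is only emitted when `pem_issuer_certificates` is set; as far as I recall the provider requires exactly one of those two, so a caller who passes `subordinate_config = {}`, or sets both fields, gets an opaque provider error late in plan/apply instead of a clear message. A `precondition` on the resource, placed before the closing brace at the end of this hunk, turns that into a readable failure at plan time. The resource header and most of its body are above this hunk.
```hcl
  # … unchanged: config, key_spec, subordinate_config blocks …
  lifecycle {
    precondition {
      condition = (
        each.value.subordinate_config == null ||
        (each.value.subordinate_config.root_ca_id != null) !=
        (each.value.subordinate_config.pem_issuer_certificates != null)
      )
      error_message = "subordinate_config needs exactly one of root_ca_id or pem_issuer_certificates."
    }
  }
```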
@@ -24,7 +24,7 @@ variable "ca_configs" {
 pem_ca_certificate = optional(string, null)
 ignore_active_certificates_on_deletion = optional(bool, false)
 skip_grace_period = optional(bool, true)
- labels = optional(map(string), {})
+ labels = optional(map(string), null)
 gcs_bucket = optional(string, null)
 key_spec = optional(object({
 algorithm = optional(string, "RSA_PKCS1_2048_SHA256")
@@ -61,15 +61,15 @@ variable "ca_configs" {
 organization = "Test Example"
 })
 subject_alt_name = optional(object({
- dns_names = optional(list(string), [])
- email_addresses = optional(list(string), [])
- ip_addresses = optional(list(string), [])
- uris = optional(list(string), [])
- }), {})
+ dns_names = optional(list(string), null)
+ email_addresses = optional(list(string), null)
+ ip_addresses = optional(list(string), null)
+ uris = optional(list(string), null)
+ }), null)
 subordinate_config = optional(object({
 root_ca_id = optional(string)
 pem_issuer_certificates = optional(list(string))
- }), {})
+ }), null)
 }))
 nullable = false
 default = {
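Review bot: The `null` defaults introduced for `subject_alt_name` and `subordinate_config` change what omitting a field means, and nothing in the variable says so: with the matching `dynamic` blocks in main.tf, `null` (the new default) suppresses the block entirely whereas an explicit `{}` still emits it with empty attributes, and `subordinate_config` is only meaningful with one of `root_ca_id` / `pem_issuer_certificates` set, both of which are optional with no default. I would add `# null omits the SAN block entirely; pass an object to emit it` above `subject_alt_name = optional(object({` and `# set for subordinate CAs only; give root_ca_id or pem_issuer_certificates, not both` above `subordinate_config = optional(object({`, and carry the same two points into the `ca_configs` description. The `variable "ca_configs"` block starts before and continues after this hunk.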