
Certificate Authority Service (CAS)

The module creates one or more CAs inside a CA pool, which it either creates for you or references by id when you pass an existing `ca_pool_id`. The examples below are the module's own test fixtures; the trailing `# tftest` comment on each block is used by the Fabric test suite and states how many modules and resources the example produces.

Examples

Basic CA infrastructure

This is enough to create a test CA pool and a self-signed root CA in it (two resources: the pool and the CA).

```hcl
module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
}
# tftest modules=1 resources=2 inventory=basic.yaml
```

Create custom CAs

You can create multiple, custom CAs in the same pool, each with its own key algorithm, key usage and subject. Anything you leave out (as in `root_ca_2` below, which sets only the subject) falls back to the module defaults.

```hcl
module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
  ca_configs = {
    root_ca_1 = {
      key_spec_algorithm = "RSA_PKCS1_4096_SHA256"
      key_usage = {
        client_auth = true
        server_auth = true
      }
    }
    root_ca_2 = {
      subject = {
        common_name  = "test2.example.com"
        organization = "Example"
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=custom_cas.yaml
```

Reference an existing CA pool

```hcl
module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    ca_pool_id = var.ca_pool_id
  }
}
# tftest modules=1 resources=1 inventory=existing_ca.yaml
```

IAM

You can assign authoritative and additive IAM roles to identities on the CA pool, using the usual Fabric interface (`iam`, `iam_bindings`, `iam_bindings_additive`, `iam_by_principals`). Keep the distinction in mind when granting certificate-issuing roles: `iam`, `iam_bindings` and `iam_by_principals` are authoritative for the roles they set, so any member of those roles that was added outside of this configuration is removed on the next apply, while `iam_bindings_additive` only adds the listed member and never removes anyone.

```hcl
module "cas" {
  source     = "./fabric/modules/certificate-authority-service"
  project_id = var.project_id
  location   = "europe-west1"
  ca_pool_config = {
    name = "test-cas"
  }
  iam = {
    "roles/privateca.certificateManager" = [
      var.service_account.iam_email
    ]
  }
  iam_bindings_additive = {
    cert-manager = {
      member = "group:${var.group_email}"
      role   = "roles/privateca.certificateManager"
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml
```
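The practical difference between the two forms is easiest to see on a pool that already has bindings. The following Python model is an added illustration, not code from the Fabric module: it applies an `iam` map and an `iam_bindings_additive` map, shaped like the example above, to a constructed pre-existing pool policy and reports which members would lose a role. The principal names and the existing policy are assumptions; `iam_bindings` and `iam_by_principals` are not modelled, and the model assumes additive members are applied after the authoritative role lists, without modelling provider-level drift when both target the same role.

```python
"""Model of authoritative vs additive IAM on a CA pool (illustrative only)."""

# Constructed: the pool's current policy, e.g. a member granted by hand
# in the console before this configuration was written.
EXISTING_POLICY = {
    "roles/privateca.certificateManager": {"user:legacy-admin@example.com"},
    "roles/privateca.auditor": {"group:sec-audit@example.com"},
}

# Values mirroring the README's IAM example; the principals are assumptions.
IAM = {
    "roles/privateca.certificateManager": [
        "serviceAccount:cert-issuer@my-project.iam.gserviceaccount.com",
    ],
}
IAM_BINDINGS_ADDITIVE = {
    "cert-manager": {
        "member": "group:cert-managers@example.com",
        "role": "roles/privateca.certificateManager",
    },
}


def apply_iam(policy, iam, iam_bindings_additive):
    """Return the pool policy after applying the two variables.

    `iam` is authoritative: the role's member list is replaced outright.
    `iam_bindings_additive` only adds a single member to a role.
    """
    result = {role: set(members) for role, members in policy.items()}
    for role, members in iam.items():
        result[role] = set(members)  # replace, never merge
    for binding in iam_bindings_additive.values():
        result.setdefault(binding["role"], set()).add(binding["member"])
    return result


def removed_members(before, after):
    """Members that lose a role on apply: the list to review for lock-outs."""
    removed = {}
    for role, members in before.items():
        lost = members - after.get(role, set())
        if lost:
            removed[role] = lost
    return removed


if __name__ == "__main__":
    after = apply_iam(EXISTING_POLICY, IAM, IAM_BINDINGS_ADDITIVE)
    for role, members in sorted(after.items()):
        print(role, sorted(members))
    # The legacy admin disappears because `iam` owns the whole role;
    # the group is added on top and the auditor binding is untouched.
    print("removed:", removed_members(EXISTING_POLICY, after))
```

Running it shows the legacy member dropped from `roles/privateca.certificateManager` while the additive group is added alongside the service account; with only `iam_bindings_additive` set, nothing is removed. That is the check to run mentally before putting an issuing role in `iam` on a pool that other teams already use.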

Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| ca_pool_config | The CA pool config. If you pass ca_pool_id, an existing pool is used. | object({…}) | ✓ | |
| location | The location of the CAs. | string | ✓ | |
| project_id | Project id. | string | ✓ | |
| ca_configs | The CA configurations. | map(object({…})) | | {…} |
| iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| iam_by_principals | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the iam variable. | map(list(string)) | | {} |

Outputs

| name | description | sensitive |
|---|---|:---:|
| ca_ids | The CA ids. | |
| ca_pool | The CA pool. | |
| ca_pool_id | The CA pool id. | |
| cas | The CAs. | |