Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/launchbynttdata/tf-aws-module_primitive-private_ca
https://github.com/launchbynttdata/tf-aws-module_primitive-private_ca
aws primitive terraform
Last synced: 5 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/launchbynttdata/tf-aws-module_primitive-private_ca
- Owner: launchbynttdata
- License: apache-2.0
- Created: 2024-05-02T20:56:39.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2024-10-21T21:20:40.000Z (3 months ago)
- Last Synced: 2024-11-09T06:07:19.168Z (2 months ago)
- Topics: aws, primitive, terraform
- Language: HCL
- Size: 87.9 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
# tf-aws-module_primitive-private_ca
[](https://opensource.org/licenses/Apache-2.0)
[](https://creativecommons.org/licenses/by-nc-nd/4.0/)
## Overview
This terraform module creates a Private CA in the AWS account.
## Usage
A sample variable file `example.tfvars` is available in the root directory which can be used to test this module. User needs to follow the below steps to execute this module
1. Update the `example.tfvars` to manually enter values for all fields marked within `<>` to make the variable file usable
2. Create a file `provider.tf` with the below contents
```
provider "aws" {
profile = ""
region = ""
}
```
If using `SSO`, make sure you are logged in `aws sso login --profile `
3. Make sure terraform binary is installed on your local. Use command `type terraform` to find the installation location. If you are using `asdf`, you can run `asfd install` and it will install the correct terraform version for you. `.tool-version` contains all the dependencies.
4. Run the `terraform` to provision infrastructure on AWS
```
# Initialize
terraform init
# Plan
terraform plan -var-file example.tfvars
# Apply (this is create the actual infrastructure)
terraform apply -var-file example.tfvars -auto-approve
```
## Known Issues
1. The `Encryption in transit` functionality is currently not supported by terraform. There is an open issue registered with the provider https://github.com/hashicorp/terraform-provider-aws/issues/26367
## Pre-Commit hooks
[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.
`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:
- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests
Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)
If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.
`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS
In order for `pre-commit` hooks to work properly
- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below
```
pre-commit install --hook-type commit-msg
```
## To test the resource group module locally
1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.
```
make configure
```
This adds in several files and directories that are ignored by `git`. They expose many new Make targets.
2. The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.
`make configure` command will bring down `aws_env.sh` file on local workstation. Developer would need to modify this file, replace the environment variable values with relevant values.
These environment variables are used by `terratest` integration suit.
Then run this make target to set the environment variables on developer workstation.
```
make env
```
3. The first target you care about is `check`.
**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `aws` specific. If primitive/segment under development uses any other cloud provider than AWS, this section may not be relevant.
- A file named `provider.tf` with contents below
```
provider "aws" {
profile = ""
region = ""
}
```
- A file named `terraform.tfvars` which contains key value pair of variables used.
Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.
After creating these files, for running tests associated with the primitive/segment, run
```
make check
```
If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.
`make check` target
- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests
# Know Issues
Currently, the `encrypt at transit` is not supported in terraform. There is an open issue for this logged with Hashicorp - https://github.com/hashicorp/terraform-provider-aws/pull/26987
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.0 |
| [aws](#requirement\_aws) | ~> 5.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.72.1 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [resource\_names](#module\_resource\_names) | terraform.registry.launch.nttdata.com/module_library/resource_name/launch | ~> 2.0 |
## Resources
| Name | Type |
|------|------|
| [aws_acmpca_certificate.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate) | resource |
| [aws_acmpca_certificate_authority.private_ca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority) | resource |
| [aws_acmpca_certificate_authority_certificate.ca_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority_certificate) | resource |
| [aws_acmpca_permission.ca_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_permission) | resource |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [logical\_product\_family](#input\_logical\_product\_family) | (Required) Name of the product family for which the resource is created.
Example: org\_name, department\_name. | `string` | `"launch"` | no |
| [logical\_product\_service](#input\_logical\_product\_service) | (Required) Name of the product service for which the resource is created.
For example, backend, frontend, middleware etc. | `string` | `"ecs"` | no |
| [environment](#input\_environment) | Environment in which the resource should be provisioned like dev, qa, prod etc. | `string` | `"dev"` | no |
| [environment\_number](#input\_environment\_number) | The environment count for the respective environment. Defaults to 000. Increments in value of 1 | `string` | `"000"` | no |
| [resource\_number](#input\_resource\_number) | The resource count for the respective resource. Defaults to 000. Increments in value of 1 | `string` | `"000"` | no |
| [region](#input\_region) | AWS Region in which the infra needs to be provisioned | `string` | `"us-east-2"` | no |
| [key\_algorithm](#input\_key\_algorithm) | Type of public key algorithm to use for this CA | `string` | `"RSA_4096"` | no |
| [signing\_algorithm](#input\_signing\_algorithm) | Name of the algorithm your private CA uses to sign certificate requests. | `string` | `"SHA512WITHRSA"` | no |
| [subject](#input\_subject) | Contains information about the certificate subject. Identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. |
object({
country = optional(string)
distinguished_name_qualifier = optional(string)
generation_qualifier = optional(string)
given_name = optional(string)
initials = optional(string)
locality = optional(string)
organization = optional(string)
organizational_unit = optional(string)
state = optional(string)
}) | {
"country": "US",
"organization": "Launch by NTT DATA",
"organizational_unit": "DSO",
"state": "Texas"
} | no |
| [permanent\_deletion\_time\_in\_days](#input\_permanent\_deletion\_time\_in\_days) | Number of days to make a CA restorable after it has been deleted,
must be between 7 to 30 days, with default to 30 days. | `number` | `7` | no |
| [usage\_mode](#input\_usage\_mode) | Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism,
or short-lived certificates that may optionally omit revocation because they expire quickly. | `string` | `"GENERAL_PURPOSE"` | no |
| [enabled](#input\_enabled) | Whether the certificate authority is enabled or disabled. | `bool` | `true` | no |
| [type](#input\_type) | Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE. | `string` | `"ROOT"` | no |
| [ca\_certificate\_validity](#input\_ca\_certificate\_validity) | Configures end of the validity period for the CA ROOT certificate. Defaults to 1 year | object({
type = string
value = number
}) | {
"type": "YEARS",
"value": 10
} | no |
| [tags](#input\_tags) | A map of custom tags to be associated with the cache cluster | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| [resource\_name\_tag](#output\_resource\_name\_tag) | n/a |
| [private\_ca\_arn](#output\_private\_ca\_arn) | ARN of Private CA |
| [private\_ca\_id](#output\_private\_ca\_id) | ID of the private CA |
| [private\_ca\_type](#output\_private\_ca\_type) | Type of the private CA |
| [private\_ca\_usage\_mode](#output\_private\_ca\_usage\_mode) | Usage mode of the private CA |
| [private\_ca\_key\_algorithm](#output\_private\_ca\_key\_algorithm) | Configuration of the private CA |
| [private\_ca\_signing\_algorithm](#output\_private\_ca\_signing\_algorithm) | Configuration of the private CA |