https://github.com/philippechepy/terraform-tls-certificate
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/philippechepy/terraform-tls-certificate
- Owner: PhilippeChepy
- Created: 2021-12-05T17:23:48.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2022-04-05T21:05:33.000Z (about 4 years ago)
- Last Synced: 2025-01-20T15:19:51.225Z (over 1 year ago)
- Language: HCL
- Size: 4.88 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Terraform PKI: Certificate
This module allows one to build a TLS certificate and its associated private key.
Part of this collection:
- https://github.com/PhilippeChepy/terraform-tls-root-ca
- https://github.com/PhilippeChepy/terraform-tls-intermediate-ca
- https://github.com/PhilippeChepy/terraform-tls-certificate
## Example usage
With a root CA certificate generated by the [Root CA module](https://github.com/PhilippeChepy/terraform-tls-root-ca):
```
module "etcd_ca_certificates" {
  source = "git@github.com:PhilippeChepy/terraform-tls-root-ca.git"

  common_name           = "Etcd CA"
  validity_period_hours = 87660
}

module "etcd_server_certificate" {
  source   = "git@github.com:PhilippeChepy/terraform-tls-certificate.git"
  for_each = module.etcd_cluster.instances

  signing_key_pem  = module.etcd_ca_certificates.private_key_pem
  signing_cert_pem = module.etcd_ca_certificates.certificate_pem

  common_name = each.value.hostname
  dns_sans    = [each.value.hostname]
  ip_sans = concat(
    length(each.value.ipv4_address) != 0 ? [each.value.ipv4_address] : [],
    length(each.value.ipv6_address) != 0 ? [each.value.ipv6_address] : [],
  )

  server_auth = true
  client_auth = true

  validity_period_hours = 87660
}
```
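A second usage sketch, added here and not taken from the project's README: a client-only certificate with an ECDSA P-384 key, signed by the same root CA module as above. The module label `etcd_client_certificate`, the `common_name` and `organization` values, the 90-day lifetime, and the two root-level output names are assumptions made for illustration; every input and output used on the module is one documented on this page.

```hcl
# Added example (not the project's own code): client-only certificate for an
# etcd client, signed by the root CA declared in the example above.
module "etcd_client_certificate" {
  source = "git@github.com:PhilippeChepy/terraform-tls-certificate.git"

  signing_key_pem  = module.etcd_ca_certificates.private_key_pem
  signing_cert_pem = module.etcd_ca_certificates.certificate_pem

  common_name  = "etcd-client" # hypothetical name
  organization = "example-org" # hypothetical value

  # Override the documented defaults: key_algorithm defaults to RSA, and the
  # ECDSA curve falls back to P224 when ecdsa_curve is left at null.
  key_algorithm = "ECDSA"
  ecdsa_curve   = "P384"

  # server_auth defaults to true, so it must be disabled explicitly for a
  # certificate that should only ever authenticate a client.
  server_auth = false
  client_auth = true

  # Hypothetical lifetime: 90 days, much shorter than the CA above.
  validity_period_hours = 2160
}

# The certificate is public material and can be exported as-is.
output "etcd_client_certificate_pem" {
  value = module.etcd_client_certificate.certificate_pem
}

# Mark the key as sensitive so it is redacted from plan/apply output.
output "etcd_client_private_key_pem" {
  value     = module.etcd_client_certificate.private_key_pem
  sensitive = true
}
```

`sensitive = true` only hides the value in CLI output: keys created by `tls_private_key` are stored unencrypted in the Terraform state, so the state backend needs encryption at rest and restricted access.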
## Requirements
No requirements.
## Providers
The following providers are used by this module:
## Modules
No modules.
## Resources
The following resources are used by this module:
- [tls_cert_request.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) (resource)
- [tls_locally_signed_cert.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) (resource)
- [tls_private_key.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) (resource)
## Required Inputs
The following input variables are required:
### [common\_name](#input\_common\_name)
Description: Define the certificate common name.
Type: `string`
### [signing\_cert\_pem](#input\_signing\_cert\_pem)
Description: The root or intermediate certificate used to sign this certificate.
Type: `string`
### [signing\_key\_pem](#input\_signing\_key\_pem)
Description: The private key used to sign this certificate.
Type: `string`
### [validity\_period\_hours](#input\_validity\_period\_hours)
Description: The certificate will expire after this amount of time.
Type: `number`
## Optional Inputs
The following input variables are optional (have default values):
### [client\_auth](#input\_client\_auth)
Description: Allow the certificate to be used for client authentication.
Type: `bool`
Default: `false`
### [dns\_sans](#input\_dns\_sans)
Description: Set a list of DNS names as SANs (subject alternative names).
Type: `set(string)`
Default: `[]`
### [ecdsa\_curve](#input\_ecdsa\_curve)
Description: May be any of 'P224', 'P256', 'P384' or 'P521', with 'P224' as the default.
Type: `string`
Default: `null`
### [ip\_sans](#input\_ip\_sans)
Description: Define a list of IP addresses as SANs (subject alternative names).
Type: `set(string)`
Default: `[]`
### [key\_algorithm](#input\_key\_algorithm)
Description: Key Algorithm (e.g. 'RSA' or 'ECDSA'), with 'RSA' as the default.
Type: `string`
Default: `"RSA"`
### [organization](#input\_organization)
Description: Define the certificate organization.
Type: `string`
Default: `null`
### [rsa\_bits](#input\_rsa\_bits)
Description: Defaults to '4096' bits.
Type: `string`
Default: `4096`
### [server\_auth](#input\_server\_auth)
Description: Allow the certificate to be used for server authentication.
Type: `bool`
Default: `true`
## Outputs
The following outputs are exported:
### [bundle\_pem](#output\_bundle\_pem)
Description: A bundle containing the private key and the resulting certificate.
### [certificate\_bundle\_pem](#output\_certificate\_bundle\_pem)
Description: A bundle containing both the signing and the resulting certificates.
### [certificate\_pem](#output\_certificate\_pem)
Description: The resulting certificate.
### [private\_key\_pem](#output\_private\_key\_pem)
Description: The private key of the certificate.