96 lines
2.2 KiB
HCL
96 lines
2.2 KiB
HCL
/**
|
|
* Copyright © 2014-2022 HashiCorp, Inc.
|
|
*
|
|
* This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*
|
|
*/
|
|
|
|
# Generate a private key so you can create a CA cert with it.
|
|
resource "tls_private_key" "ca" {
|
|
algorithm = "RSA"
|
|
rsa_bits = 2048
|
|
}
|
|
|
|
# Create a CA cert with the private key you just generated.
|
|
resource "tls_self_signed_cert" "ca" {
|
|
private_key_pem = tls_private_key.ca.private_key_pem
|
|
|
|
subject {
|
|
common_name = "ca.vault.server.com"
|
|
}
|
|
|
|
validity_period_hours = 720 # 30 days
|
|
|
|
allowed_uses = [
|
|
"cert_signing",
|
|
"crl_signing",
|
|
]
|
|
|
|
is_ca_certificate = true
|
|
|
|
# provisioner "local-exec" {
|
|
# command = "echo '${tls_self_signed_cert.ca.cert_pem}' > ./vault-ca.pem"
|
|
# }
|
|
}
|
|
|
|
# Generate another private key. This one will be used
|
|
# To create the certs on your Vault nodes
|
|
resource "tls_private_key" "server" {
|
|
algorithm = "RSA"
|
|
rsa_bits = 2048
|
|
|
|
# provisioner "local-exec" {
|
|
# command = "echo '${tls_private_key.server.private_key_pem}' > ./vault-key.pem"
|
|
# }
|
|
}
|
|
|
|
resource "tls_cert_request" "server" {
|
|
private_key_pem = tls_private_key.server.private_key_pem
|
|
|
|
subject {
|
|
common_name = "vault.server.com"
|
|
}
|
|
|
|
dns_names = [
|
|
var.shared_san,
|
|
"localhost",
|
|
]
|
|
|
|
ip_addresses = [
|
|
"127.0.0.1",
|
|
]
|
|
}
|
|
|
|
resource "tls_locally_signed_cert" "server" {
|
|
cert_request_pem = tls_cert_request.server.cert_request_pem
|
|
ca_private_key_pem = tls_private_key.ca.private_key_pem
|
|
ca_cert_pem = tls_self_signed_cert.ca.cert_pem
|
|
|
|
validity_period_hours = 720 # 30 days
|
|
|
|
allowed_uses = [
|
|
"client_auth",
|
|
"digital_signature",
|
|
"key_agreement",
|
|
"key_encipherment",
|
|
"server_auth",
|
|
]
|
|
|
|
# provisioner "local-exec" {
|
|
# command = "echo '${tls_locally_signed_cert.server.cert_pem}' > ./vault-crt.pem"
|
|
# }
|
|
}
|
|
|
|
locals {
|
|
tls_data = {
|
|
vault_ca = base64encode(tls_self_signed_cert.ca.cert_pem)
|
|
vault_cert = base64encode(tls_locally_signed_cert.server.cert_pem)
|
|
vault_pk = base64encode(tls_private_key.server.private_key_pem)
|
|
}
|
|
}
|
|
|
|
locals {
|
|
secret = jsonencode(local.tls_data)
|
|
}
|
|
|