F refactor (#1)

* Initial commit * Update output names * Update outputs to fix warning * Fix output warnings * Add self signed cert PEM to outputs * Use HTTPS instead of SSH for module sources * Update gitignore * Update module outputs * Remove element hack and don't download certs * Update module * Update list defaults * Remove f-refactor branch
hashicorp-modules · Apr 30, 2018 · d0d0b1f · d0d0b1f
1 parent a1009d2
commit d0d0b1f
Show file tree

Hide file tree

Showing 29 changed files with 1,155 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,10 @@
+# Compiled files
+*.tfstate
+*.tfstate.backup
+*.tfstate.lock.info
+
+# Directories
+.terraform/
+
+# SSH Keys
+*.pem
diff --git a/README.md b/README.md
@@ -1 +1,69 @@
-# tls-self-signed-cert
+# TLS Self Signed Cert Terraform Module
+
+- Generates a secure RSA or ECDAS private key for the CA cert
+- Generates a self signed CA cert
+- Generates a secure RSA or ECDAS private key for the leaf cert
+- Generates a TLS certificate request for the leaf cert
+- Generates a locally signed leaf cert
+- Encodes the private keys as PEM
+
+Checkout [examples](./examples) for fully functioning examples.
+
+## Environment Variables
+
+This module doesn't require any environment variables to be set.
+
+## Input Variables
+
+- `create`: [Optional] Create Module, defaults to true.
+- `name`: [Optional] Filename to write the private key data to, default to "tls-private-key".
+- `algorithm`: [Optional] The name of the algorithm to use for the key. Currently-supported values are "RSA" and "ECDSA". Defaults to "RSA".
+- `rsa_bits`: [Optional] When algorithm is "RSA", the size of the generated RSA key in bits. Defaults to "2048".
+- `ecdsa_curve`: [Optional] When algorithm is "ECDSA", the name of the elliptic curve to use. May be any one of "P224", "P256", "P384" or "P521". Defaults to "P224".
+- `permissions`: [Optional] The Unix file permission to assign to the cert files (e.g. 0600), defaults to "0600".
+- `validity_period_hours`: [Required] The number of hours after initial issuing that the certificate will become invalid.
+- `ca_allowed_uses`: [Optional] List of keywords from RFC5280 describing a use that is permitted for the CA certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses.
+- `ca_common_name`: [Optional] The common name to use in the subject of the CA certificate (e.g. hashicorp.com).
+- `organization_name`: [Required] The name of the organization to associate with the certificates (e.g. HashiCorp Inc.).
+- `allowed_uses`: [Required] List of keywords from RFC5280 describing a use that is permitted for the issued certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses.
+- `common_name`: [Required] The common name to use in the subject of the certificate (e.g. hashicorp.com).
+- `dns_names`: [Required] List of DNS names for which the certificate will be valid (e.g. foo.hashicorp.com), defaults to empty list.
+- `ip_addresses`: [Required] List of IP addresses for which the certificate will be valid (e.g. 127.0.0.1), defaults to empty list.
+- `ca_override`: [Optional] Don't create a CA cert, override with the provided CA to sign certs withr
+- `ca_key_override`: [Optional] CA private key pem override.
+- `ca_cert_override`: [Optional] CA cert pem override.
+- `download_certs`: [Optional] Download certs locally, defaults to false.
+
+## Outputs
+
+- `algorithm`: The algorithm that was selected for the key.
+- `ca_cert_pem`: The CA cert data in PEM format.
+- `ca_cert_validity_start_time`: The time after which the CA certificate is valid, as an RFC3339 timestamp.
+- `ca_cert_validity_end_time`: The time until which the CA certificate is invalid, as an RFC3339 timestamp.
+- `ca_private_key_pem`: The CA cert private key data in PEM format.
+- `ca_private_key_name`: The CA cert private key filename.
+- `ca_private_key_filename`: The CA cert private key filename with file extension.
+- `ca_public_key_pem`: The CA cert public key data in PEM format.
+- `ca_public_key_openssh`: The CA cert public key data in OpenSSH authorized_keys format, if the selected private key format is compatible. All RSA keys are supported, and ECDSA keys with curves "P256", "P384" and "P251" are supported. This attribute is empty if an incompatible ECDSA curve is selected.
+
+- `leaf_private_key_pem`: The Leaf cert private key data in PEM format.
+- `leaf_private_key_name`: The Leaf cert private key filename.
+- `leaf_private_key_filename`: The Leaf cert private key filename with file extension.
+- `leaf_public_key_pem`: The Leaf cert public key data in PEM format.
+- `leaf_public_key_openssh`: The Leaf cert public key data in OpenSSH authorized_keys format, if the selected private key format is compatible. All RSA keys are supported, and ECDSA keys with curves "P256", "P384" and "P251" are supported. This attribute is empty if an incompatible ECDSA curve is selected.
+- `leaf_cert_request_pem`: The Leaf cert request data in PEM format.
+- `leaf_cert_pem`: The Leaf cert data in PEM format.
+- `leaf_cert_validity_start_time`: The time after which the leaf certificate is valid, as an RFC3339 timestamp.
+- `leaf_cert_validity_end_time`: The time until which the leaf certificate is invalid, as an RFC3339 timestamp.
+
+## Submodules
+
+This module has no submodules.
+
+## Authors
+
+HashiCorp Solutions Engineering Team.
+
+## License
+
+Mozilla Public License Version 2.0. See LICENSE for full details.
diff --git a/examples/advanced-ecdsa/main.tf b/examples/advanced-ecdsa/main.tf
@@ -0,0 +1,16 @@
+module "tls_self_signed_cert" {
+  # source = "github.com/hashicorp-modules/tls-self-signed-cert"
+  source = "../../../tls-self-signed-cert"
+
+  create                = "${var.create}"
+  name                  = "${var.name}"
+  algorithm             = "${var.algorithm}"
+  ecdsa_curve           = "${var.ecdsa_curve}"
+  validity_period_hours = "${var.validity_period_hours}"
+  ca_common_name        = "${var.ca_common_name}"
+  organization_name     = "${var.organization_name}"
+  common_name           = "${var.common_name}"
+  dns_names             = "${var.dns_names}"
+  ip_addresses          = "${var.ip_addresses}"
+  download_certs        = true
+}
diff --git a/examples/advanced-ecdsa/outputs.tf b/examples/advanced-ecdsa/outputs.tf
@@ -0,0 +1,94 @@
+output "zREADME" {
+  value = <<README
+- Generated a secure RSA or ECDAS private key for the CA cert
+- Generated a self signed CA cert
+- Generated a secure RSA or ECDAS private key for the leaf cert
+- Generated a TLS certificate request for the leaf cert
+- Generated a locally signed leaf cert
+- Encoded the private keys as PEM
+- Downloaded the private keys locally and updated the file permissions appropriately
+
+${module.tls_self_signed_cert.zREADME}
+README
+}
+
+output "algorithm" {
+  value = "${var.algorithm}"
+}
+
+# CA - TLS private key
+output "ca_private_key_pem" {
+  value = "${module.tls_self_signed_cert.ca_private_key_pem}"
+}
+
+output "ca_public_key_pem" {
+  value = "${module.tls_self_signed_cert.ca_public_key_pem}"
+}
+
+output "ca_public_key_openssh" {
+  value = "${module.tls_self_signed_cert.ca_public_key_openssh}"
+}
+
+# CA - TLS self signed cert
+output "ca_cert_name" {
+  value = "${module.tls_self_signed_cert.ca_cert_name}"
+}
+
+output "ca_cert_filename" {
+  value = "${module.tls_self_signed_cert.ca_cert_filename}"
+}
+
+output "ca_cert_pem" {
+  value = "${module.tls_self_signed_cert.ca_cert_pem}"
+}
+
+output "ca_cert_validity_start_time" {
+  value = "${module.tls_self_signed_cert.ca_cert_validity_start_time}"
+}
+
+output "ca_cert_validity_end_time" {
+  value = "${module.tls_self_signed_cert.ca_cert_validity_end_time}"
+}
+
+# Leaf - TLS private key
+output "leaf_private_key_pem" {
+  value = "${module.tls_self_signed_cert.leaf_private_key_pem}"
+}
+
+output "leaf_private_key_filename" {
+  value = "${module.tls_self_signed_cert.leaf_private_key_filename}"
+}
+
+output "leaf_public_key_pem" {
+  value = "${module.tls_self_signed_cert.leaf_public_key_pem}"
+}
+
+output "leaf_public_key_openssh" {
+  value = "${module.tls_self_signed_cert.leaf_public_key_openssh}"
+}
+
+# Leaf - TLS cert request
+output "leaf_cert_request_pem" {
+  value = "${module.tls_self_signed_cert.leaf_cert_request_pem}"
+}
+
+# Leaf - TLS locally signed cert
+output "leaf_cert_name" {
+  value = "${module.tls_self_signed_cert.leaf_cert_name}"
+}
+
+output "leaf_cert_filename" {
+  value = "${module.tls_self_signed_cert.leaf_cert_filename}"
+}
+
+output "leaf_cert_pem" {
+  value = "${module.tls_self_signed_cert.leaf_cert_pem}"
+}
+
+output "leaf_cert_validity_start_time" {
+  value = "${module.tls_self_signed_cert.leaf_cert_validity_start_time}"
+}
+
+output "leaf_cert_validity_end_time" {
+  value = "${module.tls_self_signed_cert.leaf_cert_validity_end_time}"
+}
diff --git a/examples/advanced-ecdsa/terraform.tfvars b/examples/advanced-ecdsa/terraform.tfvars
@@ -0,0 +1,10 @@
+create                = true
+name                  = "advanced-ecdsa"
+algorithm             = "ECDSA"
+ecdsa_curve           = "P521"
+validity_period_hours = "48"
+ca_common_name        = "advanced-ecdsa.com"
+organization_name     = "Advanced ECDSA Inc."
+common_name           = "advanced-ecdsa.com"
+dns_names             = ["foo.advanced-ecdsa.com", "bar.advanced-ecdsa.com",]
+ip_addresses          = ["127.0.0.1", "0.0.0.0",]
diff --git a/examples/advanced-ecdsa/variables.tf b/examples/advanced-ecdsa/variables.tf
@@ -0,0 +1,10 @@
+variable "create"                { }
+variable "name"                  { }
+variable "algorithm"             { }
+variable "ecdsa_curve"           { }
+variable "validity_period_hours" { }
+variable "ca_common_name"        { }
+variable "organization_name"     { }
+variable "common_name"           { }
+variable "dns_names"             { type = "list" }
+variable "ip_addresses"          { type = "list" }
diff --git a/examples/advanced-rsa/main.tf b/examples/advanced-rsa/main.tf
@@ -0,0 +1,16 @@
+module "tls_self_signed_cert" {
+  # source = "github.com/hashicorp-modules/tls-self-signed-cert"
+  source = "../../../tls-self-signed-cert"
+
+  create                = "${var.create}"
+  name                  = "${var.name}"
+  algorithm             = "${var.algorithm}"
+  rsa_bits              = "${var.rsa_bits}"
+  validity_period_hours = "${var.validity_period_hours}"
+  ca_common_name        = "${var.ca_common_name}"
+  organization_name     = "${var.organization_name}"
+  common_name           = "${var.common_name}"
+  dns_names             = "${var.dns_names}"
+  ip_addresses          = "${var.ip_addresses}"
+  download_certs        = true
+}
diff --git a/examples/advanced-rsa/outputs.tf b/examples/advanced-rsa/outputs.tf
@@ -0,0 +1,94 @@
+output "zREADME" {
+  value = <<README
+- Generated a secure RSA or ECDAS private key for the CA cert
+- Generated a self signed CA cert
+- Generated a secure RSA or ECDAS private key for the leaf cert
+- Generated a TLS certificate request for the leaf cert
+- Generated a locally signed leaf cert
+- Encoded the private keys as PEM
+- Downloaded the private keys locally and updated the file permissions appropriately
+
+${module.tls_self_signed_cert.zREADME}
+README
+}
+
+output "algorithm" {
+  value = "${var.algorithm}"
+}
+
+# CA - TLS private key
+output "ca_private_key_pem" {
+  value = "${module.tls_self_signed_cert.ca_private_key_pem}"
+}
+
+output "ca_public_key_pem" {
+  value = "${module.tls_self_signed_cert.ca_public_key_pem}"
+}
+
+output "ca_public_key_openssh" {
+  value = "${module.tls_self_signed_cert.ca_public_key_openssh}"
+}
+
+# CA - TLS self signed cert
+output "ca_cert_name" {
+  value = "${module.tls_self_signed_cert.ca_cert_name}"
+}
+
+output "ca_cert_filename" {
+  value = "${module.tls_self_signed_cert.ca_cert_filename}"
+}
+
+output "ca_cert_pem" {
+  value = "${module.tls_self_signed_cert.ca_cert_pem}"
+}
+
+output "ca_cert_validity_start_time" {
+  value = "${module.tls_self_signed_cert.ca_cert_validity_start_time}"
+}
+
+output "ca_cert_validity_end_time" {
+  value = "${module.tls_self_signed_cert.ca_cert_validity_end_time}"
+}
+
+# Leaf - TLS private key
+output "leaf_private_key_pem" {
+  value = "${module.tls_self_signed_cert.leaf_private_key_pem}"
+}
+
+output "leaf_private_key_filename" {
+  value = "${module.tls_self_signed_cert.leaf_private_key_filename}"
+}
+
+output "leaf_public_key_pem" {
+  value = "${module.tls_self_signed_cert.leaf_public_key_pem}"
+}
+
+output "leaf_public_key_openssh" {
+  value = "${module.tls_self_signed_cert.leaf_public_key_openssh}"
+}
+
+# Leaf - TLS cert request
+output "leaf_cert_request_pem" {
+  value = "${module.tls_self_signed_cert.leaf_cert_request_pem}"
+}
+
+# Leaf - TLS locally signed cert
+output "leaf_cert_name" {
+  value = "${module.tls_self_signed_cert.leaf_cert_name}"
+}
+
+output "leaf_cert_filename" {
+  value = "${module.tls_self_signed_cert.leaf_cert_filename}"
+}
+
+output "leaf_cert_pem" {
+  value = "${module.tls_self_signed_cert.leaf_cert_pem}"
+}
+
+output "leaf_cert_validity_start_time" {
+  value = "${module.tls_self_signed_cert.leaf_cert_validity_start_time}"
+}
+
+output "leaf_cert_validity_end_time" {
+  value = "${module.tls_self_signed_cert.leaf_cert_validity_end_time}"
+}
diff --git a/examples/advanced-rsa/terraform.tfvars b/examples/advanced-rsa/terraform.tfvars
@@ -0,0 +1,10 @@
+create                = true
+name                  = "advanced-rsa"
+algorithm             = "RSA"
+rsa_bits              = "3072"
+validity_period_hours = "36"
+ca_common_name        = "advanced-rsa.com"
+organization_name     = "Advanced RSA Inc."
+common_name           = "advanced-rsa.com"
+dns_names             = ["foo.advanced-rsa.com", "bar.advanced-rsa.com",]
+ip_addresses          = ["127.0.0.1", "0.0.0.0",]
diff --git a/examples/advanced-rsa/variables.tf b/examples/advanced-rsa/variables.tf
@@ -0,0 +1,10 @@
+variable "create"                { }
+variable "name"                  { }
+variable "algorithm"             { }
+variable "rsa_bits"              { }
+variable "validity_period_hours" { }
+variable "ca_common_name"        { }
+variable "organization_name"     { }
+variable "common_name"           { }
+variable "dns_names"             { type = "list" }
+variable "ip_addresses"          { type = "list" }
diff --git a/examples/ca-override/main.tf b/examples/ca-override/main.tf
@@ -0,0 +1,37 @@
+module "tls_self_signed_cert" {
+  # source = "github.com/hashicorp-modules/tls-self-signed-cert"
+  source = "../../../tls-self-signed-cert"
+
+  create                = "${var.create}"
+  name                  = "${var.name}"
+  algorithm             = "${var.algorithm}"
+  rsa_bits              = "${var.rsa_bits}"
+  validity_period_hours = "${var.validity_period_hours}"
+  ca_common_name        = "${var.ca_common_name}"
+  organization_name     = "${var.organization_name}"
+  common_name           = "${var.common_name}"
+  dns_names             = "${var.dns_names}"
+  ip_addresses          = "${var.ip_addresses}"
+  download_certs        = true
+}
+
+module "tls_self_signed_cert_override" {
+  # source = "github.com/hashicorp-modules/tls-self-signed-cert"
+  source = "../../../tls-self-signed-cert"
+
+  create                = "${var.create}"
+  name                  = "${var.name}-override"
+  algorithm             = "${var.algorithm}"
+  rsa_bits              = "${var.rsa_bits}"
+  validity_period_hours = "${var.validity_period_hours}"
+  ca_common_name        = "${var.ca_common_name}"
+  organization_name     = "${var.organization_name}"
+  common_name           = "${var.common_name}"
+  dns_names             = "${var.dns_names}"
+  ip_addresses          = "${var.ip_addresses}"
+  download_certs        = true
+
+  ca_override      = true
+  ca_key_override  = "${module.tls_self_signed_cert.ca_private_key_pem}"
+  ca_cert_override = "${module.tls_self_signed_cert.ca_cert_pem}"
+}