ecpki.tf
# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/mount
# PKI secrets engine mounted at "ecpki". The other resources in this file
# reference vault_mount.ecpki.path instead of repeating the literal path.
resource "vault_mount" "ecpki" {
  path        = "ecpki"
  type        = "pki"
  description = "EC PKI mount"

  # Lease TTLs in seconds: default 1 year, hard cap 10 years. The root CA TTL
  # below must stay within max_lease_ttl_seconds.
  default_lease_ttl_seconds = 31536000  # 365 * 24 * 3600
  max_lease_ttl_seconds     = 315360000 # 10 * 365 * 24 * 3600
}
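# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_root_cert
# Self-signed ("internal") root CA on the ecpki mount. With type = "internal"
# the private key is generated inside Vault and is never returned.
resource "vault_pki_secret_backend_root_cert" "vault_ec_pki_ca" {
  # The reference to vault_mount.ecpki.path already orders this resource after
  # the mount, so the explicit depends_on that used to be here was redundant.
  backend = vault_mount.ecpki.path
  type    = "internal"

  common_name          = "Vault Lab EC Root CA"
  ou                   = "Lab"
  organization         = "Home"
  exclude_cn_from_sans = true

  # 10 years; must be <= max_lease_ttl_seconds of the mount.
  ttl    = "315360000"
  format = "pem"
  # private_key_format = "der"

  # Supported key types: 'rsa', 'ed25519' or 'ec'. With key_type = "ec",
  # key_bits = 521 selects the P-521 curve.
  key_type = "ec"
  key_bits = 521
}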
# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_config_urls
# AIA and CRL distribution point URLs embedded in certificates issued from the
# ecpki mount; both point back at this Vault's own PKI endpoints over HTTPS.
resource "vault_pki_secret_backend_config_urls" "ec_config_urls" {
  backend = vault_mount.ecpki.path

  issuing_certificates    = ["https://iamvault.internal.e-corp.com/v1/ecpki/ca"]
  crl_distribution_points = ["https://iamvault.internal.e-corp.com/v1/ecpki/crl"]

  # WARNING: this file assumes Vault does NOT host its own OCSP responder, so
  # the URL would have to point at an external responder that you run yourself
  # (e.g. https://github.com/T-Systems-MMS/vault-ocsp).
  # NOTE(review): newer Vault releases ship a built-in OCSP responder under the
  # mount's /ocsp endpoint — confirm against the Vault version in use. Note also
  # that the commented example below uses the mount path "pki", not "ecpki".
  # ocsp_servers = ["http://127.0.0.1:8200/v1/pki/ocsp"]
}
# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_crl_config
# CRL settings for the ecpki mount: CRL generation stays enabled
# (disable = false) and each CRL expires 72 hours after it is built.
resource "vault_pki_secret_backend_crl_config" "ec_crl_config" {
  backend = vault_mount.ecpki.path
  disable = false
  expiry  = "72h"
}
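# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_role
# Issuance role for server (and mutual-TLS) certificates. Names are limited to
# internal.e-corp.com / kube.internal.e-corp.com and their subdomains, plus
# localhost and IP SANs.
resource "vault_pki_secret_backend_role" "ec_server_role" {
  backend = vault_mount.ecpki.path
  name    = "ec-server-certificates"

  # 1 year, in seconds.
  ttl = 31536000

  # Supported key types: 'rsa', 'ed25519' or 'ec'; key_bits = 521 selects P-521.
  key_type = "ec"
  key_bits = 521

  # Name restrictions. In Vault, allow_any_name takes precedence over
  # allowed_domains: with it set to true the domain list below was never
  # enforced, so it is now false to make the "SAN restriction" actually apply.
  allow_any_name = false
  allowed_domains = [
    "internal.e-corp.com",
    "kube.internal.e-corp.com",
  ]
  allow_subdomains  = true
  allow_localhost   = true
  allow_ip_sans     = true
  enforce_hostnames = true

  # Key usage / extended key usage.
  server_flag = true
  client_flag = true
  # NOTE(review): KeyEncipherment is not meaningful for EC keys (RFC 5480 §3
  # advises against it for id-ecPublicKey); confirm whether it can be dropped.
  key_usage = [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment",
  ]

  # Back-date NotBefore by 30s (typically used to tolerate clock skew between
  # the issuer and verifiers).
  not_before_duration = "30s"
}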
# Doc: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_role
# Issuance role for client certificates. No domain list is configured and
# allow_any_name is true, so any CN/SAN can be requested through this role.
resource "vault_pki_secret_backend_role" "ec_client_role" {
  backend = vault_mount.ecpki.path
  name    = "ec-client-certificates"

  # 1 year, in seconds.
  ttl = 31536000

  # Supported key types: 'rsa', 'ed25519' or 'ec'; key_bits = 521 selects P-521.
  key_type = "ec"
  key_bits = 521

  # Name restrictions: none. Hostname enforcement is off, presumably because
  # client identities are not necessarily DNS names.
  allow_any_name    = true
  allow_ip_sans     = true
  enforce_hostnames = false

  # Key usage / extended key usage.
  # NOTE(review): server_flag = true together with allow_any_name = true lets
  # any principal allowed to use this role obtain a serverAuth certificate for
  # an arbitrary name under this CA — confirm that is intended; a client-only
  # role would set server_flag = false.
  server_flag = true
  client_flag = true
  # NOTE(review): KeyEncipherment is not meaningful for EC keys (RFC 5480 §3);
  # confirm whether it can be dropped.
  key_usage = [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment",
  ]

  # Back-date NotBefore by 30s (typically used to tolerate clock skew).
  not_before_duration = "30s"
}