Vault PKI Terraform
# Terraform version of the HashiCorp PKI tutorial:
# https://learn.hashicorp.com/tutorials/vault/pki-engine
#
# Root CA mount
#
# The root issuer gets a mount of its own so that its key material is kept
# apart from the intermediate that does the day-to-day issuing.
resource "vault_mount" "pki_root" {
  type = "pki"
  path = "pki/root"

  # One day unless the caller asks for more.
  default_lease_ttl_seconds = 24 * 60 * 60

  # Ten-year ceiling. The root certificate generated later in this file is
  # requested with the same ten-year TTL, so keep the two values in step.
  max_lease_ttl_seconds = 10 * 365 * 24 * 60 * 60
}
# Issuing-certificate (AIA) and CRL distribution URLs embedded in anything the
# root mount issues, i.e. the intermediate certificate signed further down.
resource "vault_pki_secret_backend_config_urls" "pki_root_config_urls" {
  backend = vault_mount.pki_root.path

  # Both point back at this Vault's public API. The hostname is fixed here, so
  # a different deployment must edit these two lines.
  crl_distribution_points = ["https://vault.lmhd.me/v1/${vault_mount.pki_root.path}/crl"]
  issuing_certificates    = ["https://vault.lmhd.me/v1/${vault_mount.pki_root.path}/ca"]
}
#
# Intermediary CA mount
#
# Leaf certificates are meant to come from this mount, never from the root.
resource "vault_mount" "pki_inter" {
  type = "pki"
  path = "pki/inter"

  # One day unless the caller asks for more.
  default_lease_ttl_seconds = 24 * 60 * 60

  # One-year ceiling; the intermediate certificate itself is signed for one
  # year below, so nothing issued from here can outlive it anyway.
  max_lease_ttl_seconds = 365 * 24 * 60 * 60
}
# Issuing-certificate (AIA) and CRL distribution URLs for certificates issued
# by the intermediate mount. Same fixed hostname as the root's URLs.
resource "vault_pki_secret_backend_config_urls" "pki_inter_config_urls" {
  backend = vault_mount.pki_inter.path

  crl_distribution_points = ["https://vault.lmhd.me/v1/${vault_mount.pki_inter.path}/crl"]
  issuing_certificates    = ["https://vault.lmhd.me/v1/${vault_mount.pki_inter.path}/ca"]
}
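#
# Generate Root CA
#
# Self-signed root on the pki/root mount. type = "internal" keeps the private
# key inside Vault: the API never returns it, so it never reaches Terraform
# state either.
resource "vault_pki_secret_backend_root_cert" "pki_root_cert" {
  # Referencing vault_mount.pki_root.path already orders this resource after
  # the mount, so the former explicit depends_on was redundant and is dropped.
  backend     = vault_mount.pki_root.path
  type        = "internal"
  common_name = "LMHD Root CA"

  # Ten years, matching max_lease_ttl_seconds on the pki_root mount.
  ttl = 60 * 60 * 24 * 365 * 10

  # Key algorithm and size are left at the provider defaults; set them
  # explicitly if policy requires a particular algorithm.
}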
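#
# Generate Inter CSR
#
# Creates the intermediate's key pair on the pki/inter mount and exposes a CSR
# for the root to sign. type = "internal" again keeps the private key inside
# Vault.
resource "vault_pki_secret_backend_intermediate_cert_request" "pki_inter" {
  # The backend reference already orders this after the mount; the former
  # explicit depends_on was redundant and is dropped.
  backend     = vault_mount.pki_inter.path
  type        = "internal"

  # Must agree with the common_name passed to the root signing step.
  common_name = "LMHD Intermediary CA"
}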
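#
# Root signs Inter
#
# The root mount signs the intermediate's CSR. Only the CSR (public data)
# crosses between the two mounts; neither private key does.
resource "vault_pki_secret_backend_root_sign_intermediate" "pki_root_inter" {
  # The csr reference below already orders this after the CSR resource, so
  # the former explicit depends_on was redundant and is dropped.
  backend = vault_mount.pki_root.path
  csr     = vault_pki_secret_backend_intermediate_cert_request.pki_inter.csr

  # Restated here because the signing endpoint takes the subject from these
  # arguments rather than from the CSR; keep it identical to the CSR's value.
  common_name = "LMHD Intermediary CA"

  # pem_bundle yields the signed certificate together with the issuing chain,
  # which is what the set_signed step below expects.
  format = "pem_bundle"

  # One year, matching max_lease_ttl_seconds on the pki_inter mount.
  ttl = 60 * 60 * 24 * 365
}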
# Install the signed certificate (and chain) into the intermediate mount so it
# can start issuing. Nothing here needs depends_on: the certificate reference
# orders it after the signing step.
resource "vault_pki_secret_backend_intermediate_set_signed" "pki_inter" {
  certificate = vault_pki_secret_backend_root_sign_intermediate.pki_root_inter.certificate
  backend     = vault_mount.pki_inter.path
}