Dynamic Terraform for Vault PKI Roles

The Terraform plan that creates this example looks like this:

  # vault_pki_secret_backend_role.pki_roles["pki/inter/davnet.lmhd.me.yaml"] will be created
  + resource "vault_pki_secret_backend_role" "pki_roles" {
      + allow_any_name                     = false
      + allow_bare_domains                 = false
      + allow_glob_domains                 = false
      + allow_ip_sans                      = true
      + allow_localhost                    = false
      + allow_subdomains                   = true
      + allowed_domains                    = [
          + "davnet.lmhd.me",
        ]
      + allowed_domains_template           = false
      + backend                            = "pki/inter"
      + basic_constraints_valid_for_non_ca = false
      + client_flag                        = true
      + code_signing_flag                  = false
      + email_protection_flag              = false
      + enforce_hostnames                  = true
      + generate_lease                     = false
      + id                                 = (known after apply)
      + key_bits                           = 2048
      + key_type                           = "rsa"
      + key_usage                          = [
          + "DigitalSignature",
          + "KeyAgreement",
          + "KeyEncipherment",
        ]
      + max_ttl                            = "7776000"
      + name                               = "davnet.lmhd.me"
      + no_store                           = false
      + not_before_duration                = (known after apply)
      + require_cn                         = true
      + server_flag                        = true
      + ttl                                = "2764800"
      + use_csr_common_name                = true
      + use_csr_sans                       = true
    }

  # vault_pki_secret_backend_role.pki_roles["pki/api/api.test.lmhd.me-client.yaml"] will be created
  + resource "vault_pki_secret_backend_role" "pki_roles" {
      + allow_any_name                     = true
      + allow_bare_domains                 = true
      + allow_glob_domains                 = false
      + allow_ip_sans                      = false
      + allow_localhost                    = false
      + allow_subdomains                   = false
      + allowed_domains                    = []
      + allowed_domains_template           = false
      + backend                            = "pki/api"
      + basic_constraints_valid_for_non_ca = false
      + client_flag                        = true
      + code_signing_flag                  = false
      + email_protection_flag              = false
      + enforce_hostnames                  = false
      + generate_lease                     = false
      + id                                 = (known after apply)
      + key_bits                           = 2048
      + key_type                           = "rsa"
      + key_usage                          = [
          + "DigitalSignature",
          + "KeyEncipherment",
        ]
      + max_ttl                            = "3600"
      + name                               = "api.test.lmhd.me-client"
      + no_store                           = false
      + not_before_duration                = (known after apply)
      + organization                       = [
          + "fronter.federate:read",
          + "fronter.federate:write",
        ]
      + ou                                 = [
          + "api.test.lmhd.me",
        ]
      + require_cn                         = false
      + server_flag                        = false
      + ttl                                = "3600"
      + use_csr_common_name                = true
      + use_csr_sans                       = true
    }
# file path in my vault_terraform repo: pki/api/api.test.lmhd.me-client.yaml
# No hostnames or SANs for this
allow_any_name: true
allow_bare_domains: true
allow_ip_sans: false
allow_localhost: false
enforce_hostnames: false
# A CN is not thought to be needed here; it can be enabled later if required
require_cn: false
# The API will use this to determine if the cert is authorized for this instance
ou:
- api.test.lmhd.me
# The API will use this to determine what roles the cert has within the api
organization:
- fronter.federate:read
- fronter.federate:write
# This is a client certificate
client_flag: true
server_flag: false
key_usage:
- DigitalSignature
- KeyEncipherment
# 60 minutes (production should be shorter)
ttl: 3600
max_ttl: 3600
# file path in my vault_terraform repo: pki/inter/davnet.lmhd.me.yaml
allowed_domains:
- davnet.lmhd.me
allow_localhost: false
allow_subdomains: true
# ttl is 32 days, max_ttl is 90 days (in seconds)
ttl: 2764800
max_ttl: 7776000
# List all YAML files in subdirectories of pki/
# Each subdirectory corresponds to a PKI mount in Vault,
# e.g. pki/inter
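locals {
  # Every role definition under pki/<mount>/<role>.yaml, as paths relative to
  # this module (e.g. "pki/inter/davnet.lmhd.me.yaml"). The subdirectory is
  # the PKI mount unless the file overrides "backend".
  pki_role_files = fileset(path.module, "pki/*/*.yaml")

  # Decode each YAML file exactly once (the original called
  # yamldecode(file(each.key)) separately for every attribute), keyed by the
  # same relative path so the resource addresses below are unchanged.
  # fileset() returns paths relative to path.module, so file() is given the
  # module-relative path as well; a bare file(each.key) resolves against the
  # working directory and presumably breaks when this is used as a child
  # module — confirm against the caller.
  # NOTE(review): an empty YAML file decodes to null, which lookup() will
  # reject — TODO confirm whether that case needs a guard.
  pki_role_configs = {
    for f in local.pki_role_files : f => yamldecode(file("${path.module}/${f}"))
  }
}

resource "vault_pki_secret_backend_role" "pki_roles" {
  # One role per YAML file: each.key is the relative file path and
  # each.value is the decoded YAML map.
  for_each = local.pki_role_configs

  # "backend" key if given, otherwise the directory name (the mount path)
  backend = lookup(each.value, "backend", dirname(each.key))

  # "name" key if given, otherwise the file name without ".yaml"
  name = lookup(each.value, "name", trimsuffix(basename(each.key), ".yaml"))

  # Every other parameter falls back to the default documented at
  # https://www.vaultproject.io/api/secret/pki#create-update-role
  # when the YAML file does not set it. Only the parameters used so far are
  # listed; add more as needed.
  #
  # The name-matching parameters (allow_any_name, allow_bare_domains,
  # allowed_domains, allow_subdomains, enforce_hostnames) decide which
  # subject names a role may issue for, so a YAML file that loosens them is
  # the part of a change worth reviewing.
  allow_any_name     = lookup(each.value, "allow_any_name", false)
  allow_bare_domains = lookup(each.value, "allow_bare_domains", false)
  allow_ip_sans      = lookup(each.value, "allow_ip_sans", true)
  enforce_hostnames  = lookup(each.value, "enforce_hostnames", true)
  require_cn         = lookup(each.value, "require_cn", true)
  ou                 = lookup(each.value, "ou", [])
  organization       = lookup(each.value, "organization", [])
  client_flag        = lookup(each.value, "client_flag", true)
  server_flag        = lookup(each.value, "server_flag", true)
  allowed_domains    = lookup(each.value, "allowed_domains", [])
  allow_localhost    = lookup(each.value, "allow_localhost", true)
  allow_subdomains   = lookup(each.value, "allow_subdomains", false)
  key_usage          = lookup(each.value, "key_usage", ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])

  # An empty string is passed when the YAML sets no TTL; presumably the
  # provider then leaves the value to Vault's defaults — confirm.
  ttl     = lookup(each.value, "ttl", "")
  max_ttl = lookup(each.value, "max_ttl", "")
}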