Created
July 6, 2022 12:59
-
-
Save optiz0r/ce5af8c4ab5ab120b38c345393f41ed2 to your computer and use it in GitHub Desktop.
Terraform code allowing puppet clients to acquire TLS certificates matching their own hostname only
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Allow clients to auth using puppet certificates | |
| resource "vault_auth_backend" "host_certs" { | |
| path = "host_certs" | |
| type = "cert" | |
| } | |
| resource "vault_cert_auth_backend_role" "puppet_certificate" { | |
| name = "puppet_certificate" | |
| backend = vault_auth_backend.host_certs.path | |
| certificate = file("files/puppet-ca.crt") | |
| allowed_dns_sans = ["*.example.com"] | |
| token_policies = ["host-certificates"] | |
| } | |
| # Setup a PKI to issue host certificates | |
| resource "vault_mount" "host_certs" { | |
| path = "host_certs" | |
| description = "Backend for auto-generated host certificates" | |
| type = "pki" | |
| default_lease_ttl_seconds = 31536000 | |
| max_lease_ttl_seconds = 31536000 | |
| } | |
| resource "vault_pki_secret_backend_config_ca" "host_certs" { | |
| backend = vault_mount.host_certs.path | |
| # In this case the intermediate CA issued to vault is subordinate to an existing Intermediate | |
| # issued certs -> vault intermediate -> internal intermediate -> internal root | |
| # So we define both the upstream intermediate and root certs as the CA for this pki | |
| pem_bundle = join("\n", [file("files/internal-intermediate-ca.crt"), file("files/internal-root-ca.crt")]) | |
| } | |
| resource "vault_pki_secret_backend_config_urls" "host_certs" { | |
| backend = vault_mount.host_certs.path | |
| issuing_certificates = [ | |
| "https://vault.example.com:8200/v1/host_certs/ca", | |
| ] | |
| crl_distribution_points = [ | |
| "https://vault.example.com:8200/v1/host_certs/crl", | |
| ] | |
| } | |
| resource "vault_pki_secret_backend_crl_config" "host_certs" { | |
| backend = vault_mount.host_certs.path | |
| expiry = "72h" | |
| disable = false | |
| } | |
| resource "vault_pki_secret_backend_intermediate_cert_request" "host_certs" { | |
| backend = vault_mount.host_certs.path | |
| type = "internal" | |
| common_name = "Vault Intermediate authority" | |
| } | |
| output "host_certs_intermediate_csr" { | |
| value = vault_pki_secret_backend_intermediate_cert_request.host_certs.csr | |
| } | |
| # This is a little bit circular | |
| # Once the above CSR is signed, enable the below to import it, or import it manually | |
| #resource "vault_pki_secret_backend_intermediate_set_signed" "host_certs" { | |
| # backend = vault_mount.host_certs.path | |
| # certificate = file("files/host_certs-ca.crt") | |
| #} | |
| resource "vault_policy" "host_certificates" { | |
| name = "host-certificates" | |
| policy = <<-EOT | |
| path "host_certs/issue/host_certs" { | |
| capabilities = ["create", "update"] | |
| } | |
| path "host_certs/issuer/+/issue/host_certs" { | |
| capabilities = ["create", "update"] | |
| } | |
| EOT | |
| } | |
| resource "vault_pki_secret_backend_role" "role" { | |
| backend = vault_mount.host_certs.path | |
| name = "host_certs" | |
| # SAN restrictions | |
| allowed_domains_template = true | |
| allowed_domains = ["{{identity.entity.name}}"] | |
| allow_any_name = false | |
| allow_bare_domains = true | |
| allow_subdomains = false | |
| allow_glob_domains = false | |
| allow_ip_sans = false | |
| # Allow use for both server and client uses | |
| server_flag = true | |
| client_flag = true | |
| # Key params | |
| key_type = "rsa" | |
| key_bits = 4096 | |
| key_usage = [ | |
| "DigitalSignature", | |
| "KeyAgreement", | |
| "KeyEncipherment", | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment