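#--------------------------------------------------------------
# pki_int
#   1. create the intermediate PKI engine           (active, below)
#   2. generate the intermediate CSR                (commented out)
#   3. sign the CSR against the root CA in pki_root (commented out)
#   4. set the signed intermediate cert in pki_int  (commented out)
#
# Because the CSR is generated with type = "internal", the
# intermediate private key is created and kept inside Vault; only
# the CSR and the signed certificate (public material) pass through
# Terraform and its state.
#--------------------------------------------------------------
resource "vault_mount" "pki_int" {
  path        = "pki_int"
  type        = "pki"
  description = "PKI Intermediate CA"

  # Mount-level cap on the TTL of anything issued from this engine.
  # 43800h (5 years) matches the `ttl` requested for the intermediate
  # certificate in the sign-intermediate step below; it is deliberately
  # NOT the lifetime leaf certificates should get. Bound leaf lifetimes
  # with a much shorter `max_ttl` on each vault_pki_secret_backend_role.
  max_lease_ttl_seconds = 43800 * 3600
}

## Step 2 - generate the intermediate CSR.
## type = "internal" keeps the private key inside Vault (it is never
## returned to Terraform); only the CSR is exported.
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
#  backend     = vault_mount.pki_int.path
#  common_name = "unkin.net Intermediate Authority"
#  format      = "pem"
#  type        = "internal"
#}
#
## Step 3 - sign the intermediate CSR with the root CA.
## NOTE(review): the root mount's max_lease_ttl_seconds must be at
## least 43800h, otherwise Vault shortens the issued TTL to the mount
## cap - confirm against pki_root. `issuer_ref` must name an existing
## issuer in pki_root. The Vault provider also ships a dedicated
## vault_pki_secret_backend_root_sign_intermediate resource, which
## may be preferable to the generic endpoint here.
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
#  path = "${vault_mount.pki_root.path}/root/sign-intermediate"
#
#  data_json = jsonencode({
#    csr        = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
#    format     = "pem_bundle",
#    ttl        = "43800h",
#    issuer_ref = "UNKIN_ROOTCA_2024"
#  })
#}
#
## Pull the signed certificate out of the sign-intermediate response.
## NOTE(review): with format = "pem_bundle" the `certificate` field is
## expected to carry the signed cert plus the issuing CA - verify the
## chain content before relying on it.
#locals {
#  intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
#}
#
## Step 4 - install the signed intermediate certificate in pki_int.
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
#  backend     = vault_mount.pki_int.path
#  certificate = local.intermediate_signed_cert
#}
#
## NOTE(review): this lookup does not look right and should be checked
## before uncommenting - vault_pki_secret_backend_root_cert appears to
## be a resource rather than a data source, and the root's issuer_id
## belongs to pki_root, not pki_int. The issuer created in pki_int is
## presumably exposed by the set_signed resource (imported_issuers).
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
#  backend    = vault_mount.pki_int.path
#  issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
#}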