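#-------------------------------------------
# pki_root:
#   create engine
#   generate rootca certificate (resource is commented out below; the root is
#     apparently managed outside this file)
#   read the issuer
#   configure the pki urls
#-------------------------------------------

# Root CA mount. No role is defined on it in this file, so as far as this file
# shows it only signs intermediates; keep it that way -- leaf-issuing roles
# belong on an intermediate mount, not on the root.
resource "vault_mount" "pki_root" {
  path        = "pki_root"
  type        = "pki"
  description = "PKI Root CA"

  # 87600h = 10 years. The mount's max TTL caps the lifetime of anything
  # issued or signed from it (including intermediate CA certs), so lower it
  # here if shorter intermediate lifetimes are wanted.
  max_lease_ttl_seconds = 87600 * 3600 # 87600h
}

# Root certificate generation, left commented out in the source. Because the
# data source below reads the mount's "default" issuer, an issuer must already
# exist in the mount (created by this resource or out of band) or the plan
# fails -- TODO confirm how the root is provisioned.
# type = "internal" keeps the private key inside Vault and never returns it in
# the API response; do not switch a root to "exported".
#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" {
#  backend     = vault_mount.pki_root.path
#  common_name = "unkin.net"
#  issuer_name = "UNKIN_ROOTCA_2024"
#  ttl         = 87600 * 3600
#  format      = "pem"
#  type        = "internal"
#}
#
# The certificate is public material; sensitive = true only hides it from
# plan/apply output, which is harmless but not a security control.
#output "root_certificate" {
#  value     = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate
#  sensitive = true
#}

# Look up whichever issuer currently sits behind the mount's "default" alias.
# NOTE(review): "default" is a mutable pointer that moves on root rotation; if
# a stable reference is wanted, issuer_ref = "UNKIN_ROOTCA_2024" (the
# issuer_name in the commented-out resource) pins the lookup to one issuer.
data "vault_pki_secret_backend_issuer" "pki_root_issuer" {
  backend    = vault_mount.pki_root.path
  issuer_ref = "default"
}

# AIA (issuing certificate) and CRL distribution point URLs. These get embedded
# in every certificate issued or signed from this mount, so they must be
# reachable by the relying parties validating those certs and must use the
# externally advertised Vault address -- local.vault_addr is assumed to be that,
# confirm against how clients reach Vault. Vault serves /ca and /crl without
# authentication by design so that clients can fetch them.
# The mount path comes from the resource instead of being repeated as the
# literal "pki_root", so renaming the mount cannot leave stale URLs in issued
# certificates.
resource "vault_pki_secret_backend_config_urls" "pki_root_urls" {
  backend                 = vault_mount.pki_root.path
  issuing_certificates    = ["${local.vault_addr}/v1/${vault_mount.pki_root.path}/ca"]
  crl_distribution_points = ["${local.vault_addr}/v1/${vault_mount.pki_root.path}/crl"]
}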