- import pki, ssh, kv, rundeck engines - deploy all roles from terraform - deploy all policies from terraform - deploy all approles from terraform
#--------------------------------------------------------------
# pki_int
# create engine
# generate intermediate CSR
# sign the intermediate CSR against the root CA
# set the signed intermediate cert in the pki_int engine
#--------------------------------------------------------------
# Intermediate CA secrets engine. The CSR generation, root signing and
# set-signed steps that normally follow this mount are kept commented out
# further down in this file.
resource "vault_mount" "pki_int" {
  type        = "pki"
  path        = "pki_int"
  description = "PKI Intermediate CA"

  # 43800 h == 5 years (365-day years), expressed in seconds.
  # NOTE(review): on a PKI mount the max lease TTL is also the ceiling for
  # every certificate the mount's roles can issue, so roles under this mount
  # should carry a much shorter max_ttl — confirm against the role
  # definitions, which are not in this file.
  max_lease_ttl_seconds = 3600 * 43800
}
## Generate the intermediate CSR
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
#  backend     = vault_mount.pki_int.path
#  common_name = "unkin.net Intermediate Authority"
#  format      = "pem"
#  type        = "internal"
#}
#
## Sign the intermediate CSR using the root CA
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
#  path = "${vault_mount.pki_root.path}/root/sign-intermediate"
#
#  data_json = jsonencode({
#    csr        = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
#    format     = "pem_bundle",
#    ttl        = "43800h",
#    issuer_ref = "UNKIN_ROOTCA_2024"
#  })
#}
#
## Decode the certificate from the response
#locals {
#  intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
#}
#
## Set the signed intermediate certificate
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
#  backend     = vault_mount.pki_int.path
#  certificate = local.intermediate_signed_cert
#}
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
#  backend    = vault_mount.pki_int.path
#  issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
#}