terraform-vault/modules/vault_cluster/modules/pki_secret_backend/main.tf
Ben Vincent 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00


# PKI secrets engine mount. Every other resource in this module keys off
# `vault_mount.pki.path`, so var.path is the single source of truth for
# where the engine is enabled.
resource "vault_mount" "pki" {
  type        = "pki"
  path        = var.path
  description = var.description

  # Vault caps the TTL of every certificate issued from this mount — the root
  # generated below included — at the mount's max lease TTL; a root requested
  # with a longer var.ttl is truncated (Vault only warns). Keep this value at
  # least as long as the root's var.ttl.
  max_lease_ttl_seconds = var.max_lease_ttl_seconds
}
# Self-signed root CA for this mount.
resource "vault_pki_secret_backend_root_cert" "root_cert" {
  backend = vault_mount.pki.path

  # "internal" keeps the root's private key inside Vault: it is not returned
  # in the API response and therefore not written to Terraform state. Switching
  # this to "exported" would put the root key into state.
  type = "internal"

  common_name = var.common_name
  issuer_name = var.issuer_name
  ttl         = var.ttl
  format      = var.format

  # key_type / key_bits are not pinned here, so the provider default applies —
  # presumably RSA/2048; confirm, and expose them as variables if policy
  # requires a specific algorithm or size.
  # NOTE(review): consider `lifecycle { prevent_destroy = true }` so a plan
  # that would replace the root (e.g. a changed common_name) fails loudly
  # instead of invalidating everything issued under it.
}
# Looks up the issuer record Vault created for the root so its issuer_id can
# be handed to the default-issuer configuration below.
data "vault_pki_secret_backend_issuer" "issuer" {
  backend    = vault_mount.pki.path
  issuer_ref = vault_pki_secret_backend_root_cert.root_cert.issuer_id

  # issuer_ref already gives an implicit dependency on the root; the explicit
  # depends_on additionally keeps this read deferred to apply time so a
  # not-yet-created root is never looked up during plan.
  depends_on = [vault_pki_secret_backend_root_cert.root_cert]
}
# AIA, CRL distribution point and OCSP URLs embedded in every certificate
# issued from this mount.
resource "vault_pki_secret_backend_config_urls" "urls" {
  backend = vault_mount.pki.path

  # Relying parties fetch these URLs during chain building and revocation
  # checking, so they must resolve to an address of this Vault cluster that
  # clients can actually reach.
  issuing_certificates    = var.issuing_certificates
  crl_distribution_points = var.crl_distribution_points
  ocsp_servers            = var.ocsp_servers

  # When true the URL lists may contain Vault's {{issuer_id}} / {{cluster_path}}
  # / {{cluster_aia_path}} placeholders; the cluster-path ones presumably also
  # need the mount's cluster config (vault_pki_secret_backend_config_cluster)
  # to be set — confirm when enabling.
  enable_templating = var.enable_templating
}
# Makes the root the mount's default issuer, i.e. the one used by requests
# that do not name an issuer explicitly.
resource "vault_pki_secret_backend_config_issuers" "issuers" {
  backend = vault_mount.pki.path
  default = data.vault_pki_secret_backend_issuer.issuer.issuer_id

  # When true, generating or importing a newer issuer on this mount moves the
  # default to it automatically. Convenient for rotation, but it also means a
  # mistaken import silently changes what every role signs with; keep false
  # unless rotation is deliberately automated.
  default_follows_latest_issuer = var.default_follows_latest_issuer

  depends_on = [
    vault_pki_secret_backend_root_cert.root_cert,
    data.vault_pki_secret_backend_issuer.issuer,
  ]
}
# CRL and OCSP behaviour for the mount.
resource "vault_pki_secret_backend_crl_config" "crl" {
  backend = vault_mount.pki.path

  # Lifetime of a generated CRL. Clients that enforce revocation treat an
  # expired CRL as a hard failure, so auto_rebuild below should stay enabled
  # whenever this is short.
  expiry = var.crl_expiry

  # disable = true stops CRL generation; ocsp_disable = true turns off the
  # mount's OCSP responder. Each removes a revocation signal — leave both
  # false unless revocation is handled elsewhere.
  disable      = var.crl_disable
  ocsp_disable = var.ocsp_disable

  # Rebuild the CRL ahead of expiry, and publish delta CRLs so revocations
  # become visible between full rebuilds.
  auto_rebuild           = var.auto_rebuild
  enable_delta           = var.enable_delta
  delta_rebuild_interval = var.delta_rebuild_interval

  depends_on = [vault_pki_secret_backend_root_cert.root_cert]
}