This module will build and configure an AWS Private CA and its revocation methods
This repository is a READ-ONLY sub-tree split. See https://github.com/FriendsOfTerraform/modules to create issues or submit pull requests.
## Example Usage

### Basic Usage

```terraform
# Create Root CA
module "root_ca" {
  source = "github.com/FriendsOfTerraform/aws-private-certificate-authority.git?ref=v1.0.0"

  # The X509 subject for the CA
  subject = {
    common_name       = "demo-root-ca"
    country           = "US"
    locality          = "Los Angeles"
    organization      = "My Company"
    organization_unit = "Cloud"
    state             = "California"
  }

  # Enables CRL distribution
  crl_configuration = {
    enabled = true
    create_s3_bucket = {
      bucket_name = "root-ca-crl"
    }
  }

  # Enables OCSP
  ocsp_configuration = {
    enabled = true
  }
}
```
### Subordinate CA Signed by an AWS Private CA

```terraform
module "roles_anywhere_intermediate_ca" {
  source = "github.com/FriendsOfTerraform/aws-private-certificate-authority.git?ref=v1.0.0"

  ca_type    = "SUBORDINATE"
  usage_mode = "SHORT_LIVED_CERTIFICATE"
  validity   = "5 years"

  # Sign subordinate CA with root CA
  subordinate_ca_configuration = {
    parent_ca_arn = module.root_ca.certificate_authority_arn
  }

  # The X509 subject for the Subordinate CA
  subject = {
    common_name       = "roles-anywhere-intermediate-ca"
    country           = "US"
    locality          = "Los Angeles"
    organization      = "My Company"
    organization_unit = "Cloud"
    state             = "California"
  }
}
```
### Subordinate CA Signed by an External CA

- Create the subordinate CA and obtain its CSR

    ```terraform
    module "external_intermediate_ca" {
      source = "github.com/FriendsOfTerraform/aws-private-certificate-authority.git?ref=v1.0.0"

      ca_type    = "SUBORDINATE"
      usage_mode = "SHORT_LIVED_CERTIFICATE"
      validity   = "5 years"

      subject = {
        common_name       = "external-intermediate-ca"
        country           = "US"
        locality          = "Los Angeles"
        organization      = "My Company"
        organization_unit = "Cloud"
        state             = "California"
      }
    }

    # output CSR
    output "external_intermediate_ca_csr" {
      value = module.external_intermediate_ca.certificate_authority_csr
    }
    ```
- After signing the CSR with the external parent CA, update the manifest to import the certificate as follows

    ```terraform
    module "external_intermediate_ca" {
      source = "github.com/FriendsOfTerraform/aws-private-certificate-authority.git?ref=v1.0.0"

      ca_type    = "SUBORDINATE"
      usage_mode = "SHORT_LIVED_CERTIFICATE"
      validity   = "5 years"

      # import subordinate CA certificate
      subordinate_ca_configuration = {
        import_certificate = {
          certificate       = file("${path.root}/certificate.pem")
          certificate_chain = file("${path.root}/certificate-chain.pem")
        }
      }

      subject = {
        common_name       = "external-intermediate-ca"
        country           = "US"
        locality          = "Los Angeles"
        organization      = "My Company"
        organization_unit = "Cloud"
        state             = "California"
      }
    }
    ```
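The signing step between those two manifests happens outside Terraform. The script below is an added example, not part of this module, showing how an OpenSSL-based external parent CA would sign the exported CSR with CA extensions and produce the `certificate.pem` and `certificate-chain.pem` files the `import_certificate` block reads; the file names, the use of the `openssl` CLI and the certificate lifetime are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the module: sign the CSR exported with
#   terraform output -raw external_intermediate_ca_csr > sub.csr
# using an external OpenSSL-based parent CA, producing the two files the
# import_certificate block reads (certificate.pem, certificate-chain.pem).
# File names, the openssl CLI and the lifetime in days are assumptions.
set -eu

# Sign a subordinate CA CSR. Args: csr, parent cert, parent key, output cert,
# path length constraint (keep it equal to the module's path_length input),
# lifetime in days (the external CA, not the module, decides this value).
sign_subordinate_csr() {
  csr=$1; ca_cert=$2; ca_key=$3; out=$4; pathlen=${5:-0}; days=${6:-1825}
  ext=$(mktemp)
  # CA:TRUE is what makes the issued certificate usable as a CA; pathlen caps
  # how many further subordinate CAs may sit beneath it, and keyUsage is
  # limited to signing certificates and CRLs.
  cat >"$ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:${pathlen}
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$ext" -out "$out"
  rm -f "$ext"
}

# Build certificate-chain.pem: the parent CA certificate first, then every CA
# above it up to the root. The subordinate's own certificate is NOT included.
build_chain() {
  out=$1; shift
  cat "$@" >"$out"
}

# Pre-import check: the certificate must chain to the root held in the chain
# file and carry CA:TRUE with the expected path length constraint.
verify_subordinate() {
  openssl verify -CAfile "$2" "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -ext basicConstraints |
    grep -q "CA:TRUE, pathlen:$3"
}
```

Run `verify_subordinate certificate.pem certificate-chain.pem 0` before the second `terraform apply`; a chain that omits an intermediate or a certificate lacking CA:TRUE fails here rather than at import time.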
## Argument Reference

### Mandatory

- (object) **`subject`** _[since v1.0.0]_

    The X509 subject of the CA certificate

    - (string) **`common_name`** _[since v1.0.0]_

        Specify the common name of the CA. For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit

    - (optional(string)) **`country = null`** _[since v1.0.0]_

        Two-digit code that specifies the country in which the certificate subject is located. For example: `"US"`

    - (optional(string)) **`locality = null`** _[since v1.0.0]_

        The locality (such as a city or town) in which the certificate subject is located. For example: `"Los Angeles"`

    - (optional(string)) **`organization = null`** _[since v1.0.0]_

        Legal name of the organization with which the certificate subject is affiliated.

    - (optional(string)) **`organization_unit = null`** _[since v1.0.0]_

        A subdivision or unit of the organization (such as `"sales"` or `"finance"`) with which the certificate subject is affiliated.

    - (optional(string)) **`state`** _[since v1.0.0]_

        State in which the subject of the certificate is located. For example: `"California"`
### Optional

- (map(string)) **`additional_tags = {}`** _[since v1.0.0]_

    Additional tags for the private CA

- (map(string)) **`additional_tags_all = {}`** _[since v1.0.0]_

    Additional tags for all resources deployed with this module

- (bool) **`authorize_acm_access_to_renew_certificates = true`** _[since v1.0.0]_

    Grant AWS Certificate Manager (ACM) permissions for automated renewal for this CA at any time. The change will take effect for all future renewal cycles for ACM certificates generated within this account for this CA.

- (string) **`ca_type = "ROOT"`** _[since v1.0.0]_

    Specify the type of the CA. Valid values are: `"ROOT"`, `"SUBORDINATE"`

- (object) **`crl_configuration = null`** _[since v1.0.0]_

    Configuration of the certificate revocation list (CRL) maintained by your private CA. A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason a CRL update fails, AWS Private CA makes further attempts every 15 minutes. CRLs are distributed to an S3 bucket.

    - (object) **`create_s3_bucket = null`** _[since v1.0.0]_

        Create a new S3 bucket to use as the CRL Distribution Point (CDP). This bucket is publicly accessible with S3 Block Public Access disabled, as required by AWS Private CA. Alternatively, to leave BPA enabled (S3 best practice), do not use this setting to create the bucket; instead use CloudFront in front of a private S3 bucket. Mutually exclusive with `s3_bucket_name`

        - (string) **`bucket_name`** _[since v1.0.0]_

            The name of the S3 bucket. Must be globally unique.

        - (map(string)) **`additional_tags = {}`** _[since v1.0.0]_

            Additional tags attached to the S3 bucket

        - (bool) **`enable_versioning = false`** _[since v1.0.0]_

            Whether S3 bucket versioning is enabled

    - (string) **`custom_crl_name = null`** _[since v1.0.0]_

        Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point.

    - (bool) **`enabled = true`** _[since v1.0.0]_

        Specifies whether CRL is enabled

    - (string) **`s3_bucket_name = null`** _[since v1.0.0]_

        The S3 bucket where the CRLs are distributed to. Mutually exclusive with `create_s3_bucket`

    - (number) **`validity_in_days = 7`** _[since v1.0.0]_

        Validity period of the distributed CRLs in days
- (string) **`key_algorithm = "RSA_2048"`** _[since v1.0.0]_

    Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA. Valid values: `"RSA_2048"`, `"RSA_4096"`, `"EC_prime256v1"`, `"EC_secp384r1"`

- (object) **`ocsp_configuration = null`** _[since v1.0.0]_

    Configuration of Online Certificate Status Protocol (OCSP) support maintained by your private CA. When you revoke a certificate, OCSP responses may take up to 60 minutes to reflect the new status.

    - (string) **`custom_ocsp_endpoint = null`** _[since v1.0.0]_

        CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as `"http://"` or `"https://"`. Please review the documentation for additional requirements to use the custom endpoint.

    - (bool) **`enabled = true`** _[since v1.0.0]_

        Specifies whether OCSP is enabled

- (string) **`policy = null`** _[since v1.0.0]_

    Attaches a JSON-formatted resource-based IAM policy to this private CA

- (string) **`signing_algorithm = "SHA256WITHRSA"`** _[since v1.0.0]_

    Name of the algorithm your private CA uses to sign certificate requests. Valid values: `"SHA256WITHECDSA"`, `"SHA384WITHECDSA"`, `"SHA512WITHECDSA"`, `"SHA256WITHRSA"`, `"SHA384WITHRSA"`, `"SHA512WITHRSA"`. The signing algorithm must match the family of `key_algorithm`:

    | Key Algorithm                 | Valid Signing Algorithm                              |
    |-------------------------------|------------------------------------------------------|
    | RSA_2048, RSA_4096            | SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA          |
    | EC_prime256v1, EC_secp384r1   | SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA    |

- (object) **`subordinate_ca_configuration = null`** _[since v1.0.0]_

    Specify options to set up a subordinate CA. Required if `ca_type = "SUBORDINATE"`.

    - (object) **`import_certificate = null`** _[since v1.0.0]_

        Import a subordinate CA certificate signed by an external CA. See example. Mutually exclusive with `parent_ca_arn`

        - (string) **`certificate`** _[since v1.0.0]_

            Specify the PEM-encoded subordinate CA certificate

        - (string) **`certificate_chain`** _[since v1.0.0]_

            Specify the PEM-encoded subordinate CA certificate chain

    - (string) **`parent_ca_arn = null`** _[since v1.0.0]_

        Signs the subordinate CA certificate with an AWS private CA. See example. Mutually exclusive with `import_certificate`

    - (number) **`path_length = 0`** _[since v1.0.0]_

        Specify the path length constraint of the subordinate CA, which determines the maximum number of lower-level subordinate CAs that can exist in a valid chain of trust. AWS Private CA supports a maximum chain of up to 5 levels deep, therefore this value must be `<= 3`

- (string) **`usage_mode = "GENERAL_PURPOSE"`** _[since v1.0.0]_

    Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Please refer to this documentation for more detail.

- (string) **`validity = "10 years"`** _[since v1.0.0]_

    Specify the validity period of the CA certificate. See example
## Outputs

- (string) **`certificate_authority_arn`** _[since v1.0.0]_

    The ARN of the certificate authority

- (string) **`certificate_authority_certificate`** _[since v1.0.0]_

    Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.

- (string) **`certificate_authority_csr`** _[since v1.0.0]_

    The base64 PEM-encoded certificate signing request (CSR) for the private CA certificate.

- (string) **`certificate_authority_certificate_chain`** _[since v1.0.0]_

    Base64-encoded certificate chain that includes any intermediate certificates and chains up to the root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.

- (string) **`certificate_authority_id`** _[since v1.0.0]_

    The ID of the certificate authority
## Known Limitations

If you enable `crl_configuration` with the `create_s3_bucket` option, creation could fail because the S3 bucket does not yet have the correct bucket policy. There is currently no way to express the Terraform dependency that would ensure the bucket policy is created first. As a workaround, create the `crl_configuration` with `enabled = false`, which allows the S3 bucket and its policy to be created properly, then update to `enabled = true`.