tls.tf

# Generate a private key so you can create a CA cert with it.
resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Create a CA cert with the private key you just generated.
resource "tls_self_signed_cert" "ca" {
  private_key_pem = tls_private_key.ca.private_key_pem

  subject {
    common_name = "ca.vault.jrx.de"
  }

  validity_period_hours = 720 # 30 days

  allowed_uses = [
    "cert_signing",
    "crl_signing",
  ]

  is_ca_certificate = true

  #  provisioner "local-exec" {
  #    command = "echo '${tls_self_signed_cert.ca.cert_pem}' > ./vault-ca.pem"
  #  }
}

# Generate another private key. This one will be used
# To create the certs on your Vault nodes
resource "tls_private_key" "server" {
  algorithm = "RSA"
  rsa_bits  = 2048

  #  provisioner "local-exec" {
  #    command = "echo '${tls_private_key.server.private_key_pem}' > ./vault-key.pem"
  #  }
}

resource "tls_cert_request" "server" {
  private_key_pem = tls_private_key.server.private_key_pem

  subject {
    common_name = "vault.jrx.de"
  }

  dns_names = [
    var.vault_shared_san,
    module.loadbalancer.vault_lb_dns_name,
    "localhost",
  ]

  ip_addresses = [
    "127.0.0.1",
  ]
}

resource "tls_locally_signed_cert" "server" {
  cert_request_pem   = tls_cert_request.server.cert_request_pem
  ca_private_key_pem = tls_private_key.ca.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem

  validity_period_hours = 720 # 30 days

  allowed_uses = [
    "client_auth",
    "digital_signature",
    "key_agreement",
    "key_encipherment",
    "server_auth",
  ]

  #  provisioner "local-exec" {
  #    command = "echo '${tls_locally_signed_cert.server.cert_pem}' > ./vault-crt.pem"
  #  }
}