forked from serverless-ca/terraform-aws-ca
-
Notifications
You must be signed in to change notification settings - Fork 0
/
issuing-ca.tf
103 lines (92 loc) · 5.04 KB
/
issuing-ca.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
module "kms_rsa_issuing_ca" {
# Issuing CA private / public key pair
source = "./modules/terraform-aws-ca-kms"
for_each = var.issuing_ca_list
project = "${var.project}-${each.key}-ca"
env = var.env
description = "${var.project}-${var.env} Issuing CA key pair for ${each.key}"
customer_master_key_spec = var.issuing_ca_key_spec
key_usage = "SIGN_VERIFY"
kms_policy = "ca"
}
module "create_issuing_ca_iam" {
# IAM role and policy assumed by create Issuing CA lambda using KMS private key
source = "./modules/terraform-aws-ca-iam"
project = var.project
env = var.env
function_name = "create-issuing-ca"
kms_arn_ca_list = concat([module.kms_rsa_root_ca.kms_arn], [for ca_name, _ in var.issuing_ca_list : module.kms_rsa_issuing_ca[ca_name].kms_arn])
kms_arn_resource = var.kms_arn_resource == "" ? module.kms_tls_keygen.kms_arn : var.kms_arn_resource
ddb_table_arn = module.dynamodb.ddb_table_arn
policy = "issuing_ca"
external_s3_bucket_arn = module.external_s3.s3_bucket_arn
internal_s3_bucket_arn = module.internal_s3.s3_bucket_arn
}
module "issuing_crl_iam" {
# IAM role and policy assumed by Issuing CA lambda using KMS private key
source = "./modules/terraform-aws-ca-iam"
project = var.project
env = var.env
function_name = "issuing-crl"
kms_arn_ca_list = [for ca_name, _ in var.issuing_ca_list : module.kms_rsa_issuing_ca[ca_name].kms_arn]
kms_arn_resource = var.kms_arn_resource == "" ? module.kms_tls_keygen.kms_arn : var.kms_arn_resource
ddb_table_arn = module.dynamodb.ddb_table_arn
policy = "issuing_crl"
external_s3_bucket_arn = module.external_s3.s3_bucket_arn
internal_s3_bucket_arn = module.internal_s3.s3_bucket_arn
}
module "tls_keygen_iam" {
# IAM role and policy assumed by TLS certificate lambda using issuing CA KMS private key
source = "./modules/terraform-aws-ca-iam"
project = var.project
env = var.env
function_name = "tls-cert"
kms_arn_ca_list = [for ca_name, _ in var.issuing_ca_list : module.kms_rsa_issuing_ca[ca_name].kms_arn]
kms_arn_tls_keygen = module.kms_tls_keygen.kms_arn
kms_arn_resource = var.kms_arn_resource == "" ? module.kms_tls_keygen.kms_arn : var.kms_arn_resource
ddb_table_arn = module.dynamodb.ddb_table_arn
policy = "tls_cert"
external_s3_bucket_arn = module.external_s3.s3_bucket_arn
internal_s3_bucket_arn = module.internal_s3.s3_bucket_arn
sns_topic_arn = module.sns_ca_notifications.sns_topic_arn
}
module "create_rsa_issuing_ca_lambda" {
# Lambda function to check for existence and otherwise create Issuing CA using KMS private key
source = "./modules/terraform-aws-ca-lambda"
project = var.project
env = var.env
function_name = "create-issuing-ca"
description = "create Issuing Certificate Authority with KMS private key"
external_s3_bucket = module.external_s3.s3_bucket_name
internal_s3_bucket = module.internal_s3.s3_bucket_name
logging_account_id = var.logging_account_id
subscription_filter_destination = var.subscription_filter_destination
filter_pattern = var.filter_pattern
issuing_ca_list = var.issuing_ca_list
lambda_role_arn = module.create_issuing_ca_iam.lambda_role_arn
domain = var.hosted_zone_domain
runtime = var.runtime
public_crl = var.public_crl
sns_topic_arn = module.sns_ca_notifications.sns_topic_arn
}
module "rsa_issuing_ca_crl_lambda" {
# Lambda function to publish Issuing CA CRL signed by Issuing CA KMS private key
source = "./modules/terraform-aws-ca-lambda"
project = var.project
env = var.env
function_name = "issuing-ca-crl"
description = "publish Issuing CA certificate revocation list signed by KMS private key"
external_s3_bucket = module.external_s3.s3_bucket_name
internal_s3_bucket = module.internal_s3.s3_bucket_name
logging_account_id = var.logging_account_id
subscription_filter_destination = var.subscription_filter_destination
filter_pattern = var.filter_pattern
issuing_ca_list = var.issuing_ca_list
issuing_crl_days = var.issuing_crl_days
issuing_crl_seconds = var.issuing_crl_seconds
lambda_role_arn = module.issuing_crl_iam.lambda_role_arn
domain = var.hosted_zone_domain
runtime = var.runtime
public_crl = var.public_crl
sns_topic_arn = module.sns_ca_notifications.sns_topic_arn
}