Primary language: Go. License: Mozilla Public License 2.0 (MPL-2.0)

Puppet CA Terraform Provider

By Camptocamp

This Terraform provider connects to a Puppet Certificate Authority to verify that node certificates have been signed, and to clean those certificates up when the node is decommissioned.

Requirements

  • Terraform 0.10.x
  • Go 1.8 (to build the provider plugin)

Building The Provider

Clone repository to: $GOPATH/src/github.com/camptocamp/terraform-provider-puppetca

$ mkdir -p $GOPATH/src/github.com/camptocamp; cd $GOPATH/src/github.com/camptocamp
$ git clone git@github.com:camptocamp/terraform-provider-puppetca

Enter the provider directory and build the provider

$ cd $GOPATH/src/github.com/camptocamp/terraform-provider-puppetca
$ make build

Using the provider

provider "puppetca" {
  url  = "https://puppetca.example.com:8140"
  cert = "certs/puppet.crt"
  key  = "certs/puppet.key"
  ca   = "certs/ca.pem"
}

resource "puppetca_certificate" "test" {
  name = "0a7842c26ad0.foo.com"
}

resource "puppetca_certificate" "ec2instance" {
  name   = "0a7842c26ad1.foo.com"
  usedby = aws_instance.ec2instance.id
}

The first puppetca_certificate resource, test, will remove the certificate if a destroy plan is run. The second puppetca_certificate resource, ec2instance, will remove the certificate if Terraform destroys the EC2 instance.

The usedby parameter can be populated as a resource parameter to drive the removal of the certificate from the Puppet CA at the desired time. In the example above, if a Terraform plan has to recreate the EC2 instance, the certificate will be removed when the EC2 instance is destroyed since each EC2 instance is assigned a new instance id.

The provider can also be configured using environment variables:

export PUPPETCA_URL="https://puppetca.example.com:8140"
export PUPPETCA_CA=$(cat certs/ca.pem)
export PUPPETCA_CERT=$(cat certs/puppet.crt)
export PUPPETCA_KEY=$(cat certs/puppet.key)

The provider needs to be configured with a certificate. This certificate should be signed by the CA, and have specific rights to list and delete certificates. See the Puppet docs for how to configure your Puppet Master to give these rights to your certificate. For example, if your certificate uses the pp_employee extension, you could add a rule like the following:

{
    match-request: {
        path: "^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$"
        type: regex
        method: [delete]
    }
    allow: [
        {extensions: {pp_employee: "true"}},
    ]
    sort-order: 500
    name: "let employees delete certs"
},
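As an added example (not code from this provider or from puppetserver), the following Go program is a simplified model of how such a rule is evaluated: path regex, HTTP method, and the pp_employee extension read from the client certificate. It shows that this rule covers only DELETE on the single-certificate paths; GET on the same path and the bulk certificate_statuses endpoint fall outside it, so the listing right the text mentions is not granted by this rule alone. The request samples and the extension map are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// authRule is a simplified model of one puppetserver auth.conf rule
// (added example; not puppetserver's own authorization code).
type authRule struct {
	name      string
	path      *regexp.Regexp
	methods   []string
	extension string // certificate extension checked by the allow clause
	value     string // value that extension must carry
}

// employeeDelete mirrors the rule shown above in the README.
var employeeDelete = authRule{
	name:      "let employees delete certs",
	path:      regexp.MustCompile(`^/puppet-ca/v1/certificate(_status|_request)?/([^/]+)$`),
	methods:   []string{"delete"},
	extension: "pp_employee",
	value:     "true",
}

// allowed reports whether the rule grants the request. exts models the
// extensions extracted from the client certificate presented over TLS.
func (r authRule) allowed(method, path string, exts map[string]string) bool {
	if !r.path.MatchString(path) {
		return false
	}
	methodOK := false
	for _, m := range r.methods {
		if strings.EqualFold(m, method) {
			methodOK = true
		}
	}
	return methodOK && exts[r.extension] == r.value
}

func main() {
	employee := map[string]string{"pp_employee": "true"} // constructed client cert extensions
	for _, req := range [][2]string{
		{"DELETE", "/puppet-ca/v1/certificate_status/0a7842c26ad0.foo.com"},
		{"GET", "/puppet-ca/v1/certificate_status/0a7842c26ad0.foo.com"},
		{"DELETE", "/puppet-ca/v1/certificate_statuses/any"},
	} {
		fmt.Printf("%s %s -> %v\n", req[0], req[1], employeeDelete.allowed(req[0], req[1], employee))
	}
}
```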

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.8+ is required). You'll also need to correctly set up a GOPATH and add $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make bin
...
$ $GOPATH/bin/terraform-provider-puppetca
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc