The root ca and server cert validity_period is hardcoded
Closed this issue · 1 comments
inetshell commented
TL;DR
Currently "tls_self_signed_cert.root" has the property "validity_period_hours" hardcoded to 26280 and "tls_locally_signed_cert.vault-server" to 17520. It would be nice to have the ability to modify those properties using a variable. That would allow the use of long-lived certificates.
Terraform Resources
https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert
Detailed design
```hcl
# Proposition - not tested yet
variable "tls_ca_validity_period_hours" {
  description = "Number of hours, after initial issuing, that the root certificate will remain valid for."
  type        = number
  default     = 26280
}

variable "tls_cert_validity_period_hours" {
  description = "Number of hours, after initial issuing, that the server certificate will remain valid for."
  type        = number
  default     = 17520
}

# Sign ourselves
resource "tls_self_signed_cert" "root" {
  count           = local.manage_tls_count
  private_key_pem = tls_private_key.root[0].private_key_pem

  subject {
    common_name         = var.tls_ca_subject.common_name
    country             = var.tls_ca_subject.country
    locality            = var.tls_ca_subject.locality
    organization        = var.tls_ca_subject.organization
    organizational_unit = var.tls_ca_subject.organizational_unit
    postal_code         = var.tls_ca_subject.postal_code
    province            = var.tls_ca_subject.province
    street_address      = var.tls_ca_subject.street_address
  }

  validity_period_hours = var.tls_ca_validity_period_hours
  early_renewal_hours   = 8760
  is_ca_certificate     = true
  allowed_uses          = ["cert_signing"]
}

# Vault server key
resource "tls_private_key" "vault-server" {
  count     = local.manage_tls_count
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Sign the cert
resource "tls_locally_signed_cert" "vault-server" {
  count              = local.manage_tls_count
  cert_request_pem   = tls_cert_request.vault-server[0].cert_request_pem
  ca_private_key_pem = tls_private_key.root[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.root[0].cert_pem

  validity_period_hours = var.tls_cert_validity_period_hours
  early_renewal_hours   = 8760
  allowed_uses          = ["server_auth"]
}
```
Additional information
No response
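The proposal above makes the two validity periods configurable but leaves them unconstrained, and the `early_renewal_hours` value stays hardcoded at 8760. Once a user can set the periods freely, two relationships matter: the renewal window must be shorter than the validity period it applies to (otherwise Terraform plans a replacement on every run), and the server certificate should not outlive the CA that signs it (clients stop trusting it the moment the CA expires, whatever its own notAfter says). The following is an added example, not code from the issue or from the module it discusses; it assumes the issue's own names (`local.manage_tls_count`, `tls_private_key.root`, `tls_cert_request.vault-server`, `var.tls_ca_subject`) exist, and the 87600-hour ceiling and the new `tls_early_renewal_hours` variable are choices made here, not something the module has. `validation` blocks and `lifecycle { precondition }` are standard Terraform features (the latter needs Terraform 1.2 or newer).

```hcl
# Added example (not from the issue or the module): configurable validity
# periods with guards. Assumes local.manage_tls_count, tls_private_key.root,
# tls_cert_request.vault-server and var.tls_ca_subject exist in the module.

variable "tls_ca_validity_period_hours" {
  description = "Hours the root CA certificate remains valid after issuance."
  type        = number
  default     = 26280 # the value the module currently hardcodes (3 years)

  # Ceiling of 10 years is an assumption for this example; pick your own policy.
  validation {
    condition     = var.tls_ca_validity_period_hours > 0 && var.tls_ca_validity_period_hours <= 87600
    error_message = "tls_ca_validity_period_hours must be between 1 and 87600 (10 years)."
  }
}

variable "tls_cert_validity_period_hours" {
  description = "Hours the Vault server certificate remains valid after issuance."
  type        = number
  default     = 17520 # the value the module currently hardcodes (2 years)

  validation {
    condition     = var.tls_cert_validity_period_hours > 0
    error_message = "tls_cert_validity_period_hours must be a positive number of hours."
  }
}

variable "tls_early_renewal_hours" {
  description = "Hours before expiry at which Terraform plans a replacement certificate."
  type        = number
  default     = 8760 # the value the module currently hardcodes (1 year)
}

resource "tls_self_signed_cert" "root" {
  count           = local.manage_tls_count
  private_key_pem = tls_private_key.root[0].private_key_pem

  subject {
    common_name  = var.tls_ca_subject.common_name
    organization = var.tls_ca_subject.organization
  }

  validity_period_hours = var.tls_ca_validity_period_hours
  early_renewal_hours   = var.tls_early_renewal_hours
  is_ca_certificate     = true
  allowed_uses          = ["cert_signing"]

  lifecycle {
    # A renewal window longer than the validity period would mark the cert
    # for replacement on every plan.
    precondition {
      condition     = var.tls_early_renewal_hours < var.tls_ca_validity_period_hours
      error_message = "tls_early_renewal_hours must be less than tls_ca_validity_period_hours."
    }
  }
}

resource "tls_locally_signed_cert" "vault-server" {
  count              = local.manage_tls_count
  cert_request_pem   = tls_cert_request.vault-server[0].cert_request_pem
  ca_private_key_pem = tls_private_key.root[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.root[0].cert_pem

  validity_period_hours = var.tls_cert_validity_period_hours
  early_renewal_hours   = var.tls_early_renewal_hours
  allowed_uses          = ["server_auth"]

  lifecycle {
    # The leaf becomes untrusted when the CA expires, so cap it at the CA lifetime.
    precondition {
      condition     = var.tls_cert_validity_period_hours <= var.tls_ca_validity_period_hours
      error_message = "tls_cert_validity_period_hours must not exceed tls_ca_validity_period_hours."
    }
    precondition {
      condition     = var.tls_early_renewal_hours < var.tls_cert_validity_period_hours
      error_message = "tls_early_renewal_hours must be less than tls_cert_validity_period_hours."
    }
  }
}
```

The `validation` blocks only look at one variable each, so they work on any Terraform version that supports them; the cross-variable relationships go into `precondition` blocks on the resources, which fail `terraform plan` with the given message before any certificate is generated.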
github-actions commented
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days