terraform-google-modules/terraform-google-vault

The root ca and server cert validity_period is hardcoded

Closed · 1 comment

TL;DR

Currently "tls_self_signed_cert.root" has the property "validity_period_hours" hardcoded to 26280 and "tls_locally_signed_cert.vault-server" to 17520. It would be nice to have the ability to modify those properties using a variable. That would allow the use of long-lived certificates.

Terraform Resources

https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert

Detailed design

# Proposition - not tested yet

variable "tls_ca_validity_period_hours" {
  description = "Number of hours, after initial issuing, that the root certificate will remain valid for."
  type        = number
  default     = 26280
}

variable "tls_cert_validity_period_hours" {
  description = "Number of hours, after initial issuing, that the server certificate will remain valid for."
  type        = number
  default     = 17520
}

# Sign ourselves
resource "tls_self_signed_cert" "root" {
  count = local.manage_tls_count

  private_key_pem = tls_private_key.root[0].private_key_pem

  subject {
    common_name         = var.tls_ca_subject.common_name
    country             = var.tls_ca_subject.country
    locality            = var.tls_ca_subject.locality
    organization        = var.tls_ca_subject.organization
    organizational_unit = var.tls_ca_subject.organizational_unit
    postal_code         = var.tls_ca_subject.postal_code
    province            = var.tls_ca_subject.province
    street_address      = var.tls_ca_subject.street_address
  }

  # Previously hardcoded to 26280 hours (3 years); now driven by a variable.
  validity_period_hours = var.tls_ca_validity_period_hours
  early_renewal_hours   = 8760
  is_ca_certificate     = true

  allowed_uses = ["cert_signing"]
}

# Vault server key
resource "tls_private_key" "vault-server" {
  count = local.manage_tls_count

  algorithm = "RSA"
  rsa_bits  = 2048
}

# Sign the cert
resource "tls_locally_signed_cert" "vault-server" {
  count = local.manage_tls_count

  cert_request_pem   = tls_cert_request.vault-server[0].cert_request_pem
  ca_private_key_pem = tls_private_key.root[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.root[0].cert_pem

  # Previously hardcoded to 17520 hours (2 years); now driven by a variable.
  validity_period_hours = var.tls_cert_validity_period_hours
  early_renewal_hours   = 8760

  allowed_uses = ["server_auth"]
}

Additional information

No response
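The proposal above exposes the two validity periods but keeps early_renewal_hours hardcoded at 8760 and adds no guard rails. The configuration below is an added example, not code from the terraform-google-vault module or from the issue author: it carries the same variables with validation blocks and uses lifecycle preconditions so that a server certificate cannot be configured to outlive its issuing CA (path validation fails once the CA expires, so any extra leaf validity is wasted) and early_renewal_hours can never reach the validity period (otherwise the tls provider treats the certificate as due for renewal on every plan). local.manage_tls_count, tls_private_key.root, tls_cert_request.vault-server and var.tls_ca_subject are the names used in the proposal and are assumed to exist; only common_name is set in the subject here, the remaining subject fields are as in the proposal.

```hcl
# Added example (not the module's own code). Requires Terraform >= 1.2 for
# lifecycle preconditions; assumes the resources named in the proposal exist.

variable "tls_ca_validity_period_hours" {
  description = "Hours the self-signed root CA certificate remains valid (default 3 years)."
  type        = number
  default     = 26280

  validation {
    condition     = var.tls_ca_validity_period_hours > 0
    error_message = "tls_ca_validity_period_hours must be a positive number of hours."
  }
}

variable "tls_cert_validity_period_hours" {
  description = "Hours the Vault server certificate remains valid (default 2 years)."
  type        = number
  default     = 17520

  validation {
    condition     = var.tls_cert_validity_period_hours > 0
    error_message = "tls_cert_validity_period_hours must be a positive number of hours."
  }
}

variable "tls_early_renewal_hours" {
  description = "Hours before expiry at which Terraform plans a replacement certificate (default 1 year)."
  type        = number
  default     = 8760
}

# Root CA, self-signed with the key from the proposal.
resource "tls_self_signed_cert" "root" {
  count = local.manage_tls_count

  private_key_pem = tls_private_key.root[0].private_key_pem

  subject {
    common_name = var.tls_ca_subject.common_name
  }

  validity_period_hours = var.tls_ca_validity_period_hours
  early_renewal_hours   = var.tls_early_renewal_hours
  is_ca_certificate     = true

  allowed_uses = ["cert_signing"]

  lifecycle {
    precondition {
      condition     = var.tls_early_renewal_hours < var.tls_ca_validity_period_hours
      error_message = "tls_early_renewal_hours must be smaller than tls_ca_validity_period_hours, or the CA is re-issued on every apply."
    }
  }
}

# Vault server certificate, signed by the root CA above.
resource "tls_locally_signed_cert" "vault-server" {
  count = local.manage_tls_count

  cert_request_pem   = tls_cert_request.vault-server[0].cert_request_pem
  ca_private_key_pem = tls_private_key.root[0].private_key_pem
  ca_cert_pem        = tls_self_signed_cert.root[0].cert_pem

  validity_period_hours = var.tls_cert_validity_period_hours
  early_renewal_hours   = var.tls_early_renewal_hours

  allowed_uses = ["server_auth"]

  lifecycle {
    precondition {
      condition     = var.tls_cert_validity_period_hours <= var.tls_ca_validity_period_hours
      error_message = "The server certificate must not outlive the CA certificate; lower tls_cert_validity_period_hours or raise tls_ca_validity_period_hours."
    }
    precondition {
      condition     = var.tls_early_renewal_hours < var.tls_cert_validity_period_hours
      error_message = "tls_early_renewal_hours must be smaller than tls_cert_validity_period_hours, or the server certificate is re-issued on every apply."
    }
  }
}
```

Override the defaults per environment with `terraform plan -var tls_cert_validity_period_hours=43800`, and check what the plan reports: in the hashicorp/tls provider, validity_period_hours cannot be changed in place, so altering it on an already-applied module replaces the certificate, and the new certificate (and, for the CA, the new trust anchor) then has to be rolled out to the Vault servers and their clients.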

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.