dotfiles/terraform/pki.tf

resource "vault_mount" "pki-inra" {
  path                      = "pki-inra"
  type                      = "pki"
  description               = "in.redalder.org"
  default_lease_ttl_seconds = 8640000
  max_lease_ttl_seconds     = 8640000
}

resource "vault_policy" "pki-inra-update" {
  name = "pki-inra-update"

  policy = <<EOF
path "${vault_mount.pki-inra.path}/config/ca" {
  capabilities = ["update"]
}
EOF
}

resource "vault_pki_secret_backend_config_urls" "example" {
  backend = vault_mount.pki-inra.path
  issuing_certificates = [
    "https://vault.in.redalder.org:8200/v1/pki/ca",
  ]
  crl_distribution_points = [
    "https://vault.in.redalder.org:8200/v1/pki_int/crl",
  ]
}

resource "vault_pki_secret_backend_role" "test_role" {
  backend          = vault_mount.pki-inra.path
  name             = "test_role"
  ttl              = 3600
  allow_ip_sans    = true
  key_type         = "rsa"
  key_bits         = 4096
  allowed_domains  = ["test.in.redalder.org"]
  allow_subdomains = false
}
Setup acme.sh for Vault Signed-off-by: Magic_RB <magic_rb@redalder.org> 2022-10-11 07:55:27 +02:00			`resource "vault_mount" "pki-inra" {`
			`path = "pki-inra"`
			`type = "pki"`
			`description = "in.redalder.org"`
			`default_lease_ttl_seconds = 8640000`
			`max_lease_ttl_seconds = 8640000`
			`}`

			`resource "vault_policy" "pki-inra-update" {`
			`name = "pki-inra-update"`

			`policy = <<EOF`
			`path "${vault_mount.pki-inra.path}/config/ca" {`
			`capabilities = ["update"]`
			`}`
			`EOF`
			`}`

			`resource "vault_pki_secret_backend_config_urls" "example" {`
			`backend = vault_mount.pki-inra.path`
			`issuing_certificates = [`
			`"https://vault.in.redalder.org:8200/v1/pki/ca",`
			`]`
			`crl_distribution_points = [`
			`"https://vault.in.redalder.org:8200/v1/pki_int/crl",`
			`]`
			`}`

			`resource "vault_pki_secret_backend_role" "test_role" {`
			`backend = vault_mount.pki-inra.path`
			`name = "test_role"`
			`ttl = 3600`
			`allow_ip_sans = true`
			`key_type = "rsa"`
			`key_bits = 4096`
			`allowed_domains = ["test.in.redalder.org"]`
			`allow_subdomains = false`
			`}`