feat: create self-signed certificate

scalair · Jan 30, 2023 · 4189069 · 4189069
1 parent c62a144
commit 4189069
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -1,6 +1,7 @@
 terraform {
   required_version = ">= 0.12.0"
 }
+data "azurerm_client_config" "current" {}
 
 resource "azurerm_key_vault" "kv" {
   name                = var.name
@@ -18,6 +19,37 @@ resource "azurerm_key_vault" "kv" {
   enabled_for_template_deployment = var.enabled_for_template_deployment
   enable_rbac_authorization       = var.enable_rbac_authorization
 
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    certificate_permissions = [
+      "Get",
+      "List",
+      "Create",
+      "Import",
+      "Update",
+      "Delete",
+      "Purge"
+    ]
+
+    key_permissions = [
+      "Get",
+      "List",
+      "Create",
+      "Import"
+    ]
+
+    secret_permissions = [
+      "Get",
+      "List",
+      "Set",
+      "Delete",
+      "Purge"
+    ]
+  }
+
+
   dynamic "access_policy" {
     for_each = var.access_policy
 
@@ -56,3 +88,54 @@ resource "azurerm_key_vault" "kv" {
 
   tags = var.tags
 }
+
+resource "azurerm_key_vault_certificate" "example" {
+  for_each     = toset( var.certificates )
+  name         = replace(each.key, ".", "-")
+  key_vault_id = azurerm_key_vault.kv.id
+
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+
+    x509_certificate_properties {
+      # Server Authentication = 1.3.6.1.5.5.7.3.1
+      # Client Authentication = 1.3.6.1.5.5.7.3.2
+      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
+
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+
+      subject            = format("CN=%s",each.key)
+      validity_in_months = 12
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -30,6 +30,12 @@ variable "access_policy" {
   default     = []
 }
 
+variable "certificates" {
+  type = list(any)
+  description = "(Optional) A list of self signed certificates"
+  default     = []
+}
+
 variable "enabled_for_deployment" {
   type        = bool
   description = "(Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false."