This allows you to generate and sign certificates using a local CA.
package tls
import (
"crypto/x509"
"fmt"
"net"
"github.com/hashicorp/terraform/helper/schema"
)
// resourceSelfSignedCert builds the schema for the self-signed certificate
// resource. It starts from the certificate schema shared with the other
// certificate resources (resourceCertificateCommonSchema) and adds the
// inputs that are specific to a self-signed certificate: the subject, the
// subject alternative names, and the private key that will sign it.
//
// Every attribute declared here is ForceNew: changing any of them replaces
// the resource, i.e. a fresh certificate is issued rather than the existing
// one being amended in place. There is accordingly no Update handler.
func resourceSelfSignedCert() *schema.Resource {
	s := resourceCertificateCommonSchema()

	// Both SAN lists have exactly the same shape and differ only in their
	// description, so build them from one helper.
	stringList := func(description string) *schema.Schema {
		return &schema.Schema{
			Type:        schema.TypeList,
			Optional:    true,
			Description: description,
			ForceNew:    true,
			Elem: &schema.Schema{
				Type: schema.TypeString,
			},
		}
	}

	// "subject" is a list only so it can be written as a nested block; the
	// "exactly one block" rule is enforced at create time by
	// CreateSelfSignedCert, not by the schema.
	s["subject"] = &schema.Schema{
		Type:     schema.TypeList,
		Required: true,
		Elem:     nameSchema,
		ForceNew: true,
	}

	// Subject alternative names. Modern TLS clients match hostnames against
	// the SAN extension rather than the subject's common name, so every name
	// the certificate must be valid for should be listed here.
	s["dns_names"] = stringList("List of DNS names to use as subjects of the certificate")
	s["ip_addresses"] = stringList("List of IP addresses to use as subjects of the certificate")

	// key_algorithm names the algorithm private_key_pem was generated with;
	// the pair is decoded together by parsePrivateKey at create time.
	s["key_algorithm"] = &schema.Schema{
		Type:        schema.TypeString,
		Required:    true,
		Description: "Name of the algorithm to use to generate the certificate's private key",
		ForceNew:    true,
	}

	// The private key is sensitive material. The StateFunc records only
	// hashForState(pem) in this resource's state instead of the key itself,
	// which still lets Terraform notice a changed key (and force replacement)
	// without persisting the key here. This protects this resource's state
	// entry only: the key is a required input and still has to reach the
	// resource from configuration or from another resource's state.
	s["private_key_pem"] = &schema.Schema{
		Type:        schema.TypeString,
		Required:    true,
		Description: "PEM-encoded private key that the certificate will belong to",
		ForceNew:    true,
		StateFunc: func(v interface{}) string {
			return hashForState(v.(string))
		},
	}

	return &schema.Resource{
		Create: CreateSelfSignedCert,
		Delete: DeleteCertificate,
		Read:   ReadCertificate,
		Schema: s,
	}
}
// CreateSelfSignedCert is the Create handler for the self-signed certificate
// resource. It decodes the caller's private key, assembles an x509 template
// from the subject and subject alternative names in the configuration, and
// hands the template to createCertificate to be signed with that same key.
//
// The certificate is self-signed in the strict sense: the template is passed
// as its own parent, and the public key embedded in the certificate is the
// one derived from private_key_pem via publicKey(key). Only the subject, the
// SANs and BasicConstraintsValid are set on the template here; serial number,
// validity window, key usage and the CA flag are not, so they are presumably
// filled in by createCertificate from the common schema — confirm there.
//
// Returns an error if the key cannot be parsed, if there is not exactly one
// subject block, if the subject block is malformed, or if any ip_addresses
// entry is not a parseable IP address. DNS names are copied through with no
// validation beyond the schema's string type.
func CreateSelfSignedCert(d *schema.ResourceData, meta interface{}) error {
	// Key first: nothing else is worth validating if we cannot sign anyway.
	signer, err := parsePrivateKey(d, "private_key_pem", "key_algorithm")
	if err != nil {
		return err
	}

	// "subject" is modelled as a list so it can be written as a nested
	// block, but semantically it is a single value.
	subjectBlocks := d.Get("subject").([]interface{})
	if len(subjectBlocks) != 1 {
		return fmt.Errorf("must have exactly one 'subject' block")
	}
	subjectName, err := nameFromResourceData(subjectBlocks[0].(map[string]interface{}))
	if err != nil {
		return fmt.Errorf("invalid subject block: %s", err)
	}

	// Subject alternative names. Modern TLS clients validate hostnames
	// against the SAN extension rather than the subject CN, so a certificate
	// meant for a hostname needs it in dns_names (or ip_addresses) as well.
	var dnsNames []string
	for _, raw := range d.Get("dns_names").([]interface{}) {
		dnsNames = append(dnsNames, raw.(string))
	}

	var ipAddresses []net.IP
	for _, raw := range d.Get("ip_addresses").([]interface{}) {
		text := raw.(string)
		parsed := net.ParseIP(text)
		if parsed == nil {
			// Reject rather than silently drop a malformed entry; a missing
			// SAN would otherwise only surface much later as a TLS failure.
			return fmt.Errorf("invalid IP address %#v", text)
		}
		ipAddresses = append(ipAddresses, parsed)
	}

	template := x509.Certificate{
		Subject:               *subjectName,
		DNSNames:              dnsNames,
		IPAddresses:           ipAddresses,
		BasicConstraintsValid: true,
	}

	// The template doubles as its own parent: that is what makes the
	// resulting certificate self-signed.
	return createCertificate(d, &template, &template, publicKey(signer), signer)
}