Terraform code allowing puppet clients to acquire TLS certificates matching their own hostname only
# Client authentication: hosts present their Puppet-issued certificate to this
# TLS-certificate auth mount. Which certificates are trusted is defined by the
# role attached to this mount, not by the mount itself.
resource "vault_auth_backend" "host_certs" {
  type = "cert"
  path = "host_certs"
}
resource "vault_cert_auth_backend_role" "puppet_certificate" {
  backend = vault_auth_backend.host_certs.path
  name    = "puppet_certificate"

  # Trust anchor: only certificates that chain to the Puppet CA are accepted.
  certificate = file("files/puppet-ca.crt")

  # The presented certificate must also carry a DNS SAN under example.com.
  # Any certificate the Puppet CA has issued for that domain can log in here,
  # so the Puppet CA's own issuance controls are part of this trust boundary.
  allowed_dns_sans = ["*.example.com"]

  # Tokens minted at login carry only the host-certificates policy (defined
  # further down), i.e. the right to request a certificate and nothing else.
  token_policies = ["host-certificates"]

  # NOTE(review): token lifetime and source-address restrictions are left at
  # the mount defaults; token_ttl / token_bound_cidrs can tighten this.
}
# PKI mount that issues the per-host certificates.
resource "vault_mount" "host_certs" {
  type        = "pki"
  path        = "host_certs"
  description = "Backend for auto-generated host certificates"

  # 365 days expressed in seconds. This is both the default lifetime and the
  # hard ceiling for anything issued from this mount; a role ttl, if set,
  # can only shorten it.
  default_lease_ttl_seconds = 31536000
  max_lease_ttl_seconds     = 31536000
}
resource "vault_pki_secret_backend_config_ca" "host_certs" {
  backend = vault_mount.host_certs.path

  # Vault's intermediate is itself subordinate to an existing internal
  # intermediate, so the full path is:
  #   issued certs -> vault intermediate -> internal intermediate -> internal root
  # Both upstream certificates are therefore loaded as the CA bundle for this
  # mount. Joining with "\n" keeps the two PEM blocks separated even when a
  # file has no trailing newline.
  pem_bundle = join("\n", [
    file("files/internal-intermediate-ca.crt"),
    file("files/internal-root-ca.crt"),
  ])
}
resource "vault_pki_secret_backend_config_urls" "host_certs" {
  backend = vault_mount.host_certs.path

  # These URLs are embedded in every issued certificate (AIA / CRL distribution
  # point), so relying parties can fetch the issuer chain and revocation list.
  # They must stay reachable for the lifetime of the issued certificates.
  issuing_certificates    = ["https://vault.example.com:8200/v1/host_certs/ca"]
  crl_distribution_points = ["https://vault.example.com:8200/v1/host_certs/crl"]
}
resource "vault_pki_secret_backend_crl_config" "host_certs" {
  backend = vault_mount.host_certs.path

  # Revocation stays enabled; a CRL is considered valid for 72 hours, which is
  # the upper bound on how long a revoked host certificate may still be
  # accepted by a client that caches the CRL.
  disable = false
  expiry  = "72h"
}
resource "vault_pki_secret_backend_intermediate_cert_request" "host_certs" {
  backend = vault_mount.host_certs.path

  # "internal": the intermediate's private key is generated and held inside
  # Vault and is never returned; only the CSR leaves the mount.
  type        = "internal"
  common_name = "Vault Intermediate authority"
}
# The CSR to be signed by the internal intermediate CA. A CSR carries only
# public material, so exposing it as an output is safe.
output "host_certs_intermediate_csr" {
  value = vault_pki_secret_backend_intermediate_cert_request.host_certs.csr
}
# This step is a little circular:
# once the CSR above has been signed, enable the block below to import the signed certificate, or import it manually
#resource "vault_pki_secret_backend_intermediate_set_signed" "host_certs" {
# backend = vault_mount.host_certs.path
# certificate = file("files/host_certs-ca.crt")
#}
resource "vault_policy" "host_certificates" {
  name = "host-certificates"

  # Least privilege for hosts: issuance through the host_certs role only.
  # No read or list on the mount, its CA material, its roles or its config,
  # and no access to any other role. The second path is the per-issuer form
  # of the same issue operation on newer multi-issuer mounts.
  policy = <<-EOT
path "host_certs/issue/host_certs" {
capabilities = ["create", "update"]
}
path "host_certs/issuer/+/issue/host_certs" {
capabilities = ["create", "update"]
}
EOT
}
resource "vault_pki_secret_backend_role" "role" {
  backend = vault_mount.host_certs.path
  name    = "host_certs"

  # --- Name restrictions ---------------------------------------------------
  # The allowed domain is templated from the requesting Vault identity, so a
  # host can obtain a certificate for exactly its own entity name and nothing
  # else:
  #   - allow_bare_domains: the entity name itself is permitted as CN / SAN
  #   - allow_subdomains, allow_glob_domains, allow_any_name: all off, so
  #     nothing beneath, beside or unrelated to that name can be requested
  #   - allow_ip_sans: off, so no IP SANs at all
  # NOTE(review): the "own hostname only" property relies on the entity name
  # being the host's FQDN as carried in its Puppet certificate; confirm how
  # the cert auth method derives the entity alias name in the Vault version
  # in use, and that entity names cannot be changed by the hosts themselves.
  allowed_domains_template = true
  allowed_domains          = ["{{identity.entity.name}}"]
  allow_any_name           = false
  allow_bare_domains       = true
  allow_subdomains         = false
  allow_glob_domains       = false
  allow_ip_sans            = false

  # Issued certificates are valid for both TLS server and TLS client use.
  server_flag = true
  client_flag = true

  # --- Key parameters ------------------------------------------------------
  # No ttl / max_ttl on the role, so the mount-level defaults (presumably the
  # one-year values set on vault_mount.host_certs) apply to issued certs.
  key_type = "rsa"
  key_bits = 4096
  key_usage = [
    "DigitalSignature",
    "KeyAgreement",
    "KeyEncipherment",
  ]
}