# Make sure to run 'source ./env-vars.sh' before applying this configuration.
terraform {
  required_providers {
    # Pinned to one exact provider release so plans stay reproducible
    # across machines.
    vault = {
      source  = "hashicorp/vault"
      version = "2.14.0"
    }
  }
}
provider "vault" {
  # Intentionally left without inline settings: no address or auth token is
  # committed here. The provider is expected to pick them up from the
  # environment loaded by env-vars.sh (presumably VAULT_ADDR / VAULT_TOKEN —
  # confirm against that script).
}
#
# Role for server certs
#
resource "vault_pki_secret_backend_role" "role-server-cer" {
  backend = vault_mount.pki_int.path
  name    = "server-cert-for-${var.server_cert_domain}"

  # Name constraints: only the configured domain and its subdomains are
  # issuable; no glob patterns, no arbitrary names, and hostname syntax is
  # enforced on the CN / DNS SANs.
  allowed_domains    = [var.server_cert_domain]
  allow_subdomains   = true
  allow_glob_domains = false
  allow_any_name     = false
  enforce_hostnames  = true

  # IP SANs are accepted; this role does not restrict them to specific
  # addresses.
  allow_ip_sans = true
  # NOTE(review): allow_localhost is not set here. Vault's default for it is
  # true, so "localhost" would be accepted as a name on this role — set it
  # explicitly to false if that is not intended. Confirm against the
  # provider docs for 2.14.0.

  # Extended key usage: server authentication only.
  server_flag = true
  client_flag = false

  # Subject fields stamped on every issued certificate.
  ou           = ["Development"]
  organization = ["TeKanAid Solutions Inc."]
  country      = ["Canada"]
  locality     = ["Toronto"]

  # Lifetimes in seconds: 30 days by default, capped at 2 years.
  ttl     = 2592000
  max_ttl = 63113904

  # Issued certificates are kept in Vault storage, which is what makes
  # later enumeration and revocation possible.
  no_store = false
}
resource "vault_pki_secret_backend_role" "vault-client-cert" {
  backend = vault_mount.pki_int.path
  name    = "client-cert-for-${var.client_cert_domain}"

  # Name constraints: only the bare configured domain is issuable (bare
  # domains are needed for email-address verification); no subdomains, no
  # glob patterns, no arbitrary names, and hostname syntax is enforced.
  allowed_domains    = [var.client_cert_domain]
  allow_bare_domains = true
  allow_subdomains   = false
  allow_glob_domains = false
  allow_any_name     = false
  enforce_hostnames  = true

  # IP SANs are accepted without restriction to specific addresses.
  # NOTE(review): a client-certificate role usually has no need for IP SANs;
  # consider allow_ip_sans = false unless clients are identified by address.
  allow_ip_sans = true
  #allowed_other_sans = ["1.2.840.113549.1.9.1;utf8:emailAddress"]

  # Extended key usage: both server and client authentication are enabled.
  # NOTE(review): for a role named client-cert, server_flag = true lets the
  # issued certs also pass as server certs; if that is not required, set it
  # to false so the role is limited to clientAuth (least privilege).
  server_flag = true
  client_flag = true

  # Subject fields stamped on every issued certificate.
  ou           = ["Development"]
  organization = ["TeKanAid Solutions Inc."]
  country      = ["Canada"]
  locality     = ["Toronto"]

  # Lifetimes in seconds: 30 days by default, capped at 2 years.
  ttl     = 2592000
  max_ttl = 63113904

  # Issued certificates are kept in Vault storage, which is what makes
  # later enumeration and revocation possible.
  no_store = false
}