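# Private key for the self-signed root CA below.
# This is the long-lived signing key of the whole PKI, so the key size is set
# explicitly to 4096 bits instead of relying on the provider default (2048).
# NOTE(review): tls_private_key keeps private_key_pem in Terraform state in
# plaintext; the state backend must be protected accordingly.
resource "tls_private_key" "server_ca_private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}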
#
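# Write the CA private key to disk.
# local_file defaults file_permission to "0777", which would leave the CA key
# readable (and writable) by every local user; restrict it to the owner.
# NOTE(review): local_sensitive_file (hashicorp/local) additionally redacts the
# content in plan output, but changing the resource type changes the resource
# address, so the type is left unchanged here.
resource "local_file" "server_ca_key" {
  content         = tls_private_key.server_ca_private_key.private_key_pem
  filename        = "${path.module}/certs/ServerCA.key"
  file_permission = "0600"
}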

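# Self-signed root CA certificate, issued with the CA key above.
# Fixes: misspelled subject fields ("Mahrashatra", "Auhtority") that would be
# baked into the issued certificate, and adds a Subject Key Identifier so
# chain building can match issued certificates to this CA by key id.
resource "tls_self_signed_cert" "server_ca_cert" {
  private_key_pem = tls_private_key.server_ca_private_key.private_key_pem

  is_ca_certificate = true

  # Embed the SKI extension (off by default in the provider).
  set_subject_key_id = true

  subject {
    country             = "IN"
    province            = "Maharashtra"
    locality            = "Mumbai"
    common_name         = "VPN Server Root CA"
    organization        = "VPN Server Solutions Pvt Ltd."
    organizational_unit = "VPN Server Root Certification Authority"
  }

  # 43800 h = 1825 days = 5 years.
  validity_period_hours = 43800

  # CA-only key usages: the root itself is never used for TLS server/client auth.
  allowed_uses = [
    "digital_signature",
    "cert_signing",
    "crl_signing",
  ]
}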

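# Write the CA certificate to disk.
# The certificate is public, but the local_file default mode of "0777" still
# makes it world-writable and executable; use a conventional read-only mode.
resource "local_file" "server_ca_cert" {
  content         = tls_self_signed_cert.server_ca_cert.cert_pem
  filename        = "${path.module}/certs/ServerCA.cert"
  file_permission = "0644"
}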

# Create private key for client certificate
# RSA key pair for the client (leaf) certificate.
# rsa_bits is spelled out for readability; 2048 is also the provider default,
# so the generated key is unchanged.
resource "tls_private_key" "client" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

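# Write the client private key to disk.
# Owner-only mode: local_file's default file_permission is "0777", which would
# expose the private key to every local user.
# NOTE(review): local_sensitive_file would also redact the key in plan output,
# but switching the resource type changes the resource address.
resource "local_file" "client_key" {
  content         = tls_private_key.client.private_key_pem
  filename        = "${path.module}/certs/client.key"
  file_permission = "0600"
}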

# Create CSR for the client certificate
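# Certificate signing request for the client key.
# Fixes the misspelled province ("Mahrashatra") so the subject written into the
# issued certificate is correct and matches the CA's subject fields.
resource "tls_cert_request" "client_request" {
  private_key_pem = tls_private_key.client.private_key_pem

  subject {
    country             = "IN"
    province            = "Maharashtra"
    locality            = "Mumbai"
    common_name         = "VPN Server Internal"
    organization        = "VPN Server Solutions"
    organizational_unit = "Development"
  }
}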

# Sign the server certificate with the private CA
# Leaf certificate: the client CSR signed by the private root CA above.
resource "tls_locally_signed_cert" "client_cert" {
  # CSR produced from the client key.
  cert_request_pem = tls_cert_request.client_request.cert_request_pem

  # Issuer: the self-signed CA certificate and its private key.
  ca_cert_pem        = tls_self_signed_cert.server_ca_cert.cert_pem
  ca_private_key_pem = tls_private_key.server_ca_private_key.private_key_pem

  # 5 years, the same lifetime as the CA itself.
  # NOTE(review): a leaf certificate valid as long as its issuer is unusual;
  # a shorter period together with early_renewal_hours would let Terraform
  # rotate it ahead of expiry — confirm with the operators before changing.
  validity_period_hours = 43800

  # Both server_auth and client_auth are granted, so this certificate can be
  # presented by either side of a TLS connection.
  allowed_uses = [
    "digital_signature",
    "key_encipherment",
    "server_auth",
    "client_auth",
  ]
}

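# Write the signed client certificate to disk.
# Read-only mode instead of the local_file default "0777".
# NOTE(review): the resource name "cm_internal_cert" does not match the file it
# writes (client.cert); it is kept because renaming changes the resource address.
resource "local_file" "cm_internal_cert" {
  content         = tls_locally_signed_cert.client_cert.cert_pem
  filename        = "${path.module}/certs/client.cert"
  file_permission = "0644"
}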