  Generating a self-signed certificate with Terraform

    Terraform is a solid infrastructure tool: it handles infrastructure deployment and lets us treat infrastructure as code.
    The following is a simple demonstration of generating a self-signed certificate (using the tls provider).

    main.tf file

    resource "tls_private_key" "example" {
      algorithm = "RSA"
    }

    resource "tls_self_signed_cert" "example" {
      key_algorithm   = tls_private_key.example.algorithm
      private_key_pem = tls_private_key.example.private_key_pem

      # Validity in hours: 120000000 hours is roughly 13,700 years,
      # far longer than a production certificate should live.
      validity_period_hours = 120000000

      # Regenerate the certificate if Terraform runs within this many
      # hours of the expiration time (here 30000000 hours).
      early_renewal_hours = 30000000

      # Marks the certificate as a CA; together with "server_auth" below
      # the same certificate acts as both a CA and a server certificate.
      is_ca_certificate = true

      # Key usages for a server TLS certificate.
      allowed_uses = [
        "key_encipherment",
        "digital_signature",
        "server_auth",
      ]

      # Subject Alternative Names the certificate is valid for.
      ip_addresses = ["127.0.0.1", "192.168.0.111", "10.10.18.119"]
      dns_names    = ["api.example.com", "k8sapi.example.com"]

      subject {
        common_name  = "example.com"
        organization = "example, Inc"
      }
    }

    # Bundle the generated key pair and certificate into a zip file.
    data "archive_file" "userinfos" {
      type        = "zip"
      output_path = "tf-result/cert.zip"

      source {
        content  = tls_private_key.example.private_key_pem
        filename = "private_key_pem"
      }
      source {
        content  = tls_private_key.example.public_key_pem
        filename = "public_key_pem"
      }
      source {
        content  = tls_self_signed_cert.example.cert_pem
        filename = "cert_pem"
      }
    }

    Resource notes

    The code above uses the archive provider to compress the generated files into a zip, tls_private_key to generate the private key,
    and tls_self_signed_cert to generate the self-signed certificate.
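    As an added example (not from the original post), the same provider can instead issue a signing-only CA and a separate, short-lived server certificate, with a variable validation that caps the leaf validity. It assumes Terraform 0.13+ (for the validation block) and the tls provider 2.x/3.x attribute names used above (key_algorithm, ca_key_algorithm); the private keys are still written to Terraform state, so the state file must be protected like the keys themselves.

```hcl
# Added example (not from the post): a CA that only signs, plus a separate
# server certificate issued by it. Private keys still land in Terraform state.
variable "leaf_validity_hours" {
  type    = number
  default = 2160 # 90 days
  validation {
    condition     = var.leaf_validity_hours > 0 && var.leaf_validity_hours <= 8760
    error_message = "Leaf certificate validity must be between 1 hour and 1 year."
  }
}
resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
resource "tls_self_signed_cert" "ca" {
  key_algorithm         = tls_private_key.ca.algorithm
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 43800 # 5 years, the only long-lived object
  early_renewal_hours   = 720
  allowed_uses          = ["cert_signing", "crl_signing"] # no server_auth on the CA
  subject {
    common_name  = "example.com internal CA"
    organization = "example, Inc"
  }
}
resource "tls_private_key" "server" {
  algorithm = "RSA"
}
resource "tls_cert_request" "server" {
  key_algorithm   = tls_private_key.server.algorithm
  private_key_pem = tls_private_key.server.private_key_pem
  dns_names       = ["api.example.com", "k8sapi.example.com"]
  ip_addresses    = ["127.0.0.1"]
  subject {
    common_name  = "api.example.com"
    organization = "example, Inc"
  }
}
resource "tls_locally_signed_cert" "server" {
  cert_request_pem      = tls_cert_request.server.cert_request_pem
  ca_key_algorithm      = tls_private_key.ca.algorithm
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.ca.cert_pem
  validity_period_hours = var.leaf_validity_hours
  early_renewal_hours   = 168 # re-issue when a week remains
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}
```

    Running terraform plan with, for example, -var leaf_validity_hours=120000000 fails at the validation step instead of producing a near-permanent certificate.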

    Running it

    • init: download the plugins
    terraform init
    • view the plan
    terraform plan

    Result

    Refreshing Terraform state in-memory prior to plan...
    The refreshed state will be used to calculate this plan, but will not be
    persisted to local or remote state storage.
    ------------------------------------------------------------------------
    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create
     <= read (data resources)
    Terraform will perform the following actions:
      # data.archive_file.userinfos will be read during apply
      # (config refers to values not yet known)
     <= data "archive_file" "userinfos" {
          + id = (known after apply)
          + output_base64sha256 = (known after apply)
          + output_md5 = (known after apply)
          + output_path = "tf-result/cert.zip"
          + output_sha = (known after apply)
          + output_size = (known after apply)
          + type = "zip"
          + source {
              + content = (known after apply)
              + filename = "cert_pem"
            }
          + source {
              + content = (known after apply)
              + filename = "private_key_pem"
            }
          + source {
              + content = (known after apply)
              + filename = "public_key_pem"
            }
        }
      # tls_private_key.example will be created
      + resource "tls_private_key" "example" {
          + algorithm = "RSA"
          + ecdsa_curve = "P224"
          + id = (known after apply)
          + private_key_pem = (known after apply)
          + public_key_fingerprint_md5 = (known after apply)
          + public_key_openssh = (known after apply)
          + public_key_pem = (known after apply)
          + rsa_bits = 2048
        }
      # tls_self_signed_cert.example will be created
      + resource "tls_self_signed_cert" "example" {
          + allowed_uses = [
              + "key_encipherment",
              + "digital_signature",
              + "server_auth",
            ]
          + cert_pem = (known after apply)
          + dns_names = [
              + "api.example.com",
              + "k8sapi.example.com",
            ]
          + early_renewal_hours = 30000000
          + id = (known after apply)
          + ip_addresses = [
              + "127.0.0.1",
              + "192.168.0.111",
              + "10.10.18.119",
            ]
          + is_ca_certificate = true
          + key_algorithm = "RSA"
          + private_key_pem = (known after apply)
          + validity_end_time = (known after apply)
          + validity_period_hours = 120000000
          + validity_start_time = (known after apply)
          + subject {
              + common_name = "example.com"
              + organization = "example, Inc"
            }
        }
    Plan: 2 to add, 0 to change, 0 to destroy.
    ------------------------------------------------------------------------
    Note: You didn't specify an "-out" parameter to save this plan, so Terraform
    can't guarantee that exactly these actions will be performed if
    "terraform apply" is subsequently run.
    • apply
    terraform apply

    Result

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create
     <= read (data resources)
    Terraform will perform the following actions:
      # data.archive_file.userinfos will be read during apply
      # (config refers to values not yet known)
     <= data "archive_file" "userinfos" {
          + id = (known after apply)
          + output_base64sha256 = (known after apply)
          + output_md5 = (known after apply)
          + output_path = "tf-result/cert.zip"
          + output_sha = (known after apply)
          + output_size = (known after apply)
          + type = "zip"
          + source {
              + content = (known after apply)
              + filename = "cert_pem"
            }
          + source {
              + content = (known after apply)
              + filename = "private_key_pem"
            }
          + source {
              + content = (known after apply)
              + filename = "public_key_pem"
            }
        }
      # tls_private_key.example will be created
      + resource "tls_private_key" "example" {
          + algorithm = "RSA"
          + ecdsa_curve = "P224"
          + id = (known after apply)
          + private_key_pem = (known after apply)
          + public_key_fingerprint_md5 = (known after apply)
          + public_key_openssh = (known after apply)
          + public_key_pem = (known after apply)
          + rsa_bits = 2048
        }
      # tls_self_signed_cert.example will be created
      + resource "tls_self_signed_cert" "example" {
          + allowed_uses = [
              + "key_encipherment",
              + "digital_signature",
              + "server_auth",
            ]
          + cert_pem = (known after apply)
          + dns_names = [
              + "api.example.com",
              + "k8sapi.example.com",
            ]
          + early_renewal_hours = 30000000
          + id = (known after apply)
          + ip_addresses = [
              + "127.0.0.1",
              + "192.168.0.111",
              + "10.10.18.119",
            ]
          + is_ca_certificate = true
          + key_algorithm = "RSA"
          + private_key_pem = (known after apply)
          + validity_end_time = (known after apply)
          + validity_period_hours = 120000000
          + validity_start_time = (known after apply)
          + subject {
              + common_name = "example.com"
              + organization = "example, Inc"
            }
        }
    Plan: 2 to add, 0 to change, 0 to destroy.
    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.
      Enter a value: yes
    tls_private_key.example: Creating...
    tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
    tls_self_signed_cert.example: Creating...
    tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
    data.archive_file.userinfos: Refreshing state...
    Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
    • File contents
    unzip cert.zip
    Archive: cert.zip
      inflating: cert_pem                
      inflating: private_key_pem         
      inflating: public_key_pem   

    Notes

    We can combine Vault's TLS management with Terraform for convenient certificate management: infrastructure as code.

    References

    https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
    https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

  Original post: https://www.cnblogs.com/rongfengliang/p/10942217.html