使用terraform 生成自签名证书

时间:2023-11-22 20:54:44

terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)

main.tf 文件

resource "tls_private_key" "example" {
  algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
  key_algorithm = "${tls_private_key.example.algorithm}"
  private_key_pem = "${tls_private_key.example.private_key_pem}"
  # Certificate expires after 12 hours.
  validity_period_hours = 120000000
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 30000000
  is_ca_certificate = true
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
      "key_encipherment",
      "digital_signature",
      "server_auth",
  ]
  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
  dns_names = ["api.example.com", "k8sapi.example.com"]
  subject {
      common_name = "example.com"
      organization = "example, Inc"
  }
}
data "archive_file" "userinfos" {
  type = "zip"
  output_path = "tf-result/cert.zip"
  source {
    content = tls_private_key.example.private_key_pem
    filename = "private_key_pem"
  }
  source {
    content = tls_private_key.example.public_key_pem
    filename = "public_key_pem"
  }
  source {
    content = tls_self_signed_cert.example.cert_pem
    filename = "cert_pem"
  }
}

resource 说明

以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

  • init 下载插件
terraform init
  • 查看计划
terraform plan

效果

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
  • apply
terraform apply

效果

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
  • 文件内容
unzip cert.zip 
Archive: cert.zip
  inflating: cert_pem                
  inflating: private_key_pem         
  inflating: public_key_pem   

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine