
Merge pull request #1 from r2ronoha/full_chain_no_ca_state
Full chain no ca state
r2ronoha authored Apr 14, 2020
2 parents 253a2be + 65516aa commit 9ad08dd
Showing 5 changed files with 177 additions and 2 deletions.
1 change: 1 addition & 0 deletions cfssl/provider.go
Expand Up @@ -13,6 +13,7 @@ func Provider() terraform.ResourceProvider {
ResourcesMap: map[string]*schema.Resource{
"cfssl_cert": resourceCert(),
"cfssl_self_signed_ca_cert": resourceSelfSignedCACert(),
"cfssl_full_chain_cert": resourceFullChain(),
},

DataSourcesMap: map[string]*schema.Resource{},
2 changes: 1 addition & 1 deletion cfssl/resource_cert.go
Expand Up @@ -59,7 +59,7 @@ func resourceCert() *schema.Resource {
func resourceCertCreate(d *schema.ResourceData, meta interface{}) error {
csrJson := []byte(d.Get("csr_json").(string))
req := csr.CertificateRequest{
KeyRequest: csr.NewBasicKeyRequest(),
KeyRequest: csr.NewKeyRequest(),
}
err := json.Unmarshal(csrJson, &req)
if err != nil {
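Review bot: `csr.NewKeyRequest` only exists in newer cfssl releases (it replaced `NewBasicKeyRequest` when `BasicKeyRequest` was folded into `KeyRequest`), and this commit touches no `go.mod` or vendor file, so the build now depends on a dependency bump that is not visible here; confirm the pinned cfssl version actually exports `NewKeyRequest` and that the pin is updated in the same change. The enclosing `resourceCertCreate` continues past the end of the hunk.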
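--- /dev/null
+++ b/cfssl/resource_full_chain.go
@@ -0,0 +1,153 @@
+package cfssl
+
+import (
+"encoding/json"
+"io/ioutil"
+//"os"
+"time"
+
+"github.com/cloudflare/cfssl/cli"
+"github.com/cloudflare/cfssl/cli/genkey"
+"github.com/cloudflare/cfssl/cli/sign"
+"github.com/cloudflare/cfssl/csr"
+"github.com/cloudflare/cfssl/initca"
+"github.com/cloudflare/cfssl/signer"
+
+"github.com/hashicorp/terraform/helper/schema"
+"github.com/hashicorp/terraform/helper/validation"
+)
+
+func resourceFullChain() *schema.Resource {
+return &schema.Resource{
+Create: resourceFullChainCreate,
+Read: resourceFullChainRead,
+Delete: resourceFullChainDelete,
+
+Schema: map[string]*schema.Schema{
+"cert_id": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+},
+"ca_csr_json": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+ValidateFunc: validation.ValidateJsonString,
+DiffSuppressFunc: jsonDiffSuppress,
+},
+"csr_json": {
+Type: schema.TypeString,
+Required: true,
+ForceNew: true,
+ValidateFunc: validation.ValidateJsonString,
+DiffSuppressFunc: jsonDiffSuppress,
+},
+"ca_cert": {
+Type: schema.TypeString,
+Computed: true,
+},
+"ca_csr": {
+Type: schema.TypeString,
+Computed: true,
+},
+"ca_key": {
+Type: schema.TypeString,
+Computed: true,
+},
+"cert": {
+Type: schema.TypeString,
+Computed: true,
+},
+"csr": {
+Type: schema.TypeString,
+Computed: true,
+},
+"key": {
+Type: schema.TypeString,
+Computed: true,
+},
+},
+}
+}
+
+func resourceFullChainCreate(d *schema.ResourceData, meta interface{}) error {
+caCsrJson := []byte(d.Get("ca_csr_json").(string))
+ca_req := csr.CertificateRequest{
+KeyRequest: csr.NewKeyRequest(),
+}
+ca_err := json.Unmarshal(caCsrJson, &ca_req)
+if ca_err != nil {
+return ca_err
+}
+
+ca_cert, ca_csrBytes, ca_key, err := initca.New(&ca_req)
+if err != nil {
+return err
+}
+
+d.Set("ca_cert", string(ca_cert))
+d.Set("ca_csr", string(ca_csrBytes))
+d.Set("ca_key", string(ca_key))
+
+csrJson := []byte(d.Get("csr_json").(string))
+req := csr.CertificateRequest{
+KeyRequest: csr.NewKeyRequest(),
+}
+csr_err := json.Unmarshal(csrJson, &req)
+if csr_err != nil {
+return csr_err
+}
+
+ca_cert_filename := "/tmp/" + d.Get("cert_id").(string) + "_ca.crt"
+ca_cert_w_err := ioutil.WriteFile(ca_cert_filename, []byte(d.Get("ca_cert").(string)), 0600)
+if ca_cert_w_err != nil {
+return ca_cert_w_err
+}
+
+ca_key_filename := "/tmp/" + d.Get("cert_id").(string) + "_ca.key"
+ca_key_w_err := ioutil.WriteFile(ca_key_filename, []byte(d.Get("ca_key").(string)), 0600)
+if ca_key_w_err != nil {
+return ca_key_w_err
+}
+
+g := &csr.Generator{Validator: genkey.Validator}
+csrBytes, key, err := g.ProcessRequest(&req)
+if err != nil {
+return err
+}
+
+c := cli.Config{
+CAFile: ca_cert_filename,
+CAKeyFile: ca_key_filename,
+}
+s, err := sign.SignerFromConfig(c)
+if err != nil {
+return err
+}
+signReq := signer.SignRequest{
+Request: string(csrBytes),
+}
+cert, err := s.Sign(signReq)
+if err != nil {
+return err
+}
+
+d.SetId(d.Get("cert_id").(string) + " - " + time.Now().UTC().String())
+d.Set("cert", string(cert))
+d.Set("csr", string(csrBytes))
+d.Set("key", string(key))
+d.Set("ca_cert", "")
+d.Set("ca_key", "")
+d.Set("ca_csr", "")
+
+return nil
+}
+
+func resourceFullChainRead(d *schema.ResourceData, meta interface{}) error {
+return nil
+}
+
+func resourceFullChainDelete(d *schema.ResourceData, meta interface{}) error {
+return nil
+}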
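Review bot: The CA private key is written to a predictable path in a shared directory (`"/tmp/" + cert_id + "_ca.key"`) and is never deleted, not even on the error returns that follow, so the key this PR keeps out of Terraform state is left on the runner's disk after every apply. Because the name is built from the user-supplied `cert_id` and `ioutil.WriteFile` truncates whatever is already there, a pre-existing file or symlink at that path owned by another local user would receive the key (the 0600 mode only applies when the file is created), and a `cert_id` containing path separators escapes `/tmp` entirely. Write both files into a private `ioutil.TempDir` and `defer os.RemoveAll` it — the commented-out `"os"` import suggests this was planned — which needs the `os` and `path/filepath` imports; if the cfssl version in use exposes an in-memory signer constructor (`signer/local`), building the signer from the PEM bytes would avoid the disk round-trip altogether. Separately, `cli.Config` is built with no signing profile, so the leaf is issued under cfssl's built-in defaults rather than an operator-chosen expiry and key-usage set; that is worth stating in the resource documentation or exposing as an argument.
```go
// … unchanged: CA generation and csr_json unmarshal …
workDir, err := ioutil.TempDir("", "cfssl-full-chain-")
if err != nil {
	return err
}
defer os.RemoveAll(workDir) // the CA key must not outlive this call

ca_cert_filename := filepath.Join(workDir, "ca.crt")
if err := ioutil.WriteFile(ca_cert_filename, ca_cert, 0600); err != nil {
	return err
}
ca_key_filename := filepath.Join(workDir, "ca.key")
if err := ioutil.WriteFile(ca_key_filename, ca_key, 0600); err != nil {
	return err
}
// … unchanged: leaf key generation, signer creation and signing …
```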
2 changes: 1 addition & 1 deletion cfssl/resource_self_signed_ca_cert.go
Expand Up @@ -43,7 +43,7 @@ func resourceSelfSignedCACert() *schema.Resource {
func resourceSelfSignedCACertCreate(d *schema.ResourceData, meta interface{}) error {
csrJson := []byte(d.Get("csr_json").(string))
req := csr.CertificateRequest{
KeyRequest: csr.NewBasicKeyRequest(),
KeyRequest: csr.NewKeyRequest(),
}
err := json.Unmarshal(csrJson, &req)
if err != nil {
21 changes: 21 additions & 0 deletions using.md
Expand Up @@ -54,3 +54,24 @@ The following attributes are exported in addition to the above configuration:
* `cert` - (string) The output ertificate
* `csr` - (string) The output CSR in PEM format
* `key` - (string) The output private key

### `cfssl_full_chain_cert`

Generate a certificate and private key signed by a CA generated in the same run.
CA clear text contents are removed from the state file
See [CloudFlare's documentation](https://github.com/cloudflare/cfssl#generating-a-local-issued-certificate-and-private-key).

#### Argument Reference

The following arguments are supported:

* `ca_csr_json` - (Required, string) The CA request as a JSON string.
* `csr_json` - (Required, string) The server cert request as a JSON string.

#### Attributes Reference

The following attributes are exported in addition to the above configuration:

* `cert` - (string) The output ertificate
* `csr` - (string) The output CSR in PEM format
* `key` - (string) The output private key
