Managed PKI: sakuracloud_certificate_authority
Example Usage
```hcl
terraform {
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "3.1.0"
    }
    sakuracloud = {
      source  = "sacloud/sakuracloud"
      version = "2.26.0"
    }
  }
}

# Client key pair and CSR; the private key stays with the client (and in Terraform state)
resource "tls_private_key" "client_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_cert_request" "client_csr" {
  key_algorithm   = "ECDSA"
  private_key_pem = tls_private_key.client_key.private_key_pem

  subject {
    common_name  = "client-csr.usacloud.com"
    organization = "usacloud"
  }
}

# Server key pair and CSR
resource "tls_private_key" "server_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_cert_request" "server_csr" {
  key_algorithm   = "ECDSA"
  private_key_pem = tls_private_key.server_key.private_key_pem

  subject {
    common_name  = "server-csr.usacloud.com"
    organization = "usacloud"
  }
}

resource "sakuracloud_certificate_authority" "foobar" {
  name                  = "foobar"
  validity_period_hours = 24 * 3650

  subject {
    common_name        = "pki.usacloud.jp"
    country            = "JP"
    organization       = "usacloud"
    organization_units = ["ou1", "ou2"]
  }

  # Client certificate issued from a public key
  client {
    subject {
      common_name        = "client1.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    validity_period_hours = 24 * 3650
    public_key            = tls_private_key.client_key.public_key_pem
  }

  # Client certificate issued from a CSR
  client {
    subject {
      common_name        = "client2.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    validity_period_hours = 24 * 3650
    csr                   = tls_cert_request.client_csr.cert_request_pem
  }

  # Client certificate issued by email
  client {
    subject {
      common_name        = "client3.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    validity_period_hours = 24 * 3650
    email                 = "example@example.com"
  }

  # Client certificate issued by URL (no csr, public_key or email; see the `url` attribute)
  client {
    subject {
      common_name        = "client4.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    validity_period_hours = 24 * 3650
  }

  # Server certificate issued from a public key
  server {
    subject {
      common_name        = "server1.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    subject_alternative_names = ["alt1.usacloud.jp", "alt2.usacloud.jp"]
    validity_period_hours     = 24 * 3650
    public_key                = tls_private_key.server_key.public_key_pem
  }

  # Server certificate issued from a CSR
  server {
    subject {
      common_name        = "server2.usacloud.jp"
      country            = "JP"
      organization       = "usacloud"
      organization_units = ["ou1", "ou2"]
    }
    subject_alternative_names = ["alt1.usacloud.jp", "alt2.usacloud.jp"]
    validity_period_hours     = 24 * 3650
    csr                       = tls_cert_request.server_csr.cert_request_pem
  }
}
```
Argument Reference
- `name` - (Required) Name, 1-64 characters.
- `client` - (Optional) List of client certificates. See the client block below.
- `server` - (Optional) List of server certificates. See the server block below.
- `subject` - (Required) Subject of the CA certificate. See the subject block below.
- `validity_period_hours` - (Required) Validity period of the CA certificate, in hours.
client block
- `csr` - (Optional) CSR (PEM) from which the certificate is issued.
- `email` - (Optional) Email address to which the certificate is issued.
- `hold` - (Optional) Suspend flag. Set to `true` to put the certificate on hold.
- `public_key` - (Optional) Public key (PEM) from which the certificate is issued.
- `subject` - (Required) Subject of the certificate. See the subject block below.
- `validity_period_hours` - (Required) Validity period of the certificate, in hours. A leaf certificate cannot validate past its issuer's expiry, so keep it within the CA's own validity period.

`csr`, `public_key` and `email` are mutually exclusive ways of issuing the certificate. If none of them is set, the certificate is issued via the URL exposed in the `url` attribute (see Attribute Reference).
server block
- `csr` - (Optional) CSR (PEM) from which the certificate is issued.
- `hold` - (Optional) Suspend flag. Set to `true` to put the certificate on hold.
- `public_key` - (Optional) Public key (PEM) from which the certificate is issued.
- `subject` - (Required) Subject of the certificate. See the subject block below.
- `subject_alternative_names` - (Optional) Subject Alternative Names (SANs).
- `validity_period_hours` - (Required) Validity period of the certificate, in hours. A leaf certificate cannot validate past its issuer's expiry, so keep it within the CA's own validity period.
subject block
- `common_name` - (Required) Common Name (CN).
- `country` - (Required) Country code (C).
- `organization` - (Required) Organization name (O).
- `organization_units` - (Optional) Organizational Units (OU).
Common Arguments
- `description` - (Optional) Description, 1-512 characters.
- `icon_id` - (Optional) Icon ID.
- `tags` - (Optional) Tags.
Timeouts
Custom timeouts can be set in the `timeouts` block.

- `create` - Create (default: 5 minutes)
- `update` - Update (default: 5 minutes)
- `delete` - Delete (default: 5 minutes)
Attribute Reference
- `id` - ID.
- `certificate` - CA certificate (PEM format).
- `crl_url` - URL of the CRL.
- `not_after` - End of the CA certificate's validity period (RFC 3339 format).
- `not_before` - Start of the CA certificate's validity period (RFC 3339 format).
- `serial_number` - Serial number of the CA certificate.
Each element of `client` also exposes the following attributes:
- `certificate` - Certificate (PEM format).
- `id` - ID.
- `issue_state` - Issuance state.
- `not_after` - End of the certificate's validity period (RFC 3339 format).
- `not_before` - Start of the certificate's validity period (RFC 3339 format).
- `serial_number` - Serial number.
- `url` - URL for issuing the certificate. Only set when the issuance method is URL (no `csr`, `public_key` or `email` given). Whoever holds this URL can obtain the certificate, so treat it as a secret.
Each element of `server` also exposes the following attributes:
- `certificate` - Certificate (PEM format).
- `id` - ID.
- `issue_state` - Issuance state.
- `not_after` - End of the certificate's validity period (RFC 3339 format).
- `not_before` - Start of the certificate's validity period (RFC 3339 format).
- `serial_number` - Serial number.
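The following is an added example, not part of the provider's own documentation, showing how the attributes above and the client-block issuance methods are typically consumed: it exports the CA certificate and CRL URL for relying parties, marks the URL-issuance link of `client4` as sensitive, and writes a full-chain file and the matching private key for `server1`. It assumes the `foobar` resource and the `server_key` key pair from Example Usage, and that the `hashicorp/local` provider (version 2.4.0 assumed here) is available; the output names and file paths are illustrative.

```hcl
terraform {
  required_providers {
    local = {
      source  = "hashicorp/local"
      version = "2.4.0"
    }
  }
}

# CA certificate and CRL distribution point: distribute these to anything
# that must verify certificates issued by this CA.
output "ca_certificate_pem" {
  value = sakuracloud_certificate_authority.foobar.certificate
}

output "ca_crl_url" {
  value = sakuracloud_certificate_authority.foobar.crl_url
}

# Expiry of the CA itself; useful as an input to monitoring/renewal alerts.
output "ca_not_after" {
  value = sakuracloud_certificate_authority.foobar.not_after
}

# Issuance URL for the "by URL" client (client[3] in Example Usage).
# Anyone holding this URL can obtain the certificate, so keep it out of logs.
output "client4_issue_url" {
  value     = sakuracloud_certificate_authority.foobar.client[3].url
  sensitive = true
}

# Full chain for server1 (server[0], issued from a public key): leaf first,
# then the CA certificate. trimspace() avoids a doubled or missing newline
# between the two PEM blocks.
resource "local_file" "server1_fullchain" {
  content = join("", [
    trimspace(sakuracloud_certificate_authority.foobar.server[0].certificate),
    "\n",
    trimspace(sakuracloud_certificate_authority.foobar.certificate),
    "\n",
  ])
  filename        = "${path.module}/out/server1-fullchain.pem"
  file_permission = "0644"
}

# The matching private key. local_sensitive_file keeps the content out of
# plan output, and 0600 restricts the file on disk. The key is still stored
# in Terraform state, so protect the state backend accordingly.
resource "local_sensitive_file" "server1_key" {
  content         = tls_private_key.server_key.private_key_pem
  filename        = "${path.module}/out/server1.key"
  file_permission = "0600"
}
```

After `terraform apply`, `terraform output -raw ca_certificate_pem > ca.pem` followed by `openssl verify -CAfile ca.pem out/server1-fullchain.pem` checks that the issued leaf chains to the CA, and `openssl x509 -in out/server1-fullchain.pem -noout -dates -ext subjectAltName` confirms the validity window and SANs match what was declared in the `server` block.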