Secrets Manager Private Certificates Secrets Engine module

This module configures a private certificates engine for a Secrets Manager instance. For more information about enabling Secrets Manager for private certificates, see Preparing to create private certificates.

The module handles the following components:

• Root certificate authorities configuration
• Intermediate certificate authorities configuration
• Certificate templates

These components make up the private_cert secrets type. The module also signs the intermediate certificate authority (CA) when the engine is created.

Overview

• terraform-ibm-secrets-manager-private-cert-engine
• Examples
  • Example with Private-Only Secrets Manager and the private certificates engine
  • Example with Secrets Manager and the private certificates engine
• Contributing

terraform-ibm-secrets-manager-private-cert-engine

Usage

module "private_secret_engine" {
  source                    = "terraform-ibm-modules/secrets-manager-private-cert-engine/ibm"
  version                   = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  secrets_manager_guid      = "<secrets_manager_instance_id>"
  region                    = "us-south"
  root_ca_name              = "My Root CA"
  root_ca_common_name       = "cloud.ibm.com"
  root_ca_max_ttl           = "8760h"
  intermediate_ca_name      = "My Intermediate CA"
  certificate_template_name = "My Certificate Template"
}

Required IAM access policies

You need the following permissions to run this module.

• IAM Services
  • Secrets Manager service
    • Administrator platform access
    • Manager service access

Requirements

Name	Version
terraform	>= 1.9.0
ibm	>= 1.79.0, < 2.0.0

Modules

No modules.

Resources

Name	Type
ibm_sm_private_certificate_configuration_intermediate_ca.intermediate_ca	resource
ibm_sm_private_certificate_configuration_root_ca.private_certificate_root_ca	resource
ibm_sm_private_certificate_configuration_template.certificate_template	resource

Inputs

Name	Description	Type	Default	Required
allowed_domains_template	Allow the domains that are supplied in the allowed_domains field to contain access control list (ACL) templates	bool	false	no
alt_names	Alternate names for the certificate to be created	list(string)	null	no
certificate_template_name	Name of the Certificate Template to create for a private_cert secret engine	string	n/a	yes
country	Country (C) values to define in the subject field of the resulting certificate	list(string)	null	no
endpoint_type	The endpoint type to communicate with the provided secrets manager instance. Possible values are public or private	string	"public"	no
exclude_cn_from_sans	Set whether the common name is excluded from Subject Alternative Names (SANs). If set to true, the common name is not included in DNS or Email SANs if they apply	bool	false	no
intermediate_ca_common_name	Common name for the intermediate CA	string	"cloud.ibm.com"	no
intermediate_ca_crl_disable	crl_disable for the intermediate CA	bool	false	no
intermediate_ca_crl_distribution_points_encoded	crl_distribution_points_encoded flag for the intermediate CA	bool	true	no
intermediate_ca_crl_expiry	crl_expiry for the intermediate CA	string	"72h"	no
intermediate_ca_issuing_certificates_urls_encoded	issuing_certificates_urls_encoded flag for the intermediate CA	bool	true	no
intermediate_ca_max_ttl	for the intermediate CA	string	"26300h"	no
intermediate_ca_name	Name of the Intermediate CA to create for a private_cert secret engine	string	n/a	yes
intermediate_ca_signing_method	Signing method to use with this certificate authority to generate private certificates	string	"internal"	no
ip_sans	IP Subject Alternative Names (SANs) to define for the CA certificate, in a comma-delimited list	string	null	no
key_type	Type of private key to generate	string	"rsa"	no
locality	Locality (L) values to define in the subject field of the resulting certificate	list(string)	null	no
organization	Organization (O) values to define in the subject field of the resulting certificate	list(string)	null	no
organizational_unit	Organizational Unit (OU) values to define in the subject field of the resulting certificate	list(string)	null	no
other_sans	The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to define for the CA certificate. The alternative names must match the values that are specified in the 'allowed_other_sans' field in the associated certificate template	list(string)	null	no
permitted_dns_domains	Allowed DNS domains or subdomains for the certificates to be signed and issued by the CA certificate	list(string)	null	no
postal_code	Street Address values in the subject field of the resulting certificate	list(string)	null	no
private_key_format	Format of the generated private key	string	"der"	no
province	Province (ST) values to define in the subject field of the resulting certificate	list(string)	null	no
region	Region of the secrets manager instance	string	n/a	yes
return_format	Format of the returned data	string	"pem"	no
root_ca_common_name	Fully qualified domain name or host domain name for the certificate to be created	string	n/a	yes
root_ca_crl_disable	crl_disable flag for the root CA	bool	false	no
root_ca_crl_distribution_points_encoded	crl_distribution_points_encoded flag for the root CA	bool	true	no
root_ca_crl_expiry	Expiry time for root CA Certificate Revocation List (CRL)	string	null	no
root_ca_issuing_certificates_urls_encoded	issuing_certificates_urls_encoded flag for the root CA	bool	true	no
root_ca_max_ttl	Maximum TTL value for the root CA	string	n/a	yes
root_ca_name	Name of the Root CA to create for a private_cert secret engine	string	n/a	yes
secrets_manager_guid	GUID of secrets manager instance to create the secret engine in	string	n/a	yes
street_address	Street Address values in the subject field of the resulting certificate	list(string)	null	no
tempalate_key_usage	List of allowed key usage constraint to define for private certificates	list(string)	[ "DigitalSignature", "KeyAgreement", "KeyEncipherment" ]	no
template_allow_any_name	Allow clients to request a private certificate that matches any common name	bool	true	no
template_allow_bare_domains	Allow clients to request private certificates that match the value of the actual domains on the final certificate	bool	false	no
template_allow_glob_domains	Allow glob patterns in the names that are specified in the allowed_domains field	bool	false	no
template_allow_ip_sans	Allow clients to request a private certificate with IP Subject Alternative Names	bool	true	no
template_allow_subdomains	Allow clients to request private certificates with common names (CN) that are subdomains of the CNs that are allowed by the other certificate template options	bool	false	no
template_allowed_domains	Domains to define for the certificate template	list(string)	[]	no
template_allowed_other_sans	The custom Object Identifier (OID) or UTF8-string Subject Alternative Names (SANs) to allow for private certificates	list(string)	[]	no
template_allowed_secret_groups	Allowed secrets group Ids as a comma-delimited list	string	null	no
template_allowed_uri_sans	Allowed URI SANs for the certificate template	list(string)	[ "example.com/test" ]	no
template_basic_constraints_valid_for_non_ca	Mark the Basic Constraints extension of an issued private certificate as valid for non-CA certificates	bool	false	no
template_client_flag	Set whether private certificates are flagged for client use	bool	true	no
template_code_signing_flag	Set whether private certificates are flagged for code signing use	bool	false	no
template_email_protection_flag	Set whether private certificates are flagged for email protection use	bool	false	no
template_enforce_hostnames	Set whether to enforce only valid host names for common names, DNS Subject Alternative Names, and the host section of email addresses	bool	true	no
template_ext_key_usage	List of allowed extended key usage constraint on private certificates	list(string)	[]	no
template_ext_key_usage_oids	List of extended key usage Object Identifiers (OIDs)	list(string)	[]	no
template_max_ttl	Max TTL for the certificate template	string	"8760h"	no
template_policy_identifiers	List of policy Object Identifiers (OIDs)	list(string)	[]	no
template_require_common_name	Set whether to require a common name to create a private certificate	bool	true	no
template_serial_number	Serial number to assign to the generated certificate	string	null	no
template_server_flag	Set whether private certificates are flagged for server use	bool	true	no
template_use_csr_cn	Set whether to use the common name (CN) from a certificate signing request (CSR) instead of the CN that's included in the data of the certificate	bool	true	no
template_use_csr_sans	Set whether to use the Subject Alternative Names(SANs) from a certificate signing request (CSR) instead of the SANs that are included in the data of the certificate	bool	true	no
ttl	Time-to-live (TTL) to assign to a private certificate	string	null	no
uri_sans	URI Subject Alternative Names (SANs) to define for the CA certificate, in a comma-delimited list	string	null	no

Outputs

No outputs.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.