forked from Invicton-Labs/terraform-tls-signed-certificate
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvariables.tf
More file actions
172 lines (150 loc) · 5.79 KB
/
Copy pathvariables.tf
File metadata and controls
172 lines (150 loc) · 5.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
variable "certificate_authority" {
description = "The Certificate Authority certificate to use for signing the new certificate."
type = object({
private_key_algorithm = string
private_key_pem = string
cert_pem = string
})
default = null
}
variable "acm_import" {
description = "Boolean value of whether the generated and signed certificate should be imported into ACM. Defaults to false."
type = bool
default = false
nullable = false
}
variable "key_algorithm" {
description = "Algorithm to use for the private key. Options are 'RSA' or 'ECDSA'. Defaults to 'RSA'."
type = string
default = "RSA"
nullable = false
}
variable "ecdsa_curve" {
description = "Elliptic curve to use for the ECDSA algorithm. Has no effect unless the 'key_algorithm' variable is set to 'ECDSA'. Options are 'P224', 'P256', 'P384', or 'P521'. Defaults to 'P224'."
type = string
default = "P224"
nullable = false
}
variable "key_bits" {
description = "Number of bits to use for the RSA private key. Has no effect unless the 'key_algorithm' variable is set to 'RSA'. Defaults to 2048."
type = number
default = 2048
nullable = false
}
variable "certificate_acm_name" {
description = "The name to display for the certificate in ACM. Defaults to the subject common name."
type = string
default = null
}
variable "subject_common_name" {
description = "The certificate subject's common name."
type = string
nullable = false
}
variable "subject_organization" {
description = "The certificate subject's organization."
type = string
default = null
}
variable "subject_organizational_unit" {
description = "The certificate subject's organizational unit."
type = string
default = null
}
variable "subject_street_address" {
description = "The certificate subject's street address (list of strings)."
type = list(string)
default = []
nullable = false
}
variable "subject_locality" {
description = "The certificate subject's locality."
type = string
default = null
}
variable "subject_province" {
description = "The certificate subject's province."
type = string
default = null
}
variable "subject_country" {
description = "The certificate subject's country."
type = string
default = null
}
variable "subject_postal_code" {
description = "The certificate subject's postal code."
type = string
default = null
}
variable "subject_serial_number" {
description = "The certificate subject's serial number."
type = string
default = null
}
variable "validity_period_hours" {
description = "How many hours the certificate should be valid for. Defaults to 8760 (1 year)."
type = number
default = 8760
nullable = false
}
variable "dns_names" {
description = "List of DNS names for which a certificate is being created. Defaults to none."
type = list(string)
default = null
}
variable "ip_addresses" {
description = "List of IP addresses for which a certificate is being created. Defaults to none."
type = list(string)
default = null
}
variable "uris" {
description = "List of URIs for which a certificate is being created. Defaults to none."
type = list(string)
default = null
}
variable "early_renewal_hours" {
description = "If set, the resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. Note however that the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Note also that this advance update can only be performed should the Terraform configuration be applied during the early renewal period."
type = number
default = null
}
variable "is_ca_certificate" {
description = "Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority."
type = bool
default = false
nullable = false
}
variable "set_subject_key_id" {
description = "If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all."
type = bool
default = false
nullable = false
}
variable "allowed_uses" {
description = "List of keywords each describing a use that is permitted for the issued certificate, combining the set of flags defined by both Key Usage and Extended Key Usage in RFC5280. Options are: digital_signature, content_commitment, key_encipherment, data_encipherment, key_agreement, cert_signing, crl_signing, encipher_only, decipher_only, any_extended, server_auth, client_auth, code_signing, email_protection, ipsec_end_system, ipsec_tunnel, ipsec_user, timestamping, ocsp_signing, microsoft_server_gated_crypto, netscape_server_gated_crypto. Defaults to allow all of them."
type = list(string)
default = [
"digital_signature",
"content_commitment",
"key_encipherment",
"data_encipherment",
"key_agreement",
"cert_signing",
"crl_signing",
"encipher_only",
"decipher_only",
"any_extended",
"server_auth",
"client_auth",
"code_signing",
"email_protection",
"ipsec_end_system",
"ipsec_tunnel",
"ipsec_user",
"timestamping",
"ocsp_signing",
"microsoft_server_gated_crypto",
"netscape_server_gated_crypto"
]
nullable = false
}