class Terrafying::Components::SelfSignedCA

Attributes

ca_key[R]
name[R]
source[R]

Public Class Methods

create(name, bucket, options = {}) click to toggle source
# File lib/terrafying/components/selfsignedca.rb, line 13
def self.create(name, bucket, options = {})
  SelfSignedCA.new.create name, bucket, options
end
new() click to toggle source
Calls superclass method
# File lib/terrafying/components/selfsignedca.rb, line 17
def initialize
  super
end

Public Instance Methods

create(name, bucket, options = {}) click to toggle source
# File lib/terrafying/components/selfsignedca.rb, line 21
def create(name, bucket, options = {})
  options = {
    prefix: '',
    common_name: name,
    organization: 'uSwitch Limited',
    public_certificate: false,
    curve: 'P384'
  }.merge(options)

  @name = name
  @bucket = bucket
  @prefix = options[:prefix]
  @algorithm = options[:algorithm] || 'ECDSA'

  @ident = "#{name}-ca"

  cert_acl = if options[:public_certificate]
               'public-read'
             else
               'private'
             end

  @source = object_url(@name, :cert)

  if options[:ca_key] && options[:ca_cert]
    @ca_key = options[:ca_key]
    @ca_cert = options[:ca_cert]
    resource :aws_s3_bucket_object, "#{@name}-cert",
             bucket: @bucket,
             key: object_key(@name, :cert),
             content: @ca_cert,
             acl: cert_acl
    return self
  end

  provider :tls, {}

  resource :tls_private_key, @ident,
           algorithm: @algorithm,
           ecdsa_curve: options[:curve]

  resource :tls_self_signed_cert, @ident,
           key_algorithm: @algorithm,
           private_key_pem: output_of(:tls_private_key, @ident, :private_key_pem),
           subject: {
             common_name: options[:common_name],
             organization: options[:organization]
           },
           early_renewal_hours: 24 * 30,
           is_ca_certificate: true,
           validity_period_hours: 24 * 365,
           allowed_uses: %w[
             certSigning
             digitalSignature
           ]

  @ca_key = output_of(:tls_private_key, @ident, :private_key_pem)
  @ca_cert = output_of(:tls_self_signed_cert, @ident, :cert_pem)

  resource :aws_s3_bucket_object, object_name(@name, :cert),
           bucket: @bucket,
           key: object_key(@name, :cert),
           content: @ca_cert,
           acl: cert_acl

  self
end
create_keypair_in(ctx, name, options = {}) click to toggle source
# File lib/terrafying/components/selfsignedca.rb, line 123
def create_keypair_in(ctx, name, options = {})
  options = {
    common_name: name,
    organization: 'uSwitch Limited',
    validity_in_hours: 24 * 365,
    allowed_uses: %w[
      nonRepudiation
      digitalSignature
      keyEncipherment
    ],
    dns_names: [],
    ip_addresses: [],
    curve: 'P384'
  }.merge(options)

  key_ident = object_ident(name)

  ctx.resource :tls_private_key, key_ident,
               algorithm: @algorithm,
               ecdsa_curve: options[:curve]

  ctx.resource :tls_cert_request, key_ident,
               key_algorithm: @algorithm,
               private_key_pem: output_of(:tls_private_key, key_ident, :private_key_pem),
               subject: {
                 common_name: options[:common_name],
                 organization: options[:organization]
               },
               dns_names: options[:dns_names],
               ip_addresses: options[:ip_addresses]

  ctx.resource :tls_locally_signed_cert, key_ident,
               cert_request_pem: output_of(:tls_cert_request, key_ident, :cert_request_pem),
               ca_key_algorithm: @algorithm,
               ca_private_key_pem: @ca_key,
               ca_cert_pem: @ca_cert,
               validity_period_hours: options[:validity_in_hours],
               allowed_uses: options[:allowed_uses]

  key_version = "${sha256(tls_private_key.#{key_ident}.private_key_pem)}"
  ctx.resource :aws_s3_bucket_object, object_name(name, :key),
               bucket: @bucket,
               key: object_key(name, :key, key_version),
               content: output_of(:tls_private_key, key_ident, :private_key_pem)
  ctx.resource :aws_s3_bucket_object, "#{key_ident}-key-latest",
               bucket: @bucket,
               key: object_key(name, :key, 'latest'),
               content: key_version

  cert_version = "${sha256(tls_locally_signed_cert.#{key_ident}.cert_pem)}"
  ctx.resource :aws_s3_bucket_object, object_name(name, :cert),
               bucket: @bucket,
               key: object_key(name, :cert, cert_version),
               content: output_of(:tls_locally_signed_cert, key_ident, :cert_pem)
  ctx.resource :aws_s3_bucket_object, "#{key_ident}-cert-latest",
               bucket: @bucket,
               key: object_key(name, :cert, 'latest'),
               content: cert_version

  reference_keypair(ctx, name, key_version: key_version, cert_version: cert_version)
end
keypair() click to toggle source
# File lib/terrafying/components/selfsignedca.rb, line 89
def keypair
  @ca_key_ref ||= resource :aws_s3_bucket_object, object_name(@name, :key),
                           bucket: @bucket,
                           key: File.join('', @prefix, @name, 'ca.key'),
                           content: @ca_key

  {
    ca: self,
    path: {
      cert: File.join('/etc/ssl', @name, 'ca.cert'),
      key: File.join('/etc/ssl', @name, 'ca.key')
    },
    source: {
      cert: object_url(@name, :cert),
      key: object_url(@name, :key)
    },
    resources: [
      "aws_s3_bucket_object.#{object_name(@name, :key)}",
      "aws_s3_bucket_object.#{object_name(@name, :cert)}"
    ],
    iam_statement: {
      Effect: 'Allow',
      Action: [
        's3:GetObjectAcl',
        's3:GetObject'
      ],
      Resource: [
        object_arn(@name, :cert),
        object_arn(@name, :key)
      ]
    }
  }
end