terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)

main.tf 文件

 
resource "tls_private_key" "example" {
  algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
  key_algorithm = "${tls_private_key.example.algorithm}"
  private_key_pem = "${tls_private_key.example.private_key_pem}"
  # Certificate expires after 12 hours.
  validity_period_hours = 120000000
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 30000000
  is_ca_certificate = true
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
      "key_encipherment",
      "digital_signature",
      "server_auth",
  ]
  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
  dns_names = ["api.example.com", "k8sapi.example.com"]
  subject {
      common_name = "example.com"
      organization = "example, Inc"
  }
}
data "archive_file" "userinfos" {
  type = "zip"
  output_path = "tf-result/cert.zip"
  source {
    content = tls_private_key.example.private_key_pem
    filename = "private_key_pem"
  }
  source {
    content = tls_private_key.example.public_key_pem
    filename = "public_key_pem"
  }
  source {
    content = tls_self_signed_cert.example.cert_pem
    filename = "cert_pem"
  }
}
 

resource 说明

以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

  • init 下载插件
 
terraform init
  • 查看计划
terraform plan

效果

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
 
 
  • apply
terraform apply

效果

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
 
 
  • 文件内容
unzip cert.zip 
Archive: cert.zip
  inflating: cert_pem                
  inflating: private_key_pem         
  inflating: public_key_pem

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

使用terraform 生成自签名证书的更多相关文章

  1. cmd命令生成android签名证书

    cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录 运行如下命令 ...

  2. windows下使用makecert命令生成自签名证书

    1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...

  3. openssl生成自签名证书

    1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...

  4. 用OpenSSL生成自签名证书在IIS上搭建Https站点(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  5. [ipsec][strongswan] 用strongswan pki工具生成自签名证书

    如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...

  6. ios生成自签名证书,实现web下载安装app

    抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...

  7. 生成自签名证书-开启https

    1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...

  8. OpenSSL使用1(用OpenSSL生成自签名证书在IIS上搭建Https站点)(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  9. Windows下生成自签名证书

    最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...

随机推荐

  1. 上传docker镜像到阿里云镜像源

    阿里云docker镜像配置 阿里云用户名可以使用淘宝系的,或者新注册都行. a. 配置阿里云的镜像加速器:加速器 然后在线上创建`镜像仓库`,需要设置`命名空间`和`仓库名称`,然后接着操作下面的步骤 ...

  2. 转!!DBCP2 配置详解说明

    转自:https://www.cnblogs.com/diyunpeng/p/6980098.html 由于commons-dbcp所用的连接池出现版本升级,因此commons-dbcp2中的数据库池 ...

  3. MySQL和SQL Server一些基本用法区别

    具体查看:https://www.cnblogs.com/zhaow/articles/9633554.html 转自:https://www.cnblogs.com/zhaow/articles/9 ...

  4. CentOS - Eclipse安装Shelled

    一,下载Shelled: https://sourceforge.net/projects/shelled/ 二,打开Eclipse,以离线方式安装: Help->Install New Sof ...

  5. Linux目录结构说明

    文件系统层级标准(filesystem hierarchy standard,FHS). http://www.pathname.com/fhs/pub/fhs-2.3.html 以下是对这些目录的解 ...

  6. time的基本使用介绍

    1.获取当前时间并格式化输出 import time t=time.gmtime() tplt='%Y-%m-%d %H:%M:%S' info=time.strftime(tplt,t) print ...

  7. java实现mysql数据备份

    /** * @param hostIP ip地址,可以是本机也可以是远程 * @param userName 数据库的用户名 * @param password 数据库的密码 * @param sav ...

  8. MySQL5.7应当注意的参数

    简介: 本篇文章主要介绍 MySQL 初始化应当注意的参数,对于不同环境间实例迁移,这些参数同样应当注意. 注: 本文介绍的参数都是在配置文件 [mysqld] 部分. server_id 和 log ...

  9. Oracle SQL函数-NLSSORT

    Syntax 用途: NLSSORT返回字符值char的排序规则键和显式或隐式指定的排序规则.排序规则键是一个用于根据指定的排序规则对char进行排序的字节字符串.排序规则键的属性是:按二进制比较由给 ...

  10. quartz——JobExecutionContext和JobDataMap

    控制器传值,需要根据对应值创建,启动以及对定时任务的相关操作:JobExecutionContext和JobDataMap基本用法,代码待优化,主要是用法吧第一:控制器, @RequestMappin ...