terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)

main.tf 文件

 
resource "tls_private_key" "example" {
  algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
  key_algorithm = "${tls_private_key.example.algorithm}"
  private_key_pem = "${tls_private_key.example.private_key_pem}"
  # Certificate expires after 12 hours.
  validity_period_hours = 120000000
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 30000000
  is_ca_certificate = true
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
      "key_encipherment",
      "digital_signature",
      "server_auth",
  ]
  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
  dns_names = ["api.example.com", "k8sapi.example.com"]
  subject {
      common_name = "example.com"
      organization = "example, Inc"
  }
}
data "archive_file" "userinfos" {
  type = "zip"
  output_path = "tf-result/cert.zip"
  source {
    content = tls_private_key.example.private_key_pem
    filename = "private_key_pem"
  }
  source {
    content = tls_private_key.example.public_key_pem
    filename = "public_key_pem"
  }
  source {
    content = tls_self_signed_cert.example.cert_pem
    filename = "cert_pem"
  }
}
 

resource 说明

以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

  • init 下载插件
 
terraform init
  • 查看计划
terraform plan

效果

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
 
 
  • apply
terraform apply

效果

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
 
 
  • 文件内容
unzip cert.zip 
Archive: cert.zip
  inflating: cert_pem                
  inflating: private_key_pem         
  inflating: public_key_pem

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

使用terraform 生成自签名证书的更多相关文章

  1. cmd命令生成android签名证书

    cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录 运行如下命令 ...

  2. windows下使用makecert命令生成自签名证书

    1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...

  3. openssl生成自签名证书

    1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...

  4. 用OpenSSL生成自签名证书在IIS上搭建Https站点(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  5. [ipsec][strongswan] 用strongswan pki工具生成自签名证书

    如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...

  6. ios生成自签名证书,实现web下载安装app

    抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...

  7. 生成自签名证书-开启https

    1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...

  8. OpenSSL使用1(用OpenSSL生成自签名证书在IIS上搭建Https站点)(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  9. Windows下生成自签名证书

    最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...

随机推荐

  1. (1)ASP.NET Core 应用启动Startup类简介

    1.前言 Core与早期版本的 ASP.NET 对比,配置应用程序的方式的 Global.asax.FilterConfig.cs和RouteConfig.cs 都被Program.cs 和 Star ...

  2. C#静态字段的两个用处

    静态字段的2个常用方法 (1)记录已实例化的对象的个数 (2)存储必须在所有实例化之间共享的值 (1)记录已实例化的对象的个数 现在某个培训机构啊,要开设一个学理发的班,计划招5人,只要人数够5人就开 ...

  3. 爬虫多次爬取时候cookie的存储用于登入

    一.用requests模块自动保存(保存缓存中) 构建一个session对象session = requests.session() 用构建的session代替requests进行访问他就会自动存啦 ...

  4. JavaScript insertAdjacentHTML()的使用

    含义: insertAdjacentHTML() 将指定的文本解析为HTML或XML,并将结果节点插入到DOM树中的指定位置.它不会重新解析它正在使用的元素,因此它不会破坏元素内的现有元素.这避免了额 ...

  5. Git版本管理工具使用

    1.Git简介 Git(读音为/gɪt/.)是一个开源的分布式版本控制系统,可以有效.高速地处理从很小到非常大的项目版本管理. Git 是 Linus Torvalds 为了帮助管理 Linux 内核 ...

  6. Java字符串操作工具类

    import java.io.ByteArrayOutputStream; import java.io.UnsupportedEncodingException; import java.lang. ...

  7. day 05 预科

    目录 文本处理 什么是文件 什么是文本 视频/音频文件(多媒体文件) 我们如何通过文本编辑器去控制txt文件 文本高级 文本处理+高级分析 文本处理 什么是文件 文件是操作系统提供的一个特殊概念,拿来 ...

  8. 使用kubeadm部署k8s

    k8s组件 master,node master中包括apiserver,scheduler,controller.etcd apiserver:负责接收用户请求,并且保存至etcd中. schedu ...

  9. 树莓派配置samba服务器,实现linux、windows文件共享

    一.安装samba服务器 输入如下命令: 二.配置文件smb.conf 找到[homes],将read only那里的yes改为no,允许读写 添加用户和设置密码 sudo smbpasswd -a ...

  10. Xenia and Weights(Codeforces Round #197 (Div. 2)+DP)

    题目链接 传送门 思路 \(dp[i][j][k]\)表示第\(i\)次操作放\(j\)后与另一堆的重量差为\(k\)是否存在. 代码实现如下 #include <set> #includ ...