terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)

main.tf 文件

 
resource "tls_private_key" "example" {
  algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
  key_algorithm = "${tls_private_key.example.algorithm}"
  private_key_pem = "${tls_private_key.example.private_key_pem}"
  # Certificate expires after 12 hours.
  validity_period_hours = 120000000
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 30000000
  is_ca_certificate = true
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
      "key_encipherment",
      "digital_signature",
      "server_auth",
  ]
  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
  dns_names = ["api.example.com", "k8sapi.example.com"]
  subject {
      common_name = "example.com"
      organization = "example, Inc"
  }
}
data "archive_file" "userinfos" {
  type = "zip"
  output_path = "tf-result/cert.zip"
  source {
    content = tls_private_key.example.private_key_pem
    filename = "private_key_pem"
  }
  source {
    content = tls_private_key.example.public_key_pem
    filename = "public_key_pem"
  }
  source {
    content = tls_self_signed_cert.example.cert_pem
    filename = "cert_pem"
  }
}
 

resource 说明

以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

  • init 下载插件
 
terraform init
  • 查看计划
terraform plan

效果

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
 
 
  • apply
terraform apply

效果

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
 
 
  • 文件内容
unzip cert.zip 
Archive: cert.zip
  inflating: cert_pem                
  inflating: private_key_pem         
  inflating: public_key_pem

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

使用terraform 生成自签名证书的更多相关文章

  1. cmd命令生成android签名证书

    cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录 运行如下命令 ...

  2. windows下使用makecert命令生成自签名证书

    1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...

  3. openssl生成自签名证书

    1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...

  4. 用OpenSSL生成自签名证书在IIS上搭建Https站点(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  5. [ipsec][strongswan] 用strongswan pki工具生成自签名证书

    如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...

  6. ios生成自签名证书,实现web下载安装app

    抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...

  7. 生成自签名证书-开启https

    1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...

  8. OpenSSL使用1(用OpenSSL生成自签名证书在IIS上搭建Https站点)(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  9. Windows下生成自签名证书

    最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...

随机推荐

  1. nginx通过自定义header属性来转发不同的服务

    一.背景 因为需要上线灰度发布,只要nginx接收到头部为: wx_unionid: 就会跳转到另外一个url,比如: 通过配置nginx 匹配请求头wx_unionid 来转发到灰度环境.核心:客户 ...

  2. pytest_使用自定义标记mark

    前言 pytest可以支持自定义标记,自定义标记可以把一个web项目划分多个模块,然后指定模块名称执行.app自动化的时候,如果想android和ios公用一套代码时,也可以使用标记功能,标明哪些是i ...

  3. 华为云实战开发】5.如何快速创建免费Git代码仓库【华为云技术分享】

    1 文章目的 本文主要帮助已经掌握或者想要掌握Git的开发者,如何更好的应用Git,以及更好的将Git与DevCloud结合应用. 2 概述 2.1 版本控制系统介绍 从狭义上来说,版本控制系统是软件 ...

  4. writeAsBytes writeAsString

    import 'dart:io';import 'dart:convert'; main()async{ File a = File('C:\\aria2\\1.txt'); var c = read ...

  5. Workerman简单开发示例实践(一)

    一.去官网下载workerman,地址:https://www.workerman.net/download,下载后解压任意文件夹. 二.在解压文件目录下新建http_test.php,输入如下代码: ...

  6. elsave.exe日志清除

    > elsave.exe -h usage: elsave [-s \\server] [-l log] [-F file] [-C] [-q] Saves and/or clears a Wi ...

  7. Linux“七大蠢”收录

    这个系列的文章,前段时间在微信公共平台(阿里技术嘉年华)上看过,写得很好. Linux"七大蠢"之一:万般皆文本 Linux"七大蠢"之二:处处有脚本 Linu ...

  8. C# DataTable 和List之间相互转换的方法(转载)

    来源:https://www.cnblogs.com/shiyh/p/7478241.html 一.List<T>/IEnumerable转换到DataTable/DataView 方法一 ...

  9. Linux 各系统目录作用及内容

  10. python(练习题)

    1.请写出冒泡排序将list1进行排序? List1 = [1,2,34,12,33,25,12,33,90,28] 2.使用python语言打印出name=”I love python”的长度 3. ...