terraform 是一个很不错的基础设施工具,我们可以用来做关于基础设施部署的事情,可以实现基础设施即代码
以下演示一个简单的自签名证书的生成(使用tls provider)

main.tf 文件

 
resource "tls_private_key" "example" {
  algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
  key_algorithm = "${tls_private_key.example.algorithm}"
  private_key_pem = "${tls_private_key.example.private_key_pem}"
  # Certificate expires after 12 hours.
  validity_period_hours = 120000000
  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 30000000
  is_ca_certificate = true
  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
      "key_encipherment",
      "digital_signature",
      "server_auth",
  ]
  ip_addresses = ["127.0.0.1","192.168.0.111","10.10.18.119"]
  dns_names = ["api.example.com", "k8sapi.example.com"]
  subject {
      common_name = "example.com"
      organization = "example, Inc"
  }
}
data "archive_file" "userinfos" {
  type = "zip"
  output_path = "tf-result/cert.zip"
  source {
    content = tls_private_key.example.private_key_pem
    filename = "private_key_pem"
  }
  source {
    content = tls_private_key.example.public_key_pem
    filename = "public_key_pem"
  }
  source {
    content = tls_self_signed_cert.example.cert_pem
    filename = "cert_pem"
  }
}
 

resource 说明

以上代码使用了archive provider 进行生成文件压缩,使用tls_private_key 生成私钥
使用tls_self_signed_cert 生成自签名证书

运行

  • init 下载插件
 
terraform init
  • 查看计划
terraform plan

效果

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
 
 
  • apply
terraform apply

效果

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)
Terraform will perform the following actions:
  # data.archive_file.userinfos will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "userinfos" {
      + id = (known after apply)
      + output_base64sha256 = (known after apply)
      + output_md5 = (known after apply)
      + output_path = "tf-result/cert.zip"
      + output_sha = (known after apply)
      + output_size = (known after apply)
      + type = "zip"
      + source {
          + content = (known after apply)
          + filename = "cert_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "private_key_pem"
        }
      + source {
          + content = (known after apply)
          + filename = "public_key_pem"
        }
    }
  # tls_private_key.example will be created
  + resource "tls_private_key" "example" {
      + algorithm = "RSA"
      + ecdsa_curve = "P224"
      + id = (known after apply)
      + private_key_pem = (known after apply)
      + public_key_fingerprint_md5 = (known after apply)
      + public_key_openssh = (known after apply)
      + public_key_pem = (known after apply)
      + rsa_bits = 2048
    }
  # tls_self_signed_cert.example will be created
  + resource "tls_self_signed_cert" "example" {
      + allowed_uses = [
          + "key_encipherment",
          + "digital_signature",
          + "server_auth",
        ]
      + cert_pem = (known after apply)
      + dns_names = [
          + "api.example.com",
          + "k8sapi.example.com",
        ]
      + early_renewal_hours = 30000000
      + id = (known after apply)
      + ip_addresses = [
          + "127.0.0.1",
          + "192.168.0.111",
          + "10.10.18.119",
        ]
      + is_ca_certificate = true
      + key_algorithm = "RSA"
      + private_key_pem = (known after apply)
      + validity_end_time = (known after apply)
      + validity_period_hours = 120000000
      + validity_start_time = (known after apply)
      + subject {
          + common_name = "example.com"
          + organization = "example, Inc"
        }
    }
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
tls_private_key.example: Creating...
tls_private_key.example: Creation complete after 0s [id=4bb57b583566785ce23a003432515e07fcebfdba]
tls_self_signed_cert.example: Creating...
tls_self_signed_cert.example: Creation complete after 0s [id=132700825268662052341550768328847386301]
data.archive_file.userinfos: Refreshing state...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
 
 
  • 文件内容
unzip cert.zip 
Archive: cert.zip
  inflating: cert_pem                
  inflating: private_key_pem         
  inflating: public_key_pem

说明

我们可以结合vault 的tls 管理以及tf 方便的进行证书管理——基础设施即代码

参考资料

https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html
https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine

使用terraform 生成自签名证书的更多相关文章

  1. cmd命令生成android签名证书

    cmd命令生成android签名证书,有空在写一篇eclipse导出带签名的apk,这里面包括生成新的签名.现在还是讲讲在cmd怎么操作生成签名证书. 1.dos下进入JDK的bin目录 运行如下命令 ...

  2. windows下使用makecert命令生成自签名证书

    1.makecert命令路径 C:\Program Files (x86)\Windows Kits\8.1\bin\x64 2.生成一个自签名证书 makecert -r -pe -n " ...

  3. openssl生成自签名证书

    1.生成x509格式的CA自签名证书 openssl req -new -x509 -keyout ca.key -out ca.crt 2.生成服务端的私钥(key文件)及申请证书文件csr文件 o ...

  4. 用OpenSSL生成自签名证书在IIS上搭建Https站点(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  5. [ipsec][strongswan] 用strongswan pki工具生成自签名证书

    如题.我在实验环境里,分别要为两个endpoint(T9和T129)生成证书. 证书是如何生成的呢? 证书是由根证书机构签发的.申请证书的人将request提交给根证书机构,然后根证书机构根据requ ...

  6. ios生成自签名证书,实现web下载安装app

    抄自http://beyondvincent.com/blog/2014/03/17/five-tips-for-using-self-signed-ssl-certificates-with-ios ...

  7. 生成自签名证书-开启https

    1.生成CA证书 # 生成 CA 私钥 openssl genrsa -out ca.key 2048 # X.509 Certificate Signing Request (CSR) Manage ...

  8. OpenSSL使用1(用OpenSSL生成自签名证书在IIS上搭建Https站点)(用于iOS的https访问)

    前提: 先安装openssl,安装有两种方式,第一种直接下载安装包,装上就可运行:第二种可以自己下载源码,自己编译.这里推荐第一种. 安装包:http://slproweb.com/products/ ...

  9. Windows下生成自签名证书

    最近通过openssl生成了自签名的证书,总结成下面这张图. 说明:下载openssl0.9.8之后解压,然后运行bin\openssl.exe进入openssl运行环境,然后按上图中顺序执行命令.( ...

随机推荐

  1. vs配置opencv(只需一次)

    一.配置环境变量(bin) 二.配置属性表 1.配置包含(include)目录 2.配置库(lib)目录 3.配置依赖项(.lib)

  2. 静态工具类注入service的方法

    http://blog.sina.com.cn/s/blog_6e2d53050102wl3x.html

  3. python ocr中文识别库 tesseract安装及问题处理

    这个破东西,折腾了快1个小时,网上的教材太乱了. 我解决的主要是windows的问题 先下载exe.(一看到这个,我就有种预感,不妙) https://digi.bib.uni-mannheim.de ...

  4. Git撤销add、commit

    撤销add git status 查看当下更新的文件 git reset HEAD 表示撤销上次add的所有文件 git reset HEAD dir/dir/test.php 撤销指定文件 撤销co ...

  5. Java中new和Class.forName的区别

    首先:New = Class.forName("pacage.A").newInstance(); new是关键字,直接创建对象.Class.forName()是一个方法,要求JV ...

  6. Exception和RuntimeException区别

    Exception:强制性要求用户必须进行处理: RuntimeException:是Exception的子类,由用户选择是否进行处理:

  7. Abp vNext抽茧剥丝01 使用using临时更改当前租户

    在Abp vNext中,如果开启了多租户功能,在业务代码中默认使用当前租户的数据,如果我们需要更改当前租户,可以使用下面的方法 /* 此时当前租户 */ using (CurrentTenant.Ch ...

  8. ffmpeg 把视频转换为图片

    ffmpeg -i "Tail of Hope.mp4" -r 1 -q:v 2 -f image2 pic-%03d.jpeg

  9. Kubernetes pod平滑迁移

    pod平滑迁移 使用到的命令 (cordon, drain, uncordon)这三个命令是正式release的1.2新加入的命令,三个命令一起介绍,是因为三个命令配合使用可以实现节点的维护.在1.2 ...

  10. 【笔记】Reptile-一阶元学习算法

    目录 论文信息 Nichol A , Achiam J , Schulman J . On First-Order Meta-Learning Algorithms[J]. 2018. 一.摘要 本文 ...