Generate a postgresql certificate.

This commit is contained in:
Tom Alexander 2021-07-18 21:19:08 -04:00
parent 8a7fa68a6e
commit fd63ea2c43
Signed by: talexander
GPG Key ID: D3A179C9A53C0EDE
3 changed files with 53 additions and 0 deletions

.gitignore vendored

@ -2,3 +2,7 @@
.terraform/
terraform.tfstate
terraform.tfstate.backup
pgclient.crt
pgclient.key
pgserver.crt


@ -105,6 +105,45 @@ module "cloudsql" {
]
}
output "cloudsql_server_certificate" {
description = "CA certificate"
value = module.cloudsql.certificate.server_ca_cert
sensitive = true
}
output "cloudsql_client_certificate" {
description = "CA certificate"
value = module.cloudsql.certificate.cert
sensitive = true
}
output "cloudsql_client_key" {
description = "CA certificate"
value = module.cloudsql.certificate.private_key
sensitive = true
}
resource "local_file" "pgserver_crt" {
sensitive_content = module.cloudsql.certificate.server_ca_cert
filename = "${path.module}/pgserver.crt"
file_permission = "0600"
directory_permission = "0700"
}
resource "local_file" "pgclient_crt" {
sensitive_content = module.cloudsql.certificate.cert
filename = "${path.module}/pgclient.crt"
file_permission = "0600"
directory_permission = "0700"
}
resource "local_file" "pgclient_key" {
sensitive_content = module.cloudsql.certificate.private_key
filename = "${path.module}/pgclient.key"
file_permission = "0600"
directory_permission = "0700"
}
# Create a workload identity service account for IAM authentication to
# cloudsql
module "cloudsql_test_sa" {
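Review bot: The `description` on `cloudsql_client_certificate` and `cloudsql_client_key` both read "CA certificate", copied from the server output, but those values are the client leaf certificate and its private key; change them to `description = "Client TLS certificate"` and `description = "Client TLS private key"`. `sensitive = true` on the outputs only redacts them from CLI display: the output values and the `sensitive_content` of all three `local_file` resources are still stored in clear text in the Terraform state, so the state file needs the same handling as the key material (it is only gitignored in this commit, which presumably means local state). The `local_file` resources also write `pgclient.key` into the module directory, so keeping the key out of the repository rests entirely on the `.gitignore` entries added alongside. The enclosing `module "cloudsql"` block closes at the top of this hunk and `module "cloudsql_test_sa"` continues past its end.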


@ -43,6 +43,11 @@ output "instance" {
value = google_sql_database_instance.instance
}
output "certificate" {
description = "TLS certificate for connecting to the database."
value = google_sql_ssl_cert.client_cert
}
# Needed for CloudSQL Auth Proxy
resource "google_project_service" "sqladmin" {
project = var.project
@ -85,3 +90,8 @@ resource "google_sql_user" "postgres" {
instance = google_sql_database_instance.instance.name
password = var.postgres_password
}
resource "google_sql_ssl_cert" "client_cert" {
common_name = "client-name"
instance = google_sql_database_instance.instance.name
}
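Review bot: `output "certificate"` in the first hunk exports the whole `google_sql_ssl_cert.client_cert` object, which carries the private key together with the certificate, yet it is not marked sensitive even though the root-module outputs that consume it are; add `sensitive = true` to this output. Depending on the provider version (not visible here), Terraform may also refuse an unmarked output that refers to a provider-flagged sensitive attribute, so the flag is likely needed for the plan as well as for hygiene. In the second hunk, `common_name = "client-name"` is a fixed placeholder; exposing it as a module variable (for example `common_name = var.client_cert_common_name`, a name to be chosen) would let callers give the client certificate a meaningful identity instead of a literal that reads like sample data. The `output "instance"` block closes at the start of the first hunk, `resource "google_project_service" "sqladmin"` runs past its end, and `resource "google_sql_user" "postgres"` starts before the second hunk.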