Generate a postgresql certificate.

2021-07-18 21:19:08 -04:00 · 2021-07-18 21:19:08 -04:00 · fd63ea2c43
commit fd63ea2c43
parent 8a7fa68a6e
3 changed files with 53 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,7 @@
 .terraform/
 terraform.tfstate
 terraform.tfstate.backup
+
+pgclient.crt
+pgclient.key
+pgserver.crt
--- a/terraform/basic_gke/main.tf
+++ b/terraform/basic_gke/main.tf
@ -105,6 +105,45 @@ module "cloudsql" {
  ]
 }

+output "cloudsql_server_certificate" {
+  description = "CA certificate"
+  value       = module.cloudsql.certificate.server_ca_cert
+  sensitive   = true
+}
+
+output "cloudsql_client_certificate" {
+  description = "CA certificate"
+  value       = module.cloudsql.certificate.cert
+  sensitive   = true
+}
+
+output "cloudsql_client_key" {
+  description = "CA certificate"
+  value       = module.cloudsql.certificate.private_key
+  sensitive   = true
+}
+
+resource "local_file" "pgserver_crt" {
+  sensitive_content    = module.cloudsql.certificate.server_ca_cert
+  filename             = "${path.module}/pgserver.crt"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_crt" {
+  sensitive_content    = module.cloudsql.certificate.cert
+  filename             = "${path.module}/pgclient.crt"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
+resource "local_file" "pgclient_key" {
+  sensitive_content    = module.cloudsql.certificate.private_key
+  filename             = "${path.module}/pgclient.key"
+  file_permission      = "0600"
+  directory_permission = "0700"
+}
+
 # Create a workload identity service account for IAM authentication to
 # cloudsql
 module "cloudsql_test_sa" {
--- a/terraform/modules/cloudsql/cloudsql.tf
+++ b/terraform/modules/cloudsql/cloudsql.tf
@ -43,6 +43,11 @@ output "instance" {
  value       = google_sql_database_instance.instance
 }

+output "certificate" {
+  description = "TLS certificate for connecting to the database."
+  value       = google_sql_ssl_cert.client_cert
+}
+
 # Needed for CloudSQL Auth Proxy
 resource "google_project_service" "sqladmin" {
  project                    = var.project
@ -85,3 +90,8 @@ resource "google_sql_user" "postgres" {
  instance = google_sql_database_instance.instance.name
  password = var.postgres_password
 }
+
+resource "google_sql_ssl_cert" "client_cert" {
+  common_name = "client-name"
+  instance    = google_sql_database_instance.instance.name
+}