Skip to content
This repository has been archived by the owner on Aug 7, 2023. It is now read-only.

Terraform provider to automate the creation of BLESS deployments

License

Notifications You must be signed in to change notification settings

chanzuckerberg/terraform-provider-bless

Repository files navigation

Terraform-provider-bless


Please note: If you believe you have found a security issue, please responsibly disclose by contacting us at [email protected].


Terraform provider to automate the creation of BLESS deployments.

bless_ca

This provider generates a BLESS CA without leaking any sensitive material to the terraform state store. The private part of the key is encrypted with a password. This password is then encrypted through KMS so that it is compatible with BLESS.

Example usage

provider "bless" {
  region  = "us-east-1"
  profile = "<aws_profile>"
}

resource "bless_ca" "example" {
  kms_key_id = "<kms_key_id>"
}

# The encrypted CA private key
output "encrypted_ca" {
  value = "${bless_ca.example.encrypted_ca}"
}

# The CA public key
output "ca" {
  value = "${bless_ca.example.public_key}"
}

# The KMS encrypted CA password
output "password" {
  value = "${bless_ca.example.encrypted_password}"
}

This module only creates logical resources and therefore only contributes to terraform state. Does not create externally managed resources. In order to generate a new key then, you must taint the resource. Terraform will then generate a new key on the next run.

terraform taint bless.example