AWS Private CA enables creation of private certificate authority (CA) hierarchies, including root and subordinate CAs. This module creates one private CA and, when revocation is enabled, publishes its CRL from a KMS-encrypted S3 bucket that is served through a CloudFront distribution with origin access control, so the bucket itself never has to be public.
| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.50.0 |

| Name | Version |
|---|---|
| aws | >= 4.50.0 |
| aws.crl | >= 4.50.0 |

| Name | Source | Version |
|---|---|---|
| cloudfront | git::https://github.com/dfds/aws-modules-cloudfront.git | v1.0.1 |
| cloudfront_logs_bucket | git::https://github.com/dfds/aws-modules-s3.git | v1.3.0 |
| crl_bucket | git::https://github.com/dfds/aws-modules-s3.git | v1.3.0 |
| s3_logs_bucket | git::https://github.com/dfds/aws-modules-s3.git//s3-logging-bucket | v1.3.0 |

| Name | Type |
|---|---|
| aws_acmpca_certificate_authority.this | resource |
| aws_cloudfront_origin_access_control.this | resource |
| aws_kms_alias.this | resource |
| aws_kms_key.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_caller_identity.crl_account | data source |
| aws_caller_identity.pca_account | data source |
| aws_iam_policy_document.bucket | data source |
| aws_iam_policy_document.kms | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_name | Name of the S3 bucket that contains the CRL | string | "" | no |
| ca_certificate_validity | How long the CA certificate should be valid, in days | number | 3634 | no |
| ca_type | Type of the certificate authority (ROOT or SUBORDINATE) | string | "SUBORDINATE" | no |
| cloudfront_logs_bucket | Name of the S3 bucket for CloudFront logs | string | n/a | yes |
| cloudfront_origin_access_control_name | Unique CloudFront origin access control name | string | n/a | yes |
| cloudfront_tags | Map of tags for the CloudFront distribution | object({}) | {} | no |
| common_name | Fully qualified domain name (FQDN) associated with the certificate subject | string | "" | no |
| country | Two-letter code of the country in which the certificate subject is located | string | "" | no |
| create_kms | Whether to create a KMS key for the S3 bucket | bool | true | no |
| custom_cname | Name inserted into the certificate's CRL Distribution Points extension so that clients fetch the CRL under an alias. Use this if you don't want the name of your S3 bucket to be public | string | "" | no |
| enable_crl | Whether to enable certificate revocation lists (CRLs) | bool | true | no |
| enable_key_rotation | Whether to enable KMS key rotation | bool | true | no |
| enable_kms_default_policy | Whether to enable the default policy for the KMS key | bool | true | no |
| enable_ocsp | Whether OCSP is enabled for the CA | bool | false | no |
| expiration_in_days | Validity period of each published CRL, in days (the CRL's update interval, not the lifetime of issued certificates) | number | 7 | no |
| key_algorithm | Public key algorithm and key size, in bits, of the key pair the CA creates when it issues a certificate | string | "RSA_2048" | no |
| kms_key_administrators | List of KMS key administrators | list(string) | [] | no |
| kms_key_alias | Alias for the KMS key | string | "" | no |
| kms_key_users | List of KMS key users | list(string) | [] | no |
| kms_tags | Map of tags for the KMS key | object({}) | {} | no |
| locality | Locality (such as a city or town) in which the certificate subject is located | string | "" | no |
| ocsp_custom_cname | CNAME specifying a customized OCSP domain | string | "" | no |
| organization | Legal name of the organization with which the certificate subject is affiliated | string | "" | no |
| organizational_unit | Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated | string | "" | no |
| private_ca_tags | Map of tags for the private CA | object({}) | {} | no |
| s3_logs_bucket | Name of the S3 bucket that stores S3 access logs | string | n/a | yes |
| s3_object_acl | Whether the CRL is publicly readable (PUBLIC_READ) or privately held (BUCKET_OWNER_FULL_CONTROL) in the CRL S3 bucket | string | "BUCKET_OWNER_FULL_CONTROL" | no |
| signing_algorithm | Name of the algorithm your private CA uses to sign certificate requests | string | "SHA256WITHRSA" | no |
| state | State in which the subject of the certificate is located | string | "" | no |
| usage_mode | Whether the CA issues general-purpose certificates that typically require a revocation mechanism (GENERAL_PURPOSE), or short-lived certificates that may omit revocation because they expire quickly (SHORT_LIVED_CERTIFICATE) | string | "GENERAL_PURPOSE" | no |

| Name | Description |
|---|---|
| private_ca_arn | ARN of the private certificate authority |
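The following is an added usage example, not code from the module's own repository. It calls the module with the CRL bucket in a second AWS account, which is what the aws.crl provider alias and the crl_account/pca_account caller-identity data sources above imply, and keeps the bucket private behind the CloudFront origin access control by advertising an alias in the CRL Distribution Points extension. The module source path, provider profiles, region, account IDs, role names, bucket names and DNS name are assumptions; the input names and defaults are the ones in the table above.

```hcl
# Added example: calling the module described on this page with the CRL
# bucket owned by a second account. Not part of the module. Module path,
# profiles, region, account IDs, role names and bucket names are placeholders.

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.50.0"
    }
  }
}

# Account that owns the private CA (default provider).
provider "aws" {
  region  = "eu-west-1"
  profile = "pca-account" # assumption
}

# Account that owns the CRL bucket; passed to the module as its aws.crl alias.
provider "aws" {
  alias   = "crl"
  region  = "eu-west-1"
  profile = "crl-account" # assumption
}

module "private_ca" {
  source = "./modules/private-ca" # assumption: local path to this module

  providers = {
    aws     = aws
    aws.crl = aws.crl
  }

  # The three required inputs.
  cloudfront_logs_bucket                = "example-crl-cloudfront-logs"
  cloudfront_origin_access_control_name = "example-crl-oac"
  s3_logs_bucket                        = "example-crl-s3-access-logs"

  # Subject of the CA certificate.
  ca_type      = "SUBORDINATE"
  common_name  = "Example Issuing CA 1"
  organization = "Example Org"
  country      = "DK"

  # Revocation. The bucket stays private (BUCKET_OWNER_FULL_CONTROL) and the
  # CRL is reached through CloudFront under custom_cname, so issued
  # certificates carry crl.pki.example.com rather than the bucket name.
  # expiration_in_days is how long each published CRL is valid.
  enable_crl         = true
  bucket_name        = "example-private-ca-crl"
  custom_cname       = "crl.pki.example.com"
  s3_object_acl      = "BUCKET_OWNER_FULL_CONTROL"
  expiration_in_days = 7

  # KMS key for the CRL bucket: separate administrators from day-to-day users.
  create_kms             = true
  enable_key_rotation    = true
  kms_key_administrators = ["arn:aws:iam::111111111111:role/KmsAdmin"]   # placeholder
  kms_key_users          = ["arn:aws:iam::111111111111:role/PcaOperator"] # placeholder

  private_ca_tags = {
    Environment = "prod"
    Owner       = "pki"
  }
}

output "issuing_ca_arn" {
  value = module.private_ca.private_ca_arn
}
```

Two things to check after apply. First, the resource list above contains no aws_acmpca_certificate or aws_acmpca_certificate_authority_certificate, so the module only creates the CA; a subordinate CA still needs its CSR signed by the parent and the resulting certificate installed before it can issue anything. Second, the CRL distribution point is baked into every certificate at issuance, so the DNS CNAME from custom_cname to the CloudFront distribution must exist before the first certificate is issued; changing custom_cname later does not fix certificates already in circulation. If the CA will only issue short-lived certificates, usage_mode = "SHORT_LIVED_CERTIFICATE" with enable_crl = false removes the CRL pipeline entirely.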