From 449864830c522a1a53a1faba08ad96d6c6836fd3 Mon Sep 17 00:00:00 2001 From: Yonatan Koren Date: Tue, 10 Aug 2021 20:55:23 -0400 Subject: [PATCH] Feat: Allow Certificate and Private Key Extensions to be Overridden (#3) * Allow certificate and private key extensions to be overridden; add test for extension override, fix order of variables in assert.Equal in test suite. * Auto Format Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- README.md | 9 ++-- asm.tf | 10 ++-- docs/terraform.md | 9 ++-- .../custom-suffixes.us-east-1.tfvars | 16 +++++++ examples/custom_secrets/main.tf | 1 + examples/custom_secrets/variables.tf | 12 +++++ outputs.tf | 2 +- ssm.tf | 6 +-- test/src/examples_complete_test.go | 8 ++-- test/src/examples_custom_secrets_test.go | 47 ++++++++++++++++--- test/src/examples_preexisting_key_test.go | 6 +-- variables.tf | 46 ++++++++++++------ 12 files changed, 128 insertions(+), 44 deletions(-) create mode 100644 examples/custom_secrets/custom-suffixes.us-east-1.tfvars diff --git a/README.md b/README.md index de33ad5..cc3adcd 100644 --- a/README.md +++ b/README.md 
@@ -180,11 +180,11 @@ Available targets: | Name | Type | |------|------| -| [aws_secretsmanager_secret.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | | [aws_secretsmanager_secret.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_secretsmanager_secret_version.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [aws_ssm_parameter.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [tls_self_signed_cert.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | @@ -213,7 +213,8 @@ Available targets: | [private\_key\_ecdsa\_curve](#input\_private\_key\_ecdsa\_curve) | When `var.cert_key_algorithm` is `ECDSA`, the name of the elliptic curve to use. May be any one of `P224`, `P256`, `P384` or `P521`.

Ignored if `var.cert_key_algorithm` is not `ECDSA`, or if a preexisting private key is supplied via `var.private_key_contents`.

Defaults to the `tls` provider default. | `string` | `"P224"` | no | | [private\_key\_rsa\_bits](#input\_private\_key\_rsa\_bits) | When `var.cert_key_algorithm` is `RSA`, the size of the generated RSA key in bits.

Ignored if `var.cert_key_algorithm` is not `RSA`, or if a preexisting private key is supplied via `var.private_key_contents`.

Defaults to the `tls` provider default. | `number` | `2048` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [secret\_path\_format](#input\_secret\_path\_format) | The path format to use when writing secrets to the secret store.

The secret path will be computed as `format(var.secret_path_format, var.name, )`.
Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret path for the self-signed certificate's
PEM file will be `/example-self-signed-cert.pem`.

This variable can be overridden in order to create more specific secret store paths. | `string` | `"/%s.%s"` | no | +| [secret\_extensions](#input\_secret\_extensions) | The extensions use when writing secrets to the secret store.

Please refer to `var.secret_path_format` for information on how secret paths are computed. |
object({
certificate = string
private_key = string
})
|
{
"certificate": "pem",
"private_key": "key"
}
| no | +| [secret\_path\_format](#input\_secret\_path\_format) | The path format to use when writing secrets to the secret store.

The certificate secret path will be computed as `format(var.secret_path_format, var.name, var.secret_extensions.certificate)`
and the private key path as `format(var.secret_path_format, var.name, var.secret_extensions.private_key)`.

Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret paths for the self-signed certificate's
PEM file and private key will be `/example-self-signed-cert.pem` and `/example-self-signed-cert.key`, respectively.

This variable can be overridden in order to create more specific secret store paths. | `string` | `"/%s.%s"` | no | | [secrets\_store\_base64\_enabled](#input\_secrets\_store\_base64\_enabled) | Enable or disable base64 encoding of secrets before writing them to the secrets store. | `bool` | `false` | no | | [secrets\_store\_enabled](#input\_secrets\_store\_enabled) | Enable or disable writing to the secrets store. | `bool` | `true` | no | | [secrets\_store\_kms\_key\_id](#input\_secrets\_store\_kms\_key\_id) | The KMD Key ID (ARN or ID) to use when encrypting either the AWS SSM Parameters or AWS Secrets Manager Secrets relating to the certificate.

If not specified, the Amazon-managed Key `alias/aws/ssm` will be used if `var.secrets_store_type` is `SSM`,
and `alias/aws/secretsmanager` will be used if `var.secrets_store_type` is `ASM`. | `string` | `null` | no | diff --git a/asm.tf b/asm.tf index f4d5035..e7c3255 100644 --- a/asm.tf +++ b/asm.tf @@ -1,24 +1,24 @@ -resource "aws_secretsmanager_secret" "pem" { +resource "aws_secretsmanager_secret" "certificate" { count = local.asm_enabled ? 1 : 0 - name = format(var.secret_path_format, module.this.name, "pem") + name = format(var.secret_path_format, module.this.name, var.secret_extensions.certificate) recovery_window_in_days = var.asm_recovery_window_in_days kms_key_id = local.secrets_store_kms_key_id tags = module.this.tags } -resource "aws_secretsmanager_secret_version" "pem" { +resource "aws_secretsmanager_secret_version" "certificate" { count = local.asm_enabled ? 1 : 0 - secret_id = join("", aws_secretsmanager_secret.pem.*.name) + secret_id = join("", aws_secretsmanager_secret.certificate.*.name) secret_string = var.secrets_store_base64_enabled ? base64encode(local.tls_certificate) : local.tls_certificate } resource "aws_secretsmanager_secret" "private_key" { count = local.asm_enabled ? 1 : 0 - name = format(var.secret_path_format, module.this.name, "key") + name = format(var.secret_path_format, module.this.name, var.secret_extensions.private_key) recovery_window_in_days = var.asm_recovery_window_in_days kms_key_id = local.secrets_store_kms_key_id diff --git a/docs/terraform.md b/docs/terraform.md index 55386e3..8b4b374 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
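Review bot: Renaming `aws_secretsmanager_secret.pem` to `aws_secretsmanager_secret.certificate` (and the matching `_version` resource) changes the state address while the default secret name stays `/<name>.pem`, so existing users will get a destroy of the old address plus a create of the new one with the identical name on their next apply, and Secrets Manager is likely to refuse the create while the old secret is still inside its `asm_recovery_window_in_days` deletion window. The same address rename happens to `aws_ssm_parameter.pem` in ssm.tf, where the create may also race the delete of the same parameter name. Since this module is not on a Terraform version with `moved` blocks, the commit should at least document the migration in the README or a changelog entry, e.g. `terraform state mv 'module.<MODULE_NAME>.aws_secretsmanager_secret.pem[0]' 'module.<MODULE_NAME>.aws_secretsmanager_secret.certificate[0]'` (placeholder module name), with the equivalent lines for the secret version and SSM parameter addresses.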
@@ -24,11 +24,11 @@ | Name | Type | |------|------| -| [aws_secretsmanager_secret.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | | [aws_secretsmanager_secret.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_secretsmanager_secret_version.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [aws_ssm_parameter.pem](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [tls_private_key.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [tls_self_signed_cert.default](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | @@ -57,7 +57,8 @@ | [private\_key\_ecdsa\_curve](#input\_private\_key\_ecdsa\_curve) | When `var.cert_key_algorithm` is `ECDSA`, the name of the elliptic curve to use. May be any one of `P224`, `P256`, `P384` or `P521`.

Ignored if `var.cert_key_algorithm` is not `ECDSA`, or if a preexisting private key is supplied via `var.private_key_contents`.

Defaults to the `tls` provider default. | `string` | `"P224"` | no | | [private\_key\_rsa\_bits](#input\_private\_key\_rsa\_bits) | When `var.cert_key_algorithm` is `RSA`, the size of the generated RSA key in bits.

Ignored if `var.cert_key_algorithm` is not `RSA`, or if a preexisting private key is supplied via `var.private_key_contents`.

Defaults to the `tls` provider default. | `number` | `2048` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [secret\_path\_format](#input\_secret\_path\_format) | The path format to use when writing secrets to the secret store.

The secret path will be computed as `format(var.secret_path_format, var.name, )`.
Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret path for the self-signed certificate's
PEM file will be `/example-self-signed-cert.pem`.

This variable can be overridden in order to create more specific secret store paths. | `string` | `"/%s.%s"` | no | +| [secret\_extensions](#input\_secret\_extensions) | The extensions use when writing secrets to the secret store.

Please refer to `var.secret_path_format` for information on how secret paths are computed. |
object({
certificate = string
private_key = string
})
|
{
"certificate": "pem",
"private_key": "key"
}
| no | +| [secret\_path\_format](#input\_secret\_path\_format) | The path format to use when writing secrets to the secret store.

The certificate secret path will be computed as `format(var.secret_path_format, var.name, var.secret_extensions.certificate)`
and the private key path as `format(var.secret_path_format, var.name, var.secret_extensions.private_key)`.

Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret paths for the self-signed certificate's
PEM file and private key will be `/example-self-signed-cert.pem` and `/example-self-signed-cert.key`, respectively.

This variable can be overridden in order to create more specific secret store paths. | `string` | `"/%s.%s"` | no | | [secrets\_store\_base64\_enabled](#input\_secrets\_store\_base64\_enabled) | Enable or disable base64 encoding of secrets before writing them to the secrets store. | `bool` | `false` | no | | [secrets\_store\_enabled](#input\_secrets\_store\_enabled) | Enable or disable writing to the secrets store. | `bool` | `true` | no | | [secrets\_store\_kms\_key\_id](#input\_secrets\_store\_kms\_key\_id) | The KMD Key ID (ARN or ID) to use when encrypting either the AWS SSM Parameters or AWS Secrets Manager Secrets relating to the certificate.

If not specified, the Amazon-managed Key `alias/aws/ssm` will be used if `var.secrets_store_type` is `SSM`,
and `alias/aws/secretsmanager` will be used if `var.secrets_store_type` is `ASM`. | `string` | `null` | no | diff --git a/examples/custom_secrets/custom-suffixes.us-east-1.tfvars b/examples/custom_secrets/custom-suffixes.us-east-1.tfvars new file mode 100644 index 0000000..780f965 --- /dev/null +++ b/examples/custom_secrets/custom-suffixes.us-east-1.tfvars @@ -0,0 +1,16 @@ +region = "us-east-1" + +namespace = "eg" + +environment = "ue1" + +stage = "test" + +name = "self-signed-cert-custom-suffixes" + +secret_extensions = { + certificate = "crt" + private_key = "key" +} + +secret_path_format = "/%s.%s" diff --git a/examples/custom_secrets/main.tf b/examples/custom_secrets/main.tf index 29f89eb..d8ec3b6 100644 --- a/examples/custom_secrets/main.tf +++ b/examples/custom_secrets/main.tf @@ -29,6 +29,7 @@ module "self_signed_cert" { "server_auth" ] + secret_extensions = var.secret_extensions secret_path_format = var.secret_path_format secrets_store_type = var.secrets_store_type secrets_store_enabled = var.secrets_store_enabled diff --git a/examples/custom_secrets/variables.tf b/examples/custom_secrets/variables.tf index db22c23..64bb0ee 100644 --- a/examples/custom_secrets/variables.tf +++ b/examples/custom_secrets/variables.tf @@ -9,6 +9,18 @@ variable "create_cmk" { default = false } +variable "secret_extensions" { + description = "The extensions use when writing secrets to the secret store." + type = object({ + certificate = string + private_key = string + }) + default = { + certificate = "pem" + private_key = "key" + } +} + variable "secret_path_format" { description = "The custom secret path to use." type = string diff --git a/outputs.tf b/outputs.tf index 6b44436..abdb0be 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -5,7 +5,7 @@ output "certificate_key_path" { output "certificate_pem_path" { description = "Secrets store path containing the certificate PEM file." - value = local.secrets_store_enabled ? coalesce(join("", aws_ssm_parameter.pem.*.name), join("", aws_secretsmanager_secret.pem.*.name)) : null + value = local.secrets_store_enabled ? coalesce(join("", aws_ssm_parameter.certificate.*.name), join("", aws_secretsmanager_secret.certificate.*.name)) : null } output "certificate_pem" { diff --git a/ssm.tf b/ssm.tf index 72c79f2..dccdcfe 100644 --- a/ssm.tf +++ b/ssm.tf @@ -1,7 +1,7 @@ -resource "aws_ssm_parameter" "pem" { +resource "aws_ssm_parameter" "certificate" { count = local.ssm_enabled ? 1 : 0 - name = format(var.secret_path_format, module.this.name, "pem") + name = format(var.secret_path_format, module.this.name, var.secret_extensions.certificate) type = "SecureString" key_id = local.secrets_store_kms_key_id value = var.secrets_store_base64_enabled ? base64encode(local.tls_certificate) : local.tls_certificate @@ -12,7 +12,7 @@ resource "aws_ssm_parameter" "pem" { resource "aws_ssm_parameter" "private_key" { count = local.ssm_enabled ? 1 : 0 - name = format(var.secret_path_format, module.this.name, "key") + name = format(var.secret_path_format, module.this.name, var.secret_extensions.private_key) type = "SecureString" key_id = local.secrets_store_kms_key_id value = var.secrets_store_base64_enabled ? base64encode(local.tls_key) : local.tls_key diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go index c0e8bc3..753f6a1 100644 --- a/test/src/examples_complete_test.go +++ b/test/src/examples_complete_test.go 
@@ -78,10 +78,10 @@ func testExamplesCompleteNonCA(t *testing.T) { terraform.Apply(t, terraformOptions) certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") - assert.Equal(t, certificatePEMPath, "/self-signed-cert.pem") + assert.Equal(t, "/self-signed-cert.pem", certificatePEMPath) certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") - assert.Equal(t, certificateKeyPath, "/self-signed-cert.key") + assert.Equal(t, "/self-signed-cert.key", certificateKeyPath) } func testExamplesCompleteCA(t *testing.T) { @@ -112,8 +112,8 @@ func testExamplesCompleteCA(t *testing.T) { terraform.Apply(t, terraformOptions) certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") - assert.Equal(t, certificatePEMPath, "/self-signed-cert-ca.pem") + assert.Equal(t, "/self-signed-cert-ca.pem", certificatePEMPath) certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") - assert.Equal(t, certificateKeyPath, "/self-signed-cert-ca.key") + assert.Equal(t, "/self-signed-cert-ca.key", certificateKeyPath) } diff --git a/test/src/examples_custom_secrets_test.go b/test/src/examples_custom_secrets_test.go index 5c261b1..5a536c1 100644 --- a/test/src/examples_custom_secrets_test.go +++ b/test/src/examples_custom_secrets_test.go @@ -25,6 +25,7 @@ func TestExamplesCustomSecrets(t *testing.T) { t.Run("SSM", testExamplesCustomSecretsSSM) t.Run("ASM", testExamplesCustomSecretsASM) t.Run("CMK", testExamplesCustomSecretsCMK) + t.Run("CustomSuffixes", testExamplesCustomSecretsSuffixes) } func testExamplesCustomSecretsNoStore(t *testing.T) { 
@@ -83,10 +84,10 @@ func testExamplesCustomSecretsSSM(t *testing.T) { terraform.Apply(t, terraformOptions) certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") - assert.Equal(t, certificatePEMPath, "/test-ssm/self-signed-cert-ssm.pem") + assert.Equal(t, "/test-ssm/self-signed-cert-ssm.pem", certificatePEMPath) certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") - assert.Equal(t, certificateKeyPath, "/test-ssm/self-signed-cert-ssm.key") + assert.Equal(t, "/test-ssm/self-signed-cert-ssm.key", certificateKeyPath) } func testExamplesCustomSecretsASM(t *testing.T) { @@ -117,10 +118,10 @@ func testExamplesCustomSecretsASM(t *testing.T) { terraform.Apply(t, terraformOptions) certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") - assert.Equal(t, certificatePEMPath, "/test-asm/self-signed-cert-asm.pem") + assert.Equal(t, "/test-asm/self-signed-cert-asm.pem", certificatePEMPath) certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") - assert.Equal(t, certificateKeyPath, "/test-asm/self-signed-cert-asm.key") + assert.Equal(t, "/test-asm/self-signed-cert-asm.key", certificateKeyPath) } 
@@ -152,8 +153,42 @@ func testExamplesCustomSecretsCMK(t *testing.T) { terraform.Apply(t, terraformOptions) certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") - assert.Equal(t, certificatePEMPath, "/test-cmk/self-signed-cert-cmk.pem") + assert.Equal(t, "/test-cmk/self-signed-cert-cmk.pem", certificatePEMPath) certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") - assert.Equal(t, certificateKeyPath, "/test-cmk/self-signed-cert-cmk.key") + assert.Equal(t, "/test-cmk/self-signed-cert-cmk.key", certificateKeyPath) +} + +func testExamplesCustomSecretsSuffixes(t *testing.T) { + t.Parallel() + + rand.Seed(time.Now().UnixNano() + 4) // give a slightly different seed than the other parallel tests + + attributes := []string{strconv.Itoa(rand.Intn(100000))} + + terraformOptions := &terraform.Options{ + // The path to where our Terraform code is located + TerraformDir: "../../examples/custom_secrets", + Upgrade: true, + EnvVars: map[string]string{ + "TF_CLI_ARGS": "-state=terraform-custom-suffixes-test.tfstate", + }, + // Variables to pass to our Terraform code using -var-file options + VarFiles: []string{"custom-suffixes.us-east-1.tfvars"}, + Vars: map[string]interface{}{ + "attributes": attributes, + }, + } + + // At the end of the test, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // This will run `terraform init` and `terraform apply` and fail the test if there are any errors + terraform.Apply(t, terraformOptions) + + certificatePEMPath := terraform.Output(t, terraformOptions, "certificate_pem_path") + assert.Equal(t, "/self-signed-cert-custom-suffixes.crt", certificatePEMPath) + + certificateKeyPath := terraform.Output(t, terraformOptions, "certificate_key_path") + assert.Equal(t, "/self-signed-cert-custom-suffixes.key", certificateKeyPath) } 
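Review bot: testExamplesCustomSecretsSuffixes only asserts the two output paths, so a regression in asm.tf/ssm.tf that stores the private key under the `.crt` path or the certificate under the `.key` path would still pass. After the path assertions, read the secret at certificatePEMPath back and check it really is a certificate, e.g. `value, err := getSSMParameterValue("us-east-1", certificatePEMPath)`, `assert.NoError(t, err)` and `assert.True(t, strings.HasPrefix(value, "-----BEGIN CERTIFICATE-----"))` (with `strings` imported), reusing the getSSMParameterValue helper that already exists in examples_preexisting_key_test.go. This presumes the example defaults to the SSM store and that `secrets_store_base64_enabled` is off; custom-suffixes.us-east-1.tfvars sets neither `secrets_store_type` nor the base64 flag, so confirm the defaults or set them explicitly in the tfvars so the test is self-describing.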
diff --git a/test/src/examples_preexisting_key_test.go b/test/src/examples_preexisting_key_test.go index 0bcf9ed..340748b 100644 --- a/test/src/examples_preexisting_key_test.go +++ b/test/src/examples_preexisting_key_test.go @@ -83,7 +83,7 @@ func testExamplesPreexistingKeyRSA(t *testing.T) { if err != nil { t.Fatal(err) } - assert.Equal(t, certificateKey, string(privateKeyPEM)) + assert.Equal(t, string(privateKeyPEM), certificateKey) } func testExamplesPreexistingKeyRSABase64(t *testing.T) { @@ -134,7 +134,7 @@ func testExamplesPreexistingKeyRSABase64(t *testing.T) { if err != nil { t.Fatal(err) } - assert.Equal(t, certificateKey, base64.StdEncoding.EncodeToString(privateKeyPEM)) + assert.Equal(t, base64.StdEncoding.EncodeToString(privateKeyPEM), certificateKey) } func testExamplesPreexistingKeyECDSA(t *testing.T) { @@ -187,7 +187,7 @@ func testExamplesPreexistingKeyECDSA(t *testing.T) { if err != nil { t.Fatal(err) } - assert.Equal(t, certificateKey, string(privateKeyPEM)) + assert.Equal(t, string(privateKeyPEM), certificateKey) } func getSSMParameterValue(awsRegion string, parameterName string) (string, error) { diff --git a/variables.tf b/variables.tf index 5c9b15d..7a35f41 100644 --- a/variables.tf +++ b/variables.tf @@ -21,17 +21,6 @@ variable "basic_constraints" { } } -variable "private_key_contents" { - description = <<-EOT - The contents of the private key to use for the certificate. - If supplied, this module will not create a private key and use these contents instead for the private key. - - Defaults to `null`, which means a private key will be created. - EOT - type = string - default = null -} - variable "private_key_algorithm" { description = <<-EOT The name of the algorithm for the private key of the certificate. Currently only RSA and ECDSA are supported. 
@@ -48,6 +37,17 @@ variable "private_key_algorithm" { } } +variable "private_key_contents" { + description = <<-EOT + The contents of the private key to use for the certificate. + If supplied, this module will not create a private key and use these contents instead for the private key. + + Defaults to `null`, which means a private key will be created. + EOT + type = string + default = null +} + variable "private_key_rsa_bits" { description = <<-EOT When `var.cert_key_algorithm` is `RSA`, the size of the generated RSA key in bits. @@ -142,13 +142,31 @@ variable "asm_recovery_window_in_days" { default = 30 } +variable "secret_extensions" { + description = <<-EOT + The extensions use when writing secrets to the secret store. + + Please refer to `var.secret_path_format` for information on how secret paths are computed. + EOT + type = object({ + certificate = string + private_key = string + }) + default = { + certificate = "pem" + private_key = "key" + } +} + variable "secret_path_format" { description = <<-EOT The path format to use when writing secrets to the secret store. - The secret path will be computed as `format(var.secret_path_format, var.name, )`. - Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret path for the self-signed certificate's - PEM file will be `/example-self-signed-cert.pem`. + The certificate secret path will be computed as `format(var.secret_path_format, var.name, var.secret_extensions.certificate)` + and the private key path as `format(var.secret_path_format, var.name, var.secret_extensions.private_key)`. + + Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret paths for the self-signed certificate's + PEM file and private key will be `/example-self-signed-cert.pem` and `/example-self-signed-cert.key`, respectively. This variable can be overridden in order to create more specific secret store paths. EOT
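Review bot: The new `secret_extensions` variable is interpolated straight into the secret names in asm.tf and ssm.tf but has no `validation` block, so `certificate = "pem", private_key = "pem"` (or an empty string) is accepted at plan time and both the certificate and the private key resources then compete for the same path; depending on the store this surfaces as an apply error or as the private key landing under the path consumers treat as the public certificate. A validation on the variable catches this before anything is written. The description text `The extensions use when writing secrets to the secret store.` also reads as a typo for "The extensions to use when writing secrets to the secret store." and is repeated verbatim in examples/custom_secrets/variables.tf, README.md and docs/terraform.md.
```hcl
variable "secret_extensions" {
  # … unchanged: description, type, default …

  validation {
    condition = (
      length(var.secret_extensions.certificate) > 0 &&
      length(var.secret_extensions.private_key) > 0 &&
      var.secret_extensions.certificate != var.secret_extensions.private_key
    )
    error_message = "The certificate and private key extensions must be non-empty and different from each other, so the two secrets are written to distinct paths."
  }
}
```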