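# Note: Everything is commented out here as mdm is not enabled by default.
# Uncomment to use.
#
# This section expects all kms-encrypted secrets to live in the resources/
# subdirectory. The list of expected filenames is as follows:
#
# Only the *.encrypted ciphertext files are meant to be checked in. The
# aws_kms_secrets data sources below decrypt them with
# aws_kms_key.fleet_data_key at plan/apply time, so the identity running
# terraform needs kms:Decrypt on that key.
locals {
  mdm_resource_path = "${path.module}/resources"

  # SCEP certificate and private key.
  scep_cert = "${local.mdm_resource_path}/scep.crt.encrypted"
  scep_key  = "${local.mdm_resource_path}/scep.key.encrypted"

  # APNs certificate and private key.
  apns_cert = "${local.mdm_resource_path}/apns.crt.encrypted"
  apns_key  = "${local.mdm_resource_path}/apns.key.encrypted"

  # Apple Business Manager (ABM) certificate, private key and server token.
  abm_cert  = "${local.mdm_resource_path}/abm.crt.encrypted"
  abm_key   = "${local.mdm_resource_path}/abm.key.encrypted"
  abm_token = "${local.mdm_resource_path}/abm_token.p7m.encrypted"
}

# To ease the process of encrypting and decrypting secrets, see
# scripts/encrypt.sh and scripts/decrypt.sh
# Place your non-encrypted files in the resources folder and
# run the following:
#
#   cd resources
#   for i in *; do ../scripts/encrypt.sh $i $i.encrypted; done
#   for i in *.encrypted; do rm ${i/.encrypted/}; done
#
# The second loop only deletes the plaintext copies; make sure they are
# never committed (resources/ should contain *.encrypted files only).

# The SCEP challenge will be randomly generated by terraform. We do not
# need to know what it is. For troubleshooting, it can always be found
# in the SCEP secret in AWS.
#
# NOTE(review): the decrypted plaintext of every aws_kms_secrets data source,
# the random_password result and each secret_string below end up in
# Terraform state. Treat the state backend as holding these secrets:
# encrypt it at rest and restrict who can read it.

# resource "random_password" "challenge" {
#   length  = 12
#   special = false
# }
#
# resource "aws_secretsmanager_secret_version" "scep" {
#   secret_id = module.mdm.scep.id
#   secret_string = jsonencode(
#     {
#       FLEET_MDM_APPLE_SCEP_CERT_BYTES = data.aws_kms_secrets.scep_cert.plaintext["FLEET_MDM_APPLE_SCEP_CERT_BYTES"]
#       FLEET_MDM_APPLE_SCEP_KEY_BYTES  = data.aws_kms_secrets.scep_key.plaintext["FLEET_MDM_APPLE_SCEP_KEY_BYTES"]
#       FLEET_MDM_APPLE_SCEP_CHALLENGE  = random_password.challenge.result
#     }
#   )
# }
#
# data "aws_kms_secrets" "scep_cert" {
#   secret {
#     name    = "FLEET_MDM_APPLE_SCEP_CERT_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.scep_cert)
#   }
# }
#
# data "aws_kms_secrets" "scep_key" {
#   secret {
#     name    = "FLEET_MDM_APPLE_SCEP_KEY_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.scep_key)
#   }
# }
#
# resource "aws_secretsmanager_secret_version" "apn" {
#   secret_id = module.mdm.apn.id
#   secret_string = jsonencode(
#     {
#       FLEET_MDM_APPLE_APNS_CERT_BYTES = data.aws_kms_secrets.apns_cert.plaintext["FLEET_MDM_APPLE_APNS_CERT_BYTES"]
#       FLEET_MDM_APPLE_APNS_KEY_BYTES  = data.aws_kms_secrets.apns_key.plaintext["FLEET_MDM_APPLE_APNS_KEY_BYTES"]
#     }
#   )
# }
#
# data "aws_kms_secrets" "apns_cert" {
#   secret {
#     name    = "FLEET_MDM_APPLE_APNS_CERT_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.apns_cert)
#   }
# }
#
# data "aws_kms_secrets" "apns_key" {
#   secret {
#     name    = "FLEET_MDM_APPLE_APNS_KEY_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.apns_key)
#   }
# }
#
# resource "aws_secretsmanager_secret_version" "abm" {
#   secret_id = module.mdm.abm.id
#   secret_string = jsonencode(
#     {
#       FLEET_MDM_APPLE_BM_CERT_BYTES         = data.aws_kms_secrets.abm_cert.plaintext["FLEET_MDM_APPLE_BM_CERT_BYTES"]
#       FLEET_MDM_APPLE_BM_KEY_BYTES          = data.aws_kms_secrets.abm_key.plaintext["FLEET_MDM_APPLE_BM_KEY_BYTES"]
#       FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES = data.aws_kms_secrets.abm_token.plaintext["FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES"]
#     }
#   )
# }
#
# data "aws_kms_secrets" "abm_cert" {
#   secret {
#     name    = "FLEET_MDM_APPLE_BM_CERT_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.abm_cert)
#   }
# }
#
# data "aws_kms_secrets" "abm_key" {
#   secret {
#     name    = "FLEET_MDM_APPLE_BM_KEY_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.abm_key)
#   }
# }
#
# # Named abm_token (rather than token) so the data source matches the
# # local.abm_token path it reads and the abm_cert / abm_key sources above.
# data "aws_kms_secrets" "abm_token" {
#   secret {
#     name    = "FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES"
#     key_id  = aws_kms_key.fleet_data_key.id
#     payload = file(local.abm_token)
#   }
# }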