# Note: Everything is commented out here as mdm is not enabled by default.
# Uncomment to use.
#
# Only the `locals` block below is live HCL. It just names the encrypted
# input files; nothing reads them until the commented-out aws_kms_secrets
# data sources further down are enabled.

# This section expects all kms-encrypted secrets to live in the resources/
# subdirectory. The list of expected filenames is as follows:

locals {
# Base directory for every encrypted secret, relative to this module.
mdm_resource_path = "${path.module}/resources"
# Each path points at a KMS-encrypted blob that the matching aws_kms_secrets
# data source below passes to file() (e.g. scep_cert -> data "scep_cert").
scep_cert = "${local.mdm_resource_path}/scep.crt.encrypted"
scep_key = "${local.mdm_resource_path}/scep.key.encrypted"
apns_cert = "${local.mdm_resource_path}/apns.crt.encrypted"
apns_key = "${local.mdm_resource_path}/apns.key.encrypted"
abm_cert = "${local.mdm_resource_path}/abm.crt.encrypted"
abm_key = "${local.mdm_resource_path}/abm.key.encrypted"
# Consumed by the data source named "token" below (not "abm_token").
abm_token = "${local.mdm_resource_path}/abm_token.p7m.encrypted"
}

# To ease the process of encrypting and decrypting secrets, see
# scripts/encrypt.sh and scripts/decrypt.sh

# Place your non-encrypted files in the resources folder and
# run the following:
#
# cd resources
# for i in *; do ../scripts/encrypt.sh <kms-key-id-from-terraform-output> $i $i.encrypted; done
# for i in *.encrypted; do rm ${i/.encrypted/}; done
#
# Run the first loop once, from a resources/ directory that holds only the
# plaintext files: it iterates over every entry, so any *.encrypted file
# already present would be encrypted a second time. The second loop deletes
# the plaintext originals so that only the *.encrypted copies remain in the
# folder; those encrypted copies are the only form that belongs in the repo.

# The SCEP challenge will be randomly generated by terraform. We do not
# need to know what it is. For troubleshooting, it can always be found
# in the SCEP secret in AWS.
#
# Both random_password.challenge.result and the decrypted values that the
# aws_kms_secrets data sources expose through `plaintext` are persisted in
# Terraform state (and are copied into each `secret_string` below), so the
# state backend and plan output must be protected like the secrets themselves.
#
# `aws_kms_key.fleet_data_key` and the `module.mdm.*` secret ids referenced
# below are defined outside this file.

# resource "random_password" "challenge" {
# length = 12
# special = false
# }
#
# resource "aws_secretsmanager_secret_version" "scep" {
# secret_id = module.mdm.scep.id
# secret_string = jsonencode(
# {
# FLEET_MDM_APPLE_SCEP_CERT_BYTES = data.aws_kms_secrets.scep_cert.plaintext["FLEET_MDM_APPLE_SCEP_CERT_BYTES"]
# FLEET_MDM_APPLE_SCEP_KEY_BYTES = data.aws_kms_secrets.scep_key.plaintext["FLEET_MDM_APPLE_SCEP_KEY_BYTES"]
# FLEET_MDM_APPLE_SCEP_CHALLENGE = random_password.challenge.result
# }
# )
# }
#
# Each aws_kms_secrets data source decrypts one file from `locals` with the
# fleet data key; the `name` is also the key used to read it from `plaintext`.
#
# data "aws_kms_secrets" "scep_cert" {
# secret {
# name = "FLEET_MDM_APPLE_SCEP_CERT_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.scep_cert)
# }
# }
#
# data "aws_kms_secrets" "scep_key" {
# secret {
# name = "FLEET_MDM_APPLE_SCEP_KEY_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.scep_key)
# }
# }
#
# resource "aws_secretsmanager_secret_version" "apn" {
# secret_id = module.mdm.apn.id
# secret_string = jsonencode(
# {
# FLEET_MDM_APPLE_APNS_CERT_BYTES = data.aws_kms_secrets.apns_cert.plaintext["FLEET_MDM_APPLE_APNS_CERT_BYTES"]
# FLEET_MDM_APPLE_APNS_KEY_BYTES = data.aws_kms_secrets.apns_key.plaintext["FLEET_MDM_APPLE_APNS_KEY_BYTES"]
# }
# )
# }
#
# data "aws_kms_secrets" "apns_cert" {
# secret {
# name = "FLEET_MDM_APPLE_APNS_CERT_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.apns_cert)
# }
# }
#
# data "aws_kms_secrets" "apns_key" {
# secret {
# name = "FLEET_MDM_APPLE_APNS_KEY_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.apns_key)
# }
# }
#
# resource "aws_secretsmanager_secret_version" "abm" {
# secret_id = module.mdm.abm.id
# secret_string = jsonencode(
# {
# FLEET_MDM_APPLE_BM_CERT_BYTES = data.aws_kms_secrets.abm_cert.plaintext["FLEET_MDM_APPLE_BM_CERT_BYTES"]
# FLEET_MDM_APPLE_BM_KEY_BYTES = data.aws_kms_secrets.abm_key.plaintext["FLEET_MDM_APPLE_BM_KEY_BYTES"]
# FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES = data.aws_kms_secrets.token.plaintext["FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES"]
# }
# )
# }
#
# data "aws_kms_secrets" "abm_cert" {
# secret {
# name = "FLEET_MDM_APPLE_BM_CERT_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.abm_cert)
# }
# }
#
# data "aws_kms_secrets" "abm_key" {
# secret {
# name = "FLEET_MDM_APPLE_BM_KEY_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.abm_key)
# }
# }
#
# data "aws_kms_secrets" "token" {
# secret {
# name = "FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES"
# key_id = aws_kms_key.fleet_data_key.id
# payload = file(local.abm_token)
# }
# }