{OCI ロード・バランサ} プライベート認証局と証明書の発行

 

https://oracle-japan.github.io/ocitutorials/intermediates/certificate/

https://qiita.com/Skogkatter112/items/da7847861c203fdab8ee

https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.44.0/oci_cli_docs/cmdref/certs-mgmt.html

 

-- 1. ロードバランサー作成

 

 

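cat <<-'EOF' > a.yaml
#cloud-config
# Backend web node for the load balancer tutorial (vm01/vm02 boot with this).
# Keeps SELinux enforcing and firewalld running: only the http service is
# opened on the host firewall instead of disabling both mechanisms outright.
timezone: Asia/Tokyo
locale: ja_JP.utf8
package_update: true
packages:
  - httpd
runcmd:
  # Open port 80 persistently, then load the new rule into the running daemon.
  - firewall-cmd --permanent --add-service=http
  - firewall-cmd --reload
  - systemctl start httpd
  - systemctl enable httpd
  # The LB test page shows which backend answered.
  - echo $(hostname) > /var/www/html/index.html

EOF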

 

cat <<-'EOF' > variables.tf

# Tenancy root: parent of the tutorial compartment and the provider's tenancy.
locals {
  tenancy_ocid = "ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111"
}

# Overridable per run via TF_VAR_compartment_name.
variable "compartment_name" {
  type        = string
  description = "compartment_name"
  default     = "cmp04"
}

# Shared by the image lookup and both instances.
variable "shape" {
  type        = string
  description = "shape"
  default     = "VM.Standard.E2.1"
}

EOF

 

cat <<-'EOF' > main.tf

terraform {
  # Core stays on any 1.x; the provider is pinned exactly so the tutorial
  # reproduces the same resource schema.
  required_version = ">= 1.0.0, < 2.0.0"

  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "= 5.23.0"
    }
  }
}

provider "oci" {
  # NOTE(review): user OCID, key path and fingerprint are API-signing identity
  # material committed in main.tf. A profile in ~/.oci/config
  # (config_file_profile) or environment variables keeps this file shareable.
  region           = "us-ashburn-1"
  tenancy_ocid     = local.tenancy_ocid
  user_ocid        = "ocid1.user.oc1..111111111111111111111111111111111111111111111111111111111111"
  fingerprint      = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
  private_key_path = "~/.oci/oci_api_key.pem"
}


resource "oci_identity_compartment" "cmp04" {
    # Tutorial compartment created directly under the tenancy root; every
    # other resource in this file lives here.
    #Required
    compartment_id = local.tenancy_ocid
    name           = var.compartment_name
    description    = var.compartment_name

    # Lets `terraform destroy` remove the compartment instead of leaving it behind.
    enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
    # Single VCN holding the LB subnet (10.0.1.0/24) and backend subnet (10.0.2.0/24).
    #Required
    compartment_id = oci_identity_compartment.cmp04.id

    #Optional
    display_name = "vcn01"
    dns_label    = "vcn01"
    cidr_block   = "10.0.0.0/16"
}


resource "oci_core_internet_gateway" "igw01" {
    # Internet gateway used as the default route by both route tables; it is
    # what gives the backend VMs' public IPs outbound access for package installs.
    #Required
    vcn_id         = oci_core_vcn.vcn01.id
    compartment_id = oci_identity_compartment.cmp04.id

    #Optional
    display_name = "igw01"
    enabled      = true
}

resource "oci_core_route_table" "rt01" {
    # Route table for subnet01 (load balancer): default route via igw01.
    #Required
    vcn_id         = oci_core_vcn.vcn01.id
    compartment_id = oci_identity_compartment.cmp04.id

    #Optional
    display_name = "rt01"

    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw01.id
        #Optional
        destination = "0.0.0.0/0"
    }
}

resource "oci_core_route_table" "rt02" {
    # Route table for subnet02 (backends). Currently identical to rt01; kept
    # separate so the backend subnet can later route through a NAT gateway
    # instead of the internet gateway without touching the LB subnet.
    #Required
    vcn_id         = oci_core_vcn.vcn01.id
    compartment_id = oci_identity_compartment.cmp04.id

    #Optional
    display_name = "rt02"

    route_rules {
        #Required
        network_entity_id = oci_core_internet_gateway.igw01.id
        #Optional
        destination = "0.0.0.0/0"
    }
}

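resource "oci_core_security_list" "sl01" {
    # Security list for subnet01, which only hosts the load balancer (lb01).
    # A load balancer never accepts SSH, so the world-open port-22 rule that
    # used to be here was dropped; only the listener ports remain.
    #Required
    compartment_id = oci_identity_compartment.cmp04.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl01"

    # Outbound to the backends in subnet02 (traffic and health checks).
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }

    # HTTP listener lis01 (step 1).
    ingress_security_rules {
        protocol = "6"
        source = "0.0.0.0/0"
        stateless = false
        tcp_options {
            max = 80
            min = 80
        }
    }
    # HTTPS listener lis02 added in step 8.
    ingress_security_rules {
        protocol = "6"
        source = "0.0.0.0/0"
        stateless = false
        tcp_options {
            max = 443
            min = 443
        }
    }
}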

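resource "oci_core_security_list" "sl02" {
    # Security list for subnet02, the backend VMs vm01/vm02.
    #Required
    compartment_id = oci_identity_compartment.cmp04.id
    vcn_id = oci_core_vcn.vcn01.id

    #Optional
    display_name = "sl02"

    # Outbound is needed for package_update / httpd install in a.yaml.
    egress_security_rules {
        destination = "0.0.0.0/0"
        protocol = "all"
        stateless = false
    }

    # Admin SSH. Left world-open for the lab; narrow `source` to the operator's
    # CIDR before reusing this outside a tutorial.
    ingress_security_rules {
        protocol = "6"
        source = "0.0.0.0/0"
        stateless = false
        tcp_options {
            max = 22
            min = 22
        }
    }

    # Backend HTTP. Only the load balancer talks to port 80 (both proxied
    # requests and health checks originate in subnet01), so the source is the
    # LB subnet instead of 0.0.0.0/0. The former 443 rule was removed: the
    # backends serve plain HTTP and TLS terminates on the load balancer.
    ingress_security_rules {
        protocol = "6"
        source = oci_core_subnet.subnet01.cidr_block
        stateless = false
        tcp_options {
            max = 80
            min = 80
        }
    }
}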


resource "oci_core_subnet" "subnet01" {
    # Public subnet that holds only the load balancer.
    #Required
    vcn_id         = oci_core_vcn.vcn01.id
    compartment_id = oci_identity_compartment.cmp04.id
    cidr_block     = "10.0.1.0/24"

    #Optional
    dns_label         = "subnet01"
    display_name      = "subnet01"
    route_table_id    = oci_core_route_table.rt01.id
    security_list_ids = [oci_core_security_list.sl01.id]
}

resource "oci_core_subnet" "subnet02" {
    # Subnet for the backend VMs. It is public here because the instances get
    # public IPs for package installs; with a NAT gateway on rt02 it could be
    # made private (prohibit_public_ip_on_vnic) since the LB reaches it internally.
    #Required
    vcn_id         = oci_core_vcn.vcn01.id
    compartment_id = oci_identity_compartment.cmp04.id
    cidr_block     = "10.0.2.0/24"

    #Optional
    dns_label         = "subnet02"
    display_name      = "subnet02"
    route_table_id    = oci_core_route_table.rt02.id
    security_list_ids = [oci_core_security_list.sl02.id]
}


data "oci_core_images" "ol9_latest" {
    # Newest Oracle Linux 9 platform image compatible with var.shape; callers
    # take images[0], which is the most recent because of the DESC sort.
    # NOTE(review): an unpinned "latest" lookup means a new image release
    # replaces the instances on the next apply — pin the display_name if that matters.
    #Required
    compartment_id = oci_identity_compartment.cmp04.id

    #Optional
    shape                    = var.shape
    operating_system         = "Oracle Linux"
    operating_system_version = "9"
    sort_by                  = "TIMECREATED"
    sort_order               = "DESC"

    filter {
        name   = "display_name"
        values = ["Oracle-Linux-9*"]
        regex  = true
    }
}


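resource "oci_core_instance" "vm01" {
    # Backend web node 1 (AD-1 / fault domain 1). Boots the newest OL9 image
    # and runs a.yaml through cloud-init.
    #Required
    # NOTE(review): the "OEIw:" prefix is tenancy-specific. A
    # data "oci_identity_availability_domains" lookup would make this portable.
    availability_domain = "OEIw:US-ASHBURN-AD-1"
    compartment_id = oci_identity_compartment.cmp04.id
    shape = var.shape

    agent_config {
        plugins_config {
            desired_state = "ENABLED"
            name = "OS Management Service Agent"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Run Command"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Monitoring"
        }
    }

    create_vnic_details {
        #Optional
        # Public IP gives cloud-init outbound access through igw01; with a NAT
        # gateway on rt02 the backend could stay private behind the LB.
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet02.id
    }

    display_name = "vm01"
    fault_domain = "FAULT-DOMAIN-1"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
        # Plain expression instead of the legacy "${...}" wrapper, which
        # Terraform 1.x reports as a deprecated interpolation-only string.
        user_data = base64encode(file("./a.yaml"))
    }

    source_details {
        #Required
        source_id = data.oci_core_images.ol9_latest.images[0].id
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    # Boot volume goes away with the instance (tutorial cleanup).
    preserve_boot_volume = false
}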

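resource "oci_core_instance" "vm02" {
    # Backend web node 2 (AD-2 / fault domain 2); same build as vm01.
    #Required
    # NOTE(review): the "OEIw:" prefix is tenancy-specific. A
    # data "oci_identity_availability_domains" lookup would make this portable.
    availability_domain = "OEIw:US-ASHBURN-AD-2"
    compartment_id = oci_identity_compartment.cmp04.id
    shape = var.shape

    agent_config {
        plugins_config {
            desired_state = "ENABLED"
            name = "OS Management Service Agent"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Run Command"
        }
        plugins_config {
            desired_state = "ENABLED"
            name = "Compute Instance Monitoring"
        }
    }

    create_vnic_details {
        #Optional
        # Public IP gives cloud-init outbound access through igw01; with a NAT
        # gateway on rt02 the backend could stay private behind the LB.
        assign_public_ip = true
        subnet_id = oci_core_subnet.subnet02.id
    }

    display_name = "vm02"
    fault_domain = "FAULT-DOMAIN-2"

    metadata = {
        ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
        # Plain expression instead of the legacy "${...}" wrapper, which
        # Terraform 1.x reports as a deprecated interpolation-only string.
        user_data = base64encode(file("./a.yaml"))
    }

    source_details {
        #Required
        source_id = data.oci_core_images.ol9_latest.images[0].id
        source_type = "image"

        #Optional
        boot_volume_size_in_gbs = 50
    }
    # Boot volume goes away with the instance (tutorial cleanup).
    preserve_boot_volume = false
}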

 

resource "oci_load_balancer_load_balancer" "lb01" {
    # Public flexible-shape load balancer in subnet01; the TLS certificate is
    # attached at the listener (step 8), not here.
    #Required
    display_name   = "lb01"
    shape          = "flexible"
    compartment_id = oci_identity_compartment.cmp04.id
    subnet_ids     = [oci_core_subnet.subnet01.id]

    #Optional
    is_private = false
    ip_mode    = "IPV4"

    shape_details {
        #Required
        minimum_bandwidth_in_mbps = 10
        maximum_bandwidth_in_mbps = 10
    }
}

resource "oci_load_balancer_backend_set" "bs01" {
    # Round-robin backend set; HTTP GET / on port 80 must return 200.
    #Required
    name             = "bs01"
    policy           = "ROUND_ROBIN"
    load_balancer_id = oci_load_balancer_load_balancer.lb01.id

    health_checker {
        #Required
        protocol = "HTTP"

        # NOTE(review): 100000 ms = 100 s between probes; with 3 retries a dead
        # backend stays in rotation for minutes. Confirm 10000 was not intended.
        interval_ms       = 100000
        retries           = 3
        timeout_in_millis = 3000
        port              = 80
        url_path          = "/"
        return_code       = 200
    }
}


resource "oci_load_balancer_backend" "be01" {
    # vm01 registered by private IP on port 80 (plain HTTP; TLS ends at the LB).
    load_balancer_id = oci_load_balancer_load_balancer.lb01.id
    backendset_name  = oci_load_balancer_backend_set.bs01.name
    ip_address       = oci_core_instance.vm01.private_ip
    port             = 80

    weight  = 1
    backup  = false
    drain   = false
    offline = false
}


resource "oci_load_balancer_backend" "be02" {
    # vm02 registered by private IP on port 80 (plain HTTP; TLS ends at the LB).
    load_balancer_id = oci_load_balancer_load_balancer.lb01.id
    backendset_name  = oci_load_balancer_backend_set.bs01.name
    ip_address       = oci_core_instance.vm02.private_ip
    port             = 80

    weight  = 1
    backup  = false
    drain   = false
    offline = false
}

resource "oci_load_balancer_listener" "lis01" {
    # Plaintext HTTP listener for the initial check. Step 8 deletes it with the
    # CLI and adds the 443 listener out of band, so a later `terraform plan`
    # will report drift and want to recreate lis01.
    #Required
    name                     = "lis01"
    port                     = 80
    protocol                 = "HTTP"
    load_balancer_id         = oci_load_balancer_load_balancer.lb01.id
    default_backend_set_name = oci_load_balancer_backend_set.bs01.name
}

EOF

 

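cat <<-'EOF' > outputs.tf

# Resource OCIDs and addresses needed by the CLI steps that follow
# (the compartment OCID for vault/CA/certificate commands, the LB OCID for the
# listener commands, the LB IP for the curl checks).

output "cmp04_id" {
  value = oci_identity_compartment.cmp04.id
  description = "cmp04.id"
}

output "vcn01_id" {
  value = oci_core_vcn.vcn01.id
  description = "vcn01.id"
}

output "igw01_id" {
  value = oci_core_internet_gateway.igw01.id
  description = "igw01.id"
}
output "rt01_id" {
  value = oci_core_route_table.rt01.id
  description = "rt01.id"
}
output "rt02_id" {
  value = oci_core_route_table.rt02.id
  description = "rt02.id"
}

output "sl01_id" {
  value = oci_core_security_list.sl01.id
  description = "sl01.id"
}

output "sl02_id" {
  value = oci_core_security_list.sl02.id
  description = "sl02.id"
}

output "subnet01_id" {
  value = oci_core_subnet.subnet01.id
  description = "subnet01.id"
}
output "subnet02_id" {
  value = oci_core_subnet.subnet02.id
  description = "subnet02.id"
}

# The closing brace was missing here, which made outputs.tf unparsable.
output "ol9_latest_id" {
  value = data.oci_core_images.ol9_latest.images[0].id
  description = "ol9_latest.id"
}

output "vm01_id" {
  value = oci_core_instance.vm01.id
  description = "vm01.id"
}

output "vm01_public_ip" {
  value = oci_core_instance.vm01.public_ip
  description = "vm01.public_ip"
}
output "vm01_private_ip" {
  value = oci_core_instance.vm01.private_ip
  description = "vm01.private_ip"
}

output "vm02_id" {
  value = oci_core_instance.vm02.id
  description = "vm02.id"
}

output "vm02_public_ip" {
  value = oci_core_instance.vm02.public_ip
  description = "vm02.public_ip"
}
output "vm02_private_ip" {
  value = oci_core_instance.vm02.private_ip
  description = "vm02.private_ip"
}

output "lb01_id" {
  value = oci_load_balancer_load_balancer.lb01.id
  description = "lb01.id"
}

output "lb01_ip_address" {
  value = oci_load_balancer_load_balancer.lb01.ip_address_details[0].ip_address
  description = "lb01.ip_address"
}

EOF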

 


terraform -version
terraform init
terraform fmt

# Same value as the default in variables.tf; exported so a run can override it.
export TF_VAR_compartment_name="cmp04"

terraform plan

terraform apply -auto-approve

# Cleanup for step 1. Steps 2-9 reference lb01 by OCID, so run this last.
terraform destroy -auto-approve


-- 2. 動的グループ作成

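oci iam dynamic-group list

# Principal for the private CA. The rule is scoped with ALL {...} to
# certificate authorities inside the target compartment; the previous
# ANY {resource.type ='certificateauthority'} matched every CA in the tenancy.
# <compartment OCID> below is the same placeholder used by the vault/CA steps.
oci iam dynamic-group create \
--description dg01 \
--matching-rule "ALL {resource.type = 'certificateauthority', resource.compartment.id = 'ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111'}" \
--name dg01

# Cleanup.
oci iam dynamic-group delete \
--dynamic-group-id ocid1.dynamicgroup.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force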


-- 3. 動的グループポリシー作成

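oci iam policy list \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111

# Grants for dynamic group dg01, created at the tenancy root.
# "use keys" is what lets the CA sign with the vault key from step 5.
# NOTE(review): "manage objects" is broader than signing needs — confirm it is
# required by the CA service for this setup and drop it if not.
# The statements array must be valid JSON: the trailing comma after the last
# statement was removed, since the CLI rejected the original input.
oci iam policy create \
--compartment-id ocid1.tenancy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--description policy03 \
--name policy11 \
--statements '[
"Allow dynamic-group dg01 to use keys in compartment cmp04",
"Allow dynamic-group dg01 to manage objects in compartment cmp04"
]'

# Cleanup.
oci iam policy delete \
--policy-id ocid1.policy.oc1..111111111111111111111111111111111111111111111111111111111111 \
--force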

 

-- 4. ボールト作成

# Existing vaults in the compartment, trimmed to name / OCID / state.
oci kms management vault list \
--all \
--output table \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111

# DEFAULT vault type (shared HSM partition) is enough for a lab CA key.
oci kms management vault create \
--vault-type DEFAULT \
--display-name vault01 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111

# The management endpoint printed here is the --endpoint used by the key commands.
oci kms management vault get \
--vault-id ocid1.vault.oc1.iad.1111111111111.111111111111111111111111111111111111111111111111111111111111

# Cleanup: vault deletion is deferred, not immediate.
oci kms management vault schedule-deletion \
--time-of-deletion 2024-07-10T03:00:00Z \
--vault-id ocid1.vault.oc1.iad.1111111111111.111111111111111111111111111111111111111111111111111111111111


--time-of-deletion には、現在時刻から7日後〜30日後の範囲を設定できます。


-- 5. マスター暗号化キー作成

# Keys in the vault; --endpoint is the vault's management endpoint from `vault get`.
oci kms management key list \
--all \
--output table \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--endpoint "https://1111111111111-management.kms.us-ashburn-1.oraclecloud.com" \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111

# Prints a full JSON skeleton of the create parameters.
oci kms management key create --generate-full-command-json-input

# CA signing key. RSA length is given in bytes: 256 bytes = RSA-2048, which
# matches the CA's SHA256_WITH_RSA signing algorithm in step 6. HSM protection
# keeps the private key non-exportable.
oci kms management key create \
--display-name key01 \
--protection-mode HSM \
--key-shape '{
    "algorithm": "RSA",
    "curveId": null,
    "length": 256
  }' \
--endpoint "https://1111111111111-management.kms.us-ashburn-1.oraclecloud.com" \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111

oci kms management key get \
--key-id ocid1.key.oc1.iad.1111111111111.111111111111111111111111111111111111111111111111111111111111 \
--endpoint "https://1111111111111-management.kms.us-ashburn-1.oraclecloud.com"

# Cleanup: deferred deletion, like the vault.
oci kms management key schedule-deletion \
--time-of-deletion 2024-07-10T03:00:00Z \
--key-id ocid1.key.oc1.iad.1111111111111.111111111111111111111111111111111111111111111111111111111111 \
--endpoint "https://1111111111111-management.kms.us-ashburn-1.oraclecloud.com"


--time-of-deletion には、現在時刻から7日後〜30日後の範囲を設定できます。

 

 

-- 6. プライベート認証局の作成

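oci certs-mgmt certificate-authority list \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--all

# Prints a full JSON skeleton of the create parameters.
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details --generate-full-command-json-input

# Root CA signed with the HSM key from step 5. Only commonName is set in the
# subject. The trailing "\" after the --subject argument was removed: it
# continued the command onto the following blank line.
oci certs-mgmt certificate-authority create-root-ca-by-generating-config-details \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--kms-key-id ocid1.key.oc1.iad.1111111111111.111111111111111111111111111111111111111111111111111111111111 \
--name certauth01 \
--signing-algorithm "SHA256_WITH_RSA" \
--subject '{
    "commonName": "certauth01",
    "country": null,
    "distinguishedNameQualifier": null,
    "domainComponent": null,
    "generationQualifier": null,
    "givenName": null,
    "initials": null,
    "localityName": null,
    "organization": null,
    "organizationalUnit": null,
    "pseudonym": null,
    "serialNumber": null,
    "stateOrProvinceName": null,
    "street": null,
    "surname": null,
    "title": null,
    "userId": null
    }'

oci certs-mgmt certificate-authority get \
--certificate-authority-id ocid1.certificateauthority.oc1.iad.111111111111111111111111111111111111111111111111111111111111

# Cleanup: deferred deletion; blocked while issued certificates are still pending deletion.
oci certs-mgmt certificate-authority schedule-deletion \
--certificate-authority-id ocid1.certificateauthority.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--time-of-deletion 2024-08-01T03:00:00Z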


※この認証局から発行した証明書が削除保留中の間は、認証局の削除をスケジュールできない。

 


-- 7. プライベート証明書の作成

oci certs-mgmt certificate list \
--all \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111

# Prints a full JSON skeleton of the create parameters.
oci certs-mgmt certificate create-certificate-issued-by-internal-ca --generate-full-command-json-input

# Server certificate issued by certauth01 (step 6). The SAN is the bare name
# "cert01", not an FQDN, which is why step 9 maps it in the hosts file.
# NOTE(review): the profile allows both server and client auth; a server-only
# profile (TLS_SERVER) would be the narrower key usage for an LB listener — confirm.
oci certs-mgmt certificate create-certificate-issued-by-internal-ca \
--name cert01 \
--certificate-profile-type "TLS_SERVER_OR_CLIENT" \
--key-algorithm "RSA2048" \
--signature-algorithm "SHA256_WITH_RSA" \
--issuer-certificate-authority-id ocid1.certificateauthority.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--compartment-id ocid1.compartment.oc1..111111111111111111111111111111111111111111111111111111111111 \
--subject-alternative-names '[
    {
      "type": "DNS",
      "value": "cert01"
    }
  ]' \
--subject '{
    "commonName": "cert01",
    "country": null,
    "distinguishedNameQualifier": null,
    "domainComponent": null,
    "generationQualifier": null,
    "givenName": null,
    "initials": null,
    "localityName": null,
    "organization": null,
    "organizationalUnit": null,
    "pseudonym": null,
    "serialNumber": null,
    "stateOrProvinceName": null,
    "street": null,
    "surname": null,
    "title": null,
    "userId": null
  }'

oci certs-mgmt certificate get \
--certificate-id ocid1.certificate.oc1.iad.111111111111111111111111111111111111111111111111111111111111

# Cleanup: no --time-of-deletion given, so the service default applies.
oci certs-mgmt certificate schedule-deletion \
--certificate-id ocid1.certificate.oc1.iad.111111111111111111111111111111111111111111111111111111111111

 


-- 8. リスナー変更

HTTPリスナー削除

# Remove the plaintext listener created by Terraform (lis01) before adding the
# TLS listener; Terraform state will show drift for lis01 afterwards.
oci lb listener delete --force \
--load-balancer-id ocid1.loadbalancer.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--listener-name lis01


HTTPSリスナー作成


# Prints a full JSON skeleton of the create parameters.
oci lb listener create --generate-full-command-json-input

# TLS listener on 443 terminating with cert01 (step 7); backends stay on plain
# HTTP via bs01. The protocol stays "HTTP" — TLS is enabled by attaching the
# certificate. TLS version / cipher policy is left at the service default here;
# pin it explicitly if the environment requires a minimum version.
oci lb listener create \
--name lis02 \
--port 443 \
--protocol HTTP \
--default-backend-set-name bs01 \
--ssl-certificate-ids '["ocid1.certificate.oc1.iad.111111111111111111111111111111111111111111111111111111111111"]' \
--load-balancer-id ocid1.loadbalancer.oc1.iad.111111111111111111111111111111111111111111111111111111111111

※CLIの場合、プロトコルに HTTPS は指定できない。プロトコルは HTTP を指定し、--ssl-certificate-ids で証明書を付与すると TLS が有効になる。


# Cleanup of the TLS listener.
oci lb listener delete --force \
--load-balancer-id ocid1.loadbalancer.oc1.iad.111111111111111111111111111111111111111111111111111111111111 \
--listener-name lis02


-- 9. 動作確認

# 192.0.2.1 stands for the LB address from the lb01_ip_address output.
# Port 80: answers with the backend hostname while lis01 exists.
curl http://192.0.2.1

# Port 443: verification fails until the client trusts the private CA.
curl https://192.0.2.1

# --insecure (-k) skips certificate verification; only to confirm the listener
# answers, not a substitute for importing the CA below.
curl --insecure https://192.0.2.1

hostsファイルの設定（証明書の SAN は "cert01" なので、cert01 をロードバランサーの IP に対応付ける）
証明書のダウンロード
証明書の変換（PEM → DER）

# Re-encode the downloaded PEM certificate as DER for import into the client trust store.
openssl x509 -in certificate.pem -outform der -out certificate.crt

証明書のインポート（インポート後は -k なしで https 接続できることを確認する）