
PLT-1658 Add ACM Certificate Module#440

Merged
mianava merged 17 commits intomainfrom
mia/acmcert/PLT-1658
Apr 13, 2026



@mianava mianava commented Apr 9, 2026

🎫 Ticket

https://jira.cms.gov/browse/...

🛠 Changes

Added a new modules/acm-certificate Terraform module that manages TLS certificate issuance and import across three endpoint types:

  • Internal (*.cmscloud.internal) — PCA-issued certificate for VPC-only service-to-service traffic
  • Zscaler (*.cmscloud.local) — PCA-issued certificate for Zscaler-accessible internal endpoints
  • Public (*.cms.gov) — CMS-signed certificate that can be passed in from SOPS or SSM parameter

ℹ️ Context

To enforce TLS everywhere, services need a standardized, secure way to provision and manage certificates.

To reduce the number of certificates in rotation, subject alternative names are used for internal and zscaler domains.

🧪 Validation

Plan output for tftest.test.cdap.cms.<>:
Details
# module.private_acm_certificate.aws_acm_certificate.private[0] will be created
  + resource "aws_acm_certificate" "private" {
      + arn                       = (known after apply)
      + certificate_authority_arn = "arn:aws:acm-pca:us-east-1:###:certificate-authority/###"
      + domain_name               = "tf-test-acm-certificate.test.cdap.cmscloud.internal"
      + domain_validation_options = (known after apply)
      + id                        = (known after apply)
      + key_algorithm             = (known after apply)
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "tf-test-acm-certificate.test.cdap.cmscloud.internal",
          + "tf-test-acm-certificate.test.cdap.cmscloud.local",
        ]
      + tags                      = {
          + "Name" = "tf-test-acm-certificate.test.cdap.cmscloud.internal-private-cert"
        }
      + tags_all                  = {
          + "Name"           = "tf-test-acm-certificate.test.cdap.cmscloud.internal-private-cert"
          + "application"    = "cdap"
          + "business"       = "oeda"
          + "environment"    = "test"
          + "parent_env"     = "test"
          + "service"        = "tf-test-acm-certificate"
          + "terraform"      = "true"
          + "tf_root_module" = "https://github.com/CMSgov/cdap/tree/main/terraform/services/acm-tests"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = (known after apply)

      + options (known after apply)
    }

  # module.private_acm_certificate.aws_acm_certificate_validation.private[0] will be created
  + resource "aws_acm_certificate_validation" "private" {
      + certificate_arn = (known after apply)
      + id              = (known after apply)

      + timeouts {
          + create = "5m"
        }
    }

  # module.public_acm_certificate.aws_ssm_parameter.csr["1"] will be created
  + resource "aws_ssm_parameter" "csr" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + description    = "Certificate Signing Request for tftest-acm-certificate.cdap.cms.gov. Submit this to CMS for signing."
      + has_value_wo   = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "/cdap/test/tf-test-acm-certificate/tls/v1/csr"
      + tags_all       = {
          + "application"    = "cdap"
          + "business"       = "oeda"
          + "environment"    = "test"
          + "parent_env"     = "test"
          + "service"        = "tf-test-acm-certificate"
          + "terraform"      = "true"
          + "tf_root_module" = "https://github.com/CMSgov/cdap/tree/main/terraform/services/acm-tests"
        }
      + tier           = (known after apply)
      + type           = "String"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # module.public_acm_certificate.aws_ssm_parameter.private_key["1"] will be created
  + resource "aws_ssm_parameter" "private_key" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + has_value_wo   = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (sensitive value)
      + name           = "/cdap/test/tf-test-acm-certificate/tls/v1/private-key"
      + tags           = {
          + "Name" = "tftest-acm-certificate.cdap.cms.gov-private-key"
        }
      + tags_all       = {
          + "Name"           = "tftest-acm-certificate.cdap.cms.gov-private-key"
          + "application"    = "cdap"
          + "business"       = "oeda"
          + "environment"    = "test"
          + "parent_env"     = "test"
          + "service"        = "tf-test-acm-certificate"
          + "terraform"      = "true"
          + "tf_root_module" = "https://github.com/CMSgov/cdap/tree/main/terraform/services/acm-tests"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # module.public_acm_certificate.tls_cert_request.this["1"] will be created
  + resource "tls_cert_request" "this" {
      + cert_request_pem = (known after apply)
      + id               = (known after apply)
      + key_algorithm    = (known after apply)
      + private_key_pem  = (sensitive value)

      + subject {
          + common_name         = "tftest-acm-certificate.cdap.cms.gov"
          + country             = "US"
          + locality            = "Rockville"
          + organization        = "US Dept of Health and Human Services"
          + organizational_unit = "Centers for Medicare and Medicaid Services"
          + province            = "MD"
        }
    }

  # module.public_acm_certificate.tls_private_key.this["1"] will be created
  + resource "tls_private_key" "this" {
      + algorithm                     = "RSA"
      + ecdsa_curve                   = "P224"
      + id                            = (known after apply)
      + private_key_openssh           = (sensitive value)
      + private_key_pem               = (sensitive value)
      + private_key_pem_pkcs8         = (sensitive value)
      + public_key_fingerprint_md5    = (known after apply)
      + public_key_fingerprint_sha256 = (known after apply)
      + public_key_openssh            = (known after apply)
      + public_key_pem                = (known after apply)
      + rsa_bits                      = 4096
    }

Plan: 6 to add, 0 to change, 0 to destroy.

@mianava mianava marked this pull request as ready for review April 10, 2026 13:14
@mianava mianava requested a review from a team as a code owner April 10, 2026 13:14
@mianava mianava merged commit 7503f1a into main Apr 13, 2026
17 checks passed
@mianava mianava deleted the mia/acmcert/PLT-1658 branch April 13, 2026 18:35
