
Combines Subordinate CAs into One Module

The subordinate CAs have shared infrastructure. This was the easier path
to a second CA and I think it makes sense.

To be tagged v2.0.7
Fred Damstra [afs macbook] 4 سال پیش
والد
کامیت
d4836f70fd

+ 0 - 7
base/CA_Infrastructure/subordinate_CA/outputs.tf

@@ -1,7 +0,0 @@
-output root_authority_arn {
-  value = aws_acmpca_certificate_authority.subordinate.arn
-}
-
-output role_arn {
-  value = aws_iam_role.run_audit_report_role.arn
-}

+ 1 - 1
base/CA_Infrastructure/subordinate_CA/ca.tf → base/CA_Infrastructure/subordinate_CAs/ca_identity.tf

@@ -28,7 +28,7 @@ resource "aws_acmpca_certificate_authority" "subordinate" {
     signing_algorithm = "SHA512WITHECDSA"
 
     subject {
-      common_name = "XDR ${var.purpose} Subordinate CA v2"
+      common_name = "XDR Identity Certificates Subordinate CA v2"
       country = "US"
       organization = "Accenture Federal Services"
       organizational_unit = "XDR"

+ 49 - 0
base/CA_Infrastructure/subordinate_CAs/ca_www.tf

@@ -0,0 +1,49 @@
+resource "aws_acmpca_certificate_authority_certificate" "www_subordinate" {
+  provider = aws.common # COMMON SERVICES
+  certificate_authority_arn = aws_acmpca_certificate_authority.www_subordinate.arn
+
+  certificate       = aws_acmpca_certificate.www_subordinate.certificate
+  certificate_chain = aws_acmpca_certificate.www_subordinate.certificate_chain
+}
+
+resource "aws_acmpca_certificate" "www_subordinate" {
+  certificate_authority_arn   = var.root_authority_arn
+  certificate_signing_request = aws_acmpca_certificate_authority.www_subordinate.certificate_signing_request
+  signing_algorithm           = "SHA512WITHECDSA"
+
+  template_arn = "arn:${var.aws_partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"
+
+  validity {
+    type  = "YEARS"
+    value = 10
+  }
+}
+
+resource "aws_acmpca_certificate_authority" "www_subordinate" {
+  provider = aws.common # COMMON SERVICES
+  type = "SUBORDINATE"
+
+  certificate_authority_configuration {
+    key_algorithm     = "EC_secp384r1"
+    signing_algorithm = "SHA512WITHECDSA"
+
+    subject {
+      common_name = "XDR WWW Certificates Subordinate CA v2"
+      country = "US"
+      organization = "Accenture Federal Services"
+      organizational_unit = "XDR"
+    }
+  }
+
+  revocation_configuration {
+    crl_configuration {
+      #custom_cname       = "crl.xdr.accenturefederalcyber.com" # Maybe we want to hide the S3 bucket? Adds cost and complexity so I'm going with YAGNI for now.
+      enabled            = true
+      expiration_in_days = 7
+      s3_bucket_name     = aws_s3_bucket.crl.id
+    }
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+  depends_on = [aws_s3_bucket_policy.crl]
+}
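Review bot: The `resource "aws_acmpca_certificate" "www_subordinate"` block sets no `provider`, while the CA and its `aws_acmpca_certificate_authority_certificate` in the same file both use `provider = aws.common`. If the root CA behind `var.root_authority_arn` lives in the common-services account as well, this issuance runs against the default provider and fails or targets the wrong account; if the root is intentionally issued from the default account, a comment such as `# root CA is in the default (not common) account, hence no provider override` would keep the next reader from "fixing" it. The file also lacks a header stating what this CA is for; something like `# Subordinate CA for WWW/server certificates, chained to the root via var.root_authority_arn; CRLs go to the shared crl bucket` would help. Both CAs in this module now publish CRLs into the one `aws_s3_bucket.crl`, which as far as I recall works because ACM PCA writes per-CA CRL objects, but it is worth noting so the bucket policy is not later scoped to a single CA ARN.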

+ 0 - 0
base/CA_Infrastructure/subordinate_CA/crl.tf → base/CA_Infrastructure/subordinate_CAs/crl.tf


+ 0 - 0
base/CA_Infrastructure/subordinate_CA/iam_splunk_sh.tf → base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf


+ 0 - 0
base/CA_Infrastructure/subordinate_CA/locals.tf → base/CA_Infrastructure/subordinate_CAs/locals.tf


+ 10 - 0
base/CA_Infrastructure/subordinate_CAs/outputs.tf

@@ -0,0 +1,10 @@
+output CA_ARNs {
+  value = { 
+    "Identity": aws_acmpca_certificate_authority.subordinate.arn,
+    "WWW": aws_acmpca_certificate_authority.www_subordinate.arn
+  }
+}
+
+output role_arn {
+  value = aws_iam_role.run_audit_report_role.arn
+}
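Review bot: The new `CA_ARNs` output replaces `root_authority_arn`, which this commit removes from the old outputs.tf, so any caller referencing `module.<name>.root_authority_arn` breaks with no deprecation path; at minimum add `description = "Subordinate CA ARNs keyed by purpose (Identity, WWW)"` and call out the rename in the v2.0.7 release notes. The `Identity` key maps to the resource still named `subordinate` while `WWW` maps to `www_subordinate`; renaming the resource would need a state move, so a comment `# "subordinate" is the identity CA (name kept for state compatibility)` next to that entry would avoid confusion. Stylistically, this file uses unquoted block labels (`output CA_ARNs {`) whereas vars.tf quotes them (`variable "c2_accounts"`), and `value = { ` carries trailing whitespace.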

+ 0 - 0
base/CA_Infrastructure/subordinate_CA/sns_alerts.tf → base/CA_Infrastructure/subordinate_CAs/sns_alerts.tf


+ 0 - 5
base/CA_Infrastructure/subordinate_CA/vars.tf → base/CA_Infrastructure/subordinate_CAs/vars.tf

@@ -1,8 +1,3 @@
-variable "purpose" { 
-  description = "String that will be appended to the CN that describes the purpose of this subordinate cert."
-  type = string
-}
-
 variable "c2_accounts" { type = map }
 variable "root_authority_arn" { type = string }