# Offline-style root of trust for the XDR PKI: a self-signed ROOT CA whose
# private key lives in ACM Private CA. The CA object, its self-signed
# certificate, and the installation of that certificate are three separate
# resources below; the CA is not usable for issuance until the last one applies.
resource "aws_acmpca_certificate_authority" "root_CA" {
  type = "ROOT"

  # Operator tags first so the resource's identity is visible at a glance.
  tags = merge(var.standard_tags, var.tags)

  certificate_authority_configuration {
    subject {
      common_name         = "XDR Root CA v2"
      organization        = "Accenture Federal Services"
      organizational_unit = "XDR"
      country             = "US"
    }

    # P-384 key with SHA-512/ECDSA signatures for everything this CA signs.
    key_algorithm     = "EC_secp384r1"
    signing_algorithm = "SHA512WITHECDSA"
  }

  revocation_configuration {
    crl_configuration {
      enabled            = true
      expiration_in_days = 7
      s3_bucket_name     = aws_s3_bucket.crl.id

      # A custom CNAME would keep the raw S3 bucket hostname out of the CRL
      # Distribution Point URL embedded in issued certificates, but it needs
      # DNS plus a fronting endpoint (extra cost and moving parts), so it is
      # left off for now (YAGNI).
      #custom_cname = "crl.xdr.accenturefederalcyber.com"
    }
  }

  # ACM PCA writes CRLs into the bucket itself, so the bucket policy that
  # grants it that access must exist before the CA does; the policy content
  # is defined alongside the bucket, not here.
  depends_on = [aws_s3_bucket_policy.crl]
}

# Self-signed root certificate, issued by the CA from its own CSR using the
# AWS-managed root template.
resource "aws_acmpca_certificate" "root_certificate" {
  template_arn = "arn:${var.aws_partition}:acm-pca:::template/RootCACertificate/V1"

  certificate_authority_arn   = aws_acmpca_certificate_authority.root_CA.arn
  certificate_signing_request = aws_acmpca_certificate_authority.root_CA.certificate_signing_request

  # Must match the CA's own signing_algorithm above.
  signing_algorithm = "SHA512WITHECDSA"

  # Long-lived root; subordinate CAs and leaf certs are expected to carry the
  # shorter lifetimes.
  validity {
    type  = "YEARS"
    value = 20
  }
}

# Installs the self-signed certificate on the CA, which is what moves it into
# service. The chain is passed through from the issued certificate as-is.
resource "aws_acmpca_certificate_authority_certificate" "root_certificate" {
  certificate_authority_arn = aws_acmpca_certificate_authority.root_CA.arn

  certificate       = aws_acmpca_certificate.root_certificate.certificate
  certificate_chain = aws_acmpca_certificate.root_certificate.certificate_chain
}