# Subordinate CA for the XDR WWW certificates. It lives in the COMMON SERVICES
# account, is chained to the root CA named by var.root_authority_arn, and
# publishes its CRL to the aws_s3_bucket.crl bucket.
resource "aws_acmpca_certificate_authority" "www_subordinate" {
  provider = aws.common # COMMON SERVICES account
  type     = "SUBORDINATE"

  certificate_authority_configuration {
    # P-384 key, signatures are SHA-512 over ECDSA (matches the issuing
    # signing_algorithm used for the CA certificate below).
    key_algorithm     = "EC_secp384r1"
    signing_algorithm = "SHA512WITHECDSA"

    subject {
      common_name         = "XDR WWW Certificates Subordinate CA v2"
      country             = "US"
      organization        = "Accenture Federal Services"
      organizational_unit = "XDR"
    }
  }

  revocation_configuration {
    crl_configuration {
      enabled            = true
      expiration_in_days = 7
      s3_bucket_name     = aws_s3_bucket.crl.id
      # A custom CNAME would keep the raw S3 bucket name out of the CRL
      # distribution point, but it adds cost and complexity, so it is left
      # out for now (YAGNI).
      #custom_cname = "crl.xdr.accenturefederalcyber.com"
    }
  }

  tags = merge(local.standard_tags, var.tags)

  # NOTE(review): presumably the bucket policy that lets ACM PCA write the CRL
  # has to exist before the CA is created with CRL publishing enabled —
  # confirm against aws_s3_bucket_policy.crl.
  depends_on = [aws_s3_bucket_policy.crl]
}

# CA certificate for the subordinate, issued by the root CA from the
# subordinate's own CSR. The SubordinateCACertificate_PathLen0 template means
# this CA cannot itself issue further subordinate CAs.
resource "aws_acmpca_certificate" "www_subordinate" {
  # NOTE(review): unlike the two sibling resources this one uses the default
  # provider, presumably because the root CA is not in the COMMON SERVICES
  # account — confirm.
  certificate_authority_arn   = var.root_authority_arn
  certificate_signing_request = aws_acmpca_certificate_authority.www_subordinate.certificate_signing_request
  signing_algorithm           = "SHA512WITHECDSA"
  template_arn                = format("arn:%s:acm-pca:::template/SubordinateCACertificate_PathLen0/V1", var.aws_partition)

  # Ten-year lifetime for the subordinate CA certificate.
  validity {
    type  = "YEARS"
    value = 10
  }
}

# Installs the issued certificate (plus the chain up to the root) into the
# subordinate CA so it becomes active.
resource "aws_acmpca_certificate_authority_certificate" "www_subordinate" {
  provider = aws.common # COMMON SERVICES account

  certificate_authority_arn = aws_acmpca_certificate_authority.www_subordinate.arn
  certificate               = aws_acmpca_certificate.www_subordinate.certificate
  certificate_chain         = aws_acmpca_certificate.www_subordinate.certificate_chain
}