I’m new to Vault and all the lingo around PKI certificates. I wanted to check in here to see if I’m doing anything that could be better or if there’s anything in this workflow that is wrong or even dangerous…
I’m trying to determine if I should be providing the certificate (vault_pki_secret_backend_root_cert.root.certificate) or the issuing_ca (vault_pki_secret_backend_root_cert.root.issuing_ca) here in a self-signed Terraform / Vault workflow:
    resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
      backend     = vault_mount.pki_int.path
      certificate = "${vault_pki_secret_backend_root_sign_intermediate.root.certificate}\n${vault_pki_secret_backend_root_cert.root.certificate}"
    }
This was based on an example at Creating a Certificate Authority With Hashicorp Vault and Terraform | by Steve Dillon | Medium
This is the full example of how I am generating my self-signed root and intermediate certs via Terraform. I’m not exactly clear what set_signed is doing and why it must be done for an intermediate to generate certificates.
    resource "vault_mount" "pki" {
      path                      = "pki"
      type                      = "pki"
      description               = "PKI for the ROOT CA"
      default_lease_ttl_seconds = 315360000 # 10 years
      max_lease_ttl_seconds     = 315360000 # 10 years
    }

    # Self-signed root; type "internal" keeps the root private key inside Vault.
    resource "vault_pki_secret_backend_root_cert" "root" {
      depends_on         = [vault_mount.pki]
      backend            = vault_mount.pki.path
      type               = "internal"
      common_name        = "Root CA"
      ttl                = "315360000"
      format             = "pem"
      private_key_format = "der"
      key_type           = "rsa"
      key_bits           = 4096
    }

    resource "vault_mount" "pki_int" {
      path                      = "pki_int"
      type                      = "pki"
      description               = "PKI for the intermediate CA" # was a copy of the root mount's description
      default_lease_ttl_seconds = 315360000 # 10 years
      max_lease_ttl_seconds     = 315360000 # 10 years
    }

    # CSR for the intermediate; its private key also stays inside Vault.
    resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
      depends_on         = [vault_mount.pki, vault_mount.pki_int]
      backend            = vault_mount.pki_int.path
      type               = "internal"
      common_name        = "pki-ca-int"
      format             = "pem"
      private_key_format = "der"
      key_type           = "rsa"
      key_bits           = 4096 # number, as in the root resource
    }

    # The root mount signs the intermediate's CSR.
    resource "vault_pki_secret_backend_root_sign_intermediate" "root" {
      depends_on           = [vault_pki_secret_backend_intermediate_cert_request.intermediate]
      backend              = vault_mount.pki.path
      csr                  = vault_pki_secret_backend_intermediate_cert_request.intermediate.csr
      common_name          = "pki-ca-int"
      exclude_cn_from_sans = true
      organization         = "firehawkvfx.com"
      ttl                  = 252288000 # 8 years
    }

    # Installs the signed intermediate in the pki_int mount, with the root appended
    # so the mount can serve the full chain.
    resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
      backend     = vault_mount.pki_int.path
      certificate = "${vault_pki_secret_backend_root_sign_intermediate.root.certificate}\n${vault_pki_secret_backend_root_cert.root.certificate}"
    }

    resource "vault_pki_secret_backend_role" "firehawkvfx-dot-com" {
      backend        = vault_mount.pki_int.path
      name           = "firehawkvfx-dot-com"
      generate_lease = true
      allow_any_name = true
      ttl            = 157680000 # 5 years
      max_ttl        = 157680000 # 5 years
    }
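Added example, not from the post or from the Vault/Terraform provider: the same three steps (self-signed root, intermediate CSR, root signs it) rebuilt with the openssl CLI, followed by the check I would run on the bundle before handing it to set_signed. For a self-signed root the root_cert resource's `certificate` and `issuing_ca` carry the same PEM, so either works there; what the check enforces is the order, signed intermediate first and root last, and that the intermediate really verifies against that root. It assumes the openssl binary is installed and uses 2048-bit keys only to keep the demo quick.

```sh
#!/bin/sh
# Added example, not from the post: rebuild the Terraform flow with the openssl
# CLI and check the bundle that goes into intermediate_set_signed.
set -eu
WORK=$(mktemp -d)

# 1. Self-signed root, the counterpart of vault_pki_secret_backend_root_cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate key + CSR, like vault_pki_secret_backend_intermediate_cert_request.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=pki-ca-int" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null

# 3. Root signs the CSR with CA extensions, like vault_pki_secret_backend_root_sign_intermediate.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2920 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# 4. The bundle in the order the Terraform `certificate` argument builds it:
#    signed intermediate first, root last.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"

# check_bundle BUNDLE ROOT: exit 0 when the first certificate in BUNDLE is not the
# root itself, names the root as its issuer and verifies against it; exit 1 otherwise.
check_bundle() {
  bundle=$1; root=$2
  first=$(awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$bundle")
  [ -n "$first" ] || return 1
  first_subject=$(printf '%s\n' "$first" | openssl x509 -noout -subject)
  first_issuer=$(printf '%s\n' "$first" | openssl x509 -noout -issuer)
  root_subject=$(openssl x509 -noout -subject -in "$root")
  # root pasted first (wrong order) would make the first block the root itself
  [ "${first_subject#subject=}" != "${root_subject#subject=}" ] || return 1
  [ "${first_issuer#issuer=}" = "${root_subject#subject=}" ] || return 1
  printf '%s\n' "$first" | openssl verify -CAfile "$root" >/dev/null 2>&1
}

check_bundle "$WORK/bundle.pem" "$WORK/root.pem" && echo "intermediate chains to the root: OK"
```

Against a live Vault the same check applies to `vault read -field=certificate pki_int/cert/ca` with the root from `pki/cert/ca` as the CAfile.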