feat(terraform): add Let's Encrypt certificate automation for OCI

Add automatic certificate provisioning using OCI Functions:
- New Terraform module terraform/modules/certificates/oci/
- OCI Function (certmgr) for ACME DNS-01 challenges
- Vault secrets for certificate/key/ACME account storage
- IAM policies for DNS, Vault, and Load Balancer access
- Makefile targets for function build/deploy/invoke

Certificate lifecycle: daily renewal checks, auto-renewal when
certificate expires within configurable threshold (default 30 days).
Uses Resource Principal auth - no credentials in config.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

.gitignore

@@ -42,6 +42,8 @@
 !static/**
 !wstest/
 !wstest/**
+!functions/
+!functions/**
 !test/
 !test/**
 !.claude/
@@ -94,6 +96,9 @@ test/outputs/
 test/deprecated/
 test/tools/wstest/wstest
 
+# Built function binaries
+functions/certmgr/certmgr
+
 # Oracle/OCI (contains sensitive credentials)
 wallet/
 Wallet_*.zip

Makefile

@@ -1079,6 +1079,56 @@ start-containers-environment:
 # Shorthand for all container operations
 build-containers-all: build-containers report-containers
 
+# ============================================================================
+# OCI FUNCTIONS - Certificate Manager
+# ============================================================================
+
+.PHONY: fn-check fn-build-certmgr fn-deploy-certmgr fn-invoke-certmgr fn-logs-certmgr
+
+# Check if Fn CLI is installed
+fn-check:
+	@command -v fn >/dev/null 2>&1 || { \
+		echo -e "$(RED)[ERROR]$(NC) Fn CLI is not installed."; \
+		echo -e "$(BLUE)[INFO]$(NC) Install with: brew install fn"; \
+		exit 1; \
+	}
+
+# Build the certificate manager function
+fn-build-certmgr: fn-check  ## Build the certificate manager OCI function
+	$(call log_info,Building certificate manager function...)
+	@cd functions/certmgr && fn build
+	$(call log_success,Certificate manager function built successfully)
+
+# Deploy the certificate manager function to OCI
+fn-deploy-certmgr: fn-check  ## Deploy certificate manager function to OCI (requires OCI config)
+	$(call log_info,Deploying certificate manager function...)
+	@if [ -z "$(FN_APP)" ]; then \
+		echo -e "$(RED)[ERROR]$(NC) FN_APP environment variable not set."; \
+		echo -e "$(BLUE)[INFO]$(NC) Set FN_APP to the OCI Function Application name"; \
+		exit 1; \
+	fi
+	@cd functions/certmgr && fn deploy --app $(FN_APP)
+	$(call log_success,Certificate manager function deployed)
+
+# Invoke the certificate manager function manually (for testing)
+fn-invoke-certmgr: fn-check  ## Invoke certificate manager function manually for testing
+	$(call log_info,Invoking certificate manager function...)
+	@if [ -z "$(FN_APP)" ]; then \
+		echo -e "$(RED)[ERROR]$(NC) FN_APP environment variable not set."; \
+		exit 1; \
+	fi
+	@fn invoke $(FN_APP) certmgr
+	$(call log_success,Function invoked)
+
+# View certificate manager function logs
+fn-logs-certmgr: fn-check  ## View certificate manager function logs
+	$(call log_info,Fetching certificate manager function logs...)
+	@if [ -z "$(FN_APP)" ]; then \
+		echo -e "$(RED)[ERROR]$(NC) FN_APP environment variable not set."; \
+		exit 1; \
+	fi
+	@fn logs $(FN_APP) certmgr
+
 # ============================================================================
 # TERRAFORM INFRASTRUCTURE MANAGEMENT
 # ============================================================================
@@ -1630,6 +1680,12 @@ help:
 	@echo "  start-containers-environment - Start development with containers"
 	@echo "  build-containers-all         - Run full container build and report"
 	@echo ""
+	@echo "OCI Functions (Certificate Manager):"
+	@echo "  fn-build-certmgr             - Build the certificate manager function"
+	@echo "  fn-deploy-certmgr            - Deploy certificate manager to OCI"
+	@echo "  fn-invoke-certmgr            - Invoke certificate manager for testing"
+	@echo "  fn-logs-certmgr              - View certificate manager logs"
+	@echo ""
 	@echo "Terraform Infrastructure Management:"
 	@echo "  tf-init                      - Initialize Terraform (TF_ENV=oci-free-tier)"
 	@echo "  tf-validate                  - Validate Terraform configuration"

functions/certmgr/acme.go

@@ -0,0 +1,225 @@
+package main
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	"golang.org/x/crypto/acme"
+)
+
+// ACMEClient wraps the ACME client for Let's Encrypt operations
+type ACMEClient struct {
+	client    *acme.Client
+	directory string
+	email     string
+}
+
+// Certificate represents a TLS certificate with its private key
+type Certificate struct {
+	CertificatePEM string
+	PrivateKeyPEM  string
+	IssuerPEM      string
+	NotAfter       time.Time
+}
+
+// NewACMEClient creates a new ACME client
+func NewACMEClient(directory, email string, accountKey crypto.Signer) *ACMEClient {
+	client := &acme.Client{
+		Key:          accountKey,
+		DirectoryURL: directory,
+	}
+
+	return &ACMEClient{
+		client:    client,
+		directory: directory,
+		email:     email,
+	}
+}
+
+// GenerateAccountKey generates a new ECDSA private key for the ACME account
+func GenerateAccountKey() (*ecdsa.PrivateKey, error) {
+	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+}
+
+// EncodeAccountKey encodes an ECDSA private key to PEM format
+func EncodeAccountKey(key *ecdsa.PrivateKey) (string, error) {
+	der, err := x509.MarshalECPrivateKey(key)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal account key: %w", err)
+	}
+
+	block := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: der,
+	}
+
+	return string(pem.EncodeToMemory(block)), nil
+}
+
+// DecodeAccountKey decodes a PEM-encoded ECDSA private key
+func DecodeAccountKey(pemData string) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemData))
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	return x509.ParseECPrivateKey(block.Bytes)
+}
+
+// RegisterAccount registers or retrieves an existing ACME account
+func (c *ACMEClient) RegisterAccount(ctx context.Context) error {
+	account := &acme.Account{
+		Contact: []string{"mailto:" + c.email},
+	}
+
+	_, err := c.client.Register(ctx, account, acme.AcceptTOS)
+	if err != nil && err != acme.ErrAccountAlreadyExists {
+		return fmt.Errorf("failed to register ACME account: %w", err)
+	}
+
+	return nil
+}
+
+// RequestCertificate requests a new certificate using DNS-01 challenge
+// It returns the DNS challenge token that must be set as a TXT record
+func (c *ACMEClient) RequestCertificate(ctx context.Context, domain string) (*acme.Authorization, *acme.Challenge, error) {
+	// Create a new order
+	order, err := c.client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create order: %w", err)
+	}
+
+	// Get the authorization
+	if len(order.AuthzURLs) == 0 {
+		return nil, nil, fmt.Errorf("no authorization URLs in order")
+	}
+
+	auth, err := c.client.GetAuthorization(ctx, order.AuthzURLs[0])
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get authorization: %w", err)
+	}
+
+	// Find the DNS-01 challenge
+	var dnsChallenge *acme.Challenge
+	for _, ch := range auth.Challenges {
+		if ch.Type == "dns-01" {
+			dnsChallenge = ch
+			break
+		}
+	}
+
+	if dnsChallenge == nil {
+		return nil, nil, fmt.Errorf("no DNS-01 challenge found")
+	}
+
+	return auth, dnsChallenge, nil
+}
+
+// GetDNSChallengeRecord returns the TXT record value for the DNS-01 challenge
+func (c *ACMEClient) GetDNSChallengeRecord(challenge *acme.Challenge) (string, error) {
+	return c.client.DNS01ChallengeRecord(challenge.Token)
+}
+
+// AcceptChallenge notifies the ACME server that the challenge is ready
+func (c *ACMEClient) AcceptChallenge(ctx context.Context, challenge *acme.Challenge) error {
+	_, err := c.client.Accept(ctx, challenge)
+	return err
+}
+
+// WaitForAuthorization waits for the authorization to be valid
+func (c *ACMEClient) WaitForAuthorization(ctx context.Context, auth *acme.Authorization) error {
+	_, err := c.client.WaitAuthorization(ctx, auth.URI)
+	return err
+}
+
+// FinalizeCertificate finalizes the order and retrieves the certificate
+func (c *ACMEClient) FinalizeCertificate(ctx context.Context, domain string) (*Certificate, error) {
+	// Generate a new private key for the certificate
+	certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate certificate key: %w", err)
+	}
+
+	// Create a CSR
+	csr := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: domain,
+		},
+		DNSNames: []string{domain},
+	}
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, csr, certKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create CSR: %w", err)
+	}
+
+	// Create a new order and finalize it
+	order, err := c.client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create order for finalization: %w", err)
+	}
+
+	// Wait for order to be ready
+	order, err = c.client.WaitOrder(ctx, order.URI)
+	if err != nil {
+		return nil, fmt.Errorf("failed to wait for order: %w", err)
+	}
+
+	// Finalize the order
+	certChain, _, err := c.client.CreateOrderCert(ctx, order.FinalizeURL, csrDER, true)
+	if err != nil {
+		return nil, fmt.Errorf("failed to finalize order: %w", err)
+	}
+
+	// Parse the certificate chain
+	if len(certChain) == 0 {
+		return nil, fmt.Errorf("empty certificate chain")
+	}
+
+	// Parse the first certificate to get expiry
+	cert, err := x509.ParseCertificate(certChain[0])
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	// Encode certificate chain to PEM
+	var certPEM, issuerPEM string
+	for i, certDER := range certChain {
+		block := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: certDER,
+		}
+		if i == 0 {
+			certPEM = string(pem.EncodeToMemory(block))
+		} else {
+			issuerPEM += string(pem.EncodeToMemory(block))
+		}
+	}
+
+	// Encode private key to PEM
+	keyDER, err := x509.MarshalECPrivateKey(certKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal private key: %w", err)
+	}
+
+	keyBlock := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: keyDER,
+	}
+	keyPEM := string(pem.EncodeToMemory(keyBlock))
+
+	return &Certificate{
+		CertificatePEM: certPEM,
+		PrivateKeyPEM:  keyPEM,
+		IssuerPEM:      issuerPEM,
+		NotAfter:       cert.NotAfter,
+	}, nil
+}

functions/certmgr/config.go

@@ -0,0 +1,82 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+)
+
+// Config holds the certificate manager configuration
+type Config struct {
+	Domain         string
+	DNSZoneID      string
+	ACMEEmail      string
+	RenewalDays    int
+	LoadBalancerID string
+	VaultID        string
+	VaultKeyID     string
+	CompartmentID  string
+	NamePrefix     string
+	ACMEDirectory  string
+	DryRun         bool
+}
+
+// LoadConfig loads configuration from environment variables
+func LoadConfig() (*Config, error) {
+	config := &Config{
+		Domain:         os.Getenv("CERTMGR_DOMAIN"),
+		DNSZoneID:      os.Getenv("CERTMGR_DNS_ZONE_ID"),
+		ACMEEmail:      os.Getenv("CERTMGR_ACME_EMAIL"),
+		LoadBalancerID: os.Getenv("CERTMGR_LB_ID"),
+		VaultID:        os.Getenv("CERTMGR_VAULT_ID"),
+		VaultKeyID:     os.Getenv("CERTMGR_VAULT_KEY_ID"),
+		CompartmentID:  os.Getenv("CERTMGR_COMPARTMENT_ID"),
+		NamePrefix:     os.Getenv("CERTMGR_NAME_PREFIX"),
+		ACMEDirectory:  os.Getenv("CERTMGR_ACME_DIRECTORY"),
+		DryRun:         os.Getenv("CERTMGR_DRY_RUN") == "true",
+	}
+
+	// Default name prefix
+	if config.NamePrefix == "" {
+		config.NamePrefix = "tmi"
+	}
+
+	// Parse renewal days with default
+	renewalDaysStr := os.Getenv("CERTMGR_RENEWAL_DAYS")
+	if renewalDaysStr == "" {
+		config.RenewalDays = 30
+	} else {
+		days, err := strconv.Atoi(renewalDaysStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid CERTMGR_RENEWAL_DAYS: %w", err)
+		}
+		config.RenewalDays = days
+	}
+
+	// Default ACME directory to staging
+	if config.ACMEDirectory == "" {
+		config.ACMEDirectory = "https://acme-staging-v02.api.letsencrypt.org/directory"
+	}
+
+	// Validate required fields
+	if config.Domain == "" {
+		return nil, fmt.Errorf("CERTMGR_DOMAIN is required")
+	}
+	if config.DNSZoneID == "" {
+		return nil, fmt.Errorf("CERTMGR_DNS_ZONE_ID is required")
+	}
+	if config.ACMEEmail == "" {
+		return nil, fmt.Errorf("CERTMGR_ACME_EMAIL is required")
+	}
+	if config.LoadBalancerID == "" {
+		return nil, fmt.Errorf("CERTMGR_LB_ID is required")
+	}
+	if config.VaultID == "" {
+		return nil, fmt.Errorf("CERTMGR_VAULT_ID is required")
+	}
+	if config.VaultKeyID == "" {
+		return nil, fmt.Errorf("CERTMGR_VAULT_KEY_ID is required")
+	}
+
+	return config, nil
+}