Rename as many things as possible to TesseraCT in terraform

cmd/aws/main.go

@@ -64,7 +64,7 @@ var (
 	inMemoryAntispamCacheSize  = flag.Uint("inmemory_antispam_cache_size", 256<<10, "Maximum number of entries to keep in the in-memory antispam cache.")
 	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
-	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
+	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then TesseraCT rejects certificates that are either currently valid or not yet valid.")
 	extKeyUsages               = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
 	rejectExtensions           = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
 	signerPublicKeySecretName  = flag.String("signer_public_key_secret_name", "", "Public key secret name for checkpoints and SCTs signer")

cmd/gcp/main.go

@@ -58,7 +58,7 @@ var (
 	inMemoryAntispamCacheSize  = flag.Uint("inmemory_antispam_cache_size", 256<<10, "Maximum number of entries to keep in the in-memory antispam cache.")
 	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
-	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
+	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then TesseraCT rejects certificates that are either currently valid or not yet valid.")
 	extKeyUsages               = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
 	rejectExtensions           = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
 	signerPublicKeySecretName  = flag.String("signer_public_key_secret_name", "", "Public key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}.")

deployment/live/aws/test/README.md

@@ -76,17 +76,17 @@ Store the Aurora RDS database and S3 bucket information into the environment var
 export TESSERACT_DB_HOST=$(terragrunt output -raw rds_aurora_cluster_endpoint)
 export TESSERACT_DB_PASSWORD=$(aws secretsmanager get-secret-value --secret-id $(terragrunt output -json rds_aurora_cluster_master_user_secret | jq --raw-output .[0].secret_arn) --query SecretString --output text | jq --raw-output .password)
 export TESSERACT_BUCKET_NAME=$(terragrunt output -raw s3_bucket_name)
-export SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
-export SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
+export TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
+export TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
 ```
 
 Connect the VM and Aurora database following [these instructions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/tutorial-ec2-rds-option1.html#option1-task3-connect-ec2-instance-to-rds-database), it takes a few clicks in the UI.
 
-## Run the TesseraCT
+## Run TesseraCT
 
 ### With fake chains
 
-On the VM, run the following command to bring up the TesseraCT:
+On the VM, run the following command to bring up TesseraCT:
 
 ```bash
 go run ./cmd/aws \
@@ -100,8 +100,8 @@ go run ./cmd/aws \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
   --antispam_db_name=antispam_db \
-  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
-  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
+  --signer_public_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
 ```
 
 In a different terminal you can either mint and submit certificates manually, or
@@ -121,15 +121,15 @@ openssl x509 -req -days 3650 -in /tmp/httpschain/cert.csr -CAkey internal/testda
 cat internal/testdata/fake-ca.cert >> /tmp/httpschain/chain.pem
 ```
 
-Finally, submit the chain to the TesseraCT:
+Finally, submit the chain to TesseraCT:
 
 ```bash
 go run github.com/google/certificate-transparency-go/client/ctclient@master upload --cert_chain=/tmp/httpschain/chain.pem --skip_https_verify --log_uri=http://localhost:6962/test-static-ct
 ```
 
 #### Automatically generate chains
 
-Save the TesseraCT repo's path:
+Save TesseraCT repo's path:
 
 ```bash
 export TESSERACT_REPO=$(pwd)
@@ -179,7 +179,7 @@ go run ./client/ctclient get-roots --log_uri=${SRC_LOG_URI} --text=false > /tmp/
 sed -i 's-""-"/tmp/hammercfg/roots.pem"-g' /tmp/hammercfg/hammer.cfg
 ```
 
-Run the TesseraCT with the same roots:
+Run TesseraCT with the same roots:
 
 ```bash
 cd ${TESSERACT_REPO}
@@ -194,8 +194,8 @@ go run ./cmd/aws \
   --db_user=tesseract \
   --db_password=${TESSERACT_DB_PASSWORD} \
   --antispam_db_name=antispam_db \
-  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
-  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
+  --signer_public_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
   -v=3
 ```
 

deployment/live/gcp/static-ct-staging/logs/arche2025h1/README.md

@@ -25,7 +25,7 @@ awk \
 
 
 ### Automatic Deployment
-This GCP SCTFE preloaded staging environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/), [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/arche2025h1/)).
+This GCP TesseraCT preloaded staging environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/), [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/arche2025h1/)).
 
 ### Manual Deployment
 TODO(phboneff): come back to this, Cloud Run doesn't trigger a deployment if the tag does not change value.
@@ -51,10 +51,10 @@ Build and push the Docker image to Artifact Registry repository:
 
 ```sh
 gcloud auth configure-docker ${GOOGLE_REGION}-docker.pkg.dev
-docker build -f ./cmd/gcp/Dockerfile -t tesseract-gcp:latest .
-docker build -f ./cmd/gcp/staging/Dockerfile -t conformance-gcp:latest .
-docker tag conformance-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/conformance-gcp:latest
-docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/conformance-gcp
+docker build -f ./cmd/gcp/Dockerfile -t tesseract-binary-gcp:latest .
+docker build -f ./cmd/gcp/staging/Dockerfile -t tesseract-gcp:latest .
+docker tag tesseract-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp:latest
+docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp
 ```
 
 Terraforming the project can be done by:

deployment/live/gcp/static-ct-staging/logs/arche2025h1/terragrunt.hcl

@@ -7,7 +7,7 @@ locals {
   docker_env          = local.env
   base_name           = include.root.locals.base_name
   origin_suffix       = include.root.locals.origin_suffix
-  server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:${include.root.locals.docker_container_tag}"
+  server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"
   spanner_pu          = 500
 }
 

deployment/live/gcp/static-ct-staging/logs/arche2025h2/README.md

@@ -25,7 +25,7 @@ awk \
 
 
 ### Automatic Deployment
-This GCP SCTFE preloaded staging environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/), [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/arche2025h2/)).
+This GCP TesseraCT preloaded staging environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/tesseract/), [Terragrunt configuration](/deployment/live/gcp/static-ct-staging/cloudbuild/arche2025h2/)).
 
 ### Manual Deployment
 TODO(phboneff): come back to this, Cloud Run doesn't trigger a deployment if the tag does not change value.
@@ -51,10 +51,10 @@ Build and push the Docker image to Artifact Registry repository:
 
 ```sh
 gcloud auth configure-docker ${GOOGLE_REGION}-docker.pkg.dev
-docker build -f ./cmd/gcp/Dockerfile -t tesseract-gcp:latest .
-docker build -f ./cmd/gcp/staging/Dockerfile -t conformance-gcp:latest .
-docker tag conformance-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/conformance-gcp:latest
-docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/conformance-gcp
+docker build -f ./cmd/gcp/Dockerfile -t tesseract-binary-gcp:latest .
+docker build -f ./cmd/gcp/staging/Dockerfile -t tesseract-gcp:latest .
+docker tag tesseract-gcp:latest ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp:latest
+docker push ${GOOGLE_REGION}-docker.pkg.dev/${GOOGLE_PROJECT}/docker-staging/tesseract-gcp
 ```
 
 Terraforming the project can be done by:

deployment/live/gcp/static-ct-staging/logs/arche2025h2/terragrunt.hcl

@@ -7,7 +7,7 @@ locals {
   docker_env          = local.env
   base_name           = include.root.locals.base_name
   origin_suffix       = include.root.locals.origin_suffix
-  server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/conformance-gcp:${include.root.locals.docker_container_tag}"
+  server_docker_image = "${include.root.locals.location}-docker.pkg.dev/${include.root.locals.project_id}/docker-${local.env}/tesseract-gcp:${include.root.locals.docker_container_tag}"
   spanner_pu          = 500
 }
 

deployment/live/gcp/static-ct/logs/ci/README.md

@@ -1,9 +1,9 @@
-# GCP SCTFE CI Environment
+# GCP TesseraCT CI Environment
 
 ## Overview
 
 This config uses the [gcp/cloudrun](/deployment/modules/gcp/tesseract/cloudrun) module to
-define a CI environment to run the SCTFE on Cloud Run, backed by Trillian Tessera.
+define a CI environment to run TesseraCT on Cloud Run, backed by Trillian Tessera.
 
 At a high level, this environment consists of:
 - One Spanner instance with two databases:
@@ -15,7 +15,7 @@ At a high level, this environment consists of:
 
 ### Automatic Deployment
 
-This GCP SCTFE conformance CI environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/conformance/), [Terragrunt configuration](/deployment/live/gcp/static-ct/cloudbuild/prod/)).
+This GCP TesseraCT conformance CI environment is designed to be deployed by the Cloud Build ([Terraform module](/deployment/modules/gcp/cloudbuild/conformance/), [Terragrunt configuration](/deployment/live/gcp/static-ct/cloudbuild/prod/)).
 
 ### Manual Deployment
 

deployment/live/gcp/test/README.md

@@ -1,4 +1,4 @@
-# GCP SCTFE Test Environment
+# GCP TesseraCT Test Environment
 
 ## Prerequisites
 You'll need to have a VM running in the same GCP project that you can SSH to,
@@ -9,7 +9,7 @@ installed, and your favourite terminal multiplexer.
 ## Overview
 
 This config uses the [gcp/test](/deployment/modules/gcp/test) module to
-define a test environment to run the SCTFE, backed by Trillian Tessera.
+define a test environment to run TesseraCT, backed by Trillian Tessera.
 
 At a high level, this environment consists of:
 - One Spanner instance with two databases:
@@ -42,15 +42,15 @@ Terraforming the project can be done by:
 Store the Secret Manager resource ID of signer key pair into the environment variables:
 
 ```sh
-export SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
-export SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
+export TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID=$(terragrunt output -raw ecdsa_p256_public_key_id)
+export TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID=$(terragrunt output -raw ecdsa_p256_private_key_id)
 ```
 
-## Run the SCTFE
+## Run TesseraCT
 
 ### With fake chains
 
-On the VM, run the following command to bring up the SCTFE:
+On the VM, run the following command to bring up TesseraCT:
 
 ```bash
 go run ./cmd/gcp/ \
@@ -59,8 +59,8 @@ go run ./cmd/gcp/ \
   --spanner_antispam_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-antispam-db \
   --roots_pem_file=./internal/testdata/fake-ca.cert \
   --origin=${TESSERA_BASE_NAME} \
-  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
-  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
+  --signer_public_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID}
 ```
 
 In a different terminal you can either mint and submit certificates manually, or
@@ -80,18 +80,18 @@ openssl x509 -req -days 3650 -in /tmp/httpschain/cert.csr -CAkey internal/testda
 cat internal/testdata/fake-ca.cert >> /tmp/httpschain/chain.pem
 ```
 
-Finally, submit the chain to the SCTFE:
+Finally, submit the chain to TesseraCT:
 
 ```bash
 go run github.com/google/certificate-transparency-go/client/ctclient@master upload --cert_chain=/tmp/httpschain/chain.pem --skip_https_verify --log_uri=http://localhost:6962/${TESSERA_BASE_NAME}
 ```
 
 #### Automatically generate chains
 
-Save the SCTFE repo's path:
+Save TesseraCT repo's path:
 
 ```bash
-export SCTFE_REPO=$(pwd)
+export TESSERACT_REPO=$(pwd)
 ```
 
 Clone the [certificate-transparency-go](https://github.com/google/certificate-transparency-go) repo, and from there run:
@@ -111,19 +111,19 @@ go run ./trillian/integration/ct_hammer/ \
   --skip_https_verify=true \
   --operations=10000 \
   --rate_limit=150 \
-  --log_config=${SCTFE_REPO}/internal/testdata/hammer.cfg \
+  --log_config=${TESSERACT_REPO}/internal/testdata/hammer.cfg \
   --testdata_dir=./trillian/testdata/
 ```
 
 ### With real HTTPS certificates
 
-We'll run a SCTFE and copy certificates from an existing RFC6962 log to it.
+We'll run a TESSERACT and copy certificates from an existing RFC6962 log to it.
 It uses the [ct_hammer tool from certificate-transparency-go](https://github.com/google/certificate-transparency-go/tree/aceb1d4481907b00c087020a3930c7bd691a0110/trillian/integration/ct_hammer).
 
 First, set a few environment variables:
 
 ```bash
-export SCTFE_REPO=$(pwd)
+export TESSERACT_REPO=$(pwd)
 export SRC_LOG_URI=https://ct.googleapis.com/logs/xenon2022
 ```
 
@@ -133,23 +133,23 @@ To do so, clone the [certificate-transparency-go](https://github.com/google/cert
 ```bash
 export CTGO_REPO=$(pwd)
 mkdir -p /tmp/hammercfg
-cp ${SCTFE_REPO}/internal/testdata/hammer.cfg /tmp/hammercfg
+cp ${TESSERACT_REPO}/internal/testdata/hammer.cfg /tmp/hammercfg
 go run ./client/ctclient get-roots --log_uri=${SRC_LOG_URI} --text=false > /tmp/hammercfg/roots.pem
 sed -i 's-""-"/tmp/hammercfg/roots.pem"-g' /tmp/hammercfg/hammer.cfg
 ```
 
-Run the SCTFE with the same roots:
+Run TesseraCT with the same roots:
 
 ```bash
-cd ${SCTFE_REPO}
+cd ${TESSERACT_REPO}
 go run ./cmd/gcp/ \
   --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket \
   --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db \
   --roots_pem_file=/tmp/hammercfg/roots.pem \
   --origin=${TESSERA_BASE_NAME} \
   --spanner_antispam_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-antispam-db \
-  --signer_public_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
-  --signer_private_key_secret_name=${SCTFE_SIGNER_ECDSA_P256_PRIVATE_KEY_ID} \
+  --signer_public_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PUBLIC_KEY_ID} \
+  --signer_private_key_secret_name=${TESSERACT_SIGNER_ECDSA_P256_PRIVATE_KEY_ID} \
   -v=3
 ```
 

deployment/modules/aws/secretsmanager/main.tf

@@ -13,7 +13,7 @@ provider "aws" {
 }
 
 # Secrets Manager
-resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
+resource "aws_secretsmanager_secret" "tesseract_ecdsa_p256_public_key" {
   name = "${var.base_name}-ecdsa-p256-public-key"
   recovery_window_in_days = 0
 
@@ -22,12 +22,12 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
   }
 }
 
-resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_public_key" {
-  secret_id     = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
+resource "aws_secretsmanager_secret_version" "tesseract_ecdsa_p256_public_key" {
+  secret_id     = aws_secretsmanager_secret.tesseract_ecdsa_p256_public_key.id
   secret_string = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
-resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
+resource "aws_secretsmanager_secret" "tesseract_ecdsa_p256_private_key" {
   name = "${var.base_name}-ecdsa-p256-private-key"
   recovery_window_in_days = 0
 
@@ -36,7 +36,7 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
   }
 }
 
-resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_private_key" {
-  secret_id     = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
+resource "aws_secretsmanager_secret_version" "tesseract_ecdsa_p256_private_key" {
+  secret_id     = aws_secretsmanager_secret.tesseract_ecdsa_p256_private_key.id
   secret_string = var.tls_private_key_ecdsa_p256_private_key_pem
 }

deployment/modules/aws/secretsmanager/outputs.tf

@@ -1,15 +1,15 @@
 output "ecdsa_p256_public_key_id" {
   description = "Signer public key (P256_SHA256)"
-  value       = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.name
+  value       = aws_secretsmanager_secret.tesseract_ecdsa_p256_public_key.name
 }
 
 output "ecdsa_p256_public_key_data" {
   description = "Signer public key (P256_SHA256) data from secret manager"
-  value       = aws_secretsmanager_secret_version.sctfe_ecdsa_p256_public_key.secret_string
+  value       = aws_secretsmanager_secret_version.tesseract_ecdsa_p256_public_key.secret_string
   sensitive   = true
 }
 
 output "ecdsa_p256_private_key_id" {
   description = "Signer private key (P256_SHA256)"
-  value       = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.name
+  value       = aws_secretsmanager_secret.tesseract_ecdsa_p256_private_key.name
 }