Creates a TLS certificate in PEM (RFC 1421) format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).

```typescript
// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { Fn, Token, TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { LocallySignedCert } from "./.gen/providers/tls/locally-signed-cert";

class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new LocallySignedCert(this, "example", {
      allowedUses: ["key_encipherment", "digital_signature", "server_auth"],
      caCertPem: Token.asString(Fn.file("ca_cert.pem")),
      caPrivateKeyPem: Token.asString(Fn.file("ca_private_key.pem")),
      certRequestPem: Token.asString(Fn.file("cert_request.pem")),
      validityPeriodHours: 12,
    });
  }
}
```

allowedUses (List of String) List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: any_extended, cert_signing, client_auth, code_signing, content_commitment, crl_signing, data_encipherment, decipher_only, digital_signature, email_protection, encipher_only, ipsec_end_system, ipsec_tunnel, ipsec_user, key_agreement, key_encipherment, microsoft_commercial_code_signing, microsoft_kernel_code_signing, microsoft_server_gated_crypto, netscape_server_gated_crypto, ocsp_signing, server_auth, timestamping.

caCertPem (String) Certificate data of the Certificate Authority (CA) in PEM (RFC 1421) format.

caPrivateKeyPem (String, Sensitive) Private key of the Certificate Authority (CA) used to sign the certificate, in PEM (RFC 1421) format.

certRequestPem (String) Certificate request data in PEM (RFC 1421) format.

validityPeriodHours (Number) Number of hours, after initial issuing, that the certificate will remain valid for.

earlyRenewalHours (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: 0)

isCaCertificate (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: false).

setSubjectKeyId (Boolean) Should the generated certificate include a subject key identifier (default: false).

caKeyAlgorithm (String) Name of the algorithm used when generating the private key provided in ca_private_key_pem.

certPem (String) Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().

id (String) Unique identifier for this resource: the certificate serial number.

readyForRenewal (Boolean) Is the certificate either expired (i.e. beyond the validity_period_hours) or ready for an early renewal (i.e. within the early_renewal_hours)?

validityEndTime (String) The time until which the certificate is valid, expressed as an RFC3339 timestamp.

validityStartTime (String) The time after which the certificate is valid, expressed as an RFC3339 timestamp.

This resource considers its instances to have been deleted after either their validity period ends (i.e. beyond the validityPeriodHours) or the early renewal period is reached (i.e. within the earlyRenewalHours): when this happens, the readyForRenewal attribute will be true.
At this time, applying the Terraform configuration will cause a new certificate to be generated for the instance.
Therefore in a development environment with frequent deployments it may be convenient to set a relatively-short expiration time and use early renewal to automatically provision a new certificate when the current one is about to expire.
The creation of a new certificate may of course cause dependent resources to be updated or replaced, depending on the lifecycle rules applying to those resources.
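
The renewal timing described above, modelled as an added example (not code from the provider or from the original page). The helper names `renewalStatus` and `cadenceCoversRenewal` are hypothetical, and the timestamps and the 3-hour early renewal value are constructed.

```typescript
// Added example: a model of the renewal timing described above, not provider code.
// Attribute names mirror the resource; the helper names are hypothetical.
interface CertTiming {
  validityStartTime: string; // RFC 3339 timestamp exported by the resource
  validityPeriodHours: number;
  earlyRenewalHours: number; // default: 0
}

interface RenewalStatus {
  renewFrom: string; // start of the early renewal window
  validityEndTime: string; // true expiry of the issued certificate
  readyForRenewal: boolean; // an apply at `now` issues a replacement
  stillValid: boolean; // the current certificate has not expired yet
}

const HOUR_MS = 3600000;

function renewalStatus(c: CertTiming, now: Date): RenewalStatus {
  const start = Date.parse(c.validityStartTime);
  if (Number.isNaN(start)) throw new Error("validityStartTime is not a timestamp");
  if (c.earlyRenewalHours < 0) throw new Error("earlyRenewalHours must be >= 0");
  const end = start + c.validityPeriodHours * HOUR_MS;
  const renewFrom = end - c.earlyRenewalHours * HOUR_MS;
  const t = now.getTime();
  return {
    renewFrom: new Date(renewFrom).toISOString(),
    validityEndTime: new Date(end).toISOString(),
    readyForRenewal: t >= renewFrom,
    stillValid: t >= start && t < end,
  };
}

// True when applying every `applyIntervalHours` guarantees that at least one
// apply falls inside the early renewal window, i.e. before the old cert expires.
function cadenceCoversRenewal(c: CertTiming, applyIntervalHours: number): boolean {
  return applyIntervalHours > 0 && c.earlyRenewalHours >= applyIntervalHours;
}

// Constructed sample: 12-hour certificate (as in the example above), 3-hour window.
const sample: CertTiming = {
  validityStartTime: "2024-01-01T00:00:00Z",
  validityPeriodHours: 12,
  earlyRenewalHours: 3,
};
for (const at of ["2024-01-01T08:00:00Z", "2024-01-01T10:00:00Z", "2024-01-01T13:00:00Z"]) {
  console.log(at, renewalStatus(sample, new Date(at)));
}
console.log("daily applies cover renewal:", cadenceCoversRenewal(sample, 24));
```

When both `readyForRenewal` and `stillValid` are true, an apply issues a replacement while the previous certificate stays valid until `validityEndTime`, because the resource cannot revoke it.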