TLS Provider

The TLS provider supplies utilities for working with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certificate signing requests to be created as part of a Terraform deployment.

Transport Layer Security is also commonly referred to by the name of its predecessor protocol, Secure Sockets Layer (SSL). TLS and SSL are equivalent when considering the resources managed by this provider.

This provider is not particularly useful on its own, but it can be used to create certificates and credentials that can then be used with other providers when creating resources that expose TLS services or that themselves provision TLS certificates.

Use the navigation to the left to read about the available resources.

Example Usage

// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { Token, TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { IamServerCertificate } from "./.gen/providers/aws/iam-server-certificate";
import { PrivateKey } from "./.gen/providers/tls/private-key";
import { SelfSignedCert } from "./.gen/providers/tls/self-signed-cert";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    const example = new PrivateKey(this, "example", {
      algorithm: "ECDSA",
    });
    const tlsSelfSignedCertExample = new SelfSignedCert(this, "example_1", {
      allowedUses: ["key_encipherment", "digital_signature", "server_auth"],
      dnsNames: ["example.com", "example.net"],
      earlyRenewalHours: 3,
      keyAlgorithm: example.algorithm,
      privateKeyPem: example.privateKeyPem,
      subject: {
        commonName: "example.com",
        organization: "ACME Examples, Inc",
      },
      validityPeriodHours: 12,
    });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    tlsSelfSignedCertExample.overrideLogicalId("example");
    const awsIamServerCertificateExample = new IamServerCertificate(
      this,
      "example_2",
      {
        certificateBody: Token.asString(tlsSelfSignedCertExample.certPem),
        name: "example_self_signed_cert",
        privateKey: example.privateKeyPem,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamServerCertificateExample.overrideLogicalId("example");
  }
}

Configuring Proxy

// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
import { TlsProvider } from "./.gen/providers/tls/provider";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new TlsProvider(this, "tls", {
      proxy: {
        url: "https://corporate.proxy.service",
      },
    });
    new DataTlsCertificate(this, "test", {
      url: "https://example.com",
    });
  }
}

// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
import { TlsProvider } from "./.gen/providers/tls/provider";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new TlsProvider(this, "tls", {
      proxy: {
        fromEnv: true,
      },
    });
    new DataTlsCertificate(this, "test", {
      url: "https://example.com",
    });
  }
}

Schema

Optional

Nested Schema for proxy

Optional:

Limitations

ecdsa with p224 elliptic curve

When using ECDSA with the P224 curve, all the (computed) attributes that relate to OpenSSH have the value "" (empty string). This applies to the resources and data sources offered by this provider that expose such attributes, such as the tlsPrivateKey resource and the tlsPublicKey data source.

The attributes affected are:

This is because the SSH ECC Algorithm Integration (RFC 5656) restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".

Secrets and Terraform state

Some resources that can be created with this provider, like tlsPrivateKey, are considered "secrets", and as such are marked by this provider as _sensitive_, to help practitioners avoid accidentally leaking their value in logs or other forms of output.

It's important to remember that the values that constitute the "state" of those resources are stored in the Terraform state file. This includes the "secrets", which are written to the state file unencrypted; marking an attribute as sensitive only masks it in Terraform's output, it does not protect it at rest.

Because of these limitations, use of these resources for production deployments is _not_ recommended. If you do use them, protecting the content of the state file (for example with an access-controlled, encrypted remote backend) is strongly recommended.

The more general advice is that it is better to generate "secrets" outside of Terraform, and then distribute them securely to the systems where Terraform will make use of them.
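As an added example (not code from the TLS provider or its documentation), the following TypeScript scans a Terraform state document for tlsPrivateKey instances whose key material is present in plaintext, reporting whether Terraform has flagged each attribute as sensitive. It assumes the Terraform state v4 JSON layout (a resources list with per-instance attributes and sensitive_attributes paths) and embeds a constructed sample state with a placeholder PEM body; the empty private_key_openssh value mirrors the P224 limitation described above.

```typescript
// Added example, not code from the TLS provider docs: scan a Terraform state
// (v4 JSON) for tls_private_key instances whose key material is stored in
// plaintext. Sensitivity only masks CLI output; state on disk is not encrypted.
type PathStep = { type: string; value: string };
type Instance = {
  attributes: Record<string, unknown>;
  // Each entry is a path (list of steps); the first step names the top-level attribute.
  sensitive_attributes?: PathStep[][];
};
type Resource = { mode: string; type: string; name: string; instances: Instance[] };

// tls_private_key attributes that carry the secret key itself.
const SECRET_ATTRS = ["private_key_pem", "private_key_pem_pkcs8", "private_key_openssh"];

type Finding = { address: string; attribute: string; markedSensitive: boolean };

function findPlaintextKeys(stateJson: string): Finding[] {
  const state = JSON.parse(stateJson) as { version: number; resources?: Resource[] };
  const findings: Finding[] = [];
  for (const res of state.resources ?? []) {
    if (res.mode !== "managed" || res.type !== "tls_private_key") continue;
    for (const inst of res.instances) {
      // Top-level attribute names Terraform has flagged as sensitive for this instance.
      const sensitive = new Set((inst.sensitive_attributes ?? []).map((p) => p[0]?.value));
      for (const attr of SECRET_ATTRS) {
        const value = inst.attributes[attr];
        // Empty string is what the provider stores for OpenSSH attributes on P224 keys.
        if (typeof value !== "string" || value === "") continue;
        findings.push({ address: `${res.type}.${res.name}`, attribute: attr, markedSensitive: sensitive.has(attr) });
      }
    }
  }
  return findings;
}

// Constructed sample state; the PEM body is a placeholder, not real key material.
const SAMPLE_STATE = JSON.stringify({
  version: 4,
  resources: [{
    mode: "managed", type: "tls_private_key", name: "example",
    instances: [{
      attributes: {
        algorithm: "ECDSA", ecdsa_curve: "P224",
        private_key_pem: "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n",
        private_key_openssh: "",
      },
      sensitive_attributes: [[{ type: "get_attr", value: "private_key_pem" }]],
    }],
  }],
});
```

Running findPlaintextKeys over a real state file (for example one pulled with terraform state pull) gives a quick inventory of which keys would be exposed if that file leaked.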