Resource: aws_acm_certificate

The ACM certificate resource allows requesting and managing certificates from the Amazon Certificate Manager.

ACM certificates can be created in three ways: Amazon-issued, where AWS provides the certificate authority and automatically manages renewal; imported certificates, issued by another certificate authority; and private certificates, issued using an ACM Private Certificate Authority.

Amazon-Issued Certificates

For Amazon-issued certificates, this resource deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use an aws_acm_certificate_validation resource for this.

Most commonly, this resource is used together with aws_route53_record and aws_acm_certificate_validation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through email is also supported but should be avoided as it requires a manual step outside of Terraform.

It's recommended to specify create_before_destroy = true in a lifecycle block to replace a certificate which is currently in use (e.g., by aws_lb_listener).

Certificates Imported from Other Certificate Authority

Imported certificates can be used to make certificates created with an external certificate authority available for AWS services.

As they are not managed by AWS, imported certificates are not eligible for automatic renewal. New certificate materials can be supplied to an existing imported certificate to update it in place.

Private Certificates

Private certificates are issued by an ACM Private Certificate Authority, which can be created using the resource type aws_acmpca_certificate_authority.

Private certificates created using this resource are eligible for managed renewal if they have been exported or associated with another AWS service. See the managed renewal documentation for more information. By default, a certificate is valid for 395 days and the managed renewal process will start 60 days before expiration. To renew the certificate earlier than 60 days before expiration, configure early_renewal_duration.
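The following configuration is an added example, not one from the provider documentation: it requests a private certificate from an ACM Private CA that is assumed to already exist and be active (referenced through the aws_acmpca_certificate_authority data source with a placeholder ARN), and moves the managed renewal window from the default 60 days to 90 days before expiry. The resource names, the domain and the placeholder ARN are assumptions; the RFC 3339 duration form used for early_renewal_duration is the provider's documented syntax, quoted here from memory rather than from this page.

```hcl
# Added example (not from the provider docs). Assumes an existing, activated
# ACM Private CA; the ARN below is a placeholder, not a real resource.
data "aws_acmpca_certificate_authority" "internal" {
  arn = "arn:aws:acm-pca:REGION:ACCOUNT_ID:certificate-authority/PLACEHOLDER-CA-ID"
}

resource "aws_acm_certificate" "internal" {
  domain_name               = "api.internal.example.com"
  certificate_authority_arn = data.aws_acmpca_certificate_authority.internal.arn

  # Managed renewal only runs for certificates that ACM has exported or that
  # are associated with an AWS service (e.g. a load balancer listener). With
  # the 395-day default validity, this starts renewal 90 days before expiry
  # instead of the default 60. Duration syntax (P90D) is the provider's
  # documented RFC 3339 subset; treat it as an assumption if your provider
  # version differs.
  early_renewal_duration = "P90D"

  lifecycle {
    # A replacement certificate is issued before the old one is destroyed,
    # so a consumer such as aws_lb_listener is never left without one.
    create_before_destroy = true
  }
}
```

When the certificate is only used by something outside AWS (and therefore neither exported by ACM nor associated with an AWS service), the early_renewal_duration setting has no effect: managed renewal does not run, and the certificate simply expires after its validity period.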

Example Usage

Create Certificate

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Environment = "test"
  }

  lifecycle {
    create_before_destroy = true
  }
}

Custom Domain Validation Options

resource "aws_acm_certificate" "cert" {
  domain_name       = "testing.example.com"
  validation_method = "EMAIL"

  validation_option {
    domain_name       = "testing.example.com"
    validation_domain = "example.com"
  }
}

Existing Certificate Body Import

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

resource "aws_acm_certificate" "cert" {
  private_key      = tls_private_key.example.private_key_pem
  certificate_body = tls_self_signed_cert.example.cert_pem
}
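The self-signed example above is convenient for a test, but the usual import case is a certificate issued by an external CA, with its intermediate chain. The configuration below is an added example, not from the provider documentation; the file paths are assumptions. Because the private key is an argument of the resource, it is recorded in Terraform state, so the state backend needs the same access controls as the key itself.

```hcl
# Added example (not from the provider docs): import an externally issued
# certificate from PEM files. Paths are assumptions; certificate_chain carries
# the intermediate CA certificate(s) so clients can build a trusted path.
resource "aws_acm_certificate" "imported" {
  private_key       = file("${path.module}/certs/example.com.key")
  certificate_body  = file("${path.module}/certs/example.com.crt")
  certificate_chain = file("${path.module}/certs/intermediate.crt")

  tags = {
    Environment = "prod"
    Source      = "external-ca"
  }
}
```

Replacing the three files with freshly issued material and re-applying updates the existing certificate in place under the same ARN, which is how renewal of an imported certificate is done, since ACM will not renew it automatically. The private key is marked sensitive by the provider and therefore hidden in plan output, but it is still stored in plaintext in state.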

Referencing domain_validation_options With for_each Based Resources

See the aws_acm_certificate_validation resource for a full example of performing DNS validation.

resource "aws_route53_record" "example" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.example.zone_id
}
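The snippet above shows only the Route 53 half of the pattern described earlier (request a DNS-validated certificate, publish the validation records, wait for issuance, then attach the certificate). The configuration below is an added example that is not part of the provider documentation; it wires all three resources together and hands the result to an HTTPS listener. The zone name, resource names and the aws_lb / aws_lb_target_group references are assumptions (the load balancer and target group are assumed to be defined elsewhere in the same configuration).

```hcl
# Added example (not from the provider docs): complete DNS validation flow.
# Assumes a public hosted zone for example.com and an aws_lb / aws_lb_target_group
# declared elsewhere.
data "aws_route53_zone" "example" {
  name         = "example.com."
  private_zone = false
}

resource "aws_acm_certificate" "example" {
  domain_name               = "example.com"
  subject_alternative_names = ["www.example.com"]
  validation_method         = "DNS"

  lifecycle {
    # Issue the replacement before the in-use certificate is destroyed so the
    # listener below never points at a deleted certificate.
    create_before_destroy = true
  }
}

# One validation CNAME per validated name. Keying the map on domain_name keeps
# the plan stable when SANs are added or removed, unlike a positional index.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.example.zone_id
}

# Blocks until ACM has seen the records and the certificate is ISSUED.
resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = aws_acm_certificate.example.arn
  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
}

# Reference the ARN through the validation resource rather than the certificate
# itself, so the listener is created only after issuance.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn # assumed to exist elsewhere
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.example.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn # assumed to exist elsewhere
  }
}
```

Two details matter for a clean apply. First, the validation records must be created in the zone that is authoritative for each name, so a SAN in a different zone needs its own zone lookup and record. Second, taking certificate_arn from aws_acm_certificate_validation instead of aws_acm_certificate is what makes the dependency explicit; pointing the listener directly at the certificate resource can attempt to attach a certificate that is still PENDING_VALIDATION.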

Argument Reference

This resource supports the following arguments:

options Configuration Block

Supported nested arguments for the options configuration block:

validation_option Configuration Block

Supported nested arguments for the validation_option configuration block:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Domain validation objects export the following attributes:

Renewal summary objects export the following attributes:

Import

In Terraform v1.5.0 and later, use an import block to import certificates using their ARN. For example:

import {
  to = aws_acm_certificate.cert
  id = "arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a"
}

Using terraform import, import certificates using their ARN. For example:

% terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a