TLS Provider

The TLS provider offers utilities for working with Transport Layer Security keys and certificates. It provides resources that let private keys, certificates and certificate signing requests be created as part of a Terraform deployment.

Transport Layer Security is also widely known by its older name, Secure Sockets Layer, or SSL. For the resources managed by this provider, TLS and SSL are equivalent.

This provider is not particularly useful on its own, but it can be used to create certificates and credentials that can then be used with other providers when creating resources that expose TLS services or that themselves provision TLS certificates.

Use the navigation to the left to read about the available resources.

Example Usage

# DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
from constructs import Construct
from cdktf import Token, TerraformStack
#
# Provider bindings are generated by running `cdktf get`.
# See https://cdk.tf/provider-generation for more details.
#
from imports.aws.iam_server_certificate import IamServerCertificate
from imports.tls.private_key import PrivateKey
from imports.tls.self_signed_cert import SelfSignedCert, SelfSignedCertSubject
class MyConvertedCode(TerraformStack):
    def __init__(self, scope, name):
        super().__init__(scope, name)
        example = PrivateKey(self, "example",
            algorithm="ECDSA"
        )
        tls_self_signed_cert_example = SelfSignedCert(self, "example_1",
            allowed_uses=["key_encipherment", "digital_signature", "server_auth"],
            dns_names=["example.com", "example.net"],
            early_renewal_hours=3,
            key_algorithm=example.algorithm,
            private_key_pem=example.private_key_pem,
            subject=SelfSignedCertSubject(
                common_name="example.com",
                organization="ACME Examples, Inc"
            ),
            validity_period_hours=12
        )
        # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
        tls_self_signed_cert_example.override_logical_id("example")
        aws_iam_server_certificate_example = IamServerCertificate(self, "example_2",
            certificate_body=Token.as_string(tls_self_signed_cert_example.cert_pem),
            name="example_self_signed_cert",
            private_key=example.private_key_pem
        )
        # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
        aws_iam_server_certificate_example.override_logical_id("example")

Configuring Proxy

# DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
from constructs import Construct
from cdktf import TerraformStack
#
# Provider bindings are generated by running `cdktf get`.
# See https://cdk.tf/provider-generation for more details.
#
from imports.tls.data_tls_certificate import DataTlsCertificate
from imports.tls.provider import TlsProvider, TlsProviderProxy
class MyConvertedCode(TerraformStack):
    def __init__(self, scope, name):
        super().__init__(scope, name)
        TlsProvider(self, "tls",
            proxy=TlsProviderProxy(
                url="https://corporate.proxy.service"
            )
        )
        DataTlsCertificate(self, "test",
            url="https://example.com"
        )

# DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
from constructs import Construct
from cdktf import TerraformStack
#
# Provider bindings are generated by running `cdktf get`.
# See https://cdk.tf/provider-generation for more details.
#
from imports.tls.data_tls_certificate import DataTlsCertificate
from imports.tls.provider import TlsProvider, TlsProviderProxy
class MyConvertedCode(TerraformStack):
    def __init__(self, scope, name):
        super().__init__(scope, name)
        TlsProvider(self, "tls",
            proxy=TlsProviderProxy(
                from_env=True
            )
        )
        DataTlsCertificate(self, "test",
            url="https://example.com"
        )

Schema

Optional

Nested Schema for proxy

Optional:

Limitations

ECDSA with P224 elliptic curve

When using ECDSA with P224, all the (computed) attributes that relate to OpenSSH will have the value "" (empty string). This applies to every resource and data source offered by this provider that exposes such attributes, such as the tls_private_key resource and the tls_public_key data source.

The attributes affected are:

This is because the SSH ECC Algorithm Integration (RFC 5656) restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
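To make the RFC 5656 restriction concrete, the following added example (not part of the provider) builds the OpenSSH public-key line for an ECDSA key from its curve name and affine coordinates, returning "" for any curve outside nistp256/384/521, exactly the behaviour described above for P224. The coordinate values are constructed for the demo and are not a verified point on the curve.

```python
import base64
import struct

# RFC 5656 names the only three curves with an OpenSSH key type ("ecdsa-sha2-<curve>").
RFC5656_CURVES = {"P256": "nistp256", "P384": "nistp384", "P521": "nistp521"}
# Byte length of one affine coordinate, ceil(field bits / 8), for each curve.
COORD_BYTES = {"P224": 28, "P256": 32, "P384": 48, "P521": 66}

# Constructed sample coordinates for the demo below (not a verified point on the curve).
SAMPLE_X, SAMPLE_Y = 0x1234, 0xABCD


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def openssh_ecdsa_public_key(curve: str, x: int, y: int, comment: str = "") -> str:
    """Build the authorized_keys line for an ECDSA public key, or return "" when the
    curve has no RFC 5656 identifier, which mirrors what the provider's OpenSSH
    attributes do for P224."""
    ident = RFC5656_CURVES.get(curve)
    if ident is None:
        return ""
    n = COORD_BYTES[curve]
    # Q is the SEC1 uncompressed point encoding: 0x04 || X || Y
    q = b"\x04" + x.to_bytes(n, "big") + y.to_bytes(n, "big")
    key_type = "ecdsa-sha2-" + ident
    blob = ssh_string(key_type.encode()) + ssh_string(ident.encode()) + ssh_string(q)
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_openssh_ecdsa_public_key(line: str) -> dict:
    """Inverse of the above: split the base64 blob back into its three SSH strings."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    assert fields[0].decode() == key_type, "key type prefix and blob disagree"
    return {"type": key_type, "curve": fields[1].decode(), "point": fields[2]}


if __name__ == "__main__":
    for curve in ("P224", "P256"):
        print(curve, repr(openssh_ecdsa_public_key(curve, SAMPLE_X, SAMPLE_Y)))
```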

Secrets and Terraform state

Some resources that can be created with this provider, like tls_private_key, are considered "secrets", and as such are marked by this provider as _sensitive_, to help practitioners avoid accidentally leaking their value in logs or other forms of output.

It's important to remember that the values that constitute the "state" of those resources will be stored in the Terraform state file. This includes the "secrets", which will be part of the state file unencrypted.

Because of these limitations, using these resources for production deployments is _not_ recommended. If you use them anyway, protecting the content of the state file is strongly recommended.

The more general advice is that it's better to generate "secrets" outside of Terraform, and then distribute them securely to the systems where Terraform will make use of them.
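Because the sensitive flag only redacts plan and apply output, a practitioner still needs to know which private keys ended up in the state file. The following added example (not part of the provider) scans a Terraform state document and reports every resource attribute holding a private key, including keys that the Example Usage above copies into an aws_iam_server_certificate. The state shown is constructed for the demo, and the set of sensitive attribute names is an assumption of the example rather than the provider's authoritative schema.

```python
import json

# Attribute names the tls provider marks as sensitive. Treat this set as an assumption
# of the example; check the provider's schema for the authoritative list.
SENSITIVE_ATTRS = {"private_key_pem", "private_key_openssh", "private_key_pem_pkcs8"}

# Constructed Terraform state (format version 4) mirroring the Example Usage above:
# a tls_private_key whose key is reused by a cert and an IAM server certificate.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "tls_private_key", "name": "example",
         "instances": [{"attributes": {
             "algorithm": "ECDSA", "ecdsa_curve": "P256",
             "private_key_pem": "-----BEGIN EC PRIVATE KEY-----\nMHcC...\n-----END EC PRIVATE KEY-----\n",
             "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMFkw...\n-----END PUBLIC KEY-----\n"}}]},
        {"mode": "managed", "type": "tls_self_signed_cert", "name": "example",
         "instances": [{"attributes": {
             "cert_pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
             "private_key_pem": "-----BEGIN EC PRIVATE KEY-----\nMHcC...\n-----END EC PRIVATE KEY-----\n"}}]},
        {"mode": "managed", "type": "aws_iam_server_certificate", "name": "example",
         "instances": [{"attributes": {
             "name": "example_self_signed_cert",
             "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcC...\n-----END EC PRIVATE KEY-----\n"}}]},
    ],
})


def find_plaintext_secrets(state_json: str) -> list:
    """Return (resource address, attribute) for every private key stored in state.
    Terraform's sensitive flag only redacts plan/apply output; the state file still
    holds the value in clear, so anything listed here needs state-level protection."""
    hits = []
    for res in json.loads(state_json).get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for key, value in inst.get("attributes", {}).items():
                if key in SENSITIVE_ATTRS and value:
                    hits.append((address, key))
                elif isinstance(value, str) and "PRIVATE KEY-----" in value:
                    # Catches keys copied into other providers' resources, e.g. the
                    # aws_iam_server_certificate.private_key argument used above.
                    hits.append((address, key))
    return hits


if __name__ == "__main__":
    for address, attr in find_plaintext_secrets(SAMPLE_STATE):
        print(f"plaintext secret in state: {address}.{attr}")
```

Run it against a real state file with `find_plaintext_secrets(open("terraform.tfstate").read())`; an empty result is the condition to aim for before a state backend without encryption at rest is acceptable.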