The TLS provider offers utilities for working with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certificate requests to be created as part of a Terraform deployment.
Transport Layer Security is the successor to Secure Sockets Layer (SSL), and the two names are commonly used interchangeably. TLS and SSL are equivalent when considering the resources managed by this provider: the keys and X.509 certificates it produces are the same material either way.
This provider is not particularly useful on its own, but it can be used to create certificates and credentials that can then be used with other providers when creating resources that expose TLS services or that themselves provision TLS certificates.
```typescript
// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { Token, TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { IamServerCertificate } from "./.gen/providers/aws/iam-server-certificate";
import { PrivateKey } from "./.gen/providers/tls/private-key";
import { SelfSignedCert } from "./.gen/providers/tls/self-signed-cert";

class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // The private key is generated by Terraform itself and therefore
    // written to the state file (see the note on secrets below).
    const example = new PrivateKey(this, "example", {
      algorithm: "ECDSA",
    });
    const tlsSelfSignedCertExample = new SelfSignedCert(this, "example_1", {
      // Reasonable set of uses for a server TLS certificate.
      allowedUses: ["key_encipherment", "digital_signature", "server_auth"],
      dnsNames: ["example.com", "example.net"],
      // Generate a new certificate if Terraform is run within three
      // hours of the certificate's expiration time.
      earlyRenewalHours: 3,
      keyAlgorithm: example.algorithm,
      privateKeyPem: example.privateKeyPem,
      subject: {
        commonName: "example.com",
        organization: "ACME Examples, Inc",
      },
      validityPeriodHours: 12,
    });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    tlsSelfSignedCertExample.overrideLogicalId("example");
    // Upload the certificate and its private key to AWS IAM. The private key
    // now appears in state a second time, in this resource's attributes.
    const awsIamServerCertificateExample = new IamServerCertificate(
      this,
      "example_2",
      {
        certificateBody: Token.asString(tlsSelfSignedCertExample.certPem),
        name: "example_self_signed_cert",
        privateKey: example.privateKeyPem,
      }
    );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsIamServerCertificateExample.overrideLogicalId("example");
  }
}
```
```typescript
// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
import { TlsProvider } from "./.gen/providers/tls/provider";

class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // Route the outbound connections made by this provider's resources and
    // data sources through an explicitly configured proxy.
    new TlsProvider(this, "tls", {
      proxy: {
        url: "https://corporate.proxy.service",
      },
    });
    // Fetches the certificate chain presented by https://example.com at
    // plan/apply time, via the proxy configured above.
    new DataTlsCertificate(this, "test", {
      url: "https://example.com",
    });
  }
}
```
```typescript
// DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/*
 * Provider bindings are generated by running `cdktf get`.
 * See https://cdk.tf/provider-generation for more details.
 */
import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
import { TlsProvider } from "./.gen/providers/tls/provider";

class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // Discover the proxy from HTTP_PROXY, HTTPS_PROXY and NO_PROXY (and
    // their lowercase forms), as Go's http.ProxyFromEnvironment does.
    new TlsProvider(this, "tls", {
      proxy: {
        fromEnv: true,
      },
    });
    new DataTlsCertificate(this, "test", {
      url: "https://example.com",
    });
  }
}
```
proxy (Block List) Proxy used by resources and data sources that connect to external endpoints. (see below for nested schema)

Nested schema for proxy

Optional:

- fromEnv (Boolean) When true, the provider will discover the proxy configuration from environment variables. This is based upon http.ProxyFromEnvironment and it supports the same environment variables (default: true).
- password (String, Sensitive) Password used for Basic authentication against the Proxy.
- url (String) URL used to connect to the Proxy. Accepted schemes are: http, https, socks5.
- username (String) Username (or Token) used for Basic authentication against the Proxy.

ecdsa with p224 elliptic curve

When using ecdsa with p224, all the (computed) attributes that have to do with OpenSSH will have a value of "" (empty string). This applies to different resources and data sources offered by this provider, like the tlsPrivateKey resource or the tlsPublicKey data source.

The attributes affected are:

- publicKeyOpenssh
- privateKeyOpenssh
- publicKeyFingerprintMd5
- publicKeyFingerprintSha256

This is because the SSH ECC Algorithm Integration (RFC 5656) restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
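To make the RFC 5656 restriction concrete, the following is an added Node/TypeScript example (not code from the provider or its documentation) that derives the three OpenSSH public-key attributes from an EC key the way the SSH wire format prescribes: the `ecdsa-sha2-nistpXXX` key line, its legacy MD5 fingerprint and its SHA-256 fingerprint. The curve gate mirrors the provider's behaviour described above: a key on a curve that has no SSH identifier (P-224, named `secp224r1` by OpenSSL and `P224` by the provider's `ecdsaCurve` argument) yields empty strings rather than an invalid key line. The function names, and the choice to recover the uncompressed point from the tail of the SPKI DER encoding, are assumptions made for this example.

```typescript
// Added example, not the provider's code: derive the OpenSSH public-key
// attributes from an EC key and apply the RFC 5656 curve restriction.
import * as crypto from "crypto";

// Curves RFC 5656 gives an SSH identifier, keyed by the OpenSSL curve name
// that Node reports in asymmetricKeyDetails.namedCurve. P-224 (secp224r1)
// is deliberately absent: there is no "nistp224" key type.
const SSH_CURVES: Record<string, { sshName: string; coordBytes: number }> = {
  prime256v1: { sshName: "nistp256", coordBytes: 32 },
  secp384r1: { sshName: "nistp384", coordBytes: 48 },
  secp521r1: { sshName: "nistp521", coordBytes: 66 },
};

export interface OpensshAttributes {
  publicKeyOpenssh: string; // "ecdsa-sha2-nistp256 AAAA..." line
  publicKeyFingerprintMd5: string; // "ab:cd:..." legacy colon-hex format
  publicKeyFingerprintSha256: string; // "SHA256:<base64 without padding>"
}

const EMPTY: OpensshAttributes = {
  publicKeyOpenssh: "",
  publicKeyFingerprintMd5: "",
  publicKeyFingerprintSha256: "",
};

// SSH wire "string": 4-byte big-endian length followed by the bytes (RFC 4251).
function sshString(b: Buffer): Buffer {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(b.length, 0);
  return Buffer.concat([len, b]);
}

export function opensshAttributes(publicKey: crypto.KeyObject): OpensshAttributes {
  if (publicKey.asymmetricKeyType !== "ec") return EMPTY;
  const spec = SSH_CURVES[publicKey.asymmetricKeyDetails?.namedCurve ?? ""];
  // Unsupported curve (e.g. P-224): return empty strings, as the provider does.
  if (!spec) return EMPTY;
  // The SPKI DER encoding ends with the uncompressed point 0x04 || X || Y,
  // each coordinate padded to the field size, so take it from the tail.
  const der = publicKey.export({ type: "spki", format: "der" }) as Buffer;
  const q = der.subarray(der.length - (1 + 2 * spec.coordBytes));
  if (q[0] !== 0x04) throw new Error("expected an uncompressed EC point");
  const keyType = `ecdsa-sha2-${spec.sshName}`;
  // RFC 5656 section 3.1: string "ecdsa-sha2-[identifier]", string [identifier], string Q.
  const blob = Buffer.concat([
    sshString(Buffer.from(keyType)),
    sshString(Buffer.from(spec.sshName)),
    sshString(q),
  ]);
  const md5 = crypto.createHash("md5").update(blob).digest("hex").match(/.{2}/g)!.join(":");
  const sha256 = crypto.createHash("sha256").update(blob).digest("base64").replace(/=+$/, "");
  return {
    publicKeyOpenssh: `${keyType} ${blob.toString("base64")}`,
    publicKeyFingerprintMd5: md5,
    publicKeyFingerprintSha256: `SHA256:${sha256}`,
  };
}

// Generates a fresh key for trying the above. The OpenSSL names prime256v1,
// secp384r1, secp521r1 and secp224r1 correspond to the provider's ecdsa_curve
// values P256, P384, P521 and P224.
export function generateEcPublicKey(namedCurve: string): crypto.KeyObject {
  return crypto.generateKeyPairSync("ec", { namedCurve }).publicKey;
}
```

Running `opensshAttributes(generateEcPublicKey("prime256v1"))` produces a line that `ssh-keygen -l -f` accepts, while `generateEcPublicKey("secp224r1")` produces the same empty strings the provider reports for `ecdsaCurve: "P224"`.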
Some resources that can be created with this provider, like tlsPrivateKey, are considered "secrets", and as such are marked by this provider as _sensitive_, to help practitioners avoid accidentally leaking their value in logs or other forms of output.
It's important to remember that the values that constitute the "state" of those resources will be stored in the Terraform state file. This includes the "secrets", which will be part of the state file unencrypted: the sensitive marking only redacts values from plan and apply output, it does not encrypt them at rest.
Because of these limitations, use of these resources for production deployments is _not_ recommended. If they are used anyway, protecting the content of the state file (access control on the backend and encryption at rest) is strongly recommended.
The more general advice is that it's better to generate "secrets" outside of Terraform, and then distribute them securely to the system where Terraform will make use of them.
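As an added check (not part of the provider or its documentation), the following Node/TypeScript script walks a Terraform state file in format version 4 (what `terraform state pull` emits) and reports every attribute that holds a PEM-encoded private key, regardless of whether the provider marked it sensitive. The sample state is constructed inline with placeholder PEM bodies, not real keys, and mirrors the self-signed certificate example above, where the key lands in state twice: once in `tls_private_key.example` and again in `aws_iam_server_certificate.example`. Function and type names are choices made for this example.

```typescript
// Added example, not part of the TLS provider: find private keys stored in
// plaintext in a Terraform state file.
import * as fs from "fs";

interface StateInstance {
  attributes?: Record<string, unknown>;
  sensitive_attributes?: unknown[];
}
interface StateResource {
  module?: string;
  mode: "managed" | "data";
  type: string;
  name: string;
  instances?: StateInstance[];
}
export interface TerraformState {
  version: number;
  resources?: StateResource[];
}

export interface StateFinding {
  address: string; // resource address, e.g. tls_private_key.example
  attribute: string; // path of the attribute inside the instance
  label: string; // PEM label found, e.g. "EC PRIVATE KEY"
}

// Any PEM envelope whose label ends in PRIVATE KEY: PKCS#1 ("RSA PRIVATE KEY"),
// SEC1 ("EC PRIVATE KEY"), PKCS#8 ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY") and
// OpenSSH ("OPENSSH PRIVATE KEY"). Certificates and public keys are not matched.
const PRIVATE_KEY_PEM = /-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----/;

// Recursively visit every string in an attribute tree, recording PEM hits.
function walk(value: unknown, path: string, hits: { path: string; label: string }[]): void {
  if (typeof value === "string") {
    const m = PRIVATE_KEY_PEM.exec(value);
    if (m) hits.push({ path, label: m[1] });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      walk(v, path === "" ? k : `${path}.${k}`, hits);
    }
  }
}

export function findPrivateKeysInState(state: TerraformState): StateFinding[] {
  const findings: StateFinding[] = [];
  for (const res of state.resources ?? []) {
    const prefix = (res.module ? `${res.module}.` : "") + (res.mode === "data" ? "data." : "");
    const address = `${prefix}${res.type}.${res.name}`;
    for (const inst of res.instances ?? []) {
      const hits: { path: string; label: string }[] = [];
      walk(inst.attributes ?? {}, "", hits);
      for (const h of hits) findings.push({ address, attribute: h.path, label: h.label });
    }
  }
  return findings;
}

// Convenience wrapper for a state file on disk, e.g. the output of `terraform state pull`.
export function scanStateFile(path: string): StateFinding[] {
  return findPrivateKeysInState(JSON.parse(fs.readFileSync(path, "utf8")) as TerraformState);
}

// Constructed sample state (placeholder PEM bodies, not real keys) mirroring the
// self-signed certificate example: tls_private_key -> tls_self_signed_cert
// -> aws_iam_server_certificate.
const PLACEHOLDER = "...constructed placeholder, not a real key...";
const pem = (label: string) => `-----BEGIN ${label}-----\n${PLACEHOLDER}\n-----END ${label}-----\n`;
export const SAMPLE_STATE: TerraformState = {
  version: 4,
  resources: [
    {
      mode: "managed", type: "tls_private_key", name: "example",
      instances: [{
        attributes: {
          algorithm: "ECDSA",
          private_key_pem: pem("EC PRIVATE KEY"),
          private_key_openssh: pem("OPENSSH PRIVATE KEY"),
          public_key_pem: pem("PUBLIC KEY"),
        },
        // "sensitive" only redacts CLI output; the values above are still plaintext.
        sensitive_attributes: [[{ type: "get_attr", value: "private_key_pem" }]],
      }],
    },
    {
      mode: "managed", type: "tls_self_signed_cert", name: "example",
      instances: [{ attributes: { cert_pem: pem("CERTIFICATE") } }],
    },
    {
      mode: "managed", type: "aws_iam_server_certificate", name: "example",
      instances: [{ attributes: { name: "example_self_signed_cert", private_key: pem("EC PRIVATE KEY") } }],
    },
  ],
};
```

On the sample state this reports three findings: `private_key_pem` and `private_key_openssh` on `tls_private_key.example`, and `private_key` on `aws_iam_server_certificate.example`; the certificate and public key are skipped. A call such as `scanStateFile("terraform.tfstate")` in CI, failing the job when the result is non-empty, is a cheap guard against the state-file exposure this section warns about.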