Creates a self-signed TLS certificate in PEM (RFC 1421) format.

## Example Usage

```terraform
resource "tls_self_signed_cert" "example" {
  private_key_pem = file("private_key.pem")

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}
```
## Schema

### Required

- `allowed_uses` (List of String) List of key usages allowed for the issued certificate. Values are defined in RFC 5280 and combine flags defined by both Key Usages and Extended Key Usages. Accepted values: `any_extended`, `cert_signing`, `client_auth`, `code_signing`, `content_commitment`, `crl_signing`, `data_encipherment`, `decipher_only`, `digital_signature`, `email_protection`, `encipher_only`, `ipsec_end_system`, `ipsec_tunnel`, `ipsec_user`, `key_agreement`, `key_encipherment`, `microsoft_commercial_code_signing`, `microsoft_kernel_code_signing`, `microsoft_server_gated_crypto`, `netscape_server_gated_crypto`, `ocsp_signing`, `server_auth`, `timestamping`.
- `private_key_pem` (String, Sensitive) Private key in PEM (RFC 1421) format that the certificate will belong to. This can be read from a separate file using the `file` interpolation function.
- `validity_period_hours` (Number) Number of hours, after initial issuing, that the certificate will remain valid for.

### Optional

- `dns_names` (List of String) List of DNS names for which a certificate is being requested (i.e. certificate subjects).
- `early_renewal_hours` (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: `0`)
- `ip_addresses` (List of String) List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
- `is_ca_certificate` (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: `false`).
- `set_authority_key_id` (Boolean) Should the generated certificate include an authority key identifier: for self-signed certificates this is the same value as the subject key identifier (default: `false`).
- `set_subject_key_id` (Boolean) Should the generated certificate include a subject key identifier (default: `false`).
- `subject` (Block List) The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon the Issuer Distinguished Names section of RFC 5280. (see below for nested schema)
- `uris` (List of String) List of URIs for which a certificate is being requested (i.e. certificate subjects).

### Read-Only

- `cert_pem` (String) Certificate data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using `trimspace()`.
- `id` (String) Unique identifier for this resource: the certificate serial number.
- `key_algorithm` (String) Name of the algorithm used when generating the private key provided in `private_key_pem`.
- `ready_for_renewal` (Boolean) Is the certificate either expired (i.e. beyond the `validity_period_hours`) or ready for an early renewal (i.e. within the `early_renewal_hours`)?
- `validity_end_time` (String) The time until which the certificate is valid, expressed as an RFC3339 timestamp.
- `validity_start_time` (String) The time after which the certificate is valid, expressed as an RFC3339 timestamp.

### Nested Schema for `subject`

Optional:

- `common_name` (String) Distinguished name: `CN`
- `country` (String) Distinguished name: `C`
- `locality` (String) Distinguished name: `L`
- `organization` (String) Distinguished name: `O`
- `organizational_unit` (String) Distinguished name: `OU`
- `postal_code` (String) Distinguished name: `PC`
- `province` (String) Distinguished name: `ST`
- `serial_number` (String) Distinguished name: `SERIALNUMBER`
- `street_address` (List of String) Distinguished name: `STREET`
## Automatic Renewal

This resource considers its instances to have been deleted after either their validity period ends (i.e. beyond the `validity_period_hours`) or the early renewal period is reached (i.e. within the `early_renewal_hours`): when this happens, the `ready_for_renewal` attribute will be `true`. At this time, applying the Terraform configuration will cause a new certificate to be generated for the instance.

Therefore, in a development environment with frequent deployments it may be convenient to set a relatively short expiration time and use early renewal to automatically provision a new certificate when the current one is about to expire.

The creation of a new certificate may of course cause dependent resources to be updated or replaced, depending on the lifecycle rules applying to those resources.
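The `allowed_uses` list, the validity window and the `ready_for_renewal` rule described above are easiest to see by building the same kind of certificate directly with Go's `crypto/x509`, which is all a self-signed certificate amounts to underneath. The following is an added example, not the provider's own code: it assumes an in-memory P-256 key in place of `private_key_pem`, maps only a subset of the `allowed_uses` names onto `crypto/x509` constants, uses a constructed issue time so the output is reproducible, and reimplements the renewal rule as `ReadyForRenewal` from the description in this page rather than from the provider's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// allowed_uses names mapped onto crypto/x509 constants for the RFC 5280 Key Usage
// bits and Extended Key Usage OIDs (assumption: only a subset is mapped here).
var keyUsageFlags = map[string]x509.KeyUsage{
	"digital_signature":  x509.KeyUsageDigitalSignature,
	"content_commitment": x509.KeyUsageContentCommitment,
	"key_encipherment":   x509.KeyUsageKeyEncipherment,
	"key_agreement":      x509.KeyUsageKeyAgreement,
	"cert_signing":       x509.KeyUsageCertSign,
}

var extKeyUsageFlags = map[string]x509.ExtKeyUsage{
	"server_auth":  x509.ExtKeyUsageServerAuth,
	"client_auth":  x509.ExtKeyUsageClientAuth,
	"code_signing": x509.ExtKeyUsageCodeSigning,
	"ocsp_signing": x509.ExtKeyUsageOCSPSigning,
}

// NewKey generates the P-256 key that stands in for private_key_pem here.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SelfSignedCertPEM issues a certificate for key, signed with that same key, and
// returns it PEM-encoded (the shape of cert_pem). Unknown allowed_uses names are rejected.
func SelfSignedCertPEM(key *ecdsa.PrivateKey, commonName string, dnsNames []string,
	validityHours int, allowedUses []string, notBefore time.Time) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		DNSNames:              dnsNames,
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(validityHours) * time.Hour),
		BasicConstraintsValid: true, // CA:FALSE, i.e. is_ca_certificate at its default
	}
	for _, u := range allowedUses {
		if ku, ok := keyUsageFlags[u]; ok {
			tmpl.KeyUsage |= ku
		} else if eku, ok := extKeyUsageFlags[u]; ok {
			tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, eku)
		} else {
			return nil, fmt.Errorf("unsupported allowed_uses value %q", u)
		}
	}
	// Self-signed: the template is its own parent and the subject key also signs.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCertPEM decodes a cert_pem value back into a parsed certificate.
func ParseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ReadyForRenewal reproduces the ready_for_renewal rule: true once now is within
// earlyRenewalHours of validityEnd, or already past it.
func ReadyForRenewal(now, validityEnd time.Time, earlyRenewalHours int) bool {
	return !now.Before(validityEnd.Add(-time.Duration(earlyRenewalHours) * time.Hour))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	certPEM, err := SelfSignedCertPEM(key, "example.com", []string{"example.com"}, 12,
		[]string{"key_encipherment", "digital_signature", "server_auth"}, issued)
	if err != nil {
		panic(err)
	}
	cert, err := ParseCertPEM(certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid %s to %s; KeyUsage=%#x ExtKeyUsage=%v; ready_for_renewal(+11h, early=2)=%v\n",
		cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339),
		cert.KeyUsage, cert.ExtKeyUsage, ReadyForRenewal(issued.Add(11*time.Hour), cert.NotAfter, 2))
}
```

Two details worth noticing: `pem.EncodeToMemory` ends its output with a newline, which is the trailing `\n` the `cert_pem` note refers to, and the example rejects an unknown `allowed_uses` name instead of silently dropping it, so a typo cannot yield a certificate with fewer usages than the configuration intended. The `ReadyForRenewal` check also shows why the old certificate stays valid: the rule only compares clocks, and nothing about the certificate itself changes when it becomes true.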