Creates a PEM (and OpenSSH) formatted private key.
Generates a secure private key and encodes it in PEM (RFC 1421) and OpenSSH PEM (RFC 4716) formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
This is a logical resource, so it contributes only to the current Terraform state and does not create any external managed resources.
# ECDSA key with P384 elliptic curve
resource "tls_private_key" "ecdsa-p384-example" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

# RSA key of size 4096 bits
resource "tls_private_key" "rsa-4096-example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# ED25519 key
resource "tls_private_key" "ed25519-example" {
  algorithm = "ED25519"
}
algorithm (String) Name of the algorithm to use when generating the private key. Currently-supported values are: RSA, ECDSA, ED25519.
ecdsa_curve (String) When algorithm is ECDSA, the name of the elliptic curve to use. Currently-supported values are: P224, P256, P384, P521. (default: P224).
rsa_bits (Number) When algorithm is RSA, the size of the generated RSA key, in bits (default: 2048).
id (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
private_key_openssh (String, Sensitive) Private key data in OpenSSH PEM (RFC 4716) format.
private_key_pem (String, Sensitive) Private key data in PEM (RFC 1421) format.
private_key_pem_pkcs8 (String, Sensitive) Private key data in PKCS#8 PEM (RFC 5208) format.
public_key_fingerprint_md5 (String) The fingerprint of the public key data in OpenSSH MD5 hash format (e.g. aa:bb:cc:...). Only available if the selected private key format is compatible, similarly to public_key_openssh and the ECDSA P224 limitations.
public_key_fingerprint_sha256 (String) The fingerprint of the public key data in OpenSSH SHA256 hash format (e.g. SHA256:...). Only available if the selected private key format is compatible, similarly to public_key_openssh and the ECDSA P224 limitations.
public_key_openssh (String) The public key data in "Authorized Keys" format. This is not populated for ECDSA with curve P224, as it is not supported. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
public_key_pem (String) Public key data in PEM (RFC 1421) format. NOTE: the underlying libraries that generate this value append a \n at the end of the PEM. In case this disrupts your use case, we recommend using trimspace().
Since a private key is a logical resource that lives only in the Terraform state, it will persist until it is explicitly destroyed by the user.
In order to force the generation of a new key within an existing state, the private key instance can be "tainted":
terraform taint tls_private_key.example
A new key will then be generated on the next terraform apply.
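Because the key persists in state until it is destroyed or tainted, it is worth inventorying which keys a state file still holds. The following is an added example, not part of the provider documentation: it reads a state file in the Terraform state version 4 JSON layout and reports each tls_private_key instance that carries private key material, together with the address to pass to terraform taint. The sample state is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the Terraform state v4 JSON layout (placeholder values only).
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"mode": "managed", "type": "tls_private_key", "name": "example",
     "instances": [{"attributes": {"algorithm": "ED25519",
         "private_key_pem": "-----BEGIN PRIVATE KEY-----\n(constructed)\n",
         "public_key_fingerprint_sha256": "SHA256:constructed"}}]},
    {"module": "module.dev", "mode": "managed", "type": "tls_private_key",
     "name": "node", "instances": [{"index_key": 0, "attributes": {
         "algorithm": "ECDSA", "ecdsa_curve": "P224", "private_key_pem": "(constructed)",
         "public_key_fingerprint_sha256": ""}}]},
    {"mode": "managed", "type": "null_resource", "name": "other", "instances": []},
]})

# The attributes this page marks "(String, Sensitive)".
KEY_ATTRS = ("private_key_pem", "private_key_openssh", "private_key_pem_pkcs8")

def address(resource, instance):
    """Build the resource address that `terraform taint` takes."""
    addr = f'{resource["type"]}.{resource["name"]}'
    if resource.get("module"):
        addr = f'{resource["module"]}.{addr}'
    if "index_key" in instance:  # present for count / for_each instances
        addr += f'[{json.dumps(instance["index_key"])}]'
    return addr

def find_persisted_keys(state_json):
    """Return one finding per tls_private_key instance with key material in state."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "tls_private_key":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            present = [a for a in KEY_ATTRS if attrs.get(a)]
            if present:
                findings.append({
                    "address": address(res, inst),
                    "algorithm": attrs.get("algorithm"),
                    "fingerprint": attrs.get("public_key_fingerprint_sha256") or None,
                    "key_attributes": present,  # names only, never the key itself
                })
    return findings

if __name__ == "__main__":
    for f in find_persisted_keys(SAMPLE_STATE):
        print(f"{f['address']} ({f['algorithm']}): terraform taint '{f['address']}'")
```

The report carries attribute names and fingerprints only, so it can be logged or attached to a ticket without copying key material out of the state file.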