aws.acm-certificate resource

Description

Certificate manages an ACM certificate created by one of two paths chosen by which fields are set. With domain-name set, RequestCertificate issues an Amazon-managed certificate (validated by DNS or email) or, with certificate-authority-arn, a certificate signed by a private CA. With private-key set instead, ImportCertificate brings in an externally issued certificate from its PEM body, private key, and optional chain. The domain identity, key algorithm, alternative names, validation method, and validation options are fixed at creation, so a change to any of them replaces the certificate; the imported material and the transparency-logging option are reconciled in place. After create, and after a re-import, the resource waits until ACM assigns the DNS validation records and returns them as domain-validation-options, the value a downstream validation resource reads.

Source: internal/service/acm/certificate_rsrc.go:39

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.acm-certificate {
    # Set input fields here.
  }
}

Inputs

domain-name

optional(string)

DomainName is the fully qualified domain the certificate secures. Setting it selects request mode. ACM rejects a name ending in a dot.

certificate-authority-arn

optional(string)

CertificateAuthorityArn issues the certificate from a private CA instead of from Amazon's public CA. Must be a valid ACM PCA ARN.

key-algorithm

optional(string)

subject-alternative-names

list(string)

SubjectAlternativeNames are additional domains the certificate covers. Each is 1 to 253 characters and may not end in a dot. ACM also adds domain-name to this set server-side, so the read-back output includes it.

validation-method

optional(string)

validation-option

list(object)
list(
  object({
    domain-name: string
    validation-domain: string
  })
)

ValidationOption sets the email domain for email validation of each named domain. It is fixed at creation.

options

optional(object)
optional(
  object({
    certificate-transparency-logging-preference: optional(string)
    export: optional(string)
  })
)

Options holds the transparency-logging and export preferences. It is set at creation; the transparency preference is reconciled in place by UpdateCertificateOptions, while the export preference is create-only.

certificate-body

optional(string)

CertificateBody is the PEM-encoded certificate to import. Setting it selects import mode and requires private-key.

private-key

optional(string)

sensitive

PrivateKey is the PEM-encoded private key matching the imported certificate. Setting it selects import mode.

certificate-chain

optional(string)

CertificateChain is the PEM-encoded chain of intermediate certificates for an imported certificate.

tags

map(string)

Input Constraints

Field combinations

Exactly one of domain-name or private-key.

Forbidden together: private-key, domain-name, certificate-authority-arn, key-algorithm, subject-alternative-names, validation-method, validation-option, and options.

Forbidden together: domain-name, certificate-body, private-key, and certificate-chain.

Required together: certificate-body and private-key.

Forbidden together: certificate-authority-arn and validation-method.

Domain name rules

A domain-name request requires certificate-authority-arn or validation-method.

Rule logic
When
input.domain-name != null
Require
input.certificate-authority-arn != null
|| input.validation-method != null

Validation method rules

validation-method must be DNS or EMAIL.

Rule logic
When
input.validation-method != null
Require
input.validation-method == 'DNS'
|| input.validation-method == 'EMAIL'

Key algorithm rules

key-algorithm must be a valid ACM key algorithm.

Rule logic
When
input.key-algorithm != null
Require
input.key-algorithm == 'RSA_1024'
|| input.key-algorithm == 'RSA_2048'
|| input.key-algorithm == 'RSA_3072'
|| input.key-algorithm == 'RSA_4096'
|| input.key-algorithm == 'EC_prime256v1'
|| input.key-algorithm == 'EC_secp384r1'
|| input.key-algorithm == 'EC_secp521r1'

Options rules

options certificate-transparency-logging-preference must be ENABLED or DISABLED.

Rule logic
When
input.options.certificate-transparency-logging-preference != null
Require
input.options.certificate-transparency-logging-preference == 'ENABLED'
|| input.options.certificate-transparency-logging-preference == 'DISABLED'

options export must be ENABLED or DISABLED.

Rule logic
When
input.options.export != null
Require
input.options.export == 'ENABLED'
|| input.options.export == 'DISABLED'
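The constraint rules above, together with the create-versus-update behaviour from the description (create-only fields replace the certificate; imported material and the transparency-logging preference are reconciled in place), are easy to get wrong when assembled by hand, so here they are as a small validator. This is an added example, not code from the unobin project; it reads each "Forbidden together" list as the first field being incompatible with every other field in that list, treats an absent, null or empty value as `!= null` being false, and leaves tags and certificate-authority-arn out of the change classification because the page does not say how they are reconciled. The sample input sets and the PEM and ARN placeholders in them are constructed for the example.

```python
# Added example: the aws.acm-certificate input constraints and change classification
# as plain functions over dicts keyed by the documented input names.

REQUEST_ONLY = ("domain-name", "certificate-authority-arn", "key-algorithm",
                "subject-alternative-names", "validation-method", "validation-option", "options")
IMPORT_ONLY = ("certificate-body", "private-key", "certificate-chain")
KEY_ALGORITHMS = {"RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                  "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"}
VALIDATION_METHODS = {"DNS", "EMAIL"}
ENABLED_DISABLED = {"ENABLED", "DISABLED"}
# Fields the description says are fixed at creation; options.export is handled separately.
CREATE_ONLY = ("domain-name", "key-algorithm", "subject-alternative-names",
               "validation-method", "validation-option")


def _set(inputs, name):
    """True when the field is present and non-empty (assumed reading of `!= null`)."""
    value = inputs.get(name)
    return value is not None and value != [] and value != {}


def validate(inputs):
    """Return the list of constraint violations; an empty list means the inputs are valid."""
    errors = []
    has_domain, has_key = _set(inputs, "domain-name"), _set(inputs, "private-key")
    if has_domain == has_key:
        errors.append("exactly one of domain-name or private-key must be set")
    if has_key:  # private-key is forbidden with every request-mode field
        errors += [f"private-key cannot be combined with {f}" for f in REQUEST_ONLY if _set(inputs, f)]
    if has_domain:  # domain-name is forbidden with every import-mode field
        errors += [f"domain-name cannot be combined with {f}" for f in IMPORT_ONLY if _set(inputs, f)]
    if _set(inputs, "certificate-body") != has_key:
        errors.append("certificate-body and private-key must be set together")
    has_ca, has_method = _set(inputs, "certificate-authority-arn"), _set(inputs, "validation-method")
    if has_ca and has_method:
        errors.append("certificate-authority-arn cannot be combined with validation-method")
    if has_domain and not (has_ca or has_method):
        errors.append("a domain-name request requires certificate-authority-arn or validation-method")
    method = inputs.get("validation-method")
    if method is not None and method not in VALIDATION_METHODS:
        errors.append(f"validation-method must be DNS or EMAIL, got {method!r}")
    algorithm = inputs.get("key-algorithm")
    if algorithm is not None and algorithm not in KEY_ALGORITHMS:
        errors.append(f"key-algorithm {algorithm!r} is not a valid ACM key algorithm")
    options = inputs.get("options") or {}
    for field in ("certificate-transparency-logging-preference", "export"):
        value = options.get(field)
        if value is not None and value not in ENABLED_DISABLED:
            errors.append(f"options.{field} must be ENABLED or DISABLED, got {value!r}")
    return errors


def mode(inputs):
    """Which path a valid input set takes: ImportCertificate or RequestCertificate."""
    return "import" if _set(inputs, "private-key") else "request"


def plan(old, new):
    """Classify a change between two valid input sets: 'replace', 'update' (in place) or 'none'."""
    if mode(old) != mode(new) or any(old.get(f) != new.get(f) for f in CREATE_ONLY):
        return "replace"
    old_opts, new_opts = old.get("options") or {}, new.get("options") or {}
    if old_opts.get("export") != new_opts.get("export"):
        return "replace"  # export preference is create-only
    ct = "certificate-transparency-logging-preference"
    if old_opts.get(ct) != new_opts.get(ct):
        return "update"  # reconciled by UpdateCertificateOptions
    if any(old.get(f) != new.get(f) for f in IMPORT_ONLY):
        return "update"  # re-import of certificate material
    return "none"


# Constructed sample inputs (placeholder PEM and ARN values, not real material).
REQUEST_DNS = {"domain-name": "example.com", "validation-method": "DNS",
               "subject-alternative-names": ["www.example.com"], "key-algorithm": "EC_prime256v1",
               "options": {"certificate-transparency-logging-preference": "ENABLED"}}
PRIVATE_CA = {"domain-name": "internal.example.com",
              "certificate-authority-arn": "arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/PLACEHOLDER"}
IMPORTED = {"certificate-body": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
            "private-key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
            "certificate-chain": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"}
MIXED = {"domain-name": "example.com", "validation-method": "DNS", "certificate-body": "PLACEHOLDER"}

if __name__ == "__main__":
    for name, inputs in (("request/DNS", REQUEST_DNS), ("private CA", PRIVATE_CA),
                         ("import", IMPORTED), ("mixed", MIXED)):
        print(name, mode(inputs), validate(inputs) or "valid")
    print(plan(REQUEST_DNS, {**REQUEST_DNS, "key-algorithm": "RSA_2048"}))  # replace
```

Running the validator before handing inputs to the resource turns a rejected API call into a local error that names the offending field; `plan` shows whether an edit will be a re-issue (new domain-validation-options to act on downstream) or an in-place update.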

Outputs

arn

string

domain-name

string

status

string

type

string

not-after

string

not-before

string

renewal-eligibility

string

validation-emails

list(string)

domain-validation-options

list(object)
list(
  object({
    domain-name: string
    resource-record-name: string
    resource-record-type: string
    resource-record-value: string
  })
)