Module acm

@pulumi/aws > acm

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class Certificate

extends CustomResource

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.

It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws.acm.CertificateValidation resource for this.

Most commonly, this resource is used to together with aws.route53.Record and aws.acm.CertificateValidation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of this provider.

It’s recommended to specify createBeforeDestroy = true in a [lifecycle][1] block to replace a certificate which is currently in use (eg, by aws.lb.Listener).

Example Usage

Certificate creation

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const cert = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    tags: {
        Environment: "test",
    },
    validationMethod: "DNS",
});

Importation of existing certificate

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

const examplePrivateKey = new tls.PrivateKey("example", {
    algorithm: "RSA",
});
const exampleSelfSignedCert = new tls.SelfSignedCert("example", {
    allowedUses: [
        "keyEncipherment",
        "digitalSignature",
        "serverAuth",
    ],
    keyAlgorithm: "RSA",
    privateKeyPem: examplePrivateKey.privateKeyPem,
    subjects: [{
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    }],
    validityPeriodHours: 12,
});
const cert = new aws.acm.Certificate("cert", {
    certificateBody: exampleSelfSignedCert.certPem,
    privateKey: examplePrivateKey.privateKeyPem,
});

options Configuration Block

Supported nested arguments for the options configuration block:

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/acm_certificate.html.markdown.

constructor

new Certificate(name: string, args?: CertificateArgs, opts?: pulumi.CustomResourceOptions)

Create a Certificate resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateState, opts?: pulumi.CustomResourceOptions): Certificate

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of Certificate. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN of the certificate

property certificateAuthorityArn

public certificateAuthorityArn: pulumi.Output<string | undefined>;

ARN of an ACMPCA

property certificateBody

public certificateBody: pulumi.Output<string | undefined>;

The certificate’s PEM-formatted public key

property certificateChain

public certificateChain: pulumi.Output<string | undefined>;

The certificate’s PEM-formatted chain * Creating a private CA issued certificate

property domainName

public domainName: pulumi.Output<string>;

A domain name for which the certificate should be issued

property domainValidationOptions

public domainValidationOptions: pulumi.Output<{
    domainName: string;
    resourceRecordName: string;
    resourceRecordType: string;
    resourceRecordValue: string;
}[]>;

A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property options

public options: pulumi.Output<{
    certificateTransparencyLoggingPreference: undefined | string;
} | undefined>;

property privateKey

public privateKey: pulumi.Output<string | undefined>;

The certificate’s PEM-formatted private key

property subjectAlternativeNames

public subjectAlternativeNames: pulumi.Output<string[]>;

A list of domains that should be SANs in the issued certificate

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

A mapping of tags to assign to the resource.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validationEmails

public validationEmails: pulumi.Output<string[]>;

A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

property validationMethod

public validationMethod: pulumi.Output<string>;

Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider. * Importing an existing certificate

class CertificateValidation

extends CustomResource

This resource represents a successful validation of an ACM certificate in concert with other resources.

Most commonly, this resource is used together with aws.route53.Record and aws.acm.Certificate to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

WARNING: This resource implements a part of the validation workflow. It does not represent a real-world entity in AWS, therefore changing or deleting this resource on its own has no immediate effect.

Example Usage

DNS Validation with Route 53

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    validationMethod: "DNS",
});
const zone = pulumi.output(aws.route53.getZone({
    name: "example.com.",
    privateZone: false,
}));
const certValidation = new aws.route53.Record("certValidation", {
    records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[0].resourceRecordType,
    zoneId: zone.id,
});
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
    validationRecordFqdns: [certValidation.fqdn],
});
const frontEnd = new aws.lb.Listener("frontEnd", {
    // [...]
    certificateArn: certCertificateValidation.certificateArn,
});

Alternative Domains DNS Validation with Route 53

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    subjectAlternativeNames: [
        "www.example.com",
        "example.org",
    ],
    validationMethod: "DNS",
});
const zone = pulumi.output(aws.route53.getZone({
    name: "example.com.",
    privateZone: false,
}));
const zoneAlt = pulumi.output(aws.route53.getZone({
    name: "example.org.",
    privateZone: false,
}));
const certValidation = new aws.route53.Record("certValidation", {
    records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[0].resourceRecordType,
    zoneId: zone.id,
});
const certValidationAlt1 = new aws.route53.Record("certValidationAlt1", {
    records: [certCertificate.domainValidationOptions[1].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[1].resourceRecordType,
    zoneId: zone.id,
});
const certValidationAlt2 = new aws.route53.Record("certValidationAlt2", {
    records: [certCertificate.domainValidationOptions[2].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[2].resourceRecordType,
    zoneId: zoneAlt.id,
});
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
    validationRecordFqdns: [
        certValidation.fqdn,
        certValidationAlt1.fqdn,
        certValidationAlt2.fqdn,
    ],
});
const frontEnd = new aws.lb.Listener("frontEnd", {
    // [...]
    certificateArn: certCertificateValidation.certificateArn,
});

Email Validation

In this situation, the resource is simply a waiter for manual email approval of ACM certificates.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    validationMethod: "EMAIL",
});
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
});

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/r/acm_certificate_validation.html.markdown.

constructor

new CertificateValidation(name: string, args: CertificateValidationArgs, opts?: pulumi.CustomResourceOptions)

Create a CertificateValidation resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateValidationState, opts?: pulumi.CustomResourceOptions): CertificateValidation

Get an existing CertificateValidation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): boolean

Returns true if the given object is an instance of CertificateValidation. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property certificateArn

public certificateArn: pulumi.Output<string>;

The ARN of the certificate that is being validated.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validationRecordFqdns

public validationRecordFqdns: pulumi.Output<string[] | undefined>;

List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation

function getCertificate

getCertificate(args: GetCertificateArgs, opts?: pulumi.InvokeOptions): Promise<GetCertificateResult> & GetCertificateResult

Use this data source to get the ARN of a certificate in AWS Certificate Manager (ACM), you can reference it by domain without having to hard code the ARNs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Find a RSA 4096 bit certificate
const example = pulumi.output(aws.acm.getCertificate({
    domain: "tf.example.com",
    keyTypes: ["RSA_4096"],
}));

This content is derived from https://github.com/terraform-providers/terraform-provider-aws/blob/master/website/docs/d/acm_certificate.html.markdown.

interface CertificateArgs

The set of arguments for constructing a Certificate resource.

property certificateAuthorityArn

certificateAuthorityArn?: pulumi.Input<string>;

ARN of an ACMPCA

property certificateBody

certificateBody?: pulumi.Input<string>;

The certificate’s PEM-formatted public key

property certificateChain

certificateChain?: pulumi.Input<string>;

The certificate’s PEM-formatted chain * Creating a private CA issued certificate

property domainName

domainName?: pulumi.Input<string>;

A domain name for which the certificate should be issued

property options

options?: pulumi.Input<{
    certificateTransparencyLoggingPreference: pulumi.Input<string>;
}>;

property privateKey

privateKey?: pulumi.Input<string>;

The certificate’s PEM-formatted private key

property subjectAlternativeNames

subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;

A list of domains that should be SANs in the issued certificate

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the resource.

property validationMethod

validationMethod?: pulumi.Input<string>;

Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider. * Importing an existing certificate

interface CertificateState

Input properties used for looking up and filtering Certificate resources.

property arn

arn?: pulumi.Input<string>;

The ARN of the certificate

property certificateAuthorityArn

certificateAuthorityArn?: pulumi.Input<string>;

ARN of an ACMPCA

property certificateBody

certificateBody?: pulumi.Input<string>;

The certificate’s PEM-formatted public key

property certificateChain

certificateChain?: pulumi.Input<string>;

The certificate’s PEM-formatted chain * Creating a private CA issued certificate

property domainName

domainName?: pulumi.Input<string>;

A domain name for which the certificate should be issued

property domainValidationOptions

domainValidationOptions?: pulumi.Input<pulumi.Input<{
    domainName: pulumi.Input<string>;
    resourceRecordName: pulumi.Input<string>;
    resourceRecordType: pulumi.Input<string>;
    resourceRecordValue: pulumi.Input<string>;
}>[]>;

A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.

property options

options?: pulumi.Input<{
    certificateTransparencyLoggingPreference: pulumi.Input<string>;
}>;

property privateKey

privateKey?: pulumi.Input<string>;

The certificate’s PEM-formatted private key

property subjectAlternativeNames

subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;

A list of domains that should be SANs in the issued certificate

property tags

tags?: pulumi.Input<{[key: string]: any}>;

A mapping of tags to assign to the resource.

property validationEmails

validationEmails?: pulumi.Input<pulumi.Input<string>[]>;

A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

property validationMethod

validationMethod?: pulumi.Input<string>;

Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider. * Importing an existing certificate

interface CertificateValidationArgs

The set of arguments for constructing a CertificateValidation resource.

property certificateArn

certificateArn: pulumi.Input<string>;

The ARN of the certificate that is being validated.

property validationRecordFqdns

validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;

List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation

interface CertificateValidationState

Input properties used for looking up and filtering CertificateValidation resources.

property certificateArn

certificateArn?: pulumi.Input<string>;

The ARN of the certificate that is being validated.

property validationRecordFqdns

validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;

List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation

interface GetCertificateArgs

A collection of arguments for invoking getCertificate.

property domain

domain: string;

The domain of the certificate to look up. If no certificate is found with this name, an error will be returned.

property keyTypes

keyTypes?: string[];

A list of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. Valid values are RSA_1024, RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, and EC_secp521r1.

property mostRecent

mostRecent?: undefined | false | true;

If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.

property statuses

statuses?: string[];

A list of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.

property types

types?: string[];

A list of types on which to filter the returned list. Valid values are AMAZON_ISSUED and IMPORTED.

interface GetCertificateResult

A collection of values returned by getCertificate.

property arn

arn: string;

Set to the ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.

property domain

domain: string;

property id

id: string;

id is the provider-assigned unique ID for this managed resource.

property keyTypes

keyTypes?: string[];

property mostRecent

mostRecent?: undefined | false | true;

property statuses

statuses?: string[];

property types

types?: string[];