Welcome to Pulumi Registry, your window into the cloud. Read the announcement.

AWS Classic

v4.29.0 published on Monday, Nov 22, 2021 by Pulumi

Certificate

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.

It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws.acm.CertificateValidation resource for this.

Most commonly, this resource is used together with aws.route53.Record and aws.acm.CertificateValidation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of this provider.

Example Usage

Create Certificate

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var cert = new Aws.Acm.Certificate("cert", new Aws.Acm.CertificateArgs
        {
            DomainName = "example.com",
            Tags = 
            {
                { "Environment", "test" },
            },
            ValidationMethod = "DNS",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/acm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := acm.NewCertificate(ctx, "cert", &acm.CertificateArgs{
			DomainName: pulumi.String("example.com"),
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("test"),
			},
			ValidationMethod: pulumi.String("DNS"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

cert = aws.acm.Certificate("cert",
    domain_name="example.com",
    tags={
        "Environment": "test",
    },
    validation_method="DNS")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const cert = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    tags: {
        Environment: "test",
    },
    validationMethod: "DNS",
});

Existing Certificate Body Import

using Pulumi;
using Aws = Pulumi.Aws;
using Tls = Pulumi.Tls;

class MyStack : Stack
{
    public MyStack()
    {
        var examplePrivateKey = new Tls.PrivateKey("examplePrivateKey", new Tls.PrivateKeyArgs
        {
            Algorithm = "RSA",
        });
        var exampleSelfSignedCert = new Tls.SelfSignedCert("exampleSelfSignedCert", new Tls.SelfSignedCertArgs
        {
            KeyAlgorithm = "RSA",
            PrivateKeyPem = examplePrivateKey.PrivateKeyPem,
            Subjects = 
            {
                new Tls.Inputs.SelfSignedCertSubjectArgs
                {
                    CommonName = "example.com",
                    Organization = "ACME Examples, Inc",
                },
            },
            ValidityPeriodHours = 12,
            AllowedUses = 
            {
                "key_encipherment",
                "digital_signature",
                "server_auth",
            },
        });
        var cert = new Aws.Acm.Certificate("cert", new Aws.Acm.CertificateArgs
        {
            PrivateKey = examplePrivateKey.PrivateKeyPem,
            CertificateBody = exampleSelfSignedCert.CertPem,
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/acm"
	"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		examplePrivateKey, err := tls.NewPrivateKey(ctx, "examplePrivateKey", &tls.PrivateKeyArgs{
			Algorithm: pulumi.String("RSA"),
		})
		if err != nil {
			return err
		}
		exampleSelfSignedCert, err := tls.NewSelfSignedCert(ctx, "exampleSelfSignedCert", &tls.SelfSignedCertArgs{
			KeyAlgorithm:  pulumi.String("RSA"),
			PrivateKeyPem: examplePrivateKey.PrivateKeyPem,
			Subjects: SelfSignedCertSubjectArray{
				&SelfSignedCertSubjectArgs{
					CommonName:   pulumi.String("example.com"),
					Organization: pulumi.String("ACME Examples, Inc"),
				},
			},
			ValidityPeriodHours: pulumi.Int(12),
			AllowedUses: pulumi.StringArray{
				pulumi.String("key_encipherment"),
				pulumi.String("digital_signature"),
				pulumi.String("server_auth"),
			},
		})
		if err != nil {
			return err
		}
		_, err = acm.NewCertificate(ctx, "cert", &acm.CertificateArgs{
			PrivateKey:      examplePrivateKey.PrivateKeyPem,
			CertificateBody: exampleSelfSignedCert.CertPem,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws
import pulumi_tls as tls

example_private_key = tls.PrivateKey("examplePrivateKey", algorithm="RSA")
example_self_signed_cert = tls.SelfSignedCert("exampleSelfSignedCert",
    key_algorithm="RSA",
    private_key_pem=example_private_key.private_key_pem,
    subjects=[tls.SelfSignedCertSubjectArgs(
        common_name="example.com",
        organization="ACME Examples, Inc",
    )],
    validity_period_hours=12,
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ])
cert = aws.acm.Certificate("cert",
    private_key=example_private_key.private_key_pem,
    certificate_body=example_self_signed_cert.cert_pem)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

const examplePrivateKey = new tls.PrivateKey("examplePrivateKey", {algorithm: "RSA"});
const exampleSelfSignedCert = new tls.SelfSignedCert("exampleSelfSignedCert", {
    keyAlgorithm: "RSA",
    privateKeyPem: examplePrivateKey.privateKeyPem,
    subjects: [{
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    }],
    validityPeriodHours: 12,
    allowedUses: [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
});
const cert = new aws.acm.Certificate("cert", {
    privateKey: examplePrivateKey.privateKeyPem,
    certificateBody: exampleSelfSignedCert.certPem,
});

Referencing domain_validation_options With for_each Based Resources

Coming soon!

Coming soon!

import pulumi
import pulumi_aws as aws

example = []
for range in [{"key": k, "value": v} for [k, v] in enumerate({dvo.domainName: {
    name: dvo.resourceRecordName,
    record: dvo.resourceRecordValue,
    type: dvo.resourceRecordType,
} for dvo in aws_acm_certificate.example.domain_validation_options})]:
    example.append(aws.route53.Record(f"example-{range['key']}",
        allow_overwrite=True,
        name=range["value"]["name"],
        records=[range["value"]["record"]],
        ttl=60,
        type=range["value"]["type"],
        zone_id=aws_route53_zone["example"]["zone_id"]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example: aws.route53.Record[];
for (const range of Object.entries(.reduce((__obj, dvo) => { ...__obj, [dvo.domainName]: {
    name: dvo.resourceRecordName,
    record: dvo.resourceRecordValue,
    type: dvo.resourceRecordType,
} })).map(([k, v]) => {key: k, value: v})) {
    example.push(new aws.route53.Record(`example-${range.key}`, {
        allowOverwrite: true,
        name: range.value.name,
        records: [range.value.record],
        ttl: 60,
        type: range.value.type,
        zoneId: aws_route53_zone.example.zone_id,
    }));
}

Create a Certificate Resource

new Certificate(name: string, args?: CertificateArgs, opts?: CustomResourceOptions);
@overload
def Certificate(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                certificate_authority_arn: Optional[str] = None,
                certificate_body: Optional[str] = None,
                certificate_chain: Optional[str] = None,
                domain_name: Optional[str] = None,
                options: Optional[CertificateOptionsArgs] = None,
                private_key: Optional[str] = None,
                subject_alternative_names: Optional[Sequence[str]] = None,
                tags: Optional[Mapping[str, str]] = None,
                validation_method: Optional[str] = None)
@overload
def Certificate(resource_name: str,
                args: Optional[CertificateArgs] = None,
                opts: Optional[ResourceOptions] = None)
func NewCertificate(ctx *Context, name string, args *CertificateArgs, opts ...ResourceOption) (*Certificate, error)
public Certificate(string name, CertificateArgs? args = null, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CertificateArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Certificate resource accepts the following input properties:

CertificateAuthorityArn string
ARN of an ACM PCA
CertificateBody string
The certificate’s PEM-formatted public key
CertificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
DomainName string
A domain name for which the certificate should be issued
Options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
PrivateKey string
The certificate’s PEM-formatted private key
SubjectAlternativeNames List<string>
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
Tags Dictionary<string, string>
A map of tags to assign to the resource..
ValidationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
CertificateAuthorityArn string
ARN of an ACM PCA
CertificateBody string
The certificate’s PEM-formatted public key
CertificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
DomainName string
A domain name for which the certificate should be issued
Options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
PrivateKey string
The certificate’s PEM-formatted private key
SubjectAlternativeNames []string
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
Tags map[string]string
A map of tags to assign to the resource..
ValidationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
certificateAuthorityArn string
ARN of an ACM PCA
certificateBody string
The certificate’s PEM-formatted public key
certificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
domainName string
A domain name for which the certificate should be issued
options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
privateKey string
The certificate’s PEM-formatted private key
subjectAlternativeNames string[]
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
tags {[key: string]: string}
A map of tags to assign to the resource..
validationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
certificate_authority_arn str
ARN of an ACM PCA
certificate_body str
The certificate’s PEM-formatted public key
certificate_chain str

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
domain_name str
A domain name for which the certificate should be issued
options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
private_key str
The certificate’s PEM-formatted private key
subject_alternative_names Sequence[str]
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
tags Mapping[str, str]
A map of tags to assign to the resource..
validation_method str
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

Arn string
The ARN of the certificate
DomainValidationOptions List<CertificateDomainValidationOption>
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
Id string
The provider-assigned unique ID for this managed resource.
Status string
Status of the certificate.
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider .
ValidationEmails List<string>
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
Arn string
The ARN of the certificate
DomainValidationOptions []CertificateDomainValidationOption
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
Id string
The provider-assigned unique ID for this managed resource.
Status string
Status of the certificate.
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider .
ValidationEmails []string
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
arn string
The ARN of the certificate
domainValidationOptions CertificateDomainValidationOption[]
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
id string
The provider-assigned unique ID for this managed resource.
status string
Status of the certificate.
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider .
validationEmails string[]
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
arn str
The ARN of the certificate
domain_validation_options Sequence[CertificateDomainValidationOption]
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
id str
The provider-assigned unique ID for this managed resource.
status str
Status of the certificate.
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider .
validation_emails Sequence[str]
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Look up an Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        certificate_authority_arn: Optional[str] = None,
        certificate_body: Optional[str] = None,
        certificate_chain: Optional[str] = None,
        domain_name: Optional[str] = None,
        domain_validation_options: Optional[Sequence[CertificateDomainValidationOptionArgs]] = None,
        options: Optional[CertificateOptionsArgs] = None,
        private_key: Optional[str] = None,
        status: Optional[str] = None,
        subject_alternative_names: Optional[Sequence[str]] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        validation_emails: Optional[Sequence[str]] = None,
        validation_method: Optional[str] = None) -> Certificate
func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)
public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string
The ARN of the certificate
CertificateAuthorityArn string
ARN of an ACM PCA
CertificateBody string
The certificate’s PEM-formatted public key
CertificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
DomainName string
A domain name for which the certificate should be issued
DomainValidationOptions List<CertificateDomainValidationOptionArgs>
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
Options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
PrivateKey string
The certificate’s PEM-formatted private key
Status string
Status of the certificate.
SubjectAlternativeNames List<string>
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
Tags Dictionary<string, string>
A map of tags to assign to the resource..
TagsAll Dictionary<string, string>
A map of tags assigned to the resource, including those inherited from the provider .
ValidationEmails List<string>
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
ValidationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
Arn string
The ARN of the certificate
CertificateAuthorityArn string
ARN of an ACM PCA
CertificateBody string
The certificate’s PEM-formatted public key
CertificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
DomainName string
A domain name for which the certificate should be issued
DomainValidationOptions []CertificateDomainValidationOptionArgs
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
Options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
PrivateKey string
The certificate’s PEM-formatted private key
Status string
Status of the certificate.
SubjectAlternativeNames []string
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
Tags map[string]string
A map of tags to assign to the resource..
TagsAll map[string]string
A map of tags assigned to the resource, including those inherited from the provider .
ValidationEmails []string
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
ValidationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
arn string
The ARN of the certificate
certificateAuthorityArn string
ARN of an ACM PCA
certificateBody string
The certificate’s PEM-formatted public key
certificateChain string

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
domainName string
A domain name for which the certificate should be issued
domainValidationOptions CertificateDomainValidationOptionArgs[]
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
privateKey string
The certificate’s PEM-formatted private key
status string
Status of the certificate.
subjectAlternativeNames string[]
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
tags {[key: string]: string}
A map of tags to assign to the resource..
tagsAll {[key: string]: string}
A map of tags assigned to the resource, including those inherited from the provider .
validationEmails string[]
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
validationMethod string
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.
arn str
The ARN of the certificate
certificate_authority_arn str
ARN of an ACM PCA
certificate_body str
The certificate’s PEM-formatted public key
certificate_chain str

The certificate’s PEM-formatted chain

  • Creating a private CA issued certificate
domain_name str
A domain name for which the certificate should be issued
domain_validation_options Sequence[CertificateDomainValidationOptionArgs]
Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
options CertificateOptionsArgs

Configuration block used to set certificate options. Detailed below.

  • Importing an existing certificate
private_key str
The certificate’s PEM-formatted private key
status str
Status of the certificate.
subject_alternative_names Sequence[str]
Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
tags Mapping[str, str]
A map of tags to assign to the resource..
tags_all Mapping[str, str]
A map of tags assigned to the resource, including those inherited from the provider .
validation_emails Sequence[str]
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
validation_method str
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Supporting Types

CertificateDomainValidationOption

DomainName string
A domain name for which the certificate should be issued
ResourceRecordName string
The name of the DNS record to create to validate the certificate
ResourceRecordType string
The type of DNS record to create
ResourceRecordValue string
The value the DNS record needs to have
DomainName string
A domain name for which the certificate should be issued
ResourceRecordName string
The name of the DNS record to create to validate the certificate
ResourceRecordType string
The type of DNS record to create
ResourceRecordValue string
The value the DNS record needs to have
domainName string
A domain name for which the certificate should be issued
resourceRecordName string
The name of the DNS record to create to validate the certificate
resourceRecordType string
The type of DNS record to create
resourceRecordValue string
The value the DNS record needs to have
domain_name str
A domain name for which the certificate should be issued
resource_record_name str
The name of the DNS record to create to validate the certificate
resource_record_type str
The type of DNS record to create
resource_record_value str
The value the DNS record needs to have

CertificateOptions

CertificateTransparencyLoggingPreference string
Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.
CertificateTransparencyLoggingPreference string
Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.
certificateTransparencyLoggingPreference string
Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.
certificate_transparency_logging_preference str
Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.

Import

Certificates can be imported using their ARN, e.g.,

 $ pulumi import aws:acm/certificate:Certificate cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.