Certificate

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.

It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws.acm.CertificateValidation resource for this.

Most commonly, this resource is used together with aws.route53.Record and aws.acm.CertificateValidation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of this provider.

It’s recommended to specify create_before_destroy = true in a lifecycle block to replace a certificate which is currently in use (eg, by aws.lb.Listener).

Example Usage

Certificate creation

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var cert = new Aws.Acm.Certificate("cert", new Aws.Acm.CertificateArgs
        {
            DomainName = "example.com",
            Tags = 
            {
                { "Environment", "test" },
            },
            ValidationMethod = "DNS",
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/acm"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := acm.NewCertificate(ctx, "cert", &acm.CertificateArgs{
            DomainName: pulumi.String("example.com"),
            Tags: pulumi.StringMap{
                "Environment": pulumi.String("test"),
            },
            ValidationMethod: pulumi.String("DNS"),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

cert = aws.acm.Certificate("cert",
    domain_name="example.com",
    tags={
        "Environment": "test",
    },
    validation_method="DNS")

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const cert = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    tags: {
        Environment: "test",
    },
    validationMethod: "DNS",
});

Importing an existing certificate

using Pulumi;
using Aws = Pulumi.Aws;
using Tls = Pulumi.Tls;

class MyStack : Stack
{
    public MyStack()
    {
        var examplePrivateKey = new Tls.PrivateKey("examplePrivateKey", new Tls.PrivateKeyArgs
        {
            Algorithm = "RSA",
        });
        var exampleSelfSignedCert = new Tls.SelfSignedCert("exampleSelfSignedCert", new Tls.SelfSignedCertArgs
        {
            AllowedUses = 
            {
                "key_encipherment",
                "digital_signature",
                "server_auth",
            },
            KeyAlgorithm = "RSA",
            PrivateKeyPem = examplePrivateKey.PrivateKeyPem,
            Subjects = 
            {
                new Tls.Inputs.SelfSignedCertSubjectArgs
                {
                    CommonName = "example.com",
                    Organization = "ACME Examples, Inc",
                },
            },
            ValidityPeriodHours = 12,
        });
        var cert = new Aws.Acm.Certificate("cert", new Aws.Acm.CertificateArgs
        {
            CertificateBody = exampleSelfSignedCert.CertPem,
            PrivateKey = examplePrivateKey.PrivateKeyPem,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/acm"
    "github.com/pulumi/pulumi-tls/sdk/v2/go/tls"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        examplePrivateKey, err := tls.NewPrivateKey(ctx, "examplePrivateKey", &tls.PrivateKeyArgs{
            Algorithm: pulumi.String("RSA"),
        })
        if err != nil {
            return err
        }
        exampleSelfSignedCert, err := tls.NewSelfSignedCert(ctx, "exampleSelfSignedCert", &tls.SelfSignedCertArgs{
            AllowedUses: pulumi.StringArray{
                pulumi.String("key_encipherment"),
                pulumi.String("digital_signature"),
                pulumi.String("server_auth"),
            },
            KeyAlgorithm:  pulumi.String("RSA"),
            PrivateKeyPem: examplePrivateKey.PrivateKeyPem,
            Subjects: tls.SelfSignedCertSubjectArray{
                &tls.SelfSignedCertSubjectArgs{
                    CommonName:   pulumi.String("example.com"),
                    Organization: pulumi.String("ACME Examples, Inc"),
                },
            },
            ValidityPeriodHours: pulumi.Int(12),
        })
        if err != nil {
            return err
        }
        _, err = acm.NewCertificate(ctx, "cert", &acm.CertificateArgs{
            CertificateBody: exampleSelfSignedCert.CertPem,
            PrivateKey:      examplePrivateKey.PrivateKeyPem,
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws
import pulumi_tls as tls

example_private_key = tls.PrivateKey("examplePrivateKey", algorithm="RSA")
example_self_signed_cert = tls.SelfSignedCert("exampleSelfSignedCert",
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
    key_algorithm="RSA",
    private_key_pem=example_private_key.private_key_pem,
    subjects=[{
        "commonName": "example.com",
        "organization": "ACME Examples, Inc",
    }],
    validity_period_hours=12)
cert = aws.acm.Certificate("cert",
    certificate_body=example_self_signed_cert.cert_pem,
    private_key=example_private_key.private_key_pem)

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

const examplePrivateKey = new tls.PrivateKey("example", {
    algorithm: "RSA",
});
const exampleSelfSignedCert = new tls.SelfSignedCert("example", {
    allowedUses: [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
    keyAlgorithm: "RSA",
    privateKeyPem: examplePrivateKey.privateKeyPem,
    subjects: [{
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    }],
    validityPeriodHours: 12,
});
const cert = new aws.acm.Certificate("cert", {
    certificateBody: exampleSelfSignedCert.certPem,
    privateKey: examplePrivateKey.privateKeyPem,
});

Create a Certificate Resource

new Certificate(name: string, args?: CertificateArgs, opts?: CustomResourceOptions);

def Certificate(resource_name, opts=None, certificate_authority_arn=None, certificate_body=None, certificate_chain=None, domain_name=None, options=None, private_key=None, subject_alternative_names=None, tags=None, validation_method=None, __props__=None);

func NewCertificate(ctx *Context, name string, args *CertificateArgs, opts ...ResourceOption) (*Certificate, error)

public Certificate(string name, CertificateArgs? args = null, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args CertificateArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Certificate Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Certificate resource accepts the following input properties:

CertificateAuthorityArn string: ARN of an ACMPCA
CertificateBody string: The certificate’s PEM-formatted public key
CertificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
DomainName string: A domain name for which the certificate should be issued
Options CertificateOptionsArgs: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
PrivateKey string: The certificate’s PEM-formatted private key
SubjectAlternativeNames List<string>: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
Tags Dictionary<string, string>: A map of tags to assign to the resource.
ValidationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

CertificateAuthorityArn string: ARN of an ACMPCA
CertificateBody string: The certificate’s PEM-formatted public key
CertificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
DomainName string: A domain name for which the certificate should be issued
Options CertificateOptions: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
PrivateKey string: The certificate’s PEM-formatted private key
SubjectAlternativeNames []string: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
Tags map[string]string: A map of tags to assign to the resource.
ValidationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

certificateAuthorityArn string: ARN of an ACMPCA
certificateBody string: The certificate’s PEM-formatted public key
certificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
domainName string: A domain name for which the certificate should be issued
options CertificateOptions: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
privateKey string: The certificate’s PEM-formatted private key
subjectAlternativeNames string[]: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
tags {[key: string]: string}: A map of tags to assign to the resource.
validationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

certificate_authority_arn str: ARN of an ACMPCA
certificate_body str: The certificate’s PEM-formatted public key
certificate_chain str: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
domain_name str: A domain name for which the certificate should be issued
options Dict[CertificateOptions]: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
private_key str: The certificate’s PEM-formatted private key
subject_alternative_names List[str]: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
tags Dict[str, str]: A map of tags to assign to the resource.
validation_method str: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Outputs

All input properties are implicitly available as output properties. Additionally, the Certificate resource produces the following output properties:

Arn string: The ARN of the certificate
DomainValidationOptions List<CertificateDomainValidationOption>: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
Id string: The provider-assigned unique ID for this managed resource.
Status string: Status of the certificate.
ValidationEmails List<string>: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Arn string: The ARN of the certificate
DomainValidationOptions []CertificateDomainValidationOption: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
Id string: The provider-assigned unique ID for this managed resource.
Status string: Status of the certificate.
ValidationEmails []string: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

arn string: The ARN of the certificate
domainValidationOptions CertificateDomainValidationOption[]: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
id string: The provider-assigned unique ID for this managed resource.
status string: Status of the certificate.
validationEmails string[]: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

arn str: The ARN of the certificate
domain_validation_options List[CertificateDomainValidationOption]: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
id str: The provider-assigned unique ID for this managed resource.
status str: Status of the certificate.
validation_emails List[str]: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Look up an Existing Certificate Resource

Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CertificateState, opts?: CustomResourceOptions): Certificate

static get(resource_name, id, opts=None, arn=None, certificate_authority_arn=None, certificate_body=None, certificate_chain=None, domain_name=None, domain_validation_options=None, options=None, private_key=None, status=None, subject_alternative_names=None, tags=None, validation_emails=None, validation_method=None, __props__=None);

func GetCertificate(ctx *Context, name string, id IDInput, state *CertificateState, opts ...ResourceOption) (*Certificate, error)

public static Certificate Get(string name, Input<string> id, CertificateState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: The ARN of the certificate
CertificateAuthorityArn string: ARN of an ACMPCA
CertificateBody string: The certificate’s PEM-formatted public key
CertificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
DomainName string: A domain name for which the certificate should be issued
DomainValidationOptions List<CertificateDomainValidationOptionArgs>: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
Options CertificateOptionsArgs: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
PrivateKey string: The certificate’s PEM-formatted private key
Status string: Status of the certificate.
SubjectAlternativeNames List<string>: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
Tags Dictionary<string, string>: A map of tags to assign to the resource.
ValidationEmails List<string>: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
ValidationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Arn string: The ARN of the certificate
CertificateAuthorityArn string: ARN of an ACMPCA
CertificateBody string: The certificate’s PEM-formatted public key
CertificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
DomainName string: A domain name for which the certificate should be issued
DomainValidationOptions []CertificateDomainValidationOption: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
Options CertificateOptions: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
PrivateKey string: The certificate’s PEM-formatted private key
Status string: Status of the certificate.
SubjectAlternativeNames []string: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
Tags map[string]string: A map of tags to assign to the resource.
ValidationEmails []string: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
ValidationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

arn string: The ARN of the certificate
certificateAuthorityArn string: ARN of an ACMPCA
certificateBody string: The certificate’s PEM-formatted public key
certificateChain string: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
domainName string: A domain name for which the certificate should be issued
domainValidationOptions CertificateDomainValidationOption[]: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
options CertificateOptions: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
privateKey string: The certificate’s PEM-formatted private key
status string: Status of the certificate.
subjectAlternativeNames string[]: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
tags {[key: string]: string}: A map of tags to assign to the resource.
validationEmails string[]: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
validationMethod string: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

arn str: The ARN of the certificate
certificate_authority_arn str: ARN of an ACMPCA
certificate_body str: The certificate’s PEM-formatted public key
certificate_chain str: The certificate’s PEM-formatted chain * Creating a private CA issued certificate
domain_name str: A domain name for which the certificate should be issued
domain_validation_options List[CertificateDomainValidationOption]: A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
options Dict[CertificateOptions]: Configuration block used to set certificate options. Detailed below. * Importing an existing certificate
private_key str: The certificate’s PEM-formatted private key
status str: Status of the certificate.
subject_alternative_names List[str]: A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) to trigger recreation.
tags Dict[str, str]: A map of tags to assign to the resource.
validation_emails List[str]: A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
validation_method str: Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Supporting Types

CertificateDomainValidationOption

See the output API doc for this type.

DomainName string: A domain name for which the certificate should be issued
ResourceRecordName string: The name of the DNS record to create to validate the certificate
ResourceRecordType string: The type of DNS record to create
ResourceRecordValue string: The value the DNS record needs to have

DomainName string: A domain name for which the certificate should be issued
ResourceRecordName string: The name of the DNS record to create to validate the certificate
ResourceRecordType string: The type of DNS record to create
ResourceRecordValue string: The value the DNS record needs to have

domainName string: A domain name for which the certificate should be issued
resourceRecordName string: The name of the DNS record to create to validate the certificate
resourceRecordType string: The type of DNS record to create
resourceRecordValue string: The value the DNS record needs to have

domain_name str: A domain name for which the certificate should be issued
resourceRecordName str: The name of the DNS record to create to validate the certificate
resourceRecordType str: The type of DNS record to create
resourceRecordValue str: The value the DNS record needs to have

CertificateOptions

See the input and output API doc for this type.

CertificateTransparencyLoggingPreference string: Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.

CertificateTransparencyLoggingPreference string: Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.

certificateTransparencyLoggingPreference string: Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.

certificateTransparencyLoggingPreference str: Specifies whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud