Module acm
This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the
pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.
Resources
Functions
Others
- CertificateArgs
- CertificateState
- CertificateValidationArgs
- CertificateValidationState
- GetCertificateArgs
- GetCertificateResult
Resources
Resource Certificate
class Certificate extends CustomResource
The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.
It deals with requesting certificates and managing their attributes and life-cycle.
This resource does not deal with validation of a certificate but can provide inputs
for other resources implementing the validation. It does not wait for a certificate to be issued.
Use an aws.acm.CertificateValidation resource for this.
Most commonly, this resource is used together with aws.route53.Record and
aws.acm.CertificateValidation to request a DNS validated certificate,
deploy the required validation records and wait for validation to complete.
Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of this provider.
It’s recommended to specify createBeforeDestroy = true in a lifecycle block to replace a certificate
which is currently in use (e.g., by aws.lb.Listener).
Example Usage
Certificate creation
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const cert = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    tags: {
        Environment: "test",
    },
    validationMethod: "DNS",
});
Importing an existing certificate
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as tls from "@pulumi/tls";

// Generate a key pair and a self-signed certificate (valid for 12 hours) to import.
const examplePrivateKey = new tls.PrivateKey("example", {
    algorithm: "RSA",
});
const exampleSelfSignedCert = new tls.SelfSignedCert("example", {
    allowedUses: [
        "key_encipherment",
        "digital_signature",
        "server_auth",
    ],
    keyAlgorithm: "RSA",
    privateKeyPem: examplePrivateKey.privateKeyPem,
    subjects: [{
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    }],
    validityPeriodHours: 12,
});
// Import the certificate body and its private key into ACM.
const cert = new aws.acm.Certificate("cert", {
    certificateBody: exampleSelfSignedCert.certPem,
    privateKey: examplePrivateKey.privateKeyPem,
});
constructor
new Certificate(name: string, args?: CertificateArgs, opts?: pulumi.CustomResourceOptions)
Create a Certificate resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateState, opts?: pulumi.CustomResourceOptions): Certificate
Get an existing Certificate resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is Certificate
Returns true if the given object is an instance of Certificate. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property arn
public arn: pulumi.Output<string>;
The ARN of the certificate
property certificateAuthorityArn
public certificateAuthorityArn: pulumi.Output<string | undefined>;
ARN of an ACMPCA
property certificateBody
public certificateBody: pulumi.Output<string | undefined>;
The certificate’s PEM-formatted public key
property certificateChain
public certificateChain: pulumi.Output<string | undefined>;
The certificate’s PEM-formatted chain
property domainName
public domainName: pulumi.Output<string>;
A domain name for which the certificate should be issued
property domainValidationOptions
public domainValidationOptions: pulumi.Output<CertificateDomainValidationOption[]>;
A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property options
public options: pulumi.Output<CertificateOptions | undefined>;
Configuration block used to set certificate options. Detailed below.
property privateKey
public privateKey: pulumi.Output<string | undefined>;
The certificate’s PEM-formatted private key
property status
public status: pulumi.Output<string>;
Status of the certificate.
property subjectAlternativeNames
public subjectAlternativeNames: pulumi.Output<string[]>;
A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
property tags
public tags: pulumi.Output<{[key: string]: any} | undefined>;
A map of tags to assign to the resource.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
property validationEmails
public validationEmails: pulumi.Output<string[]>;
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
property validationMethod
public validationMethod: pulumi.Output<string>;
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider.
Resource CertificateValidation
class CertificateValidation extends CustomResource
This resource represents a successful validation of an ACM certificate in concert with other resources.
Most commonly, this resource is used together with aws.route53.Record and
aws.acm.Certificate to request a DNS validated certificate,
deploy the required validation records and wait for validation to complete.
WARNING: This resource implements a part of the validation workflow. It does not represent a real-world entity in AWS, therefore changing or deleting this resource on its own has no immediate effect.
Example Usage
DNS Validation with Route 53
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Request a DNS-validated certificate.
const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    validationMethod: "DNS",
});
const zone = pulumi.output(aws.route53.getZone({
    name: "example.com.",
    privateZone: false,
}, { async: true }));
// Deploy the validation record that ACM asks for.
const certValidation = new aws.route53.Record("cert_validation", {
    name: certCertificate.domainValidationOptions[0].resourceRecordName,
    records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[0].resourceRecordType,
    zoneId: zone.zoneId!,
});
// Wait for validation to complete before the certificate is used.
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
    validationRecordFqdns: [certValidation.fqdn],
});
const frontEnd = new aws.lb.Listener("front_end", {
    // [...]
    certificateArn: certCertificateValidation.certificateArn,
});
Alternative Domains DNS Validation with Route 53
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    subjectAlternativeNames: [
        "www.example.com",
        "example.org",
    ],
    validationMethod: "DNS",
});
const zone = pulumi.output(aws.route53.getZone({
    name: "example.com.",
    privateZone: false,
}, { async: true }));
const zoneAlt = pulumi.output(aws.route53.getZone({
    name: "example.org.",
    privateZone: false,
}, { async: true }));
// One validation record per name; each record goes into the zone that hosts that name.
const certValidation = new aws.route53.Record("cert_validation", {
    name: certCertificate.domainValidationOptions[0].resourceRecordName,
    records: [certCertificate.domainValidationOptions[0].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[0].resourceRecordType,
    zoneId: zone.zoneId!,
});
const certValidationAlt1 = new aws.route53.Record("cert_validation_alt1", {
    name: certCertificate.domainValidationOptions[1].resourceRecordName,
    records: [certCertificate.domainValidationOptions[1].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[1].resourceRecordType,
    zoneId: zone.zoneId!,
});
const certValidationAlt2 = new aws.route53.Record("cert_validation_alt2", {
    name: certCertificate.domainValidationOptions[2].resourceRecordName,
    records: [certCertificate.domainValidationOptions[2].resourceRecordValue],
    ttl: 60,
    type: certCertificate.domainValidationOptions[2].resourceRecordType,
    zoneId: zoneAlt.zoneId!,
});
// Wait until all three records have validated the certificate.
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
    validationRecordFqdns: [
        certValidation.fqdn,
        certValidationAlt1.fqdn,
        certValidationAlt2.fqdn,
    ],
});
const frontEnd = new aws.lb.Listener("front_end", {
    // [...]
    certificateArn: certCertificateValidation.certificateArn,
});
Email Validation
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const certCertificate = new aws.acm.Certificate("cert", {
    domainName: "example.com",
    validationMethod: "EMAIL",
});
const certCertificateValidation = new aws.acm.CertificateValidation("cert", {
    certificateArn: certCertificate.arn,
});
constructor
new CertificateValidation(name: string, args: CertificateValidationArgs, opts?: pulumi.CustomResourceOptions)
Create a CertificateValidation resource with the given unique name, arguments, and options.
name: The unique name of the resource.
args: The arguments to use to populate this resource's properties.
opts: A bag of options that control this resource's behavior.
method get
public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateValidationState, opts?: pulumi.CustomResourceOptions): CertificateValidation
Get an existing CertificateValidation resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
method getProvider
getProvider(moduleMember: string): ProviderResource | undefined
method isInstance
public static isInstance(obj: any): obj is CertificateValidation
Returns true if the given object is an instance of CertificateValidation. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.
property certificateArn
public certificateArn: pulumi.Output<string>;
The ARN of the certificate that is being validated.
property id
id: Output<ID>;
id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.
property urn
urn: Output<URN>;
urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
property validationRecordFqdns
public validationRecordFqdns: pulumi.Output<string[] | undefined>;
List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation.
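The Route 53 examples above choose the hosted zone for each validation record by position in domainValidationOptions ([0], [1], [2]). The following plain TypeScript helper is an added example, not part of the Pulumi documentation or provider code: it places each record by matching its name against the hosted zones on a label boundary, and it goes beyond the three-name case by creating a record shared by a wildcard and its apex only once. The domainName field, the zone IDs and the record values are assumptions constructed for illustration.

```typescript
// Added example; domainName is not shown on this page, zone IDs and record values are constructed.
interface ValidationOption {
  domainName: string;
  resourceRecordName: string;
  resourceRecordType: string;
  resourceRecordValue: string;
}
interface PlannedRecord { zoneId: string; name: string; type: string; value: string; }
// Lower-case and drop the trailing dot so "Example.com." equals "example.com".
function normalize(name: string): string {
  const n = name.toLowerCase();
  return n.charAt(n.length - 1) === "." ? n.slice(0, -1) : n;
}

// True for the zone apex or a name below it on a label boundary, so
// "notexample.com" is never treated as part of "example.com".
function inZone(domain: string, zone: string): boolean {
  const d = normalize(domain), z = normalize(zone);
  return d === z || d.slice(-(z.length + 1)) === "." + z;
}

// ID of the most specific (longest) hosted zone containing the name, or "" if none.
function zoneFor(name: string, zones: Record<string, string>): string {
  let best = "";
  for (const zone of Object.keys(zones)) {
    if (inZone(name, zone) && normalize(zone).length > normalize(best).length) best = zone;
  }
  return best === "" ? "" : zones[best];
}

// One record per distinct challenge name, placed by name rather than by list index.
function planValidationRecords(opts: ValidationOption[], zones: Record<string, string>): PlannedRecord[] {
  const seen: Record<string, boolean> = {};
  const plan: PlannedRecord[] = [];
  for (const o of opts) {
    const zoneId = zoneFor(o.resourceRecordName, zones);
    if (zoneId === "") throw new Error("no hosted zone for " + o.domainName);
    const key = zoneId + "|" + normalize(o.resourceRecordName);
    if (seen[key]) continue; // a wildcard and its apex share one record
    seen[key] = true;
    plan.push({ zoneId, name: o.resourceRecordName, type: o.resourceRecordType, value: o.resourceRecordValue });
  }
  return plan;
}

// Constructed sample, deliberately not in the order the names were requested.
const sampleZones: Record<string, string> = { "example.com.": "Z-COM", "example.org.": "Z-ORG" };
const sampleOptions: ValidationOption[] = [
  { domainName: "example.org", resourceRecordName: "_c3.example.org.", resourceRecordType: "CNAME", resourceRecordValue: "_z.validation.invalid." },
  { domainName: "*.example.com", resourceRecordName: "_a1.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_x.validation.invalid." },
  { domainName: "www.example.com", resourceRecordName: "_b2.www.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_y.validation.invalid." },
  { domainName: "example.com", resourceRecordName: "_a1.example.com.", resourceRecordType: "CNAME", resourceRecordValue: "_x.validation.invalid." },
];
const samplePlan = planValidationRecords(sampleOptions, sampleZones);
```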
Functions
Function getCertificate
getCertificate(args: GetCertificateArgs, opts?: pulumi.InvokeOptions): Promise<GetCertificateResult>
Use this data source to get the ARN of a certificate in AWS Certificate Manager (ACM). You can reference it by domain without having to hard-code the ARNs as input.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Find an RSA 4096-bit certificate
const example = pulumi.output(aws.acm.getCertificate({
    domain: "tf.example.com",
    keyTypes: ["RSA_4096"],
}, { async: true }));
Others
interface CertificateArgs
interface CertificateArgs
The set of arguments for constructing a Certificate resource.
property certificateAuthorityArn
certificateAuthorityArn?: pulumi.Input<string>;
ARN of an ACMPCA
property certificateBody
certificateBody?: pulumi.Input<string>;
The certificate’s PEM-formatted public key
property certificateChain
certificateChain?: pulumi.Input<string>;
The certificate’s PEM-formatted chain
property domainName
domainName?: pulumi.Input<string>;
A domain name for which the certificate should be issued
property options
options?: pulumi.Input<CertificateOptions>;
Configuration block used to set certificate options. Detailed below.
property privateKey
privateKey?: pulumi.Input<string>;
The certificate’s PEM-formatted private key
property subjectAlternativeNames
subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;
A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
property tags
tags?: pulumi.Input<{[key: string]: any}>;
A map of tags to assign to the resource.
property validationMethod
validationMethod?: pulumi.Input<string>;
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider.
interface CertificateState
interface CertificateState
Input properties used for looking up and filtering Certificate resources.
property arn
arn?: pulumi.Input<string>;
The ARN of the certificate
property certificateAuthorityArn
certificateAuthorityArn?: pulumi.Input<string>;
ARN of an ACMPCA
property certificateBody
certificateBody?: pulumi.Input<string>;
The certificate’s PEM-formatted public key
property certificateChain
certificateChain?: pulumi.Input<string>;
The certificate’s PEM-formatted chain
property domainName
domainName?: pulumi.Input<string>;
A domain name for which the certificate should be issued
property domainValidationOptions
domainValidationOptions?: pulumi.Input<pulumi.Input<CertificateDomainValidationOption>[]>;
A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
property options
options?: pulumi.Input<CertificateOptions>;
Configuration block used to set certificate options. Detailed below.
property privateKey
privateKey?: pulumi.Input<string>;
The certificate’s PEM-formatted private key
property status
status?: pulumi.Input<string>;
Status of the certificate.
property subjectAlternativeNames
subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;
A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]).
property tags
tags?: pulumi.Input<{[key: string]: any}>;
A map of tags to assign to the resource.
property validationEmails
validationEmails?: pulumi.Input<pulumi.Input<string>[]>;
A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
property validationMethod
validationMethod?: pulumi.Input<string>;
Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into state managed by this provider.
interface CertificateValidationArgs
interface CertificateValidationArgs
The set of arguments for constructing a CertificateValidation resource.
property certificateArn
certificateArn: pulumi.Input<string>;
The ARN of the certificate that is being validated.
property validationRecordFqdns
validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;
List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation.
interface CertificateValidationState
interface CertificateValidationState
Input properties used for looking up and filtering CertificateValidation resources.
property certificateArn
certificateArn?: pulumi.Input<string>;
The ARN of the certificate that is being validated.
property validationRecordFqdns
validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;
List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation.
interface GetCertificateArgs
interface GetCertificateArgs
A collection of arguments for invoking getCertificate.
property domain
domain: string;
The domain of the certificate to look up. If no certificate is found with this name, an error will be returned.
property keyTypes
keyTypes?: string[];
A list of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. Valid values are RSA_1024, RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, and EC_secp521r1.
property mostRecent
mostRecent?: undefined | false | true;
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
property statuses
statuses?: string[];
A list of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
property tags
tags?: undefined | {[key: string]: any};
A mapping of tags for the resource.
property types
types?: string[];
A list of types on which to filter the returned list. Valid values are AMAZON_ISSUED and IMPORTED.
interface GetCertificateResult
interface GetCertificateResult
A collection of values returned by getCertificate.
property arn
arn: string;
Set to the ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
property domain
domain: string;
property id
id: string;
The provider-assigned unique ID for this managed resource.
property keyTypes
keyTypes?: string[];
property mostRecent
mostRecent?: undefined | false | true;
property statuses
statuses?: string[];
property tags
tags: {[key: string]: any};
A mapping of tags for the resource.
property types
types?: string[];