1. Docs
  2. Reference
  3. API
  4. pulumi_aws
  5. acmpca

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

acmpca

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.acmpca.AwaitableGetCertificateAuthorityResult(arn=None, certificate=None, certificate_chain=None, certificate_signing_request=None, id=None, not_after=None, not_before=None, revocation_configurations=None, serial=None, status=None, tags=None, type=None)
class pulumi_aws.acmpca.CertificateAuthority(resource_name, opts=None, certificate_authority_configuration=None, enabled=None, permanent_deletion_time_in_days=None, revocation_configuration=None, tags=None, type=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).

NOTE: Creating this resource will leave the certificate authority in a PENDING_CERTIFICATE status, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in the certificate_signing_request attribute and import the signed certificate using the AWS SDK, CLI or Console. This provider can support another resource to manage that workflow automatically in the future.

import pulumi
import pulumi_aws as aws

example = aws.acmpca.CertificateAuthority("example",
    certificate_authority_configuration={
        "keyAlgorithm": "RSA_4096",
        "signingAlgorithm": "SHA512WITHRSA",
        "subject": {
            "commonName": "example.com",
        },
    },
    permanent_deletion_time_in_days=7)

import pulumi
import pulumi_aws as aws

example_bucket = aws.s3.Bucket("exampleBucket")
acmpca_bucket_access = pulumi.Output.all(example_bucket.arn, example_bucket.arn).apply(lambda exampleBucketArn, exampleBucketArn1: aws.iam.get_policy_document(statements=[{
    "actions": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl",
    ],
    "principals": [{
        "identifiers": ["acm-pca.amazonaws.com"],
        "type": "Service",
    }],
    "resources": [
        example_bucket_arn,
        f"{example_bucket_arn1}/*",
    ],
}]))
example_bucket_policy = aws.s3.BucketPolicy("exampleBucketPolicy",
    bucket=example_bucket.id,
    policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("exampleCertificateAuthority",
    certificate_authority_configuration={
        "keyAlgorithm": "RSA_4096",
        "signingAlgorithm": "SHA512WITHRSA",
        "subject": {
            "commonName": "example.com",
        },
    },
    revocation_configuration={
        "crlConfiguration": {
            "customCname": "crl.example.com",
            "enabled": True,
            "expirationInDays": 7,
            "s3_bucket_name": example_bucket.id,
        },
    })
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • certificate_authority_configuration (pulumi.Input[dict]) – Nested argument containing algorithms and certificate subject information. Defined below.

  • enabled (pulumi.Input[bool]) – Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

  • permanent_deletion_time_in_days (pulumi.Input[float]) – The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.

  • revocation_configuration (pulumi.Input[dict]) – Nested argument containing revocation configuration. Defined below.

  • tags (pulumi.Input[dict]) – Specifies a key-value map of user-defined tags that are attached to the certificate authority.

  • type (pulumi.Input[str]) – The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

The certificate_authority_configuration object supports the following:

  • keyAlgorithm (pulumi.Input[str]) - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.

  • signingAlgorithm (pulumi.Input[str]) - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.

  • subject (pulumi.Input[dict]) - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

    • commonName (pulumi.Input[str]) - Fully qualified domain name (FQDN) associated with the certificate subject.

    • country (pulumi.Input[str]) - Two digit code that specifies the country in which the certificate subject located.

    • distinguishedNameQualifier (pulumi.Input[str]) - Disambiguating information for the certificate subject.

    • generationQualifier (pulumi.Input[str]) - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.

    • givenName (pulumi.Input[str]) - First name.

    • initials (pulumi.Input[str]) - Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.

    • locality (pulumi.Input[str]) - The locality (such as a city or town) in which the certificate subject is located.

    • organization (pulumi.Input[str]) - Legal name of the organization with which the certificate subject is affiliated.

    • organizationalUnit (pulumi.Input[str]) - A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.

    • pseudonym (pulumi.Input[str]) - Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

    • state (pulumi.Input[str]) - State in which the subject of the certificate is located.

    • surname (pulumi.Input[str]) - Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.

    • title (pulumi.Input[str]) - A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

The revocation_configuration object supports the following:

  • crlConfiguration (pulumi.Input[dict]) - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

    • customCname (pulumi.Input[str]) - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.

    • enabled (pulumi.Input[bool]) - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

    • expirationInDays (pulumi.Input[float]) - Number of days until a certificate expires. Must be between 1 and 5000.

    • s3_bucket_name (pulumi.Input[str]) - Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the certificate authority.

certificate: pulumi.Output[str] = None

Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.

certificate_authority_configuration: pulumi.Output[dict] = None

Nested argument containing algorithms and certificate subject information. Defined below.

  • keyAlgorithm (str) - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.

  • signingAlgorithm (str) - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.

  • subject (dict) - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

    • commonName (str) - Fully qualified domain name (FQDN) associated with the certificate subject.

    • country (str) - Two digit code that specifies the country in which the certificate subject located.

    • distinguishedNameQualifier (str) - Disambiguating information for the certificate subject.

    • generationQualifier (str) - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.

    • givenName (str) - First name.

    • initials (str) - Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.

    • locality (str) - The locality (such as a city or town) in which the certificate subject is located.

    • organization (str) - Legal name of the organization with which the certificate subject is affiliated.

    • organizationalUnit (str) - A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.

    • pseudonym (str) - Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

    • state (str) - State in which the subject of the certificate is located.

    • surname (str) - Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.

    • title (str) - A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

certificate_chain: pulumi.Output[str] = None

Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.

certificate_signing_request: pulumi.Output[str] = None

The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.

enabled: pulumi.Output[bool] = None

Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

not_after: pulumi.Output[str] = None

Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

not_before: pulumi.Output[str] = None

Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

permanent_deletion_time_in_days: pulumi.Output[float] = None

The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.

revocation_configuration: pulumi.Output[dict] = None

Nested argument containing revocation configuration. Defined below.

  • crlConfiguration (dict) - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

    • customCname (str) - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.

    • enabled (bool) - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

    • expirationInDays (float) - Number of days until a certificate expires. Must be between 1 and 5000.

    • s3_bucket_name (str) - Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

serial: pulumi.Output[str] = None

Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.

status: pulumi.Output[str] = None

Status of the certificate authority.

tags: pulumi.Output[dict] = None

Specifies a key-value map of user-defined tags that are attached to the certificate authority.

type: pulumi.Output[str] = None

The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

static get(resource_name, id, opts=None, arn=None, certificate=None, certificate_authority_configuration=None, certificate_chain=None, certificate_signing_request=None, enabled=None, not_after=None, not_before=None, permanent_deletion_time_in_days=None, revocation_configuration=None, serial=None, status=None, tags=None, type=None)

Get an existing CertificateAuthority resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the certificate authority.

  • certificate (pulumi.Input[str]) – Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.

  • certificate_authority_configuration (pulumi.Input[dict]) – Nested argument containing algorithms and certificate subject information. Defined below.

  • certificate_chain (pulumi.Input[str]) – Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.

  • certificate_signing_request (pulumi.Input[str]) – The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.

  • enabled (pulumi.Input[bool]) – Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

  • not_after (pulumi.Input[str]) – Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

  • not_before (pulumi.Input[str]) – Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

  • permanent_deletion_time_in_days (pulumi.Input[float]) – The number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.

  • revocation_configuration (pulumi.Input[dict]) – Nested argument containing revocation configuration. Defined below.

  • serial (pulumi.Input[str]) – Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.

  • status (pulumi.Input[str]) – Status of the certificate authority.

  • tags (pulumi.Input[dict]) – Specifies a key-value map of user-defined tags that are attached to the certificate authority.

  • type (pulumi.Input[str]) – The type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.

The certificate_authority_configuration object supports the following:

  • keyAlgorithm (pulumi.Input[str]) - Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.

  • signingAlgorithm (pulumi.Input[str]) - Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.

  • subject (pulumi.Input[dict]) - Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.

    • commonName (pulumi.Input[str]) - Fully qualified domain name (FQDN) associated with the certificate subject.

    • country (pulumi.Input[str]) - Two digit code that specifies the country in which the certificate subject located.

    • distinguishedNameQualifier (pulumi.Input[str]) - Disambiguating information for the certificate subject.

    • generationQualifier (pulumi.Input[str]) - Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.

    • givenName (pulumi.Input[str]) - First name.

    • initials (pulumi.Input[str]) - Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname.

    • locality (pulumi.Input[str]) - The locality (such as a city or town) in which the certificate subject is located.

    • organization (pulumi.Input[str]) - Legal name of the organization with which the certificate subject is affiliated.

    • organizationalUnit (pulumi.Input[str]) - A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.

    • pseudonym (pulumi.Input[str]) - Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza.

    • state (pulumi.Input[str]) - State in which the subject of the certificate is located.

    • surname (pulumi.Input[str]) - Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first.

    • title (pulumi.Input[str]) - A title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject.

The revocation_configuration object supports the following:

  • crlConfiguration (pulumi.Input[dict]) - Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.

    • customCname (pulumi.Input[str]) - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don’t want the name of your S3 bucket to be public.

    • enabled (pulumi.Input[bool]) - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.

    • expirationInDays (pulumi.Input[float]) - Number of days until a certificate expires. Must be between 1 and 5000.

    • s3_bucket_name (pulumi.Input[str]) - Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.acmpca.GetCertificateAuthorityResult(arn=None, certificate=None, certificate_chain=None, certificate_signing_request=None, id=None, not_after=None, not_before=None, revocation_configurations=None, serial=None, status=None, tags=None, type=None)

A collection of values returned by getCertificateAuthority.

certificate = None

Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.

certificate_chain = None

Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.

certificate_signing_request = None

The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.

id = None

The provider-assigned unique ID for this managed resource.

not_after = None

Date and time after which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

not_before = None

Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.

revocation_configurations = None

Nested attribute containing revocation configuration.

  • revocation_configuration.0.crl_configuration - Nested attribute containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority.

  • revocation_configuration.0.crl_configuration.0.custom_cname - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point.

  • revocation_configuration.0.crl_configuration.0.enabled - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled.

  • revocation_configuration.0.crl_configuration.0.expiration_in_days - Number of days until a certificate expires.

  • revocation_configuration.0.crl_configuration.0.s3_bucket_name - Name of the S3 bucket that contains the CRL.

serial = None

Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.

status = None

Status of the certificate authority.

tags = None

Specifies a key-value map of user-defined tags that are attached to the certificate authority.

type = None

The type of the certificate authority.

pulumi_aws.acmpca.get_certificate_authority(arn=None, revocation_configurations=None, tags=None, opts=None)

Get information on a AWS Certificate Manager Private Certificate Authority (ACM PCA Certificate Authority).

import pulumi
import pulumi_aws as aws

example = aws.acmpca.get_certificate_authority(arn="arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012")
Parameters

  • arn (str) – Amazon Resource Name (ARN) of the certificate authority.

  • revocation_configurations (list) – Nested attribute containing revocation configuration.

* `revocation_configuration.0.crl_configuration` - Nested attribute containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority.
* `revocation_configuration.0.crl_configuration.0.custom_cname` - Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point.
* `revocation_configuration.0.crl_configuration.0.enabled` - Boolean value that specifies whether certificate revocation lists (CRLs) are enabled.
* `revocation_configuration.0.crl_configuration.0.expiration_in_days` - Number of days until a certificate expires.
* `revocation_configuration.0.crl_configuration.0.s3_bucket_name` - Name of the S3 bucket that contains the CRL.
Parameters

tags (dict) – Specifies a key-value map of user-defined tags that are attached to the certificate authority.

The revocation_configurations object supports the following:

  • crlConfigurations (list)

    • customCname (str)

    • enabled (bool)

    • expirationInDays (float)

    • s3_bucket_name (str)