This page documents the language specification for the tls package. If you're looking for help working with the inputs, outputs, or functions of tls resources in a Pulumi program, please see the resource documentation for examples and API reference.
Pulumi TLS
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-tls repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-tls repo.
- class
pulumi_tls.AwaitableGetPublicKeyResult(algorithm=None, id=None, private_key_pem=None, public_key_fingerprint_md5=None, public_key_openssh=None, public_key_pem=None)
- class
pulumi_tls.CertRequest(resource_name, opts=None, dns_names=None, ip_addresses=None, key_algorithm=None, private_key_pem=None, subjects=None, uris=None, __props__=None, __name__=None, __opts__=None)
Create a CertRequest resource with the given unique name, props, and options.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
dns_names (pulumi.Input[list]) – List of DNS names for which a certificate is being requested.
ip_addresses (pulumi.Input[list]) – List of IP addresses for which a certificate is being requested.
key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in private_key_pem.
private_key_pem (pulumi.Input[str]) – PEM-encoded private key that the certificate will belong to.
subjects (pulumi.Input[list]) – The subject for which a certificate is being requested. This is a nested configuration block whose structure is described below.
uris (pulumi.Input[list]) – List of URIs for which a certificate is being requested.
The subjects object supports the following:
commonName (pulumi.Input[str])
country (pulumi.Input[str])
locality (pulumi.Input[str])
organization (pulumi.Input[str])
organizationalUnit (pulumi.Input[str])
postalCode (pulumi.Input[str])
province (pulumi.Input[str])
serialNumber (pulumi.Input[str])
streetAddresses (pulumi.Input[list])
cert_request_pem: pulumi.Output[str] = None – The certificate request data in PEM format.
dns_names: pulumi.Output[list] = None – List of DNS names for which a certificate is being requested.
ip_addresses: pulumi.Output[list] = None – List of IP addresses for which a certificate is being requested.
key_algorithm: pulumi.Output[str] = None – The name of the algorithm for the key provided in private_key_pem.
private_key_pem: pulumi.Output[str] = None – PEM-encoded private key that the certificate will belong to.
subjects: pulumi.Output[list] = None – The subject for which a certificate is being requested. This is a nested configuration block whose structure is described below.
commonName (str)
country (str)
locality (str)
organization (str)
organizationalUnit (str)
postalCode (str)
province (str)
serialNumber (str)
streetAddresses (list)
uris: pulumi.Output[list] = None – List of URIs for which a certificate is being requested.
- static
get(resource_name, id, opts=None, cert_request_pem=None, dns_names=None, ip_addresses=None, key_algorithm=None, private_key_pem=None, subjects=None, uris=None)
Get an existing CertRequest resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
cert_request_pem (pulumi.Input[str]) – The certificate request data in PEM format.
dns_names (pulumi.Input[list]) – List of DNS names for which a certificate is being requested.
ip_addresses (pulumi.Input[list]) – List of IP addresses for which a certificate is being requested.
key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in private_key_pem.
private_key_pem (pulumi.Input[str]) – PEM-encoded private key that the certificate will belong to.
subjects (pulumi.Input[list]) – The subject for which a certificate is being requested. This is a nested configuration block whose structure is described below.
uris (pulumi.Input[list]) – List of URIs for which a certificate is being requested.
The subjects object supports the following:
commonName (pulumi.Input[str])
country (pulumi.Input[str])
locality (pulumi.Input[str])
organization (pulumi.Input[str])
organizationalUnit (pulumi.Input[str])
postalCode (pulumi.Input[str])
province (pulumi.Input[str])
serialNumber (pulumi.Input[str])
streetAddresses (pulumi.Input[list])
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_tls.GetPublicKeyResult(algorithm=None, id=None, private_key_pem=None, public_key_fingerprint_md5=None, public_key_openssh=None, public_key_pem=None)
A collection of values returned by getPublicKey.
id = None – The provider-assigned unique ID for this managed resource.
private_key_pem = None – The private key data in PEM format.
public_key_fingerprint_md5 = None – The md5 hash of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules for public_key_openssh.
public_key_openssh = None – The public key data in OpenSSH authorized_keys format, if the selected private key format is compatible. All RSA keys are supported, and ECDSA keys with curves “P256”, “P384” and “P521” are supported. This attribute is empty if an incompatible ECDSA curve is selected.
public_key_pem = None – The public key data in PEM format.
- class
pulumi_tls.LocallySignedCert(resource_name, opts=None, allowed_uses=None, ca_cert_pem=None, ca_key_algorithm=None, ca_private_key_pem=None, cert_request_pem=None, early_renewal_hours=None, is_ca_certificate=None, set_subject_key_id=None, validity_period_hours=None, __props__=None, __name__=None, __opts__=None)
Create a LocallySignedCert resource with the given unique name, props, and options.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_uses (pulumi.Input[list]) – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
ca_cert_pem (pulumi.Input[str]) – PEM-encoded certificate data for the CA.
ca_key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in ca_private_key_pem.
ca_private_key_pem (pulumi.Input[str]) – PEM-encoded private key data for the CA. This can be read from a separate file using the file interpolation function.
cert_request_pem (pulumi.Input[str]) – PEM-encoded request certificate data.
early_renewal_hours (pulumi.Input[float]) – Number of hours before the certificate's expiry when a new certificate will be generated.
is_ca_certificate (pulumi.Input[bool]) – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
set_subject_key_id (pulumi.Input[bool]) – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
validity_period_hours (pulumi.Input[float]) – The number of hours after initial issuing that the certificate will become invalid.
allowed_uses: pulumi.Output[list] = None – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
ca_cert_pem: pulumi.Output[str] = None – PEM-encoded certificate data for the CA.
ca_key_algorithm: pulumi.Output[str] = None – The name of the algorithm for the key provided in ca_private_key_pem.
ca_private_key_pem: pulumi.Output[str] = None – PEM-encoded private key data for the CA. This can be read from a separate file using the file interpolation function.
cert_pem: pulumi.Output[str] = None – The certificate data in PEM format.
cert_request_pem: pulumi.Output[str] = None – PEM-encoded request certificate data.
early_renewal_hours: pulumi.Output[float] = None – Number of hours before the certificate's expiry when a new certificate will be generated.
is_ca_certificate: pulumi.Output[bool] = None – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
set_subject_key_id: pulumi.Output[bool] = None – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
validity_end_time: pulumi.Output[str] = None – The time until which the certificate is invalid, as an RFC3339 timestamp.
validity_period_hours: pulumi.Output[float] = None – The number of hours after initial issuing that the certificate will become invalid.
validity_start_time: pulumi.Output[str] = None – The time after which the certificate is valid, as an RFC3339 timestamp.
- static
get(resource_name, id, opts=None, allowed_uses=None, ca_cert_pem=None, ca_key_algorithm=None, ca_private_key_pem=None, cert_pem=None, cert_request_pem=None, early_renewal_hours=None, is_ca_certificate=None, ready_for_renewal=None, set_subject_key_id=None, validity_end_time=None, validity_period_hours=None, validity_start_time=None)
Get an existing LocallySignedCert resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_uses (pulumi.Input[list]) – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
ca_cert_pem (pulumi.Input[str]) – PEM-encoded certificate data for the CA.
ca_key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in ca_private_key_pem.
ca_private_key_pem (pulumi.Input[str]) – PEM-encoded private key data for the CA. This can be read from a separate file using the file interpolation function.
cert_pem (pulumi.Input[str]) – The certificate data in PEM format.
cert_request_pem (pulumi.Input[str]) – PEM-encoded request certificate data.
early_renewal_hours (pulumi.Input[float]) – Number of hours before the certificate's expiry when a new certificate will be generated.
is_ca_certificate (pulumi.Input[bool]) – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
set_subject_key_id (pulumi.Input[bool]) – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
validity_end_time (pulumi.Input[str]) – The time until which the certificate is invalid, as an RFC3339 timestamp.
validity_period_hours (pulumi.Input[float]) – The number of hours after initial issuing that the certificate will become invalid.
validity_start_time (pulumi.Input[str]) – The time after which the certificate is valid, as an RFC3339 timestamp.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_tls.PrivateKey(resource_name, opts=None, algorithm=None, ecdsa_curve=None, rsa_bits=None, __props__=None, __name__=None, __opts__=None)
Create a PrivateKey resource with the given unique name, props, and options.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
algorithm (pulumi.Input[str]) – The name of the algorithm to use for the key. Currently-supported values are “RSA” and “ECDSA”.
ecdsa_curve (pulumi.Input[str]) – When algorithm is “ECDSA”, the name of the elliptic curve to use. May be any one of “P224”, “P256”, “P384” or “P521”, with “P224” as the default.
rsa_bits (pulumi.Input[float]) – When algorithm is “RSA”, the size of the generated RSA key in bits. Defaults to 2048.
algorithm: pulumi.Output[str] = None – The name of the algorithm to use for the key. Currently-supported values are “RSA” and “ECDSA”.
ecdsa_curve: pulumi.Output[str] = None – When algorithm is “ECDSA”, the name of the elliptic curve to use. May be any one of “P224”, “P256”, “P384” or “P521”, with “P224” as the default.
private_key_pem: pulumi.Output[str] = None – The private key data in PEM format.
public_key_fingerprint_md5: pulumi.Output[str] = None – The md5 hash of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules for public_key_openssh.
public_key_openssh: pulumi.Output[str] = None – The public key data in OpenSSH authorized_keys format, if the selected private key format is compatible. All RSA keys are supported, and ECDSA keys with curves “P256”, “P384” and “P521” are supported. This attribute is empty if an incompatible ECDSA curve is selected.
public_key_pem: pulumi.Output[str] = None – The public key data in PEM format.
rsa_bits: pulumi.Output[float] = None – When algorithm is “RSA”, the size of the generated RSA key in bits. Defaults to 2048.
- static
get(resource_name, id, opts=None, algorithm=None, ecdsa_curve=None, private_key_pem=None, public_key_fingerprint_md5=None, public_key_openssh=None, public_key_pem=None, rsa_bits=None)
Get an existing PrivateKey resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
algorithm (pulumi.Input[str]) – The name of the algorithm to use for the key. Currently-supported values are “RSA” and “ECDSA”.
ecdsa_curve (pulumi.Input[str]) – When algorithm is “ECDSA”, the name of the elliptic curve to use. May be any one of “P224”, “P256”, “P384” or “P521”, with “P224” as the default.
private_key_pem (pulumi.Input[str]) – The private key data in PEM format.
public_key_fingerprint_md5 (pulumi.Input[str]) – The md5 hash of the public key data in OpenSSH MD5 hash format, e.g. aa:bb:cc:.... Only available if the selected private key format is compatible, as per the rules for public_key_openssh.
public_key_openssh (pulumi.Input[str]) – The public key data in OpenSSH authorized_keys format, if the selected private key format is compatible. All RSA keys are supported, and ECDSA keys with curves “P256”, “P384” and “P521” are supported. This attribute is empty if an incompatible ECDSA curve is selected.
public_key_pem (pulumi.Input[str]) – The public key data in PEM format.
rsa_bits (pulumi.Input[float]) – When algorithm is “RSA”, the size of the generated RSA key in bits. Defaults to 2048.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
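An added example, not part of the Pulumi or provider code: it recomputes the OpenSSH MD5 fingerprint from a public_key_openssh value so that a public_key_fingerprint_md5 output can be checked independently, and it treats the empty public_key_openssh described above for incompatible ECDSA curves as having no fingerprint. The function names and the sample key line are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string, the building block of an OpenSSH key blob."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Positive multi-precision integer, padded so the sign bit stays clear."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample, not a real key: an ssh-rsa blob built from made-up integers.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) + 12345)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"


def key_blob(authorized_keys_line: str) -> bytes:
    """Decode the base64 blob and check it names the same key type as the line."""
    fields = authorized_keys_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, encoded = fields[0], fields[1]
    blob = base64.b64decode(encoded, validate=True)  # raises ValueError on junk
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    return blob


def md5_fingerprint(public_key_openssh: str) -> Optional[str]:
    """Colon-separated MD5 of the key blob (aa:bb:cc:...), or None if no key."""
    if not public_key_openssh.strip():
        # Empty output: the key has no OpenSSH form, so no fingerprint exists.
        return None
    digest = hashlib.md5(key_blob(public_key_openssh)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(public_key_openssh: str, claimed: str) -> bool:
    """Compare a claimed fingerprint with the one recomputed from the key."""
    actual = md5_fingerprint(public_key_openssh)
    if actual is None:
        return False
    candidate = claimed.strip().lower()
    if candidate.startswith("md5:"):  # prefix printed by `ssh-keygen -l -E md5`
        candidate = candidate[4:]
    return hmac.compare_digest(actual.encode(), candidate.encode())


if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE))
```

MD5 serves here only as a legacy display format for matching what other tools print; the comparison is against a value recomputed from the key itself.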
- class
pulumi_tls.Provider(resource_name, opts=None, __props__=None, __name__=None, __opts__=None)
The provider type for the tls package. By default, resources use package-wide configuration settings; however, an explicit Provider instance may be created and passed during resource construction to achieve fine-grained programmatic control over provider settings. See the documentation for more information.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_tls.SelfSignedCert(resource_name, opts=None, allowed_uses=None, dns_names=None, early_renewal_hours=None, ip_addresses=None, is_ca_certificate=None, key_algorithm=None, private_key_pem=None, set_subject_key_id=None, subjects=None, uris=None, validity_period_hours=None, __props__=None, __name__=None, __opts__=None)
Create a SelfSignedCert resource with the given unique name, props, and options.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_uses (pulumi.Input[list]) – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
dns_names (pulumi.Input[list]) – List of DNS names for which a certificate is being requested.
early_renewal_hours (pulumi.Input[float]) – Number of hours before the certificate's expiry when a new certificate will be generated.
ip_addresses (pulumi.Input[list]) – List of IP addresses for which a certificate is being requested.
is_ca_certificate (pulumi.Input[bool]) – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in private_key_pem.
private_key_pem (pulumi.Input[str]) – PEM-encoded private key that the certificate will belong to.
set_subject_key_id (pulumi.Input[bool]) – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
subjects (pulumi.Input[list]) – The subject for which a certificate is being requested. This is a nested configuration block whose structure matches the corresponding block for CertRequest.
uris (pulumi.Input[list]) – List of URIs for which a certificate is being requested.
validity_period_hours (pulumi.Input[float]) – The number of hours after initial issuing that the certificate will become invalid.
The subjects object supports the following:
commonName (pulumi.Input[str])
country (pulumi.Input[str])
locality (pulumi.Input[str])
organization (pulumi.Input[str])
organizationalUnit (pulumi.Input[str])
postalCode (pulumi.Input[str])
province (pulumi.Input[str])
serialNumber (pulumi.Input[str])
streetAddresses (pulumi.Input[list])
allowed_uses: pulumi.Output[list] = None – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
cert_pem: pulumi.Output[str] = None – The certificate data in PEM format.
dns_names: pulumi.Output[list] = None – List of DNS names for which a certificate is being requested.
early_renewal_hours: pulumi.Output[float] = None – Number of hours before the certificate's expiry when a new certificate will be generated.
ip_addresses: pulumi.Output[list] = None – List of IP addresses for which a certificate is being requested.
is_ca_certificate: pulumi.Output[bool] = None – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
key_algorithm: pulumi.Output[str] = None – The name of the algorithm for the key provided in private_key_pem.
private_key_pem: pulumi.Output[str] = None – PEM-encoded private key that the certificate will belong to.
set_subject_key_id: pulumi.Output[bool] = None – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
subjects: pulumi.Output[list] = None – The subject for which a certificate is being requested. This is a nested configuration block whose structure matches the corresponding block for CertRequest.
commonName (str)
country (str)
locality (str)
organization (str)
organizationalUnit (str)
postalCode (str)
province (str)
serialNumber (str)
streetAddresses (list)
uris: pulumi.Output[list] = None – List of URIs for which a certificate is being requested.
validity_end_time: pulumi.Output[str] = None – The time until which the certificate is invalid, as an RFC3339 timestamp.
validity_period_hours: pulumi.Output[float] = None – The number of hours after initial issuing that the certificate will become invalid.
validity_start_time: pulumi.Output[str] = None – The time after which the certificate is valid, as an RFC3339 timestamp.
- static
get(resource_name, id, opts=None, allowed_uses=None, cert_pem=None, dns_names=None, early_renewal_hours=None, ip_addresses=None, is_ca_certificate=None, key_algorithm=None, private_key_pem=None, ready_for_renewal=None, set_subject_key_id=None, subjects=None, uris=None, validity_end_time=None, validity_period_hours=None, validity_start_time=None)
Get an existing SelfSignedCert resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_uses (pulumi.Input[list]) – List of keywords each describing a use that is permitted for the issued certificate. The valid keywords are listed below.
cert_pem (pulumi.Input[str]) – The certificate data in PEM format.
dns_names (pulumi.Input[list]) – List of DNS names for which a certificate is being requested.
early_renewal_hours (pulumi.Input[float]) – Number of hours before the certificate's expiry when a new certificate will be generated.
ip_addresses (pulumi.Input[list]) – List of IP addresses for which a certificate is being requested.
is_ca_certificate (pulumi.Input[bool]) – Boolean controlling whether the CA flag will be set in the generated certificate. Defaults to false, meaning that the certificate does not represent a certificate authority.
key_algorithm (pulumi.Input[str]) – The name of the algorithm for the key provided in private_key_pem.
private_key_pem (pulumi.Input[str]) – PEM-encoded private key that the certificate will belong to.
set_subject_key_id (pulumi.Input[bool]) – If true, the certificate will include the subject key identifier. Defaults to false, in which case the subject key identifier is not set at all.
subjects (pulumi.Input[list]) – The subject for which a certificate is being requested. This is a nested configuration block whose structure matches the corresponding block for CertRequest.
uris (pulumi.Input[list]) – List of URIs for which a certificate is being requested.
validity_end_time (pulumi.Input[str]) – The time until which the certificate is invalid, as an RFC3339 timestamp.
validity_period_hours (pulumi.Input[float]) – The number of hours after initial issuing that the certificate will become invalid.
validity_start_time (pulumi.Input[str]) – The time after which the certificate is valid, as an RFC3339 timestamp.
The subjects object supports the following:
commonName (pulumi.Input[str])
country (pulumi.Input[str])
locality (pulumi.Input[str])
organization (pulumi.Input[str])
organizationalUnit (pulumi.Input[str])
postalCode (pulumi.Input[str])
province (pulumi.Input[str])
serialNumber (pulumi.Input[str])
streetAddresses (pulumi.Input[list])
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
pulumi_tls.get_public_key(private_key_pem=None, opts=None)
Use this data source to get the public key from a PEM-encoded private key for use in other resources.

    import os
    import pulumi
    import pulumi_tls as tls

    # open() does not expand "~", so resolve the home directory explicitly.
    with open(os.path.expanduser("~/.ssh/id_rsa")) as key_file:
        example = tls.get_public_key(private_key_pem=key_file.read())

- Parameters
private_key_pem (str) – The private key to use. Currently-supported key types are “RSA” or “ECDSA”.