Resource: aws_acm_certificate

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.

It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws_acm_certificate_validation resource for this.

Most commonly, this resource is used together with aws_route53_record and aws_acm_certificate_validation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through email is also supported but should be avoided as it requires a manual step outside of Terraform.

It’s recommended to specify create_before_destroy = true in a lifecycle block to replace a certificate which is currently in use (eg, by aws_lb_listener).

Example Usage

Create Certificate

resource "aws_acm_certificate" "cert" {
domain_name = "example.com"
validation_method = "DNS"
tags = {
Environment = "test"
}
lifecycle {
create_before_destroy = true
}
}

Custom Domain Validation Options

resource "aws_acm_certificate" "cert" {
domain_name = "testing.example.com"
validation_method = "EMAIL"
validation_option {
domain_name = "testing.example.com"
validation_domain = "example.com"
}
}

Existing Certificate Body Import

resource "tls_private_key" "example" {
algorithm = "RSA"
}
resource "tls_self_signed_cert" "example" {
key_algorithm = "RSA"
private_key_pem = tls_private_key.example.private_key_pem
subject {
common_name = "example.com"
organization = "ACME Examples, Inc"
}
validity_period_hours = 12 allowed_uses = [
"key_encipherment",
"digital_signature",
"server_auth",
]
}
resource "aws_acm_certificate" "cert" {
private_key = tls_private_key.example.private_key_pem
certificate_body = tls_self_signed_cert.example.cert_pem
}

Referencing domain_validation_options With for_each Based Resources

See the aws_acm_certificate_validation resource for a full example of performing DNS validation.

resource "aws_route53_record" "example" {
for_each = {
for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = aws_route53_zone.example.zone_id
}

Argument Reference

The following arguments are supported:

  • Creating an Amazon issued certificate
  • domain_name - (Required) A domain name for which the certificate should be issued
  • subject_alternative_names - (Optional) Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) or use the terraform taint command to trigger recreation.
  • validation_method - (Required) Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform.
  • options - (Optional) Configuration block used to set certificate options. Detailed below.
  • validation_option - (Optional) Configuration block used to specify information about the initial validation of each domain name. Detailed below.
  • Importing an existing certificate
  • private_key - (Required) The certificate's PEM-formatted private key
  • certificate_body - (Required) The certificate's PEM-formatted public key
  • certificate_chain - (Optional) The certificate's PEM-formatted chain
  • Creating a private CA issued certificate
  • domain_name - (Required) A domain name for which the certificate should be issued
  • certificate_authority_arn - (Required) ARN of an ACM PCA
  • subject_alternative_names - (Optional) Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) or use the terraform taint command to trigger recreation.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

options Configuration Block

Supported nested arguments for the options configuration block:

validation_option Configuration Block

Supported nested arguments for the validation_option configuration block:

  • domain_name - (Required) A fully qualified domain name (FQDN) in the certificate.
  • validation_domain - (Required) The domain name that you want ACM to use to send you validation emails. This domain name is the suffix of the email addresses that you want ACM to use. This must be the same as the domain_name value or a superdomain of the domain_name value. For example, if you request a certificate for "testing.example.com", you can specify "example.com" for this value.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ARN of the certificate
  • arn - The ARN of the certificate
  • domain_name - The domain name for which the certificate is issued
  • domain_validation_options - Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.
  • status - Status of the certificate.
  • tags_all - A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
  • validation_emails - A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Domain validation objects export the following attributes:

Import

Certificates can be imported using their ARN, e.g.,

$ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rakesh Tripathi

Rakesh Tripathi

Consulting Engineer, Software Developer, Infra, Quora