
ACM Certificates

The aws_acm_certificate resource behaves very differently depending on which arguments are supplied: it can create an Amazon-issued certificate, import an existing certificate, or create a private CA issued certificate (see the acm_certificate documentation). On top of that, our module also supports referencing a certificate that already exists in ACM via a data source. The module therefore needs to be extremely flexible.

To accomplish this, we added a certificate_action attribute to the certificates variable that lets you specify which action to take for each certificate. The options are import_certificate (default), create_amazon_issued_certificate (not yet implemented), create_private_ca_issued_certificate (not yet implemented), and reference_existing_certificate (uses a data source). Depending on the chosen action, different attributes are required or optional. Not all options are currently supported, but this design should be flexible enough for us to add the remaining options in the future as needed.

Create a Generic, Self-Signed Placeholder Certificate

This would typically be used for testing, development, or as a temporary certificate until a proper one can be obtained. In this example, defining certificate_action is optional because it defaults to import_certificate.

certificates = {
    cert1 = {}
}

Reference an Existing Certificate in ACM

This option uses a data source to look up an existing certificate in ACM that was created outside of Terraform. You can filter by domain, key types, statuses, types, and tags to find the appropriate certificate; see the data source documentation for details on the available filters. The lookup must return exactly one certificate, otherwise Terraform reports an error. If multiple certificates match the filters, consider setting the most_recent attribute to select the latest one.

certificates = {
    cert1 = {}
    cert2 = {
        certificate_action = "reference_existing_certificate"
        domain = "example.com"
        key_types = ["RSA_2048"]
        most_recent = true
    }
}

Import an Existing Certificate

To import an existing certificate, provide the private_key and certificate_body attributes and, optionally, certificate_chain. You can define the values using heredoc syntax for better readability, as shown below, or use file functions to read them from external files. This option is not recommended without more thought going into secret management for the private key: a key pasted inline lives in your configuration and in Terraform state in plaintext.

certificates = {
    cert1 = {
        private_key = <<-EOT
        -----BEGIN PRIVATE KEY-----
        MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgM/qJeVMQW62d0FLA
        ApkKqywiNfMx/OSlt6IJJv0cqQ6hRANCAASCUGOsak/vu5lmUgmCzWJIwV8fFxhF
        2hrFhChyhtzREXLSxTZLWWgI+f/L+9Du1ezwfyljoWb+SN4qFiSoX1xl
        -----END PRIVATE KEY-----
        EOT
        certificate_body = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIICQzCCAemgAwIBAgIUIiIA6bRQEZOnWvmE72cNRFOJGpAwCgYIKoZIzj0EAwIw
        UTEcMBoGA1UEAwwTSW50ZXJtZWRpYXRlIEVDQyBDQTELMAkGA1UEBhMCVVMxEjAQ
        BgNVBAgMCUxvdWlzaWFuYTEQMA4GA1UEBwwHU2xpZGVsbDAeFw0yNTEyMDQyMjU2
        MTNaFw0yNjEyMDQyMjU2MTNaMFAxGzAZBgNVBAMMEnNhcHBoaXJlaGVhbHRoLmNv
        bTELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCUxvdWlzaWFuYTEQMA4GA1UEBwwHU2xp
        ZGVsbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIJQY6xqT++7mWZSCYLNYkjB
        Xx8XGEXaGsWEKHKG3NERctLFNktZaAj5/8v70O7V7PB/KWOhZv5I3ioWJKhfXGWj
        gZ8wgZwwHQYDVR0OBBYEFMXCIo/MN5a6Qq5l+GAVXV2LNWmcMB8GA1UdIwQYMBaA
        FJ4/ZoX5QzsG9hU80ZJCvk+XKNmpMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
        BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHREEFjAUghJz
        YXBwaGlyZWhlYWx0aC5jb20wCgYIKoZIzj0EAwIDSAAwRQIgP16nkNHRGfHUQZqo
        2XmfCGQvmTpdEO3ugyrrobk17AUCIQCvnduREBBIdl5YSQ38AsWnghSrPekdnlk6
        OWyOL+vRwA==
        -----END CERTIFICATE-----
        EOT
        certificate_chain = <<-EOT
        -----BEGIN CERTIFICATE-----
        MIICAjCCAaigAwIBAgIUOUbsUh6rPwDeRCUoDp1REfewiQwwCgYIKoZIzj0EAwIw
        STEUMBIGA1UEAwwLUm9vdCBFQ0MgQ0ExCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlM
        b3Vpc2lhbmExEDAOBgNVBAcMB1NsaWRlbGwwHhcNMjUxMjA0MjI1NTQ4WhcNMjYx
        MjA0MjI1NTQ4WjBRMRwwGgYDVQQDDBNJbnRlcm1lZGlhdGUgRUNDIENBMQswCQYD
        VQQGEwJVUzESMBAGA1UECAwJTG91aXNpYW5hMRAwDgYDVQQHDAdTbGlkZWxsMFkw
        EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbtx7ibn3cS3vTRorxg16n8Cxay1POdDv
        yTbk5JO6UmyLjkr0QjIXDsS3nNcWU9JNE+dHFvEEmh3pVpW0Az5nj6NmMGQwHQYD
        VR0OBBYEFJ4/ZoX5QzsG9hU80ZJCvk+XKNmpMB8GA1UdIwQYMBaAFGaSrgNHGjUP
        8AerYx5W1HedeaYFMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEA
        MAoGCCqGSM49BAMCA0gAMEUCIQCwT+9QV2+cgurI+DMGk9LcpIVUP3hA3Uxm9F2j
        1lAYWgIgfcMqiGWGX9wcg6xknea9R+ywiRaQEQuEl4eJdBM6kGA=
        -----END CERTIFICATE-----
        EOT
    }
}
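As an added, hypothetical sketch (not the module's own code) of how the certificate_action dispatch described above, the reference_existing_certificate lookup, and the import/placeholder path could be implemented inside the module. It assumes Terraform 1.3+ for optional object attributes and the hashicorp/tls provider for generating the self-signed placeholder; the resource and local names are assumptions.

```hcl
variable "certificates" {
  type = map(object({
    certificate_action = optional(string, "import_certificate")
    domain             = optional(string)
    key_types          = optional(list(string))
    most_recent        = optional(bool, false)
    private_key        = optional(string)
    certificate_body   = optional(string)
    certificate_chain  = optional(string)
  }))
  default = {}
  validation {
    # Fail at plan time on the not-yet-implemented create_* actions rather than silently ignoring them.
    condition     = alltrue([for c in values(var.certificates) : contains(["import_certificate", "reference_existing_certificate"], c.certificate_action)])
    error_message = "certificate_action must be import_certificate or reference_existing_certificate."
  }
}
locals {
  referenced = { for k, c in var.certificates : k => c if c.certificate_action == "reference_existing_certificate" }
  imported   = { for k, c in var.certificates : k => c if c.certificate_action == "import_certificate" }
  # Imports with no key material (e.g. cert1 = {}) get a generated self-signed placeholder.
  placeholder = { for k, c in local.imported : k => c if c.private_key == null }
}
# The lookup must match exactly one certificate; most_recent disambiguates when several match.
data "aws_acm_certificate" "existing" {
  for_each    = local.referenced
  domain      = each.value.domain
  key_types   = each.value.key_types
  most_recent = each.value.most_recent
}
resource "tls_private_key" "placeholder" {
  for_each    = local.placeholder
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}
resource "tls_self_signed_cert" "placeholder" {
  for_each              = local.placeholder
  private_key_pem       = tls_private_key.placeholder[each.key].private_key_pem
  validity_period_hours = 24 * 30 # short-lived on purpose: it is only a stand-in
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
  subject { common_name = "placeholder.invalid" }
}
# Both a supplied and a generated private key end up in Terraform state, so treat state as a secret.
resource "aws_acm_certificate" "imported" {
  for_each          = local.imported
  # try() picks the generated material when this key has a placeholder, else the user-supplied values.
  private_key       = try(tls_private_key.placeholder[each.key].private_key_pem, each.value.private_key)
  certificate_body  = try(tls_self_signed_cert.placeholder[each.key].cert_pem, each.value.certificate_body)
  certificate_chain = each.value.certificate_chain
}
```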