pulumi-aws-kotlin/com.pulumi.aws.acm.kotlin/Certificate

Certificate

class Certificate : KotlinCustomResource

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager. ACM certificates can be created in three ways: Amazon-issued, where AWS provides the certificate authority and automatically manages renewal; imported certificates, issued by another certificate authority; and private certificates, issued using an ACM Private Certificate Authority.

Amazon-Issued Certificates

For Amazon-issued certificates, this resource deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws.acm.CertificateValidation resource for this. Most commonly, this resource is used together with aws.route53.Record and aws.acm.CertificateValidation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete. Domain validation through email is also supported but should be avoided as it requires a manual step outside of this provider.

Certificates Imported from Other Certificate Authority

Imported certificates can be used to make certificates created with an external certificate authority available for AWS services. As they are not managed by AWS, imported certificates are not eligible for automatic renewal. New certificate materials can be supplied to an existing imported certificate to update it in place.

Private Certificates

Private certificates are issued by an ACM Private Cerificate Authority, which can be created using the resource type aws.acmpca.CertificateAuthority. Private certificates created using this resource are eligible for managed renewal if they have been exported or associated with another AWS service. See managed renewal documentation for more information. By default, a certificate is valid for 395 days and the managed renewal process will start 60 days before expiration. To renew the certificate earlier than 60 days before expiration, configure early_renewal_duration.

Example Usage

Create Certificate

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acm.Certificate;
import com.pulumi.aws.acm.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cert = new Certificate("cert", CertificateArgs.builder()
            .domainName("example.com")
            .tags(Map.of("Environment", "test"))
            .validationMethod("DNS")
            .build());
    }
}
Content copied to clipboard

Custom Domain Validation Options

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acm.Certificate;
import com.pulumi.aws.acm.CertificateArgs;
import com.pulumi.aws.acm.inputs.CertificateValidationOptionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var cert = new Certificate("cert", CertificateArgs.builder()
            .domainName("testing.example.com")
            .validationMethod("EMAIL")
            .validationOptions(CertificateValidationOptionArgs.builder()
                .domainName("testing.example.com")
                .validationDomain("example.com")
                .build())
            .build());
    }
}
Content copied to clipboard

Existing Certificate Body Import

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.tls.PrivateKey;
import com.pulumi.tls.PrivateKeyArgs;
import com.pulumi.tls.SelfSignedCert;
import com.pulumi.tls.SelfSignedCertArgs;
import com.pulumi.tls.inputs.SelfSignedCertSubjectArgs;
import com.pulumi.aws.acm.Certificate;
import com.pulumi.aws.acm.CertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var examplePrivateKey = new PrivateKey("examplePrivateKey", PrivateKeyArgs.builder()
            .algorithm("RSA")
            .build());
        var exampleSelfSignedCert = new SelfSignedCert("exampleSelfSignedCert", SelfSignedCertArgs.builder()
            .keyAlgorithm("RSA")
            .privateKeyPem(examplePrivateKey.privateKeyPem())
            .subject(SelfSignedCertSubjectArgs.builder()
                .commonName("example.com")
                .organization("ACME Examples, Inc")
                .build())
            .validityPeriodHours(12)
            .allowedUses(
                "key_encipherment",
                "digital_signature",
                "server_auth")
            .build());
        var cert = new Certificate("cert", CertificateArgs.builder()
            .privateKey(examplePrivateKey.privateKeyPem())
            .certificateBody(exampleSelfSignedCert.certPem())
            .build());
    }
}
Content copied to clipboard

Referencing domain_validation_options With for_each Based Resources

See the aws.acm.CertificateValidation resource for a full example of performing DNS validation. No Java example available.

Import

Certificates can be imported using their ARN, e.g.,

$ pulumi import aws:acm/certificate:Certificate cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a
Content copied to clipboard

Properties

Link copied to clipboard
val arn: Output<String>

ARN of the certificate

Link copied to clipboard
val certificateAuthorityArn: Output<String>?

ARN of an ACM PCA

Link copied to clipboard
val certificateBody: Output<String>?

Certificate's PEM-formatted public key

Link copied to clipboard
val certificateChain: Output<String>?

Certificate's PEM-formatted chain

Link copied to clipboard
val domainName: Output<String>

Fully qualified domain name (FQDN) in the certificate.

Link copied to clipboard
val domainValidationOptions: Output<List<CertificateDomainValidationOption>>

Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined. Only set if DNS-validation was used.

Link copied to clipboard
val earlyRenewalDuration: Output<String>?

Amount of time to start automatic renewal process before expiration. Has no effect if less than 60 days. Represented by either a subset of RFC 3339 duration supporting years, months, and days (e.g., P90D), or a string such as 2160h.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val keyAlgorithm: Output<String>

Specifies the algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data. See ACM Certificate characteristics for more details.

Link copied to clipboard
val notAfter: Output<String>

Expiration date and time of the certificate.

Link copied to clipboard
val notBefore: Output<String>

Start of the validity period of the certificate.

Link copied to clipboard
val options: Output<CertificateOptions>

Configuration block used to set certificate options. Detailed below.

Link copied to clipboard
val pendingRenewal: Output<Boolean>

true if a Private certificate eligible for managed renewal is within the early_renewal_duration period.

Link copied to clipboard
val privateKey: Output<String>?

Certificate's PEM-formatted private key

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val renewalEligibility: Output<String>

Whether the certificate is eligible for managed renewal.

Link copied to clipboard
val renewalSummaries: Output<List<CertificateRenewalSummary>>

Contains information about the status of ACM's managed renewal for the certificate.

Link copied to clipboard
val status: Output<String>

Status of the certificate.

Link copied to clipboard
val subjectAlternativeNames: Output<List<String>>

Set of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([])

Link copied to clipboard
val tags: Output<Map<String, String>>?

Map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Link copied to clipboard
val tagsAll: Output<Map<String, String>>

Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

Link copied to clipboard
val type: Output<String>

Source of the certificate.

Link copied to clipboard
val urn: Output<String>
Link copied to clipboard
val validationEmails: Output<List<String>>

List of addresses that received a validation email. Only set if EMAIL validation was used.

Link copied to clipboard
val validationMethod: Output<String>

Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into the provider.

Link copied to clipboard
val validationOptions: Output<List<CertificateValidationOption>>?

Configuration block used to specify information about the initial validation of each domain name. Detailed below.