Certificate
data class CertificateAuthorityArgs(val certificateAuthorityConfiguration: Output<CertificateAuthorityCertificateAuthorityConfigurationArgs>? = null, val enabled: Output<Boolean>? = null, val keyStorageSecurityStandard: Output<String>? = null, val permanentDeletionTimeInDays: Output<Int>? = null, val revocationConfiguration: Output<CertificateAuthorityRevocationConfigurationArgs>? = null, val tags: Output<Map<String, String>>? = null, val type: Output<String>? = null, val usageMode: Output<String>? = null) : ConvertibleToJava<CertificateAuthorityArgs>
Provides a resource to manage AWS Certificate Manager Private Certificate Authorities (ACM PCA Certificate Authorities).
NOTE: Creating this resource will leave the certificate authority in a
PENDING_CERTIFICATEstatus, which means it cannot yet issue certificates. To complete this setup, you must fully sign the certificate authority CSR available in thecertificate_signing_requestattribute. Theaws.acmpca.CertificateAuthorityCertificateresource can be used for this purpose.
Example Usage
Basic
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.acmpca.CertificateAuthority("example", {
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
permanentDeletionTimeInDays: 7,
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.acmpca.CertificateAuthority("example",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
},
permanent_deletion_time_in_days=7)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Acmpca.CertificateAuthority("example", new()
{
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
PermanentDeletionTimeInDays = 7,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
PermanentDeletionTimeInDays: pulumi.Int(7),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.permanentDeletionTimeInDays(7)
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:acmpca:CertificateAuthority
properties:
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
permanentDeletionTimeInDays: 7Content copied to clipboard
Short-lived certificate
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.acmpca.CertificateAuthority("example", {
usageMode: "SHORT_LIVED_CERTIFICATE",
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.acmpca.CertificateAuthority("example",
usage_mode="SHORT_LIVED_CERTIFICATE",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Acmpca.CertificateAuthority("example", new()
{
UsageMode = "SHORT_LIVED_CERTIFICATE",
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
UsageMode: pulumi.String("SHORT_LIVED_CERTIFICATE"),
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new CertificateAuthority("example", CertificateAuthorityArgs.builder()
.usageMode("SHORT_LIVED_CERTIFICATE")
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:acmpca:CertificateAuthority
properties:
usageMode: SHORT_LIVED_CERTIFICATE
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.comContent copied to clipboard
Enable Certificate Revocation List
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.s3.BucketV2("example", {
bucket: "example",
forceDestroy: true,
});
const acmpcaBucketAccess = aws.iam.getPolicyDocumentOutput({
statements: [{
actions: [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
],
resources: [
example.arn,
pulumi.interpolate`${example.arn}/*`,
],
principals: [{
identifiers: ["acm-pca.amazonaws.com"],
type: "Service",
}],
}],
});
const exampleBucketPolicy = new aws.s3.BucketPolicy("example", {
bucket: example.id,
policy: acmpcaBucketAccess.apply(acmpcaBucketAccess => acmpcaBucketAccess.json),
});
const exampleCertificateAuthority = new aws.acmpca.CertificateAuthority("example", {
certificateAuthorityConfiguration: {
keyAlgorithm: "RSA_4096",
signingAlgorithm: "SHA512WITHRSA",
subject: {
commonName: "example.com",
},
},
revocationConfiguration: {
crlConfiguration: {
customCname: "crl.example.com",
enabled: true,
expirationInDays: 7,
s3BucketName: example.id,
s3ObjectAcl: "BUCKET_OWNER_FULL_CONTROL",
},
},
}, {
dependsOn: [exampleBucketPolicy],
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.s3.BucketV2("example",
bucket="example",
force_destroy=True)
acmpca_bucket_access = aws.iam.get_policy_document_output(statements=[{
"actions": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
],
"resources": [
example.arn,
example.arn.apply(lambda arn: f"{arn}/*"),
],
"principals": [{
"identifiers": ["acm-pca.amazonaws.com"],
"type": "Service",
}],
}])
example_bucket_policy = aws.s3.BucketPolicy("example",
bucket=example.id,
policy=acmpca_bucket_access.json)
example_certificate_authority = aws.acmpca.CertificateAuthority("example",
certificate_authority_configuration={
"key_algorithm": "RSA_4096",
"signing_algorithm": "SHA512WITHRSA",
"subject": {
"common_name": "example.com",
},
},
revocation_configuration={
"crl_configuration": {
"custom_cname": "crl.example.com",
"enabled": True,
"expiration_in_days": 7,
"s3_bucket_name": example.id,
"s3_object_acl": "BUCKET_OWNER_FULL_CONTROL",
},
},
opts = pulumi.ResourceOptions(depends_on=[example_bucket_policy]))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.S3.BucketV2("example", new()
{
Bucket = "example",
ForceDestroy = true,
});
var acmpcaBucketAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl",
},
Resources = new[]
{
example.Arn,
$"{example.Arn}/*",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Identifiers = new[]
{
"acm-pca.amazonaws.com",
},
Type = "Service",
},
},
},
},
});
var exampleBucketPolicy = new Aws.S3.BucketPolicy("example", new()
{
Bucket = example.Id,
Policy = acmpcaBucketAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var exampleCertificateAuthority = new Aws.Acmpca.CertificateAuthority("example", new()
{
CertificateAuthorityConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs
{
KeyAlgorithm = "RSA_4096",
SigningAlgorithm = "SHA512WITHRSA",
Subject = new Aws.Acmpca.Inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs
{
CommonName = "example.com",
},
},
RevocationConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationArgs
{
CrlConfiguration = new Aws.Acmpca.Inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs
{
CustomCname = "crl.example.com",
Enabled = true,
ExpirationInDays = 7,
S3BucketName = example.Id,
S3ObjectAcl = "BUCKET_OWNER_FULL_CONTROL",
},
},
}, new CustomResourceOptions
{
DependsOn =
{
exampleBucketPolicy,
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acmpca"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
Bucket: pulumi.String("example"),
ForceDestroy: pulumi.Bool(true),
})
if err != nil {
return err
}
acmpcaBucketAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Actions: pulumi.StringArray{
pulumi.String("s3:GetBucketAcl"),
pulumi.String("s3:GetBucketLocation"),
pulumi.String("s3:PutObject"),
pulumi.String("s3:PutObjectAcl"),
},
Resources: pulumi.StringArray{
example.Arn,
example.Arn.ApplyT(func(arn string) (string, error) {
return fmt.Sprintf("%v/*", arn), nil
}).(pulumi.StringOutput),
},
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Identifiers: pulumi.StringArray{
pulumi.String("acm-pca.amazonaws.com"),
},
Type: pulumi.String("Service"),
},
},
},
},
}, nil)
exampleBucketPolicy, err := s3.NewBucketPolicy(ctx, "example", &s3.BucketPolicyArgs{
Bucket: example.ID(),
Policy: pulumi.String(acmpcaBucketAccess.ApplyT(func(acmpcaBucketAccess iam.GetPolicyDocumentResult) (*string, error) {
return &acmpcaBucketAccess.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
_, err = acmpca.NewCertificateAuthority(ctx, "example", &acmpca.CertificateAuthorityArgs{
CertificateAuthorityConfiguration: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationArgs{
KeyAlgorithm: pulumi.String("RSA_4096"),
SigningAlgorithm: pulumi.String("SHA512WITHRSA"),
Subject: &acmpca.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs{
CommonName: pulumi.String("example.com"),
},
},
RevocationConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationArgs{
CrlConfiguration: &acmpca.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs{
CustomCname: pulumi.String("crl.example.com"),
Enabled: pulumi.Bool(true),
ExpirationInDays: pulumi.Int(7),
S3BucketName: example.ID(),
S3ObjectAcl: pulumi.String("BUCKET_OWNER_FULL_CONTROL"),
},
},
}, pulumi.DependsOn([]pulumi.Resource{
exampleBucketPolicy,
}))
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.acmpca.CertificateAuthority;
import com.pulumi.aws.acmpca.CertificateAuthorityArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationArgs;
import com.pulumi.aws.acmpca.inputs.CertificateAuthorityRevocationConfigurationCrlConfigurationArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BucketV2("example", BucketV2Args.builder()
.bucket("example")
.forceDestroy(true)
.build());
final var acmpcaBucketAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.actions(
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:PutObjectAcl")
.resources(
example.arn(),
example.arn().applyValue(arn -> String.format("%s/*", arn)))
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.identifiers("acm-pca.amazonaws.com")
.type("Service")
.build())
.build())
.build());
var exampleBucketPolicy = new BucketPolicy("exampleBucketPolicy", BucketPolicyArgs.builder()
.bucket(example.id())
.policy(acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(acmpcaBucketAccess -> acmpcaBucketAccess.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
var exampleCertificateAuthority = new CertificateAuthority("exampleCertificateAuthority", CertificateAuthorityArgs.builder()
.certificateAuthorityConfiguration(CertificateAuthorityCertificateAuthorityConfigurationArgs.builder()
.keyAlgorithm("RSA_4096")
.signingAlgorithm("SHA512WITHRSA")
.subject(CertificateAuthorityCertificateAuthorityConfigurationSubjectArgs.builder()
.commonName("example.com")
.build())
.build())
.revocationConfiguration(CertificateAuthorityRevocationConfigurationArgs.builder()
.crlConfiguration(CertificateAuthorityRevocationConfigurationCrlConfigurationArgs.builder()
.customCname("crl.example.com")
.enabled(true)
.expirationInDays(7)
.s3BucketName(example.id())
.s3ObjectAcl("BUCKET_OWNER_FULL_CONTROL")
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleBucketPolicy)
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:s3:BucketV2
properties:
bucket: example
forceDestroy: true
exampleBucketPolicy:
type: aws:s3:BucketPolicy
name: example
properties:
bucket: ${example.id}
policy: ${acmpcaBucketAccess.json}
exampleCertificateAuthority:
type: aws:acmpca:CertificateAuthority
name: example
properties:
certificateAuthorityConfiguration:
keyAlgorithm: RSA_4096
signingAlgorithm: SHA512WITHRSA
subject:
commonName: example.com
revocationConfiguration:
crlConfiguration:
customCname: crl.example.com
enabled: true
expirationInDays: 7
s3BucketName: ${example.id}
s3ObjectAcl: BUCKET_OWNER_FULL_CONTROL
options:
dependsOn:
- ${exampleBucketPolicy}
variables:
acmpcaBucketAccess:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- actions:
- s3:GetBucketAcl
- s3:GetBucketLocation
- s3:PutObject
- s3:PutObjectAcl
resources:
- ${example.arn}
- ${example.arn}/*
principals:
- identifiers:
- acm-pca.amazonaws.com
type: ServiceContent copied to clipboard
Import
Using pulumi import, import aws_acmpca_certificate_authority using the certificate authority ARN. For example:
$ pulumi import aws:acmpca/certificateAuthority:CertificateAuthority example arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012Content copied to clipboard
Constructors
Link copied to clipboard
constructor(certificateAuthorityConfiguration: Output<CertificateAuthorityCertificateAuthorityConfigurationArgs>? = null, enabled: Output<Boolean>? = null, keyStorageSecurityStandard: Output<String>? = null, permanentDeletionTimeInDays: Output<Int>? = null, revocationConfiguration: Output<CertificateAuthorityRevocationConfigurationArgs>? = null, tags: Output<Map<String, String>>? = null, type: Output<String>? = null, usageMode: Output<String>? = null)
Properties
Link copied to clipboard
val certificateAuthorityConfiguration: Output<CertificateAuthorityCertificateAuthorityConfigurationArgs>? = null
Nested argument containing algorithms and certificate subject information. Defined below.
Link copied to clipboard
Cryptographic key management compliance standard used for handling CA keys. Defaults to FIPS_140_2_LEVEL_3_OR_HIGHER. Valid values: FIPS_140_2_LEVEL_3_OR_HIGHER and FIPS_140_2_LEVEL_2_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation.
Link copied to clipboard
Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
Link copied to clipboard
Nested argument containing revocation configuration. Defined below.
Link copied to clipboard
Link copied to clipboard
Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE. //////