The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.
It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use an aws_acm_certificate_validation resource for this.
Most commonly, this resource is used together with aws_route53_record and aws_acm_certificate_validation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.
Domain validation through E-Mail is also supported but should be avoided as it requires a manual step outside of Terraform.
It's recommended to specify create_before_destroy = true in a lifecycle block to replace a certificate which is currently in use (e.g., by aws_lb_listener).
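resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  # Map assignment form of tags
  tags = {
    Environment = "test"
  }

  # Create the replacement certificate before destroying the one in use
  lifecycle {
    create_before_destroy = true
  }
}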
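The DNS-validated flow described above, written out as an added example (not part of the original documentation). It assumes a public Route 53 hosted zone for example.com, takes the load balancer and target group ARNs as hypothetical input variables, and indexes domain_validation_options as a list, as this page documents it.

```hcl
# Assumption: a public Route 53 hosted zone for example.com already exists.
data "aws_route53_zone" "zone" {
  name         = "example.com."
  private_zone = false
}

# Hypothetical inputs: an existing load balancer and target group.
variable "lb_arn" {}
variable "target_group_arn" {}

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Publish the record ACM asks for. With no SANs, domain_validation_options
# has a single element, so index 0 is the only record to create.
resource "aws_route53_record" "cert_validation" {
  zone_id = "${data.aws_route53_zone.zone.zone_id}"
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

# Waits until ACM reports the certificate as issued.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

# Take the ARN from the validation resource so the listener is only
# created once the certificate has actually been issued.
resource "aws_lb_listener" "https" {
  load_balancer_arn = "${var.lb_arn}"
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = "${aws_acm_certificate_validation.cert.certificate_arn}"

  default_action {
    type             = "forward"
    target_group_arn = "${var.target_group_arn}"
  }
}
```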
The following arguments are supported:

domain_name - (Required) A domain name for which the certificate should be issued
subject_alternative_names - (Optional) A list of domains that should be SANs in the issued certificate
validation_method - (Required) Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform.
tags - (Optional) A mapping of tags to assign to the resource.

In addition to all arguments above, the following attributes are exported:

id - The ARN of the certificate
arn - The ARN of the certificate
domain_validation_options - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
validation_emails - A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Domain validation objects export the following attributes:

domain_name - The domain to be validated
resource_record_name - The name of the DNS record to create to validate the certificate
resource_record_type - The type of DNS record to create
resource_record_value - The value the DNS record needs to have

Certificates can be imported using their ARN, e.g.
$ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a
WARNING: Importing certificates that are not AMAZON_ISSUED is supported but may lead to fragile Terraform projects: once such a resource is destroyed, it can't be recreated.
© 2018 HashiCorp
Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/aws/r/acm_certificate.html