github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/tls/r/locally_signed_cert.html.md

github.com/danp/terraform@v0.9.5-0.20170426144147-39d740081351/website/source/docs/providers/tls/r/locally_signed_cert.html.md (about)

     1  ---
     2  layout: "tls"
     3  page_title: "TLS: tls_locally_signed_cert"
     4  sidebar_current: "docs-tls-resource-locally-signed-cert"
     5  description: |-
     6    Creates a locally-signed TLS certificate in PEM format.
     7  ---
     8  
     9  # tls\_locally\_signed\_cert
    10  
    11  Generates a TLS certificate using a *Certificate Signing Request* (CSR) and
    12  signs it with a provided certificate authority (CA) private key.
    13  
    14  Locally-signed certificates are generally only trusted by client software when
    15  setup to use the provided CA. They are normally used in development environments
    16  or when deployed internally to an organization.
    17  
    18  ## Example Usage
    19  
    20  ```hcl
    21  resource "tls_locally_signed_cert" "example" {
    22    cert_request_pem   = "${file("cert_request.pem")}"
    23    ca_key_algorithm   = "ECDSA"
    24    ca_private_key_pem = "${file("ca_private_key.pem")}"
    25    ca_cert_pem        = "${file("ca_cert.pem")}"
    26  
    27    validity_period_hours = 12
    28  
    29    allowed_uses = [
    30      "key_encipherment",
    31      "digital_signature",
    32      "server_auth",
    33    ]
    34  }
    35  ```
    36  
    37  ## Argument Reference
    38  
    39  The following arguments are supported:
    40  
    41  * `cert_request_pem` - (Required) PEM-encoded request certificate data.
    42  
    43  * `ca_key_algorithm` - (Required) The name of the algorithm for the key provided
    44    in `ca_private_key_pem`.
    45  
    46  * `ca_private_key_pem` - (Required) PEM-encoded private key data for the CA.
    47    This can be read from a separate file using the ``file`` interpolation
    48    function.
    49  
    50  * `ca_cert_pem` - (Required) PEM-encoded certificate data for the CA.
    51  
    52  * `validity_period_hours` - (Required) The number of hours after initial issuing that the
    53    certificate will become invalid.
    54  
    55  * `allowed_uses` - (Required) List of keywords each describing a use that is permitted
    56    for the issued certificate. The valid keywords are listed below.
    57  
    58  * `early_renewal_hours` - (Optional) If set, the resource will consider the certificate to
    59    have expired the given number of hours before its actual expiry time. This can be useful
    60    to deploy an updated certificate in advance of the expiration of the current certificate.
    61    Note however that the old certificate remains valid until its true expiration time, since
    62    this resource does not (and cannot) support certificate revocation. Note also that this
    63    advance update can only be performed should the Terraform configuration be applied during the
    64    early renewal period.
    65  
    66  * `is_ca_certificate` - (Optional) Boolean controlling whether the CA flag will be set in the
    67    generated certificate. Defaults to `false`, meaning that the certificate does not represent
    68    a certificate authority.
    69  
    70  The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
    71  both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
    72  [Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in
    73  [RFC5280](https://tools.ietf.org/html/rfc5280):
    74  
    75  * `digital_signature`
    76  * `content_commitment`
    77  * `key_encipherment`
    78  * `data_encipherment`
    79  * `key_agreement`
    80  * `cert_signing`
    81  * `crl_signing`
    82  * `encipher_only`
    83  * `decipher_only`
    84  * `any_extended`
    85  * `server_auth`
    86  * `client_auth`
    87  * `code_signing`
    88  * `email_protection`
    89  * `ipsec_end_system`
    90  * `ipsec_tunnel`
    91  * `ipsec_user`
    92  * `timestamping`
    93  * `ocsp_signing`
    94  * `microsoft_server_gated_crypto`
    95  * `netscape_server_gated_crypto`
    96  
    97  ## Attributes Reference
    98  
    99  The following attributes are exported:
   100  
   101  * `cert_pem` - The certificate data in PEM format.
   102  * `validity_start_time` - The time after which the certificate is valid, as an
   103    [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
   104  * `validity_end_time` - The time until which the certificate is invalid, as an
   105    [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
   106  
   107  ## Automatic Renewal
   108  
   109  This resource considers its instances to have been deleted after either their validity
   110  periods ends or the early renewal period is reached. At this time, applying the
   111  Terraform configuration will cause a new certificate to be generated for the instance.
   112  
   113  Therefore in a development environment with frequent deployments it may be convenient
   114  to set a relatively-short expiration time and use early renewal to automatically provision
   115  a new certificate when the current one is about to expire.
   116  
   117  The creation of a new certificate may of course cause dependent resources to be updated
   118  or replaced, depending on the lifecycle rules applying to those resources.