github.com/minamijoyo/terraform@v0.7.8-0.20161029001309-18b3736ba44b/website/source/docs/providers/tls/r/locally_signed_cert.html.md

---
layout: "tls"
page_title: "TLS: tls_locally_signed_cert"
sidebar_current: "docs-tls-resource-locally-signed-cert"
description: |-
  Creates a locally-signed TLS certificate in PEM format.
---

# tls\_locally\_signed\_cert

Generates a TLS certificate using a *Certificate Signing Request* (CSR) and
signs it with a provided certificate authority (CA) private key.

Locally-signed certificates are generally only trusted by client software when
it is set up to use the provided CA. They are normally used in development environments
or when deployed internally to an organization.

## Example Usage

```
resource "tls_locally_signed_cert" "example" {
  cert_request_pem = "${file(\"cert_request.pem\")}"

  ca_key_algorithm   = "ECDSA"
  ca_private_key_pem = "${file(\"ca_private_key.pem\")}"
  ca_cert_pem        = "${file(\"ca_cert.pem\")}"

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}
```

## Argument Reference

The following arguments are supported:

* `cert_request_pem` - (Required) PEM-encoded certificate request data.

* `ca_key_algorithm` - (Required) The name of the algorithm for the key provided
  in `ca_private_key_pem`.

* `ca_private_key_pem` - (Required) PEM-encoded private key data for the CA.
  This can be read from a separate file using the `file` interpolation
  function.

* `ca_cert_pem` - (Required) PEM-encoded certificate data for the CA.

* `validity_period_hours` - (Required) The number of hours after initial issuing that the
  certificate will become invalid.

* `allowed_uses` - (Required) List of keywords each describing a use that is permitted
  for the issued certificate. The valid keywords are listed below.

* `early_renewal_hours` - (Optional) If set, the resource will consider the certificate to
  have expired the given number of hours before its actual expiry time. This can be useful
  to deploy an updated certificate in advance of the expiration of the current certificate.
  Note however that the old certificate remains valid until its true expiration time, since
  this resource does not (and cannot) support certificate revocation. Note also that this
  advance update can only be performed should the Terraform configuration be applied during the
  early renewal period.

* `is_ca_certificate` - (Optional) Boolean controlling whether the CA flag will be set in the
  generated certificate. Defaults to `false`, meaning that the certificate does not represent
  a certificate authority.

The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
[Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in
[RFC5280](https://tools.ietf.org/html/rfc5280):

* `digital_signature`
* `content_commitment`
* `key_encipherment`
* `data_encipherment`
* `key_agreement`
* `cert_signing`
* `encipher_only`
* `decipher_only`
* `any_extended`
* `server_auth`
* `client_auth`
* `code_signing`
* `email_protection`
* `ipsec_end_system`
* `ipsec_tunnel`
* `ipsec_user`
* `timestamping`
* `ocsp_signing`
* `microsoft_server_gated_crypto`
* `netscape_server_gated_crypto`

## Attributes Reference

The following attributes are exported:

* `cert_pem` - The certificate data in PEM format.
* `validity_start_time` - The time after which the certificate is valid, as an
  [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
* `validity_end_time` - The time after which the certificate is no longer valid, as an
  [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.

## Automatic Renewal

This resource considers its instances to have been deleted after either their validity
period ends or the early renewal period is reached. At this time, applying the
Terraform configuration will cause a new certificate to be generated for the instance.

Therefore in a development environment with frequent deployments it may be convenient
to set a relatively short expiration time and use early renewal to automatically provision
a new certificate when the current one is about to expire.

The creation of a new certificate may of course cause dependent resources to be updated
or replaced, depending on the lifecycle rules applying to those resources.
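
The following configuration is an added example, not part of the original documentation. It shows the early-renewal behaviour described above, with the CA and CSR produced by the same provider's `tls_private_key`, `tls_self_signed_cert` and `tls_cert_request` resources instead of being read from files. The resource names, subject values and DNS name are placeholders.

```hcl
# Added example. Names "ca" and "server", subjects and DNS name are placeholders.
# Keys generated by tls_private_key are stored in the Terraform state file,
# so this pattern suits development environments, as the page describes.
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P384"
}

resource "tls_self_signed_cert" "ca" {
  key_algorithm   = "${tls_private_key.ca.algorithm}"
  private_key_pem = "${tls_private_key.ca.private_key_pem}"

  subject {
    common_name  = "Example Internal CA"
    organization = "Example Org"
  }

  validity_period_hours = 8760
  is_ca_certificate     = true
  allowed_uses          = ["cert_signing"]
}

resource "tls_private_key" "server" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "server" {
  key_algorithm   = "${tls_private_key.server.algorithm}"
  private_key_pem = "${tls_private_key.server.private_key_pem}"
  dns_names       = ["app.internal.example"]

  subject {
    common_name = "app.internal.example"
  }
}

resource "tls_locally_signed_cert" "server" {
  cert_request_pem   = "${tls_cert_request.server.cert_request_pem}"
  ca_key_algorithm   = "${tls_private_key.ca.algorithm}"
  ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
  ca_cert_pem        = "${tls_self_signed_cert.ca.cert_pem}"

  # Valid for 24h and treated as expired 8h early: an apply during the
  # final 8h issues a replacement; the old cert stays valid until hour 24.
  validity_period_hours = 24
  early_renewal_hours   = 8

  # is_ca_certificate is left at its default (false): a leaf certificate.
  allowed_uses = ["digital_signature", "server_auth"]
}
```

Because renewal only happens when the configuration is applied, the apply interval has to be shorter than `early_renewal_hours` for the replacement to be issued before the old certificate expires.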