
Before requesting a certificate, you will need a valid, registered domain (e.g. example.com).
Let's say you have the following files on your Terraform server.
├── required_providers.tf
├── amazon_certificate_management (directory)
│   ├── certificates.tf
│   ├── provider.tf
required_providers.tf will almost always have this.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}
Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used. This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.
provider "aws" {
  alias   = "default"
  profile = "default"
  # Example value; "default" is not a valid AWS region name, so set the region you deploy to.
  region  = "us-east-1"
}
There are 3 types of certificates that can be "created":
- Public Certificates issued by Amazon Web Services (AWS) Certificate Authority (Amazon Root CA 1) - These certificates are valid for 13 months (395 days) and should be automatically renewed 60 days before expiration. If ACM is unable to renew the certificate after 15 days, you will receive an email with further instructions on how to manually fix the renewal problem.
- Public Certificates that were issued by some other Certificate Authority (such as Let's Encrypt CA)
- Private Certificates using an ACM Private Certificate Authority
certificates.tf could then contain something like the following. This example creates a Public Certificate issued by Amazon Web Services (AWS) Certificate Authority (Amazon Root CA 1).
resource "aws_acm_certificate" "example_com_certificate" {
  domain_name               = "example.com"
  validation_method         = "DNS"
  subject_alternative_names = ["example.com", "*.example.com"]

  tags = {
    environment = "staging"
  }

  lifecycle {
    create_before_destroy = true
  }
}
You may need to reissue the terraform init command.
terraform init
The terraform plan command can be used to see what Terraform will try to do.
terraform plan
The terraform apply command can be used to create or update the private key and public certificate.
terraform apply -auto-approve
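With validation_method = "DNS", ACM leaves the certificate in the pending validation state until the CNAME records it asks for exist in the domain's DNS. The following is an added example, not part of the original article, that could be appended to certificates.tf to create those records and wait for issuance. It assumes example.com is hosted in a public Route 53 zone in the same AWS account and that these resources use the same provider configuration as the certificate; the names example_com, example_com_validation and validated_certificate_arn are hypothetical.

```hcl
# Added example, not from the original article.
# Assumption: example.com is served by a public Route 53 hosted zone
# in the same AWS account as the certificate.
data "aws_route53_zone" "example_com" {
  name         = "example.com"
  private_zone = false
}

# One CNAME per validation record that ACM requests. example.com and
# *.example.com normally share the same record, so allow_overwrite
# lets the duplicate be written without a conflict.
resource "aws_route53_record" "example_com_validation" {
  for_each = {
    for dvo in aws_acm_certificate.example_com_certificate.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.example_com.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
}

# Makes "terraform apply" wait until ACM has seen the records and
# issued the certificate, so dependants never receive a pending ARN.
resource "aws_acm_certificate_validation" "example_com" {
  certificate_arn         = aws_acm_certificate.example_com_certificate.arn
  validation_record_fqdns = [for r in aws_route53_record.example_com_validation : r.fqdn]
}

# Reference this output (not the raw certificate ARN) from load
# balancers or CloudFront so they only attach an issued certificate.
output "validated_certificate_arn" {
  value = aws_acm_certificate_validation.example_com.certificate_arn
}
```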