diff --git a/modules/amazon-issued-cert/README.md b/modules/amazon-issued-cert/README.md index 767e1f3..d9dc612 100644 --- a/modules/amazon-issued-cert/README.md +++ b/modules/amazon-issued-cert/README.md @@ -3,20 +3,22 @@ This module creates following resources. - `aws_acm_certificate` +- `aws_acm_certificate_validation` (Optional) +- `aws_route53_record` (Optional) ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.27 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 4.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.26.0 | ## Modules 
@@ -29,25 +31,27 @@ This module creates following resources. | Name | Type | |------|------| | [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource | -| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_acm_certificate_validation.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_acm_certificate_validation.email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | | [aws_route53_record.validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [subject\_name](#input\_subject\_name) | (Required) A domain name for which the certificate should be issued. | `string` | n/a | yes | -| [certificate\_transparency\_logging\_enabled](#input\_certificate\_transparency\_logging\_enabled) | (Optional) Specifies whether certificate details should be added to a certificate transparency log. | `bool` | `true` | no | +| [domain\_name](#input\_domain\_name) | (Required) A domain name for which the certificate should be issued. FQDN (Fully qualified domain name), such as `www.example.com`, that you want to secure with an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the certificate. | `string` | n/a | yes | +| [certificate\_transparency\_logging\_enabled](#input\_certificate\_transparency\_logging\_enabled) | (Optional) Whether to add the certificate to a certificate transparency log. 
Transparency makes it possible to detect SSL/TLS certificates that have been mistakenly or maliciously issued. Certificates that have not been logged typically produce an error message in a browser. Defaults to `true`. | `bool` | `true` | no | +| [dns\_validation](#input\_dns\_validation) | (Optional) The configuration for the DNS validation. `dns_validation` as defined below.
(Optional) `enabled` - Whether to process DNS validation by creating the necessary domain records in the module. Defaults to `false`.
(Optional) `managed_zones` - List of Hosted Zones to automatically manage the records for DNS validation as a map. The key is the name of Hosted Zone. The value is the ID of Hosted Zone. |
object({
enabled = optional(bool, false)
managed_zones = optional(map(string), {})
})
| `{}` | no | +| [email\_validation](#input\_email\_validation) | (Optional) The configuration for the Email validation. `email_validation` as defined below.
(Optional) `enabled` - Whether to process Email validation by waiting the manual approval. Defaults to `false`. |
object({
enabled = optional(bool, false)
})
| `{}` | no | +| [key\_algorithm](#input\_key\_algorithm) | (Optional) The algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Supported values are `RSA_1024`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECDSA_P256`, `ECDSA_P384`, `ECDSA_P521`. Defaults to `RSA_2048`. | `string` | `"RSA_2048"` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name](#input\_name) | (Optional) The name of the certificate. | `string` | `""` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [subject\_alternative\_names](#input\_subject\_alternative\_names) | (Optional) List of domains that should be SANs in the issued certificate. 
To remove all elements of a previously configured list, set this value equal to an empty list (`[]`) or use the `terraform taint` command to trigger recreation. | `list(string)` | `[]` | no | +| [subject\_alternative\_names](#input\_subject\_alternative\_names) | (Optional) A list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [validation\_dns\_managed](#input\_validation\_dns\_managed) | (Optional) Specifies whether validation should be managed by the module when `validation_method` is `DNS`. | `bool` | `false` | no | -| [validation\_dns\_managed\_zones](#input\_validation\_dns\_managed\_zones) | (Optional) List of Hosted Zones to automatically manage the records for DNS validation as a map. The key is the name of Hosted Zone. The value is the ID of Hosted Zone. | `map(string)` | `{}` | no | -| [validation\_method](#input\_validation\_method) | (Optional) Which method to use for validation. `DNS` or `EMAIL` are valid, `NONE` can be used for certificates that were imported into ACM and then into Terraform. | `string` | `"DNS"` | no | +| [validation\_method](#input\_validation\_method) | (Optional) Which method to use for validation. Valid values are `DNS` or `EMAIL`. Only support `DNS` validation method in this module. | `string` | `"DNS"` | no | ## Outputs 
@@ -55,13 +59,15 @@ This module creates following resources. |------|-------------| | [arn](#output\_arn) | The ARN of the certificate. | | [certificate\_transparency\_logging\_enabled](#output\_certificate\_transparency\_logging\_enabled) | Whether or not the certificate transparency logging is enabled. | +| [domain\_name](#output\_domain\_name) | The domain name for which the certificate is issued. | | [effective\_date](#output\_effective\_date) | Effective date and time of the certificate. Start of the validity period of the certificate. | | [expiration\_date](#output\_expiration\_date) | Expiration date and time of the certificate. | +| [id](#output\_id) | The ID of the certificate. | +| [key\_algorithm](#output\_key\_algorithm) | The algorithm of the public and private key pair to encrypt data. | | [name](#output\_name) | The name of the certificate. | +| [renewal](#output\_renewal) | The configuration for the certificate renewal.
`eligibility` - Whether the certificate is eligible for managed renewal.
`summary` - The information about the status of ACM's managed renewal for the certificate. | | [status](#output\_status) | Status of the certificate. | -| [subject\_alternative\_names](#output\_subject\_alternative\_names) | List of domains that is SANs in the issued certificate. | -| [subject\_name](#output\_subject\_name) | The domain name for which the certificate is issued. | -| [validation\_domain\_records](#output\_validation\_domain\_records) | List of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if `DNS` validation was used. | -| [validation\_emails](#output\_validation\_emails) | A list of addresses that received a validation E-Mail. Only set if `EMAIL` validation was used. | -| [validation\_method](#output\_validation\_method) | The method to use for validation. | +| [subject\_alternative\_names](#output\_subject\_alternative\_names) | The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate. | +| [type](#output\_type) | The type of the certificate. | +| [validation](#output\_validation) | The configuration for the certificate validation.
`method` - The method to use to validate the domain ownership for requesting a public certificate.
`domain_records` - A map of domain validation records which can be used to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if `validation.method` is `DNS`.
`emails` - A list of addresses that received a validation E-Mail. Only set if `validation.method` is `EMAIL`. |
diff --git a/modules/amazon-issued-cert/main.tf b/modules/amazon-issued-cert/main.tf
index fdd5cca..83bf6a0 100644
--- a/modules/amazon-issued-cert/main.tf
+++ b/modules/amazon-issued-cert/main.tf
@@ -14,16 +14,42 @@ locals {
 } : {}
 }
+locals {
+ key_algorithms = {
+ "RSA_1024" = "RSA_1024"
+ "RSA_2048" = "RSA_2048"
+ "RSA_3072" = "RSA_3072"
+ "RSA_4096" = "RSA_4096"
+ "ECDSA_P256" = "EC_prime256v1"
+ "ECDSA_P384" = "EC_secp384r1"
+ "ECDSA_P521" = "EC_secp521r1"
+ }
+}
+
+
+###################################################
+# ACM Certificate
+###################################################
+
+# INFO: Not supported attributes
+# - `certificate_authority_arn`
+# - `certificate_body`
+# - `certificate_chain`
+# - `private_key`
+# TODO: Support `EMAIL` validation method
+# - `validation_options`
 resource "aws_acm_certificate" "this" {
- domain_name = var.subject_name
+ domain_name = var.domain_name
 subject_alternative_names = var.subject_alternative_names
- validation_method = var.validation_method
+ key_algorithm = local.key_algorithms[var.key_algorithm]
 options {
 certificate_transparency_logging_preference = var.certificate_transparency_logging_enabled ? "ENABLED" : "DISABLED"
 }
+ validation_method = var.validation_method
+
 tags = merge(
 {
 "Name" = local.metadata.name
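Review bot: The new `key_algorithms` table admits `RSA_1024`, which is below the 2048-bit minimum that publicly trusted CAs and the CA/Browser Forum baseline require for RSA keys; for an Amazon-issued public certificate I would expect ACM to refuse it, and if it did not, the result would be a certificate that modern clients reject. Drop the entry (and its mention in the `key_algorithm` description that feeds the README) or keep it behind an explicit comment such as `# RSA_1024 is below the public-CA minimum; kept only for parity with the API enum`. The `TODO: Support EMAIL validation method` comment also looks stale, since the same commit adds `aws_acm_certificate_validation.email` further down in this file. The `aws_acm_certificate` resource continues past the end of the hunk.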
@@ -43,30 +69,49 @@ resource "aws_acm_certificate" "this" {
 ###################################################
 locals {
- subject_names = concat([var.subject_name], var.subject_alternative_names)
+ subject_names = concat([var.domain_name], var.subject_alternative_names)
- validation_dns_managed = var.validation_method == "DNS" && var.validation_dns_managed
- validation_domain_records = {
+ dns_validation_enabled = var.validation_method == "DNS" && var.dns_validation.enabled
+ dns_validation_records = {
 for record in aws_acm_certificate.this.domain_validation_options :
- record.domain_name => record
+ record.domain_name => {
+ name = record.resource_record_name
+ type = record.resource_record_type
+ value = record.resource_record_value
+ }
 }
 }
 resource "aws_route53_record" "validation" {
- for_each = toset(local.validation_dns_managed ? local.subject_names : [])
+ for_each = toset(local.dns_validation_enabled ? local.subject_names : [])
- zone_id = var.validation_dns_managed_zones[replace(each.value, "*.", "")]
- type = local.validation_domain_records[each.value].resource_record_type
- name = local.validation_domain_records[each.value].resource_record_name
- records = [local.validation_domain_records[each.value].resource_record_value]
+ zone_id = var.dns_validation.managed_zones[replace(each.value, "*.", "")]
+ name = local.dns_validation_records[each.value].name
+ type = local.dns_validation_records[each.value].type
+ records = [local.dns_validation_records[each.value].value]
 ttl = 60
 allow_overwrite = true
 }
-resource "aws_acm_certificate_validation" "this" {
- count = local.validation_dns_managed ? 1 : 0
+resource "aws_acm_certificate_validation" "dns" {
+ count = local.dns_validation_enabled ? 1 : 0
 certificate_arn = aws_acm_certificate.this.arn
 validation_record_fqdns = values(aws_route53_record.validation)[*].fqdn
 }
+
+
+###################################################
+# Email Validation
+###################################################
+
+locals {
+ email_validation_enabled = var.validation_method == "EMAIL" && var.email_validation.enabled
+}
+
+resource "aws_acm_certificate_validation" "email" {
+ count = local.email_validation_enabled ? 1 : 0
+
+ certificate_arn = aws_acm_certificate.this.arn
+}
diff --git a/modules/amazon-issued-cert/migrations.tf b/modules/amazon-issued-cert/migrations.tf
new file mode 100644
index 0000000..9520186
--- /dev/null
+++ b/modules/amazon-issued-cert/migrations.tf
@@ -0,0 +1,5 @@
+# INFO: [2023-11-17] Change the name of `aws_acm_certificate_validation` resource for DNS validation
+moved {
+ from = aws_acm_certificate_validation.this
+ to = aws_acm_certificate_validation.dns
+}
diff --git a/modules/amazon-issued-cert/outputs.tf b/modules/amazon-issued-cert/outputs.tf
index 7f3ca19..5d9f74a 100644
--- a/modules/amazon-issued-cert/outputs.tf
+++ b/modules/amazon-issued-cert/outputs.tf
@@ -3,6 +3,11 @@ output "name" {
 value = var.name
 }
+output "id" {
+ description = "The ID of the certificate."
+ value = aws_acm_certificate.this.id
+}
+
 output "arn" {
 description = "The ARN of the certificate."
 value = aws_acm_certificate.this.arn
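Review bot: `allow_overwrite = true` on `aws_route53_record.validation` lets Terraform silently take ownership of any pre-existing record with the same name in the target zone, so a mistaken `managed_zones` entry or an unrelated name collision replaces live DNS instead of failing the plan. If the flag is there because an apex name and its wildcard SAN receive the same validation CNAME from ACM and would otherwise yield two identical records, that collision can be filtered at plan time with `for_each = toset(local.dns_validation_enabled ? [for n in local.subject_names : n if !contains(local.subject_names, "*.${n}")] : [])`, after which `allow_overwrite = false` (the provider default) turns any other clash into an explicit error. I am inferring that motivation; if there is a different reason for the overwrite, a comment on that line saying so would help the next reader.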
@@ -13,16 +18,29 @@ output "status" {
 value = aws_acm_certificate.this.status
 }
-output "subject_name" {
+output "type" {
+ description = "The type of the certificate."
+ value = aws_acm_certificate.this.type
+}
+
+output "domain_name" {
 description = "The domain name for which the certificate is issued."
 value = aws_acm_certificate.this.domain_name
 }
 output "subject_alternative_names" {
- description = "List of domains that is SANs in the issued certificate."
+ description = "The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate."
 value = aws_acm_certificate.this.subject_alternative_names
 }
+output "key_algorithm" {
+ description = "The algorithm of the public and private key pair to encrypt data."
+ value = {
+ for k, v in local.key_algorithms :
+ v => k
+ }[aws_acm_certificate.this.key_algorithm]
+}
+
 output "certificate_transparency_logging_enabled" {
 description = "Whether or not the certificate transparency logging is enabled."
 value = var.certificate_transparency_logging_enabled
@@ -38,17 +56,41 @@ output "expiration_date" { value = aws_acm_certificate.this.not_after } -output "validation_method" { - description = "The method to use for validation." - value = aws_acm_certificate.this.validation_method -} - -output "validation_domain_records" { - description = "List of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if `DNS` validation was used." - value = aws_acm_certificate.this.domain_validation_options +output "validation" { + description = < { + name = option.resource_record_name + type = option.resource_record_type + value = option.resource_record_value + } + } + : {} + ) + emails = (aws_acm_certificate.this.validation_method == "EMAIL" + ? aws_acm_certificate.this.validation_emails + : [] + ) + } } -output "validation_emails" { - description = "A list of addresses that received a validation E-Mail. Only set if `EMAIL` validation was used." - value = aws_acm_certificate.this.validation_emails +output "renewal" { + description = < [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.26.0 | ## Modules 
@@ -35,10 +35,10 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [certificate\_body](#input\_certificate\_body) | (Required) Certificate's PEM-formatted public key. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the certificate. | `string` | n/a | yes | | [private\_key](#input\_private\_key) | (Required) Certificate's PEM-formatted private key. | `string` | n/a | yes | | [certificate\_chain](#input\_certificate\_chain) | (Optional) Certificate's PEM-formatted chain. | `string` | `null` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name](#input\_name) | (Optional) The name of the certificate. | `string` | `""` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | 
@@ -49,10 +49,12 @@ This module creates following resources. | Name | Description | |------|-------------| | [arn](#output\_arn) | The ARN of the certificate. | +| [domain\_name](#output\_domain\_name) | The domain name for which the certificate is issued. | | [effective\_date](#output\_effective\_date) | Effective date and time of the certificate. Start of the validity period of the certificate. | | [expiration\_date](#output\_expiration\_date) | Expiration date and time of the certificate. | +| [id](#output\_id) | The ID of the certificate. | | [name](#output\_name) | The name of the certificate. | | [status](#output\_status) | Status of the certificate. | -| [subject\_alternative\_names](#output\_subject\_alternative\_names) | List of domains that is SANs in the issued certificate. | -| [subject\_name](#output\_subject\_name) | The domain name for which the certificate is issued. | +| [subject\_alternative\_names](#output\_subject\_alternative\_names) | The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate. | +| [type](#output\_type) | The type of the certificate. | diff --git a/modules/imported-cert/main.tf b/modules/imported-cert/main.tf index 52ec00d..ab63226 100644 --- a/modules/imported-cert/main.tf +++ b/modules/imported-cert/main.tf @@ -14,6 +14,19 @@ locals { } : {} } + +################################################### +# ACM Certificate +################################################### + +# INFO: Not supported attributes +# - `certificate_authority_arn` +# - `domain_name` +# - `key_algorithm` +# - `options` +# - `subject_alternative_names` +# - `validation_method` +# - `validation_option` resource "aws_acm_certificate" "this" { private_key = var.private_key certificate_body = var.certificate_body diff --git a/modules/imported-cert/outputs.tf b/modules/imported-cert/outputs.tf index 55b5df8..cf0708c 100644 --- a/modules/imported-cert/outputs.tf +++ b/modules/imported-cert/outputs.tf 
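Review bot: The new INFO comment above `aws_acm_certificate.this` in `modules/imported-cert/main.tf` lists the unsupported attributes but says nothing about the one that matters operationally: `private_key = var.private_key` persists the PEM private key in Terraform state, where it is readable by anyone with access to the state backend. I would add `# NOTE: private_key is persisted in Terraform state; protect the state backend accordingly` next to that line, and confirm the `private_key` variable carries `sensitive = true` so it is redacted from plan output — that variable is not part of this diff, so I cannot verify it here. The resource body continues past the end of the hunk.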
@@ -3,6 +3,11 @@ output "name" { value = var.name } +output "id" { + description = "The ID of the certificate." + value = aws_acm_certificate.this.id +} + output "arn" { description = "The ARN of the certificate." value = aws_acm_certificate.this.arn @@ -13,13 +18,18 @@ output "status" { value = aws_acm_certificate.this.status } -output "subject_name" { +output "type" { + description = "The type of the certificate." + value = aws_acm_certificate.this.type +} + +output "domain_name" { description = "The domain name for which the certificate is issued." value = aws_acm_certificate.this.domain_name } output "subject_alternative_names" { - description = "List of domains that is SANs in the issued certificate." + description = "The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate." value = aws_acm_certificate.this.subject_alternative_names } diff --git a/modules/imported-cert/variables.tf b/modules/imported-cert/variables.tf index a30a3c4..9afc665 100644 --- a/modules/imported-cert/variables.tf +++ b/modules/imported-cert/variables.tf @@ -1,7 +1,6 @@ variable "name" { - description = "(Optional) The name of the certificate." + description = "(Required) The name of the certificate." type = string - default = "" nullable = false } @@ -21,6 +20,7 @@ variable "certificate_chain" { description = "(Optional) Certificate's PEM-formatted chain." type = string default = null + nullable = true } variable "tags" { diff --git a/modules/private-ca-issued-cert/README.md b/modules/private-ca-issued-cert/README.md index a738eb7..6cfb7bc 100644 --- a/modules/private-ca-issued-cert/README.md +++ b/modules/private-ca-issued-cert/README.md @@ -16,7 +16,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.26.0 | ## Modules 
@@ -34,14 +34,15 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [certificate\_authority\_arn](#input\_certificate\_authority\_arn) | (Required) The ARN of an ACMPCA. | `string` | n/a | yes | -| [subject\_name](#input\_subject\_name) | (Required) A domain name for which the certificate should be issued. | `string` | n/a | yes | +| [certificate\_authority](#input\_certificate\_authority) | (Required) The ARN (Amazon Resource Name) of the AWS PCA (Private Certificate Authority) that will be used to issue the certificate. | `string` | n/a | yes | +| [domain\_name](#input\_domain\_name) | (Required) A domain name for which the certificate should be issued. FQDN (Fully qualified domain name), such as `www.example.com`, that you want to secure with an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain. | `string` | n/a | yes | +| [name](#input\_name) | (Required) The name of the certificate. | `string` | n/a | yes | +| [key\_algorithm](#input\_key\_algorithm) | (Optional) The algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Supported values are `RSA_1024`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECDSA_P256`, `ECDSA_P384`, `ECDSA_P521`. Defaults to `RSA_2048`. 
| `string` | `"RSA_2048"` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [name](#input\_name) | (Optional) The name of the certificate. | `string` | `""` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [subject\_alternative\_names](#input\_subject\_alternative\_names) | (Optional) List of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list (`[]`) or use the `terraform taint` command to trigger recreation. | `list(string)` | `[]` | no | +| [subject\_alternative\_names](#input\_subject\_alternative\_names) | (Optional) A list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs 
@@ -49,11 +50,14 @@ This module creates following resources. | Name | Description | |------|-------------| | [arn](#output\_arn) | The ARN of the certificate. | -| [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | The ARN of an ACMPCA. | +| [certificate\_authority](#output\_certificate\_authority) | The ARN (Amazon Resource Name) of the AWS PCA (Private Certificate Authority). | +| [domain\_name](#output\_domain\_name) | The domain name for which the certificate is issued. | | [effective\_date](#output\_effective\_date) | Effective date and time of the certificate. Start of the validity period of the certificate. | | [expiration\_date](#output\_expiration\_date) | Expiration date and time of the certificate. | +| [id](#output\_id) | The ID of the certificate. | +| [key\_algorithm](#output\_key\_algorithm) | The algorithm of the public and private key pair to encrypt data. | | [name](#output\_name) | The name of the certificate. | | [status](#output\_status) | Status of the certificate. | -| [subject\_alternative\_names](#output\_subject\_alternative\_names) | List of domains that is SANs in the issued certificate. | -| [subject\_name](#output\_subject\_name) | The domain name for which the certificate is issued. | +| [subject\_alternative\_names](#output\_subject\_alternative\_names) | The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate. | +| [type](#output\_type) | The type of the certificate. | diff --git a/modules/private-ca-issued-cert/main.tf b/modules/private-ca-issued-cert/main.tf index 67fa3e9..952e56d 100644 --- a/modules/private-ca-issued-cert/main.tf +++ b/modules/private-ca-issued-cert/main.tf 
@@ -14,11 +14,36 @@ locals {
 } : {}
 }
+locals {
+ key_algorithms = {
+ "RSA_1024" = "RSA_1024"
+ "RSA_2048" = "RSA_2048"
+ "RSA_3072" = "RSA_3072"
+ "RSA_4096" = "RSA_4096"
+ "ECDSA_P256" = "EC_prime256v1"
+ "ECDSA_P384" = "EC_secp384r1"
+ "ECDSA_P521" = "EC_secp521r1"
+ }
+}
+
+
+###################################################
+# ACM Certificate
+###################################################
+
+# INFO: Not supported attributes
+# - `certificate_body`
+# - `certificate_chain`
+# - `private_key`
+# - `validation_method`
+# - `validation_options`
 resource "aws_acm_certificate" "this" {
- domain_name = var.subject_name
+ certificate_authority_arn = var.certificate_authority
+
+ domain_name = var.domain_name
 subject_alternative_names = var.subject_alternative_names
- certificate_authority_arn = var.certificate_authority_arn
+ key_algorithm = local.key_algorithms[var.key_algorithm]
 tags = merge(
 {
diff --git a/modules/private-ca-issued-cert/outputs.tf b/modules/private-ca-issued-cert/outputs.tf
index 8754fc9..e903853 100644
--- a/modules/private-ca-issued-cert/outputs.tf
+++ b/modules/private-ca-issued-cert/outputs.tf
@@ -3,6 +3,11 @@ output "name" {
 value = var.name
 }
+output "id" {
+ description = "The ID of the certificate."
+ value = aws_acm_certificate.this.id
+}
+
 output "arn" {
 description = "The ARN of the certificate."
 value = aws_acm_certificate.this.arn
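Review bot: The `# INFO: Not supported attributes` comment in `modules/private-ca-issued-cert/main.tf` lists `validation_options`, while the equivalent comment added to `modules/imported-cert/main.tf` in the same commit uses `validation_option`; the provider's block is the singular form, so this one should read `# - \`validation_option\``. The `key_algorithms` table here also carries `RSA_1024`; browser policy does not bind a private CA, but 1024-bit RSA is below the accepted minimum for RSA and I would not offer it without a warning in the variable description. The `aws_acm_certificate` resource continues past the end of the hunk.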
@@ -13,18 +18,31 @@ output "status" { value = aws_acm_certificate.this.status } -output "subject_name" { +output "type" { + description = "The type of the certificate." + value = aws_acm_certificate.this.type +} + +output "domain_name" { description = "The domain name for which the certificate is issued." value = aws_acm_certificate.this.domain_name } output "subject_alternative_names" { - description = "List of domains that is SANs in the issued certificate." + description = "The list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate." value = aws_acm_certificate.this.subject_alternative_names } -output "certificate_authority_arn" { - description = "The ARN of an ACMPCA." +output "key_algorithm" { + description = "The algorithm of the public and private key pair to encrypt data." + value = { + for k, v in local.key_algorithms : + v => k + }[aws_acm_certificate.this.key_algorithm] +} + +output "certificate_authority" { + description = "The ARN (Amazon Resource Name) of the AWS PCA (Private Certificate Authority)." value = aws_acm_certificate.this.certificate_authority_arn } diff --git a/modules/private-ca-issued-cert/variables.tf b/modules/private-ca-issued-cert/variables.tf index b618d0b..6e82eca 100644 --- a/modules/private-ca-issued-cert/variables.tf +++ b/modules/private-ca-issued-cert/variables.tf 
@@ -1,25 +1,38 @@
 variable "name" {
- description = "(Optional) The name of the certificate."
+ description = "(Required) The name of the certificate."
 type = string
- default = ""
 nullable = false
 }
-variable "subject_name" {
- description = "(Required) A domain name for which the certificate should be issued."
+variable "domain_name" {
+ description = "(Required) A domain name for which the certificate should be issued. FQDN (Fully qualified domain name), such as `www.example.com`, that you want to secure with an ACM certificate. Use an asterisk (*) to create a wildcard certificate that protects several sites in the same domain."
 type = string
+ nullable = false
 }
 variable "subject_alternative_names" {
- description = "(Optional) List of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list (`[]`) or use the `terraform taint` command to trigger recreation."
+ description = "(Optional) A list of additional FQDNs (Fully qualified domain names) to be included in SANs of the issued certificate."
 type = list(string)
 default = []
 nullable = false
 }
-variable "certificate_authority_arn" {
- description = "(Required) The ARN of an ACMPCA."
+variable "key_algorithm" {
+ description = "(Optional) The algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data. RSA is the default key algorithm for ACM certificates. Elliptic Curve Digital Signature Algorithm (ECDSA) keys are smaller, offering security comparable to RSA keys but with greater computing efficiency. However, ECDSA is not supported by all network clients. Some AWS services may require RSA keys, or only support ECDSA keys of a particular size, while others allow the use of either RSA and ECDSA keys to ensure that compatibility is not broken. Supported values are `RSA_1024`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECDSA_P256`, `ECDSA_P384`, `ECDSA_P521`. Defaults to `RSA_2048`."
+ type = string
+ default = "RSA_2048"
+ nullable = false
+
+ validation {
+ condition = contains(["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096", "ECDSA_P256", "ECDSA_P384", "ECDSA_P521"], var.key_algorithm)
+ error_message = "Valid values for `key_algorithm` are `RSA_1024`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECDSA_P256`, `ECDSA_P384`, `ECDSA_P521`."
+ }
+}
+
+variable "certificate_authority" {
+ description = "(Required) The ARN (Amazon Resource Name) of the AWS PCA (Private Certificate Authority) that will be used to issue the certificate."
 type = string
+ nullable = false
 }
 variable "tags" {
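Review bot: The `key_algorithm` description in `modules/private-ca-issued-cert/variables.tf` was copied from the amazon-issued module and speaks of "your Amazon issued certificate", which is wrong for a certificate issued by a private CA and will be reproduced verbatim in the generated README; the opening sentence should read `The algorithm of the public and private key pair used by the certificate issued by your private CA.` The `validation` block also admits `RSA_1024`; I would either remove it from both the `contains` list and the description, or state in the description that it is below the 2048-bit minimum generally recommended for RSA so callers do not pick it by accident.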