├── .changes
    ├── 4.0.4.md
    ├── 4.0.5.md
    ├── 4.0.6.md
    ├── 4.1.0.md
    └── unreleased
    │   └── .gitkeep
├── .changie.yaml
├── .copywrite.hcl
├── .github
    ├── CODEOWNERS
    ├── CONTRIBUTING.md
    ├── ISSUE_TEMPLATE
    │   ├── Bug_Report.yml
    │   ├── Feature_Request.yml
    │   └── config.yml
    ├── SUPPORT.md
    ├── dependabot.yml
    ├── labeler-issue-triage.yml
    ├── labeler-pull-request-triage.yml
    ├── pull_request_template.md
    └── workflows
    │   ├── build.yml
    │   ├── ci-changie.yml
    │   ├── compliance.yml
    │   ├── issue-comment-triage.yml
    │   ├── issue-opened.yml
    │   ├── lock.yml
    │   ├── pull-request.yml
    │   └── test.yml
├── .gitignore
├── .golangci.yml
├── .release
    ├── ci.hcl
    ├── release-metadata.hcl
    ├── security-scan.hcl
    └── terraform-provider-tls-artifacts.hcl
├── CHANGELOG.md
├── DESIGN.md
├── GNUmakefile
├── LICENSE
├── META.d
    └── _summary.yaml
├── README.md
├── docs
    ├── cdktf
    │   ├── python
    │   │   ├── data-sources
    │   │   │   ├── certificate.md
    │   │   │   └── public_key.md
    │   │   ├── ephemeral-resources
    │   │   │   └── private_key.md
    │   │   ├── index.md
    │   │   └── resources
    │   │   │   ├── cert_request.md
    │   │   │   ├── locally_signed_cert.md
    │   │   │   ├── private_key.md
    │   │   │   └── self_signed_cert.md
    │   └── typescript
    │   │   ├── data-sources
    │   │       ├── certificate.md
    │   │       └── public_key.md
    │   │   ├── ephemeral-resources
    │   │       └── private_key.md
    │   │   ├── index.md
    │   │   └── resources
    │   │       ├── cert_request.md
    │   │       ├── locally_signed_cert.md
    │   │       ├── private_key.md
    │   │       └── self_signed_cert.md
    ├── data-sources
    │   ├── certificate.md
    │   └── public_key.md
    ├── ephemeral-resources
    │   └── private_key.md
    ├── index.md
    └── resources
    │   ├── cert_request.md
    │   ├── locally_signed_cert.md
    │   ├── private_key.md
    │   └── self_signed_cert.md
├── examples
    ├── data-sources
    │   ├── tls_certificate
    │   │   ├── content-example.tf
    │   │   └── data-source.tf
    │   └── tls_public_key
    │   │   └── data-source.tf
    ├── ephemeral-resources
    │   └── tls_private_key
    │   │   └── ephemeral-resource.tf
    ├── provider
    │   ├── provider.tf
    │   ├── provider_with_proxy.tf
    │   └── provider_with_proxy_from_env.tf
    └── resources
    │   ├── tls_cert_request
    │       └── resource.tf
    │   ├── tls_locally_signed_cert
    │       └── resource.tf
    │   ├── tls_private_key
    │       └── resource.tf
    │   └── tls_self_signed_cert
    │       └── resource.tf
├── go.mod
├── go.sum
├── internal
    └── provider
    │   ├── attribute_plan_modifier_bool
    │       └── default_value.go
    │   ├── attribute_validator
    │       └── url_with_scheme.go
    │   ├── common.go
    │   ├── common_cert.go
    │   ├── common_key.go
    │   ├── data_source_certificate.go
    │   ├── data_source_certificate_test.go
    │   ├── data_source_public_key.go
    │   ├── data_source_public_key_test.go
    │   ├── ephemeral_private_key.go
    │   ├── ephemeral_private_key_test.go
    │   ├── fixtures
    │       ├── certificate.pem
    │       ├── fixtures.go
    │       ├── private.pem
    │       └── public.pem
    │   ├── models.go
    │   ├── provider.go
    │   ├── provider_test.go
    │   ├── resource_cert_request.go
    │   ├── resource_cert_request_test.go
    │   ├── resource_locally_signed_cert.go
    │   ├── resource_locally_signed_cert_test.go
    │   ├── resource_private_key.go
    │   ├── resource_private_key_test.go
    │   ├── resource_self_signed_cert.go
    │   ├── resource_self_signed_cert_test.go
    │   ├── testutils
    │       ├── local_server.go
    │       └── test_check_func.go
    │   └── types.go
├── main.go
├── templates
    ├── data-sources
    │   └── certificate.md.tmpl
    ├── index.md.tmpl
    └── resources
    │   ├── cert_request.md.tmpl
    │   ├── locally_signed_cert.md.tmpl
    │   ├── private_key.md.tmpl
    │   └── self_signed_cert.md.tmpl
├── terraform-registry-manifest.json
├── tools
    ├── go.mod
    ├── go.sum
    └── tools.go
└── version
    └── VERSION


/.changes/4.0.5.md:
--------------------------------------------------------------------------------
1 | ## 4.0.5 (November 27, 2023)
2 | 
3 | NOTES:
4 | 
5 | * This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#432](https://github.com/hashicorp/terraform-provider-tls/issues/432))
6 | 
7 | 


--------------------------------------------------------------------------------
/.changes/4.0.6.md:
--------------------------------------------------------------------------------
1 | ## 4.0.6 (September 11, 2024)
2 | 
3 | NOTES:
4 | 
5 | * all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#552](https://github.com/hashicorp/terraform-provider-tls/issues/552))
6 | 
7 | 


--------------------------------------------------------------------------------
/.changes/4.1.0.md:
--------------------------------------------------------------------------------
 1 | ## 4.1.0 (April 23, 2025)
 2 | 
 3 | NOTES:
 4 | 
 5 | * New [ephemeral resource](https://developer.hashicorp.com/terraform/language/resources/ephemeral) `tls_private_key` now supports [ephemeral values](https://developer.hashicorp.com/terraform/language/values/variables#exclude-values-from-state). ([#637](https://github.com/hashicorp/terraform-provider-tls/issues/637))
 6 | 
 7 | FEATURES:
 8 | 
 9 | * ephemeral/tls_private_key: New ephemeral resource that generates a PEM formatted private key. When used in combination with a managed resource write-only attribute, Terraform will not store the private key data in the plan or state file. ([#637](https://github.com/hashicorp/terraform-provider-tls/issues/637))
10 | 
11 | ENHANCEMENTS:
12 | 
13 | * tls_cert_request: Added optional `email_address` attribute ([#35](https://github.com/hashicorp/terraform-provider-tls/issues/35))
14 | * tls_self_signed_cert: Added optional `email_address` attribute ([#35](https://github.com/hashicorp/terraform-provider-tls/issues/35))
15 | 
16 | 


--------------------------------------------------------------------------------
/.changes/unreleased/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hashicorp/terraform-provider-tls/12bfb46f9792db2c6e2ea67e687967b2cb0a0e42/.changes/unreleased/.gitkeep


--------------------------------------------------------------------------------
/.changie.yaml:
--------------------------------------------------------------------------------
 1 | # DO NOT EDIT - This GitHub Workflow is managed by automation
 2 | # https://github.com/hashicorp/terraform-devex-repos
 3 | changesDir: .changes
 4 | unreleasedDir: unreleased
 5 | changelogPath: CHANGELOG.md
 6 | versionExt: md
 7 | versionFormat: '## {{.Version}} ({{.Time.Format "January 02, 2006"}})'
 8 | kindFormat: '{{.Kind}}:'
 9 | changeFormat: '* {{.Body}} ([#{{.Custom.Issue}}](https://github.com/hashicorp/terraform-provider-tls/issues/{{.Custom.Issue}}))'
10 | custom:
11 |   - key: Issue
12 |     label: Issue/PR Number
13 |     type: int
14 |     minInt: 1
15 | kinds:
16 |   - label: BREAKING CHANGES
17 |   - label: NOTES
18 |   - label: FEATURES
19 |   - label: ENHANCEMENTS
20 |   - label: BUG FIXES
21 | newlines:
22 |   afterKind: 1
23 |   beforeKind: 1
24 |   endOfVersion: 2
25 | 


--------------------------------------------------------------------------------
/.copywrite.hcl:
--------------------------------------------------------------------------------
 1 | schema_version = 1
 2 | 
 3 | project {
 4 |   license        = "MPL-2.0"
 5 |   copyright_year = 2017
 6 | 
 7 |   header_ignore = [
 8 |     # internal catalog metadata (prose)
 9 |     "META.d/**/*.yaml",
10 | 
11 |     # changie tooling configuration and CHANGELOG entries (prose)
12 |     ".changes/unreleased/*.yaml",
13 |     ".changie.yaml",
14 | 
15 |     # examples used within documentation (prose)
16 |     "examples/**",
17 | 
18 |     # GitHub issue template configuration
19 |     ".github/ISSUE_TEMPLATE/*.yml",
20 | 
21 |     # GitHub Actions workflow-specific configurations
22 |     ".github/labeler-*.yml",
23 | 
24 |     # golangci-lint tooling configuration
25 |     ".golangci.yml",
26 | 
27 |     # Release Engineering tooling configuration
28 |     ".release/*.hcl",
29 |   ]
30 | }
31 | 


--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @hashicorp/terraform-core-plugins
2 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Bug_Report.yml:
--------------------------------------------------------------------------------
 1 | name: Bug Report
 2 | description: Something is incorrect or not working as expected.
 3 | labels: ["bug"]
 4 | body:
 5 |   - type: markdown
 6 |     attributes:
 7 |       value: |
 8 |         Thank you for taking the time to fill out this bug report! Please note that this issue tracker is only used for bug reports and feature requests. Other issues will be closed.
 9 | 
10 |         If you have a configuration, workflow, or other question, please go back to the issue chooser and select one of the question links.
11 |   - type: textarea
12 |     id: versions
13 |     attributes:
14 |       label: Terraform CLI and Provider Versions
15 |       description: What versions of Terraform CLI and the provider?
16 |       placeholder: Output of `terraform version` from configuration directory
17 |     validations:
18 |       required: true
19 |   - type: textarea
20 |     id: terraform-configuration
21 |     attributes:
22 |       label: Terraform Configuration
23 |       description: Please copy and paste any relevant Terraform configuration. This will be automatically formatted into code, so no need for backticks.
24 |       render: terraform
25 |     validations:
26 |       required: true
27 |   - type: textarea
28 |     id: expected-behavior
29 |     attributes:
30 |       label: Expected Behavior
31 |       description: What did you expect to happen?
32 |       placeholder: Description of what should have happened.
33 |     validations:
34 |       required: true
35 |   - type: textarea
36 |     id: actual-behavior
37 |     attributes:
38 |       label: Actual Behavior
39 |       description: What actually happened?
40 |       placeholder: Description of what actually happened.
41 |     validations:
42 |       required: true
43 |   - type: textarea
44 |     id: reproduction-steps
45 |     attributes:
46 |       label: Steps to Reproduce
47 |       description: List of steps to reproduce the issue.
48 |       value: |
49 |         1. `terraform apply`
50 |     validations:
51 |       required: true
52 |   - type: dropdown
53 |     id: impact
54 |     attributes:
55 |       label: How much impact is this issue causing?
56 |       description: High represents completely not able to use the provider or unexpected destruction of data/infrastructure. Medium represents unable to upgrade provider version or an issue with potential workaround. Low represents minor provider code, configuration, or documentation issues.
57 |       options:
58 |         - High
59 |         - Medium
60 |         - Low
61 |     validations:
62 |       required: true
63 |   - type: input
64 |     id: logs
65 |     attributes:
66 |       label: Logs
67 |       description: Please provide a link to a [GitHub Gist](https://gist.github.com) containing TRACE log output. [Terraform Debugging Documentation](https://www.terraform.io/internals/debugging)
68 |       placeholder: https://gist.github.com/example/12345678
69 |     validations:
70 |       required: false
71 |   - type: textarea
72 |     id: additional-information
73 |     attributes:
74 |       label: Additional Information
75 |       description: Are there any additional details about your environment, workflow, or recent changes that might be relevant? Have you discovered a workaround? Are there links to other related issues?
76 |     validations:
77 |       required: false
78 |   - type: checkboxes
79 |     id: terms
80 |     attributes:
81 |       label: Code of Conduct
82 |       description: By submitting this issue, you agree to follow our [Community Guidelines](https://www.hashicorp.com/community-guidelines).
83 |       options:
84 |         - label: I agree to follow this project's Code of Conduct
85 |           required: true
86 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Feature_Request.yml:
--------------------------------------------------------------------------------
 1 | name: Feature Request
 2 | description: Something is missing or could be improved.
 3 | labels: ["enhancement"]
 4 | body:
 5 |   - type: markdown
 6 |     attributes:
 7 |       value: |
 8 |         Thank you for taking the time to fill out this feature request! Please note that this issue tracker is only used for bug reports and feature requests. Other issues will be closed.
 9 | 
10 |         If you have a configuration, workflow, or other question, please go back to the issue chooser and select one of the question links.
11 |   - type: textarea
12 |     id: versions
13 |     attributes:
14 |       label: Terraform CLI and Provider Versions
15 |       description: What versions of Terraform CLI and the provider?
16 |       placeholder: Output of `terraform version` from configuration directory
17 |     validations:
18 |       required: true
19 |   - type: textarea
20 |     id: use-case
21 |     attributes:
22 |       label: Use Cases or Problem Statement
23 |       description: What use cases or problems are you trying to solve?
24 |       placeholder: Description of use cases or problems.
25 |     validations:
26 |       required: true
27 |   - type: textarea
28 |     id: proposal
29 |     attributes:
30 |       label: Proposal
31 |       description: What solutions would you prefer?
32 |       placeholder: Description of proposed solutions.
33 |     validations:
34 |       required: true
35 |   - type: dropdown
36 |     id: impact
37 |     attributes:
38 |       label: How much impact is this issue causing?
39 |       description: High represents completely not able to use the provider without this. Medium represents unable to solve a specific problem or understand something. Low represents minor provider code, configuration, or documentation issues.
40 |       options:
41 |         - High
42 |         - Medium
43 |         - Low
44 |     validations:
45 |       required: true
46 |   - type: textarea
47 |     id: additional-information
48 |     attributes:
49 |       label: Additional Information
50 |       description: Are there any additional details about your environment, workflow, or recent changes that might be relevant? Have you discovered a workaround? Are there links to other related issues?
51 |     validations:
52 |       required: false
53 |   - type: checkboxes
54 |     id: terms
55 |     attributes:
56 |       label: Code of Conduct
57 |       description: By submitting this issue, you agree to follow our [Community Guidelines](https://www.hashicorp.com/community-guidelines).
58 |       options:
59 |         - label: I agree to follow this project's Code of Conduct
60 |           required: true
61 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | blank_issues_enabled: false
2 | contact_links:
3 |   - name: Terraform Provider Questions
4 |     url: https://discuss.hashicorp.com/c/terraform-providers/31
5 |     about: GitHub issues in this repository are only intended for bug reports and feature requests. Other issues will be closed. Please ask and answer questions through the Terraform Provider section of HashiCorp Discuss.
6 |   - name: Terraform Language or Workflow Questions
7 |     url: https://discuss.hashicorp.com/c/terraform-core
8 |     about: Please ask and answer language or workflow related questions through the Terraform Core section of HashiCorp Discuss.
9 | 


--------------------------------------------------------------------------------
/.github/SUPPORT.md:
--------------------------------------------------------------------------------
1 | # Support
2 | 
3 | * Project [README](../README.md)
4 | * Official [Documentation](https://registry.terraform.io/providers/hashicorp/tls/latest/docs)
5 | * Providers [Discuss forums](https://discuss.hashicorp.com/c/terraform-providers/31)
6 | * Terraform [Community](https://www.terraform.io/community.html) page
7 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | # See GitHub's docs for more information on this file:
 2 | # https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
 3 | version: 2
 4 | updates:
 5 |   # Maintain dependencies for Go modules
 6 |   - package-ecosystem: "gomod"
 7 |     directory: "/"
 8 |     schedule:
 9 |       # Check for updates to Go modules every weekday
10 |       interval: "daily"
11 |   - package-ecosystem: "gomod"
12 |     directory: "/tools"
13 |     schedule:
14 |       interval: "daily"
15 |   - package-ecosystem: "github-actions"
16 |     directory: "/"
17 |     schedule:
18 |       interval: "daily"
19 | 


--------------------------------------------------------------------------------
/.github/labeler-issue-triage.yml:
--------------------------------------------------------------------------------
1 | bug:
2 |   - 'panic:'
3 | crash:
4 |   - 'panic:'
5 | 


--------------------------------------------------------------------------------
/.github/labeler-pull-request-triage.yml:
--------------------------------------------------------------------------------
1 | dependencies:
2 |   - changed-files:
3 |       - any-glob-to-any-file: .github/dependabot.yml
4 |       - any-glob-to-any-file: go.mod
5 |       - any-glob-to-any-file: go.sum
6 | documentation:
7 |   - changed-files:
8 |       - any-glob-to-any-file: website/**/*


--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
 1 | ## Related Issue
 2 | 
 3 | Fixes # <!-- INSERT ISSUE NUMBER -->
 4 | 
 5 | ## Description
 6 | 
 7 | In plain English, describe your approach to addressing the issue linked above. For example, if you made a particular design decision, let us know why you chose this path instead of another solution.
 8 | 
 9 | <!-- heimdall_github_prtemplate:grc-pci_dss-2024-01-05 -->
10 | ## Rollback Plan
11 | 
12 | - [ ] If a change needs to be reverted, we will roll out an update to the code within 7 days.
13 | 
14 | ## Changes to Security Controls
15 | 
16 | Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
17 | 


--------------------------------------------------------------------------------
/.github/workflows/ci-changie.yml:
--------------------------------------------------------------------------------
 1 | # DO NOT EDIT - This GitHub Workflow is managed by automation
 2 | # https://github.com/hashicorp/terraform-devex-repos
 3 | 
 4 | # Continuous integration handling for changie
 5 | name: ci-changie
 6 | 
 7 | on:
 8 |   pull_request:
 9 |     paths:
10 |       - .changes/unreleased/*.yaml
11 |       - .changie.yaml
12 |       - .github/workflows/ci-changie.yml
13 | 
14 | permissions:
15 |   contents: read
16 | 
17 | jobs:
18 |   check:
19 |     runs-on: ubuntu-latest
20 |     steps:
21 |       # Ensure terraform-devex-repos is updated on version changes.
22 |       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
23 |       # Ensure terraform-devex-repos is updated on version changes.
24 |       - uses: miniscruff/changie-action@6dcc2533cac0495148ed4046c438487e4dceaa23 # v2.0.0
25 |         with:
26 |           version: latest
27 |           args: batch patch --dry-run
28 | 


--------------------------------------------------------------------------------
/.github/workflows/compliance.yml:
--------------------------------------------------------------------------------
 1 | name: compliance
 2 | 
 3 | on:
 4 |   pull_request:
 5 | 
 6 | permissions:
 7 |   contents: read
 8 | 
 9 | jobs:
10 |   # Reference: ENGSRV-059
11 |   copywrite:
12 |     runs-on: ubuntu-latest
13 |     steps:
14 |       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
15 |       - uses: hashicorp/setup-copywrite@32638da2d4e81d56a0764aa1547882fc4d209636 # v1.1.3
16 |       - run: copywrite headers --plan
17 |       - run: copywrite license --plan
18 | 


--------------------------------------------------------------------------------
/.github/workflows/issue-comment-triage.yml:
--------------------------------------------------------------------------------
 1 | # DO NOT EDIT - This GitHub Workflow is managed by automation
 2 | # https://github.com/hashicorp/terraform-devex-repos
 3 | name: Issue Comment Triage
 4 | 
 5 | on:
 6 |   issue_comment:
 7 |     types: [created]
 8 | 
 9 | jobs:
10 |   issue_comment_triage:
11 |     runs-on: ubuntu-latest
12 |     env:
13 |       # issue_comment events are triggered by comments on issues and pull requests. Checking the
14 |       # value of github.event.issue.pull_request tells us whether the issue is an issue or is
15 |       # actually a pull request, allowing us to dynamically set the gh subcommand:
16 |       # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#issue_comment-on-issues-only-or-pull-requests-only
17 |       COMMAND: ${{ github.event.issue.pull_request && 'pr' || 'issue' }}
18 |       GH_TOKEN: ${{ github.token }}
19 |     steps:
20 |       - name: 'Remove waiting-response on comment'
21 |         run: gh ${{ env.COMMAND }} edit ${{ github.event.issue.html_url }} --remove-label waiting-response
22 | 


--------------------------------------------------------------------------------
/.github/workflows/issue-opened.yml:
--------------------------------------------------------------------------------
 1 | name: Issue Opened Triage
 2 | 
 3 | on:
 4 |   issues:
 5 |     types: [opened]
 6 | 
 7 | jobs:
 8 |   issue_triage:
 9 |     runs-on: ubuntu-latest
10 |     steps:
11 |     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
12 |     - uses: github/issue-labeler@c1b0f9f52a63158c4adc09425e858e87b32e9685 # v3.4
13 |       with:
14 |         repo-token: "${{ secrets.GITHUB_TOKEN }}"
15 |         configuration-path: .github/labeler-issue-triage.yml
16 |         enable-versioned-regex: 0
17 | 


--------------------------------------------------------------------------------
/.github/workflows/lock.yml:
--------------------------------------------------------------------------------
 1 | # DO NOT EDIT - This GitHub Workflow is managed by automation
 2 | # https://github.com/hashicorp/terraform-devex-repos
 3 | name: 'Lock Threads'
 4 | 
 5 | on:
 6 |   schedule:
 7 |     - cron: '51 8 * * *'
 8 | 
 9 | jobs:
10 |   lock:
11 |     runs-on: ubuntu-latest
12 |     steps:
13 |       # NOTE: When TSCCR updates the GitHub action version, update the template workflow file to avoid drift:
14 |       # https://github.com/hashicorp/terraform-devex-repos/blob/main/modules/repo/workflows/lock.tftpl
15 |       - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
16 |         with:
17 |           github-token: ${{ github.token }}
18 |           issue-inactive-days: '30'
19 |           issue-lock-reason: resolved
20 |           pr-inactive-days: '30'
21 |           pr-lock-reason: resolved
22 | 


--------------------------------------------------------------------------------
/.github/workflows/pull-request.yml:
--------------------------------------------------------------------------------
 1 | name: "Pull Request Triage"
 2 | 
 3 | on: [pull_request_target]
 4 | 
 5 | permissions:
 6 |   # CodelyTV/pr-size-labeler uses issues URL for labeling
 7 |   issues: write
 8 |   pull-requests: write
 9 | 
10 | jobs:
11 |   triage:
12 |     runs-on: ubuntu-latest
13 |     steps:
14 |     - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
15 |       with:
16 |         configuration-path: .github/labeler-pull-request-triage.yml
17 |         repo-token: "${{ secrets.GITHUB_TOKEN }}"
18 |     - uses: CodelyTV/pr-size-labeler@1c3422395d899286d5ee2c809fd5aed264d5eb9b # v1.10.2
19 |       with:
20 |         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
21 |         xs_label: 'size/XS'
22 |         xs_max_size: '30'
23 |         s_label: 'size/S'
24 |         s_max_size: '60'
25 |         m_label: 'size/M'
26 |         m_max_size: '150'
27 |         l_label: 'size/L'
28 |         l_max_size: '300'
29 |         xl_label: 'size/XL'
30 |         message_if_xl: ''
31 |         files_to_ignore: 'go.sum'
32 | 


--------------------------------------------------------------------------------
/.github/workflows/test.yml:
--------------------------------------------------------------------------------
 1 | name: Test
 2 | 
 3 | on:
 4 |   pull_request:
 5 |     branches: [ main ]
 6 |     paths-ignore:
 7 |       - 'README.md'
 8 |       - 'CHANGELOG.md'
 9 |       - 'website/*'
10 |   push:
11 |     branches: [ main ]
12 |     paths-ignore:
13 |       - 'README.md'
14 |       - 'CHANGELOG.md'
15 |       - 'website/*'
16 | 
17 | jobs:
18 | 
19 |   build:
20 |     name: Build
21 |     runs-on: ubuntu-latest
22 |     timeout-minutes: 5
23 | 
24 |     steps:
25 | 
26 |     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
27 |     - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
28 |       with:
29 |         go-version-file: 'go.mod'
30 | 
31 |     - name: Run linters
32 |       uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
33 |       with:
34 |         version: latest
35 | 
36 |     # We need the latest version of Terraform for our documentation generation to use
37 |     - name: Set up Terraform
38 |       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
39 |       with:
40 |         terraform_wrapper: false
41 | 
42 |     - name: Generate
43 |       run: make generate
44 | 
45 |     - name: Confirm no diff
46 |       run: |
47 |         git diff --compact-summary --exit-code || \
48 |           (echo "*** Unexpected differences after code generation. Run 'make generate' and commit."; exit 1)
49 | 
50 |     - name: Build
51 |       run: make build
52 | 
53 |   test:
54 |     name: 'Acc. Tests (OS: ${{ matrix.os }} / TF: ${{ matrix.terraform }})'
55 |     needs: build
56 |     runs-on: ${{ matrix.os }}
57 |     timeout-minutes: 15
58 | 
59 |     strategy:
60 |       fail-fast: false
61 |       matrix:
62 |         os:
63 |           - macos-latest
64 |           - windows-latest
65 |           - ubuntu-latest
66 |         terraform: ${{ fromJSON(vars.TF_VERSIONS_PROTOCOL_V5) }}
67 | 
68 |     steps:
69 | 
70 |     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
71 |     - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
72 |       with:
73 |         go-version-file: 'go.mod'
74 | 
75 |     - name: Setup Terraform ${{ matrix.terraform }}
76 |       uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
77 |       with:
78 |         terraform_version: ${{ matrix.terraform }}
79 |         terraform_wrapper: false
80 | 
81 |     - name: Run acceptance test
82 |       run: make testacc
83 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.dll
 2 | *.exe
 3 | .DS_Store
 4 | example.tf
 5 | terraform.tfplan
 6 | terraform.tfstate
 7 | bin/
 8 | modules-dev/
 9 | /pkg/
10 | website/.vagrant
11 | website/.bundle
12 | website/build
13 | website/node_modules
14 | .vagrant/
15 | *.backup
16 | ./*.tfstate
17 | .terraform/
18 | *.log
19 | *.bak
20 | *~
21 | .*.swp
22 | .idea/
23 | *.iws
24 | *.iml
25 | *.test
26 | 
27 | website/vendor
28 | 
29 | # Test exclusions
30 | !command/test-fixtures/**/*.tfstate
31 | !command/test-fixtures/**/.terraform/
32 | 


--------------------------------------------------------------------------------
/.golangci.yml:
--------------------------------------------------------------------------------
 1 | version: "2"
 2 | linters:
 3 |   default: none
 4 |   enable:
 5 |     - copyloopvar
 6 |     - durationcheck
 7 |     - errcheck
 8 |     - forcetypeassert
 9 |     - godot
10 |     - govet
11 |     - ineffassign
12 |     - makezero
13 |     - misspell
14 |     - nilerr
15 |     - predeclared
16 |     - staticcheck
17 |     - unconvert
18 |     - unparam
19 |     - unused
20 |     - usetesting
21 |   exclusions:
22 |     generated: lax
23 |     presets:
24 |       - comments
25 |       - common-false-positives
26 |       - legacy
27 |       - std-error-handling
28 |     paths:
29 |       - third_party$
30 |       - builtin$
31 |       - examples$
32 | issues:
33 |   max-issues-per-linter: 0
34 |   max-same-issues: 0
35 | formatters:
36 |   enable:
37 |     - gofmt
38 |   exclusions:
39 |     generated: lax
40 |     paths:
41 |       - third_party$
42 |       - builtin$
43 |       - examples$
44 | 


--------------------------------------------------------------------------------
/.release/ci.hcl:
--------------------------------------------------------------------------------
 1 | # Reference: https://github.com/hashicorp/crt-core-helloworld/blob/main/.release/ci.hcl (private repository)
 2 | 
 3 | schema = "2"
 4 | 
 5 | project "terraform-provider-tls" {
 6 |   // team is currently unused and has no meaning
 7 |   // but is required to be non-empty by CRT orchestator
 8 |   team = "_UNUSED_"
 9 | 
10 |   slack {
11 |     notification_channel = "C02BASDVCDT" // #feed-terraform-sdk
12 |   }
13 | 
14 |   github {
15 |     organization     = "hashicorp"
16 |     repository       = "terraform-provider-tls"
17 |     release_branches = ["main", "release/**"]
18 |   }
19 | }
20 | 
21 | event "merge" {
22 | }
23 | 
24 | event "build" {
25 |   action "build" {
26 |     depends = ["merge"]
27 | 
28 |     organization = "hashicorp"
29 |     repository   = "terraform-provider-tls"
30 |     workflow     = "build"
31 |   }
32 | }
33 | 
34 | event "prepare" {
35 |   # `prepare` is the Common Release Tooling (CRT) artifact processing workflow.
36 |   # It prepares artifacts for potential promotion to staging and production.
37 |   # For example, it scans and signs artifacts.
38 | 
39 |   depends = ["build"]
40 | 
41 |   action "prepare" {
42 |     organization = "hashicorp"
43 |     repository   = "crt-workflows-common"
44 |     workflow     = "prepare"
45 |     depends      = ["build"]
46 |   }
47 | 
48 |   notification {
49 |     on = "fail"
50 |   }
51 | }
52 | 
53 | event "trigger-staging" {
54 | }
55 | 
56 | event "promote-staging" {
57 |   action "promote-staging" {
58 |     organization = "hashicorp"
59 |     repository   = "crt-workflows-common"
60 |     workflow     = "promote-staging"
61 |     depends      = null
62 |     config       = "release-metadata.hcl"
63 |   }
64 | 
65 |   depends = ["trigger-staging"]
66 | 
67 |   notification {
68 |     on = "always"
69 |   }
70 | }
71 | 
72 | event "trigger-production" {
73 | }
74 | 
75 | event "promote-production" {
76 |   action "promote-production" {
77 |     organization = "hashicorp"
78 |     repository   = "crt-workflows-common"
79 |     workflow     = "promote-production"
80 |     depends      = null
81 |     config       = ""
82 |   }
83 | 
84 |   depends = ["trigger-production"]
85 | 
86 |   notification {
87 |     on = "always"
88 |   }
89 | }
90 | 


--------------------------------------------------------------------------------
/.release/release-metadata.hcl:
--------------------------------------------------------------------------------
1 | url_source_repository         = "https://github.com/hashicorp/terraform-provider-tls"
2 | url_project_website           = "https://registry.terraform.io/providers/hashicorp/tls"
3 | url_license                   = "https://github.com/hashicorp/terraform-provider-tls/blob/main/LICENSE"
4 | url_release_notes             = "https://github.com/hashicorp/terraform-provider-tls/blob/main/CHANGELOG.md"
5 | 


--------------------------------------------------------------------------------
/.release/security-scan.hcl:
--------------------------------------------------------------------------------
 1 | # Reference: https://github.com/hashicorp/security-scanner/blob/main/CONFIG.md#binary (private repository)
 2 | 
 3 | binary {
 4 |   secrets {
 5 |     all = true
 6 |   }
 7 |   go_modules   = true
 8 |   osv          = true
 9 |   oss_index    = false
10 |   nvd          = false
11 | }
12 | 


--------------------------------------------------------------------------------
/.release/terraform-provider-tls-artifacts.hcl:
--------------------------------------------------------------------------------
 1 | schema = 1
 2 | artifacts {
 3 |   zip = [
 4 |     "terraform-provider-tls_${version}_darwin_amd64.zip",
 5 |     "terraform-provider-tls_${version}_darwin_arm64.zip",
 6 |     "terraform-provider-tls_${version}_freebsd_386.zip",
 7 |     "terraform-provider-tls_${version}_freebsd_amd64.zip",
 8 |     "terraform-provider-tls_${version}_freebsd_arm.zip",
 9 |     "terraform-provider-tls_${version}_linux_386.zip",
10 |     "terraform-provider-tls_${version}_linux_amd64.zip",
11 |     "terraform-provider-tls_${version}_linux_arm.zip",
12 |     "terraform-provider-tls_${version}_linux_arm64.zip",
13 |     "terraform-provider-tls_${version}_windows_386.zip",
14 |     "terraform-provider-tls_${version}_windows_amd64.zip",
15 |   ]
16 | }


--------------------------------------------------------------------------------
/DESIGN.md:
--------------------------------------------------------------------------------
 1 | # TLS Provider Design
 2 | 
 3 | The TLS Provider offers a small surface area compared to other providers (like
 4 | [AWS](https://registry.terraform.io/providers/hashicorp/aws/latest),
 5 | [Google](https://registry.terraform.io/providers/hashicorp/google/latest),
 6 | [Azure](https://registry.terraform.io/providers/hashicorp/azurerm/latest), ...),
 7 | and focuses on covering the needs of working with entities like
 8 | keys and certificates, that are part of
 9 | [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security).
10 | 
11 | Below we have a collection of _Goals_ and _Patterns_: they represent the guiding principles applied during
12 | the development of this provider. Some are in place, others are ongoing processes, others are still just inspirational.
13 |  
14 | ## Goals
15 | 
16 | * [_Stability over features_](.github/CONTRIBUTING.md) 
17 | * Support [cryptography](https://en.wikipedia.org/wiki/Cryptography) _primitives_ necessary to Terraform configurations
18 | * Provide managed resourced and data sources to manipulate and interact with **Keys, Certificates and Certificate Requests**
19 | * Support formats, backed by [IETF RFCs](https://www.ietf.org/standards/rfcs/):
20 |   * [Privacy Enhancement for Internet Electronic Mail (PEM) (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421)
21 |   * [Internet X.509 Public Key Infrastructure Certificate (RFC 5280)](https://datatracker.ietf.org/doc/html/rfc5280)
22 |   * [Secure Shell (SSH) Public Key Format (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716),
23 |     as well as [SSH Private Key format](https://coolaj86.com/articles/the-openssh-private-key-format/)
24 |   * [Public-Key Cryptography Standards (PKCS) #8 (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208)
25 |   * [Distinguished Names representation (RFC 2253)](https://datatracker.ietf.org/doc/html/rfc2253)
26 |   * [Timestamps (RFC 3339)](https://datatracker.ietf.org/doc/html/rfc3339)
27 | * Support specific cryptography key algorithms:
28 |   * [`RSA`](https://en.wikipedia.org/wiki/RSA_(cryptosystem))
29 |   * [`ECDSA`](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm)
30 |     with curves `P224`, `P256`, `P384` and `P521`
31 |   * [`ED25519`](https://ed25519.cr.yp.to/)
32 | * For implementation of cryptographic primitives we will stick with Golang [crypto](https://pkg.go.dev/crypto)
33 |   and [x/crypto](https://pkg.go.dev/golang.org/x/crypto)
34 |   * Cryptography is a non-trivial subject, and not all provider maintainers can also be domain experts
35 |   * We will only support technologies that are covered by these libraries
36 |   * In rare cases we _might_ consider using implementations from other repositories, but they will be
37 |     entirely at the discretion of the maintenance team to judge the quality, maintenance status and community adoption
38 |     of those repositories
39 | * Provide a comprehensive documentation
40 | * Highlight intended and unadvisable usages
41 | 
42 | ### About formats and key algorithms
43 | 
44 | Cryptography and security are an evolving and changing subject; for this reason the set of technologies supported 
45 | will need to be reassessed over time by the maintenance team,
46 | while also evaluating incoming [feature requests](.github/CONTRIBUTING.md#feature-requests).
47 | 
48 | ## Patterns
49 | 
50 | Specific to this provider:
51 | 
52 | * **Consistency**: once a format or algorithm is adopted, all resources and data sources should support it (if appropriate)
53 | * **`PEM` and `OpenSSH PEM`**: Entities that support [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421)
54 |   should also support [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716), unless there is a good
55 |   reason not to.
56 | * **No ["security by obscurity"](https://en.wikipedia.org/wiki/Security_through_obscurity)**: We should be clear
57 |   in implementation and documentation that this provider doesn't provide "security" per se, but it's up to the
58 |   practitioner to ensure it, by setting in place the right infrastructure, like storing the Terraform state in
59 |   accordance with [recommendations](https://www.terraform.io/language/state/sensitive-data#recommendations).
60 | 
61 | General to development:
62 | 
63 | * **Avoid repetition**: the entities managed can sometimes require similar pieces of logic and/or schema to be realised.
64 |   When this happens it's important to keep the code shared in communal sections, so to avoid having to modify code
65 |   in multiple places when they start changing.
66 | * **Test expectations as well as bugs**: While it's typical to write tests to exercise a new functionality, it's key
67 |   to also provide tests for issues that get identified and fixed, so to prove resolution as well as avoid regression.
68 | * **Automate boring tasks**: Processes that are manual, repetitive and can be automated, should be.
69 |   In addition to be a time-saving practice, this ensures consistency and reduces human error (ex. static code analysis).
70 | * **Semantic versioning**: Adhering to HashiCorp's own
71 |   [Versioning Specification](https://www.terraform.io/plugin/sdkv2/best-practices/versioning#versioning-specification)
72 |   ensures we provide a consistent practitioner experience, and a clear process to deprecation and decommission.
73 | 


--------------------------------------------------------------------------------
/GNUmakefile:
--------------------------------------------------------------------------------
 1 | default: build
 2 | 
 3 | build:
 4 | 	go build -v ./...
 5 | 
 6 | install: build
 7 | 	go install -v ./...
 8 | 
 9 | # See https://golangci-lint.run/
10 | lint:
11 | 	golangci-lint run
12 | 
13 | # Generate docs and copywrite headers
14 | generate:
15 | 	cd tools; go generate ./...
16 | 
17 | fmt:
18 | 	gofmt -s -w -e .
19 | 
20 | test:
21 | 	go test -v -cover -timeout=120s -parallel=4 ./...
22 | 
23 | testacc:
24 | 	TF_ACC=1 go test -v -cover -timeout 120m ./...
25 | 
26 | .PHONY: build install lint generate fmt test testacc
27 | 


--------------------------------------------------------------------------------
/META.d/_summary.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | schema: 1.1
 3 | 
 4 | partition: tf-ecosystem
 5 | 
 6 | summary:
 7 |   owner: team-tf-core-plugins
 8 |   description: |
 9 |     Utility provider that works with Transport Layer Security keys and certificates. It provides resources that allow private keys, certificates and certficate requests to be created as part of a Terraform deployment.
10 |   visibility: public


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Terraform Provider: TLS
  2 | 
  3 | The TLS provider provides utilities for working with *Transport Layer Security*
  4 | keys and certificates. It provides resources that
  5 | allow private keys, certificates and certificate requests to be
  6 | created as part of a Terraform deployment.
  7 | 
  8 | ## Documentation, questions and discussions
  9 | 
 10 | Official documentation on how to use this provider can be found on the 
 11 | [Terraform Registry](https://registry.terraform.io/providers/hashicorp/tls/latest/docs).
 12 | In case of specific questions or discussions, please use the
 13 | HashiCorp [Terraform Providers Discuss forums](https://discuss.hashicorp.com/c/terraform-providers/31),
 14 | in accordance with HashiCorp [Community Guidelines](https://www.hashicorp.com/community-guidelines).
 15 | 
 16 | We also provide:
 17 | 
 18 | * [Support](.github/SUPPORT.md) page for help when using the provider
 19 | * [Contributing](.github/CONTRIBUTING.md) guidelines in case you want to help this project
 20 | * [Design](DESIGN.md) documentation to understand the scope and maintenance decisions
 21 | 
 22 | The remainder of this document will focus on the development aspects of the provider.
 23 | 
 24 | ## Compatibility
 25 | 
 26 | Compatibility table between this provider, the [Terraform Plugin Protocol](https://www.terraform.io/plugin/how-terraform-works#terraform-plugin-protocol)
 27 | version it implements, and Terraform:
 28 | 
 29 | | TLS Provider | Terraform Plugin Protocol | Terraform |
 30 | |:------------:|:-------------------------:|:---------:|
 31 | |   `>= 4.x`   |            `5`            | `>= 0.12` |
 32 | |   `>= 3.x`   |            `5`            | `>= 0.12` |
 33 | |   `>= 2.x`   |        `4` and `5`        | `<= 0.12` |
 34 | |   `>= 0.x`   |            `4`            | `<= 0.11` |
 35 | 
 36 | Details can be found querying the [Registry API](https://www.terraform.io/internals/provider-registry-protocol#list-available-versions)
 37 | that return all the details about which version are currently available for a particular provider.
 38 | [Here](https://registry.terraform.io/v1/providers/hashicorp/tls/versions) are the details for TLS (JSON response).
 39 | 
 40 | ## Requirements
 41 | 
 42 | * [Terraform](https://www.terraform.io/downloads)
 43 | * [Go](https://go.dev/doc/install) (1.23)
 44 | * [GNU Make](https://www.gnu.org/software/make/)
 45 | * [golangci-lint](https://golangci-lint.run/usage/install/#local-installation) (optional)
 46 | 
 47 | ## Development
 48 | 
 49 | ### Building
 50 | 
 51 | 1. `git clone` this repository and `cd` into its directory
 52 | 2. `make` will trigger the Golang build
 53 | 
 54 | The provided `GNUmakefile` defines additional commands generally useful during development,
 55 | like for running tests, generating documentation, code formatting and linting.
 56 | Taking a look at it's content is recommended.
 57 | 
 58 | ### Testing
 59 | 
 60 | In order to test the provider, you can run
 61 | 
 62 | * `make test` to run provider tests
 63 | * `make testacc` to run provider acceptance tests
 64 | 
 65 | It's important to note that acceptance tests (`testacc`) will actually spawn
 66 | `terraform` and the provider. Read more about they work on the
 67 | [official page](https://www.terraform.io/plugin/sdkv2/testing/acceptance-tests).
 68 | 
 69 | ### Generating documentation
 70 | 
 71 | This provider uses [terraform-plugin-docs](https://github.com/hashicorp/terraform-plugin-docs/)
 72 | to generate documentation and store it in the `docs/` directory.
 73 | Once a release is cut, the Terraform Registry will download the documentation from `docs/`
 74 | and associate it with the release version. Read more about how this works on the
 75 | [official page](https://www.terraform.io/registry/providers/docs).
 76 | 
 77 | Use `make generate` to ensure the documentation is regenerated with any changes.
 78 | 
 79 | ### Using a development build
 80 | 
 81 | If [running tests and acceptance tests](#testing) isn't enough, it's possible to set up a local terraform configuration
 82 | to use a development builds of the provider. This can be achieved by leveraging the Terraform CLI
 83 | [configuration file development overrides](https://www.terraform.io/cli/config/config-file#development-overrides-for-provider-developers).
 84 | 
 85 | First, use `make install` to place a fresh development build of the provider in your
 86 | [`${GOBIN}`](https://pkg.go.dev/cmd/go#hdr-Compile_and_install_packages_and_dependencies)
 87 | (defaults to `${GOPATH}/bin` or `${HOME}/go/bin` if `${GOPATH}` is not set). Repeat
 88 | this every time you make changes to the provider locally.
 89 | 
 90 | Then, setup your environment following [these instructions](https://www.terraform.io/plugin/debugging#terraform-cli-development-overrides)
 91 | to make your local terraform use your local build.
 92 | 
 93 | ### Testing GitHub Actions
 94 | 
 95 | This project uses [GitHub Actions](https://docs.github.com/en/actions/automating-builds-and-tests) to realize its CI.
 96 | 
 97 | Sometimes it might be helpful to locally reproduce the behaviour of those actions,
 98 | and for this we use [act](https://github.com/nektos/act). Once installed, you can _simulate_ the actions executed
 99 | when opening a PR with:
100 | 
101 | ```shell
102 | # List of workflows for the 'pull_request' action
103 | $ act -l pull_request
104 | 
105 | # Execute the workflows associated with the `pull_request' action 
106 | $ act pull_request
107 | ```
108 | 
109 | ## Releasing
110 | 
111 | The releasable builds are generated from the [build GH workflow](./.github/workflows/build.yml) and the release/promotion process
112 | is completed via internal HashiCorp deployment tooling. Prior to release, the changelog should be updated in `main` with
113 | the changie tool, example:
114 | 
115 | ```sh
116 | changie batch 4.1.0 && changie merge
117 | ```
118 | 
119 | ## License
120 | 
121 | [Mozilla Public License v2.0](./LICENSE)
122 | 


--------------------------------------------------------------------------------
/docs/cdktf/python/data-sources/certificate.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | page_title: "tls_certificate Data Source - terraform-provider-tls"
  3 | subcategory: ""
  4 | description: |-
  5 |   Get information about the TLS certificates securing a host.
  6 |   Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
  7 | ---
  8 | 
  9 | 
 10 | <!-- Please do not edit this file, it is generated. -->
 11 | # tls_certificate (Data Source)
 12 | 
 13 | Get information about the TLS certificates securing a host.
 14 | 
 15 | Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
 16 | 
 17 | ## Example Usage
 18 | 
 19 | ### URL Usage
 20 | ```python
 21 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 22 | from constructs import Construct
 23 | from cdktf import Fn, Token, TerraformStack
 24 | #
 25 | # Provider bindings are generated by running `cdktf get`.
 26 | # See https://cdk.tf/provider-generation for more details.
 27 | #
 28 | from imports.aws.eks_cluster import EksCluster
 29 | from imports.aws.iam_openid_connect_provider import IamOpenidConnectProvider
 30 | from imports.tls.data_tls_certificate import DataTlsCertificate
 31 | class MyConvertedCode(TerraformStack):
 32 |     def __init__(self, scope, name, *, roleArn, vpcConfig):
 33 |         super().__init__(scope, name)
 34 |         example = EksCluster(self, "example",
 35 |             name="example",
 36 |             role_arn=role_arn,
 37 |             vpc_config=vpc_config
 38 |         )
 39 |         data_tls_certificate_example = DataTlsCertificate(self, "example_1",
 40 |             url=Token.as_string(
 41 |                 Fn.lookup_nested(example.identity, ["0", "oidc", "0", "issuer"]))
 42 |         )
 43 |         # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
 44 |         data_tls_certificate_example.override_logical_id("example")
 45 |         aws_iam_openid_connect_provider_example = IamOpenidConnectProvider(self, "example_2",
 46 |             client_id_list=["sts.amazonaws.com"],
 47 |             thumbprint_list=[
 48 |                 Token.as_string(
 49 |                     Fn.lookup_nested(data_tls_certificate_example.certificates, ["0", "sha1_fingerprint"
 50 |                     ]))
 51 |             ],
 52 |             url=Token.as_string(
 53 |                 Fn.lookup_nested(example.identity, ["0", "oidc", "0", "issuer"]))
 54 |         )
 55 |         # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
 56 |         aws_iam_openid_connect_provider_example.override_logical_id("example")
 57 | ```
 58 | 
 59 | ### Content Usage
 60 | ```python
 61 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 62 | from constructs import Construct
 63 | from cdktf import Fn, Token, TerraformStack
 64 | #
 65 | # Provider bindings are generated by running `cdktf get`.
 66 | # See https://cdk.tf/provider-generation for more details.
 67 | #
 68 | from imports.tls.data_tls_certificate import DataTlsCertificate
 69 | class MyConvertedCode(TerraformStack):
 70 |     def __init__(self, scope, name):
 71 |         super().__init__(scope, name)
 72 |         DataTlsCertificate(self, "example_content",
 73 |             content=Token.as_string(Fn.file("example.pem"))
 74 |         )
 75 | ```
 76 | 
 77 | <!-- 
 78 |     Schema ORIGINALLY generated by tfplugindocs,
 79 |     then manually tweaked to circumvent current limitations.
 80 | 
 81 |     This should be revisited, once https://github.com/hashicorp/terraform-plugin-docs/issues/66 is resolved.
 82 | -->
 83 | ## Schema
 84 | 
 85 | ### Optional
 86 | 
 87 | - `url` (String) The URL of the website to get the certificates from. Cannot be used with `content`.
 88 | - `content` (String) The content of the certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. Cannot be used with `url`.
 89 | - `verify_chain` (Boolean) Whether to verify the certificate chain while parsing it or not (default: `true`). Cannot be used with `content`.
 90 | 
 91 | ### Read-Only
 92 | 
 93 | - `id` (String) Unique identifier of this data source: hashing of the certificates in the chain.
 94 | - `certificates` (List of Object) The certificates protecting the site, with the root of the chain first. (see [below for nested schema](#nestedatt--certificates))
 95 | 
 96 | <a id="nestedatt--certificates"></a>
 97 | ### Nested Schema for `certificates`
 98 | 
 99 | Read-Only:
100 | 
101 | - `is_ca` (Boolean) `true` if the certificate is of a CA (Certificate Authority).
102 | - `issuer` (String) Who verified and signed the certificate, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
103 | - `not_after` (String) The time until which the certificate is invalid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
104 | - `not_before` (String) The time after which the certificate is valid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
105 | - `public_key_algorithm` (String) The key algorithm used to create the certificate.
106 | - `serial_number` (String) Number that uniquely identifies the certificate with the CA's system.
107 |   The `format` function can be used to convert this _base 10_ number into other bases, such as hex.
108 | - `sha1_fingerprint` (String) The SHA1 fingerprint of the public key of the certificate.
109 | - `signature_algorithm` (String) The algorithm used to sign the certificate.
110 | - `subject` (String) The entity the certificate belongs to, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
111 | - `version` (Number) The version the certificate is in.
112 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
113 | 
114 | <!-- cache-key: cdktf-0.20.8 input-aa0448a429be224544a948790292f3b630d2ecf0739247bd90334feadefa8419 -->


--------------------------------------------------------------------------------
/docs/cdktf/python/data-sources/public_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | <!-- Please do not edit this file, it is generated. -->
 4 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 5 | page_title: "tls_public_key Data Source - terraform-provider-tls"
 6 | subcategory: ""
 7 | description: |-
 8 |   Get a public key from a PEM-encoded private key.
 9 |   Use this data source to get the public key from a PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 or OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formatted private key, for use in other resources.
10 | ---
11 | 
12 | # tls_public_key (Data Source)
13 | 
14 | Get a public key from a PEM-encoded private key.
15 | 
16 | Use this data source to get the public key from a [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) or [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formatted private key, for use in other resources.
17 | 
18 | ## Example Usage
19 | 
20 | ```python
21 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
22 | from constructs import Construct
23 | from cdktf import Fn, Token, TerraformStack
24 | #
25 | # Provider bindings are generated by running `cdktf get`.
26 | # See https://cdk.tf/provider-generation for more details.
27 | #
28 | from imports.tls.data_tls_public_key import DataTlsPublicKey
29 | from imports.tls.private_key import PrivateKey
30 | class MyConvertedCode(TerraformStack):
31 |     def __init__(self, scope, name):
32 |         super().__init__(scope, name)
33 |         ed25519_example = PrivateKey(self, "ed25519-example",
34 |             algorithm="ED25519"
35 |         )
36 |         DataTlsPublicKey(self, "private_key_openssh-example",
37 |             private_key_openssh=Token.as_string(Fn.file("~/.ssh/id_rsa_rfc4716"))
38 |         )
39 |         DataTlsPublicKey(self, "private_key_pem-example",
40 |             private_key_pem=ed25519_example.private_key_pem
41 |         )
42 | ```
43 | 
44 | <!-- schema generated by tfplugindocs -->
45 | ## Schema
46 | 
47 | ### Optional
48 | 
49 | - `private_key_openssh` (String, Sensitive) The private key (in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format) to extract the public key from. This is _mutually exclusive_ with `private_key_pem`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
50 | - `private_key_pem` (String, Sensitive) The private key (in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format) to extract the public key from. This is _mutually exclusive_ with `private_key_openssh`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
51 | 
52 | ### Read-Only
53 | 
54 | - `algorithm` (String) The name of the algorithm used by the given private key. Possible values are: `RSA`, `ECDSA`, `ED25519`.
55 | - `id` (String) Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
56 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
57 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
58 | - `public_key_openssh` (String) The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
59 | - `public_key_pem` (String) The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
60 | 
61 | <!-- cache-key: cdktf-0.20.8 input-025d5bde39901a91ba6cb60272c97a78a0c01a6de59d77d7dea035490ff6ee0a -->


--------------------------------------------------------------------------------
/docs/cdktf/python/ephemeral-resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | <!-- Please do not edit this file, it is generated. -->
 4 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 5 | page_title: "tls_private_key Ephemeral Resource - terraform-provider-tls"
 6 | subcategory: ""
 7 | description: |-
 8 |   -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
 9 |   Creates a PEM (and OpenSSH) formatted private key.
10 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats.
11 |   The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
12 | ---
13 | 
14 | # tls_private_key (Ephemeral Resource)
15 | 
16 | -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key).
17 | 
18 | Creates a PEM (and OpenSSH) formatted private key.
19 | 
20 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. 
21 | 
22 | The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
23 | 
24 | ## Example Usage
25 | 
26 | ```python
27 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
28 | from constructs import Construct
29 | from cdktf import TerraformStack
30 | class MyConvertedCode(TerraformStack):
31 |     def __init__(self, scope, name):
32 |         super().__init__(scope, name)
33 | ```
34 | 
35 | <!-- schema generated by tfplugindocs -->
36 | ## Schema
37 | 
38 | ### Required
39 | 
40 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
41 | 
42 | ### Optional
43 | 
44 | - `ecdsa_curve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
45 | - `rsa_bits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
46 | 
47 | ### Read-Only
48 | 
49 | - `private_key_openssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
50 | - `private_key_pem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
51 | - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
52 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
53 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
54 | - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
55 | - `public_key_pem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
56 | 
57 | <!-- cache-key: cdktf-0.20.8 input-858687a65cc896d43aaec3ef675d1b25abdf572fd68d3440f2ec1829134aebe2 -->


--------------------------------------------------------------------------------
/docs/cdktf/python/index.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | page_title: "Provider: TLS"
  3 | description: |-
  4 |   The TLS provider provides utilities for working with Transport Layer Security keys and certificates.
  5 | ---
  6 | 
  7 | 
  8 | <!-- Please do not edit this file, it is generated. -->
  9 | # TLS Provider
 10 | 
 11 | The TLS provider provides utilities for working with *Transport Layer Security*
 12 | keys and certificates. It provides resources that
 13 | allow private keys, certificates and certificate requests to be
 14 | created as part of a Terraform deployment.
 15 | 
 16 | Another name for Transport Layer Security is *Secure Sockets Layer*,
 17 | or SSL. TLS and SSL are equivalent when considering the resources
 18 | managed by this provider.
 19 | 
 20 | This provider is not particularly useful on its own, but it can be
 21 | used to create certificates and credentials that can then be used
 22 | with other providers when creating resources that expose TLS
 23 | services or that themselves provision TLS certificates.
 24 | 
 25 | Use the navigation to the left to read about the available resources.
 26 | 
 27 | ## Example Usage
 28 | 
 29 | ```python
 30 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 31 | from constructs import Construct
 32 | from cdktf import Token, TerraformStack
 33 | #
 34 | # Provider bindings are generated by running `cdktf get`.
 35 | # See https://cdk.tf/provider-generation for more details.
 36 | #
 37 | from imports.aws.iam_server_certificate import IamServerCertificate
 38 | from imports.tls.private_key import PrivateKey
 39 | from imports.tls.self_signed_cert import SelfSignedCert
 40 | class MyConvertedCode(TerraformStack):
 41 |     def __init__(self, scope, name):
 42 |         super().__init__(scope, name)
 43 |         example = PrivateKey(self, "example",
 44 |             algorithm="ECDSA"
 45 |         )
 46 |         tls_self_signed_cert_example = SelfSignedCert(self, "example_1",
 47 |             allowed_uses=["key_encipherment", "digital_signature", "server_auth"],
 48 |             dns_names=["example.com", "example.net"],
 49 |             early_renewal_hours=3,
 50 |             key_algorithm=example.algorithm,
 51 |             private_key_pem=example.private_key_pem,
 52 |             subject=[SelfSignedCertSubject(
 53 |                 common_name="example.com",
 54 |                 organization="ACME Examples, Inc"
 55 |             )
 56 |             ],
 57 |             validity_period_hours=12
 58 |         )
 59 |         # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
 60 |         tls_self_signed_cert_example.override_logical_id("example")
 61 |         aws_iam_server_certificate_example = IamServerCertificate(self, "example_2",
 62 |             certificate_body=Token.as_string(tls_self_signed_cert_example.cert_pem),
 63 |             name="example_self_signed_cert",
 64 |             private_key=example.private_key_pem
 65 |         )
 66 |         # This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.
 67 |         aws_iam_server_certificate_example.override_logical_id("example")
 68 | ```
 69 | 
 70 | ### Configuring Proxy
 71 | 
 72 | ```python
 73 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 74 | from constructs import Construct
 75 | from cdktf import TerraformStack
 76 | #
 77 | # Provider bindings are generated by running `cdktf get`.
 78 | # See https://cdk.tf/provider-generation for more details.
 79 | #
 80 | from imports.tls.data_tls_certificate import DataTlsCertificate
 81 | from imports.tls.provider import TlsProvider
 82 | class MyConvertedCode(TerraformStack):
 83 |     def __init__(self, scope, name):
 84 |         super().__init__(scope, name)
 85 |         TlsProvider(self, "tls",
 86 |             proxy=[TlsProviderProxy(
 87 |                 url="https://corporate.proxy.service"
 88 |             )
 89 |             ]
 90 |         )
 91 |         DataTlsCertificate(self, "test",
 92 |             url="https://example.com"
 93 |         )
 94 | ```
 95 | 
 96 | ```python
 97 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 98 | from constructs import Construct
 99 | from cdktf import TerraformStack
100 | #
101 | # Provider bindings are generated by running `cdktf get`.
102 | # See https://cdk.tf/provider-generation for more details.
103 | #
104 | from imports.tls.data_tls_certificate import DataTlsCertificate
105 | from imports.tls.provider import TlsProvider
106 | class MyConvertedCode(TerraformStack):
107 |     def __init__(self, scope, name):
108 |         super().__init__(scope, name)
109 |         TlsProvider(self, "tls",
110 |             proxy=[TlsProviderProxy(
111 |                 from_env=True
112 |             )
113 |             ]
114 |         )
115 |         DataTlsCertificate(self, "test",
116 |             url="https://example.com"
117 |         )
118 | ```
119 | 
120 | <!-- schema generated by tfplugindocs -->
121 | ## Schema
122 | 
123 | ### Optional
124 | 
125 | - `proxy` (Block List) Proxy used by resources and data sources that connect to external endpoints. (see [below for nested schema](#nestedblock--proxy))
126 | 
127 | <a id="nestedblock--proxy"></a>
128 | ### Nested Schema for `proxy`
129 | 
130 | Optional:
131 | 
132 | - `from_env` (Boolean) When `true` the provider will discover the proxy configuration from environment variables. This is based upon [`http.ProxyFromEnvironment`](https://pkg.go.dev/net/http#ProxyFromEnvironment) and it supports the same environment variables (default: `true`).
133 | - `password` (String, Sensitive) Password used for Basic authentication against the Proxy.
134 | - `url` (String) URL used to connect to the Proxy. Accepted schemes are: `http`, `https`, `socks5`.
135 | - `username` (String) Username (or Token) used for Basic authentication against the Proxy.
136 | 
137 | ## Limitations
138 | 
139 | ### `ECDSA` with `P224` elliptic curve
140 | 
141 | When using `ECDSA` with `P224`, all the (computed) attributes
142 | that have to do with [OpenSSH](https://www.openssh.com/) will have a value of `""` (empty string).
143 | This applies to different resources and data sources offered by this provider,
144 | like the `tls_private_key` resource or the `tls_public_key` data source.
145 | 
146 | The attributes affected are:
147 | 
148 | * `.public_key_openssh`
149 | * `.private_key_openssh`
150 | * `.public_key_fingerprint_md5`
151 | * `.public_key_fingerprint_sha256`
152 | 
153 | This is because the SSH ECC Algorithm Integration ([RFC 5656](https://datatracker.ietf.org/doc/html/rfc5656))
154 | restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
155 | 
156 | ### Secrets and Terraform state
157 | 
158 | Some resources that can be created with this provider, like `tls_private_key`, are
159 | considered "secrets", and as such are marked by this provider as _sensitive_, so to
160 | help practitioner to not accidentally leak their value in logs or other form of output.
161 | 
162 | It's important to remember that the values that constitute the "state" of those
163 | resources will be stored in the [Terraform state](https://www.terraform.io/language/state) file.
164 | This includes the "secrets", that will be part of the state file *unencrypted*.
165 | 
166 | Because of these limitations, **use of these resources for production deployments is _not_ recommended**.
167 | Failing that, **protecting the content of the state file is strongly recommended**.
168 | 
169 | The more general advice is that it's better to generate "secrets" outside of Terraform,
170 | and then distribute them securely to the system where Terraform will make use of them.
171 | 
172 | <!-- cache-key: cdktf-0.20.8 input-9629aac943b54f5dd10ea0b4a5ac545ba133cdf7ce49405f60bebc3525e333fa -->


--------------------------------------------------------------------------------
/docs/cdktf/python/resources/cert_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_cert_request Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a Certificate Signing Request (CSR) in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format.
 6 |   PEM is the typical format used to request a certificate from a Certificate Authority (CA).
 7 |   This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
 8 | ---
 9 | 
10 | 
11 | <!-- Please do not edit this file, it is generated. -->
12 | # tls_cert_request (Resource)
13 | 
14 | Creates a Certificate Signing Request (CSR) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
15 | 
16 | PEM is the typical format used to request a certificate from a Certificate Authority (CA).
17 | 
18 | This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
19 | 
20 | This is a *logical resource*, so it contributes only to the current Terraform
21 | state and does not create any external managed resources.
22 | 
23 | 
24 | ## Example Usage
25 | 
26 | ```python
27 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
28 | from constructs import Construct
29 | from cdktf import Fn, Token, TerraformStack
30 | #
31 | # Provider bindings are generated by running `cdktf get`.
32 | # See https://cdk.tf/provider-generation for more details.
33 | #
34 | from imports.tls.cert_request import CertRequest
35 | class MyConvertedCode(TerraformStack):
36 |     def __init__(self, scope, name):
37 |         super().__init__(scope, name)
38 |         CertRequest(self, "example",
39 |             private_key_pem=Token.as_string(Fn.file("private_key.pem")),
40 |             subject=[CertRequestSubject(
41 |                 common_name="example.com",
42 |                 organization="ACME Examples, Inc"
43 |             )
44 |             ]
45 |         )
46 | ```
47 | 
48 | <!-- schema generated by tfplugindocs -->
49 | ## Schema
50 | 
51 | ### Required
52 | 
53 | - `private_key_pem` (String, Sensitive) Private key in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format, that the certificate will belong to. This can be read from a separate file using the [`file`](https://www.terraform.io/language/functions/file) interpolation function.
54 | 
55 | ### Optional
56 | 
57 | - `dns_names` (List of String) List of DNS names for which a certificate is being requested (i.e. certificate subjects).
58 | - `ip_addresses` (List of String) List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
59 | - `subject` (Block List) The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon [Issuer Distinguished Names (RFC5280)](https://tools.ietf.org/html/rfc5280#section-4.1.2.4) section. (see [below for nested schema](#nestedblock--subject))
60 | - `uris` (List of String) List of URIs for which a certificate is being requested (i.e. certificate subjects).
61 | 
62 | ### Read-Only
63 | 
64 | - `cert_request_pem` (String) The certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
65 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
66 | - `key_algorithm` (String) Name of the algorithm used when generating the private key provided in `private_key_pem`.
67 | 
68 | <a id="nestedblock--subject"></a>
69 | ### Nested Schema for `subject`
70 | 
71 | Optional:
72 | 
73 | - `common_name` (String) Distinguished name: `CN`
74 | - `country` (String) Distinguished name: `C`
75 | - `email_address` (String) ASN.1 Object Identifier (OID): `1.2.840.113549.1.9.1`
76 | - `locality` (String) Distinguished name: `L`
77 | - `organization` (String) Distinguished name: `O`
78 | - `organizational_unit` (String) Distinguished name: `OU`
79 | - `postal_code` (String) Distinguished name: `PC`
80 | - `province` (String) Distinguished name: `ST`
81 | - `serial_number` (String) Distinguished name: `SERIALNUMBER`
82 | - `street_address` (List of String) Distinguished name: `STREET`
83 | 
84 | <!-- cache-key: cdktf-0.20.8 input-5fc3454a287e0ef0992677dd4a77aa057e244661e06a2fdf1bd98cf262a46a61 -->


--------------------------------------------------------------------------------
/docs/cdktf/python/resources/locally_signed_cert.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_locally_signed_cert Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a TLS certificate in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
 6 | ---
 7 | 
 8 | 
 9 | <!-- Please do not edit this file, it is generated. -->
10 | # tls_locally_signed_cert (Resource)
11 | 
12 | Creates a TLS certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
13 | 
14 | -> **Note** Locally-signed certificates are generally only trusted by client software when
15 | setup to use the provided CA. They are normally used in development environments
16 | or when deployed internally to an organization.
17 | 
18 | ## Example Usage
19 | 
20 | ```python
21 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
22 | from constructs import Construct
23 | from cdktf import Fn, Token, TerraformStack
24 | #
25 | # Provider bindings are generated by running `cdktf get`.
26 | # See https://cdk.tf/provider-generation for more details.
27 | #
28 | from imports.tls.locally_signed_cert import LocallySignedCert
29 | class MyConvertedCode(TerraformStack):
30 |     def __init__(self, scope, name):
31 |         super().__init__(scope, name)
32 |         LocallySignedCert(self, "example",
33 |             allowed_uses=["key_encipherment", "digital_signature", "server_auth"],
34 |             ca_cert_pem=Token.as_string(Fn.file("ca_cert.pem")),
35 |             ca_private_key_pem=Token.as_string(Fn.file("ca_private_key.pem")),
36 |             cert_request_pem=Token.as_string(Fn.file("cert_request.pem")),
37 |             validity_period_hours=12
38 |         )
39 | ```
40 | 
41 | <!-- schema generated by tfplugindocs -->
42 | ## Schema
43 | 
44 | ### Required
45 | 
46 | - `allowed_uses` (List of String) List of key usages allowed for the issued certificate. Values are defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) and combine flags defined by both [Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) and [Extended Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12). Accepted values: `any_extended`, `cert_signing`, `client_auth`, `code_signing`, `content_commitment`, `crl_signing`, `data_encipherment`, `decipher_only`, `digital_signature`, `email_protection`, `encipher_only`, `ipsec_end_system`, `ipsec_tunnel`, `ipsec_user`, `key_agreement`, `key_encipherment`, `microsoft_commercial_code_signing`, `microsoft_kernel_code_signing`, `microsoft_server_gated_crypto`, `netscape_server_gated_crypto`, `ocsp_signing`, `server_auth`, `timestamping`.
47 | - `ca_cert_pem` (String) Certificate data of the Certificate Authority (CA) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
48 | - `ca_private_key_pem` (String, Sensitive) Private key of the Certificate Authority (CA) used to sign the certificate, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
49 | - `cert_request_pem` (String) Certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
50 | - `validity_period_hours` (Number) Number of hours, after initial issuing, that the certificate will remain valid for.
51 | 
52 | ### Optional
53 | 
54 | - `early_renewal_hours` (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: `0`)
55 | - `is_ca_certificate` (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: `false`).
56 | - `set_subject_key_id` (Boolean) Should the generated certificate include a [subject key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2) (default: `false`).
57 | 
58 | ### Read-Only
59 | 
60 | - `ca_key_algorithm` (String) Name of the algorithm used when generating the private key provided in `ca_private_key_pem`.
61 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
62 | - `id` (String) Unique identifier for this resource: the certificate serial number.
63 | - `ready_for_renewal` (Boolean) Is the certificate either expired (i.e. beyond the `validity_period_hours`) or ready for an early renewal (i.e. within the `early_renewal_hours`)?
64 | - `validity_end_time` (String) The time until which the certificate is invalid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
65 | - `validity_start_time` (String) The time after which the certificate is valid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
66 | 
67 | ## Automatic Renewal
68 | 
69 | This resource considers its instances to have been deleted after either their validity
70 | periods ends (i.e. beyond the `validity_period_hours`)
71 | or the early renewal period is reached (i.e. within the `early_renewal_hours`):
72 | when this happens, the `ready_for_renewal` attribute will be `true`.
73 | At this time, applying the Terraform configuration will cause a new certificate to be
74 | generated for the instance.
75 | 
76 | Therefore in a development environment with frequent deployments it may be convenient
77 | to set a relatively-short expiration time and use early renewal to automatically provision
78 | a new certificate when the current one is about to expire.
79 | 
80 | The creation of a new certificate may of course cause dependent resources to be updated
81 | or replaced, depending on the lifecycle rules applying to those resources.
82 | 
83 | <!-- cache-key: cdktf-0.20.8 input-68f5a3ac6e15730702eda898fd0b26d83e0623e2680b4782c44d4d8fba2cfe8f -->


--------------------------------------------------------------------------------
/docs/cdktf/python/resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_private_key Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key should be used, when possible, to avoid storing the private key data in the plan or state file.
 6 |   Creates a PEM (and OpenSSH) formatted private key.
 7 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
 8 | ---
 9 | 
10 | 
11 | <!-- Please do not edit this file, it is generated. -->
12 | # tls_private_key (Resource)
13 | 
14 | -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key) should be used, when possible, to avoid storing the private key data in the plan or state file.
15 | 
16 | Creates a PEM (and OpenSSH) formatted private key.
17 | 
18 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
19 | 
20 | ~> **Security Notice** The private key generated by this resource will
21 | be stored *unencrypted* in your Terraform state file. **Use of this resource
22 | for production deployments is *not* recommended**. Instead, generate
23 | a private key file outside of Terraform and distribute it securely
24 | to the system where Terraform will be run.
25 | 
26 | This is a *logical resource*, so it contributes only to the current Terraform
27 | state and does not create any external managed resources.
28 | 
29 | 
30 | ## Example Usage
31 | 
32 | ```python
33 | # DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
34 | from constructs import Construct
35 | from cdktf import TerraformStack
36 | #
37 | # Provider bindings are generated by running `cdktf get`.
38 | # See https://cdk.tf/provider-generation for more details.
39 | #
40 | from imports.tls.private_key import PrivateKey
41 | class MyConvertedCode(TerraformStack):
42 |     def __init__(self, scope, name):
43 |         super().__init__(scope, name)
44 |         PrivateKey(self, "ecdsa-p384-example",
45 |             algorithm="ECDSA",
46 |             ecdsa_curve="P384"
47 |         )
48 |         PrivateKey(self, "ed25519-example",
49 |             algorithm="ED25519"
50 |         )
51 |         PrivateKey(self, "rsa-4096-example",
52 |             algorithm="RSA",
53 |             rsa_bits=4096
54 |         )
55 | ```
56 | 
57 | <!-- schema generated by tfplugindocs -->
58 | ## Schema
59 | 
60 | ### Required
61 | 
62 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
63 | 
64 | ### Optional
65 | 
66 | - `ecdsa_curve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
67 | - `rsa_bits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
68 | 
69 | ### Read-Only
70 | 
71 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
72 | - `private_key_openssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
73 | - `private_key_pem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
74 | - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
75 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
76 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
77 | - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
78 | - `public_key_pem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
79 | 
80 | ## Generating a New Key
81 | 
82 | Since a private key is a logical resource that lives only in the Terraform state,
83 | it will persist until it is explicitly destroyed by the user.
84 | 
85 | In order to force the generation of a new key within an existing state, the
86 | private key instance can be "tainted":
87 | 
88 | ```
89 | terraform taint tls_private_key.example
90 | ```
91 | 
92 | A new key will then be generated on the next ``terraform apply``.
93 | 
94 | <!-- cache-key: cdktf-0.20.8 input-fa6a54a5b4a6d273bd8578f6498da92e11a57bc5a256bc7bf76da5af3c84ca2d -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/data-sources/certificate.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | page_title: "tls_certificate Data Source - terraform-provider-tls"
  3 | subcategory: ""
  4 | description: |-
  5 |   Get information about the TLS certificates securing a host.
  6 |   Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
  7 | ---
  8 | 
  9 | 
 10 | <!-- Please do not edit this file, it is generated. -->
 11 | # tls_certificate (Data Source)
 12 | 
 13 | Get information about the TLS certificates securing a host.
 14 | 
 15 | Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
 16 | 
 17 | ## Example Usage
 18 | 
 19 | ### URL Usage
 20 | ```typescript
 21 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 22 | import { Construct } from "constructs";
 23 | import { Fn, Token, TerraformStack } from "cdktf";
 24 | /*
 25 |  * Provider bindings are generated by running `cdktf get`.
 26 |  * See https://cdk.tf/provider-generation for more details.
 27 |  */
 28 | import { EksCluster } from "./.gen/providers/aws/eks-cluster";
 29 | import { IamOpenidConnectProvider } from "./.gen/providers/aws/iam-openid-connect-provider";
 30 | import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
 31 | interface MyConfig {
 32 |   roleArn: any;
 33 |   vpcConfig: any;
 34 | }
 35 | class MyConvertedCode extends TerraformStack {
 36 |   constructor(scope: Construct, name: string, config: MyConfig) {
 37 |     super(scope, name);
 38 |     const example = new EksCluster(this, "example", {
 39 |       name: "example",
 40 |       roleArn: config.roleArn,
 41 |       vpcConfig: config.vpcConfig,
 42 |     });
 43 |     const dataTlsCertificateExample = new DataTlsCertificate(
 44 |       this,
 45 |       "example_1",
 46 |       {
 47 |         url: Token.asString(
 48 |           Fn.lookupNested(example.identity, ["0", "oidc", "0", "issuer"])
 49 |         ),
 50 |       }
 51 |     );
 52 |     /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
 53 |     dataTlsCertificateExample.overrideLogicalId("example");
 54 |     const awsIamOpenidConnectProviderExample = new IamOpenidConnectProvider(
 55 |       this,
 56 |       "example_2",
 57 |       {
 58 |         clientIdList: ["sts.amazonaws.com"],
 59 |         thumbprintList: [
 60 |           Token.asString(
 61 |             Fn.lookupNested(dataTlsCertificateExample.certificates, [
 62 |               "0",
 63 |               "sha1_fingerprint",
 64 |             ])
 65 |           ),
 66 |         ],
 67 |         url: Token.asString(
 68 |           Fn.lookupNested(example.identity, ["0", "oidc", "0", "issuer"])
 69 |         ),
 70 |       }
 71 |     );
 72 |     /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
 73 |     awsIamOpenidConnectProviderExample.overrideLogicalId("example");
 74 |   }
 75 | }
 76 | 
 77 | ```
 78 | 
 79 | ### Content Usage
 80 | ```typescript
 81 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 82 | import { Construct } from "constructs";
 83 | import { Fn, Token, TerraformStack } from "cdktf";
 84 | /*
 85 |  * Provider bindings are generated by running `cdktf get`.
 86 |  * See https://cdk.tf/provider-generation for more details.
 87 |  */
 88 | import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
 89 | class MyConvertedCode extends TerraformStack {
 90 |   constructor(scope: Construct, name: string) {
 91 |     super(scope, name);
 92 |     new DataTlsCertificate(this, "example_content", {
 93 |       content: Token.asString(Fn.file("example.pem")),
 94 |     });
 95 |   }
 96 | }
 97 | 
 98 | ```
 99 | 
100 | <!-- 
101 |     Schema ORIGINALLY generated by tfplugindocs,
102 |     then manually tweaked to circumvent current limitations.
103 | 
104 |     This should be revisited, once https://github.com/hashicorp/terraform-plugin-docs/issues/66 is resolved.
105 | -->
106 | ## Schema
107 | 
108 | ### Optional
109 | 
110 | - `url` (String) The URL of the website to get the certificates from. Cannot be used with `content`.
111 | - `content` (String) The content of the certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. Cannot be used with `url`.
112 | - `verifyChain` (Boolean) Whether to verify the certificate chain while parsing it or not (default: `true`). Cannot be used with `content`.
113 | 
114 | ### Read-Only
115 | 
116 | - `id` (String) Unique identifier of this data source: hashing of the certificates in the chain.
117 | - `certificates` (List of Object) The certificates protecting the site, with the root of the chain first. (see [below for nested schema](#nestedatt--certificates))
118 | 
119 | <a id="nestedatt--certificates"></a>
120 | ### Nested Schema for `certificates`
121 | 
122 | Read-Only:
123 | 
124 | - `is_ca` (Boolean) `true` if the certificate is of a CA (Certificate Authority).
125 | - `issuer` (String) Who verified and signed the certificate, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
126 | - `notAfter` (String) The time until which the certificate is invalid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
127 | - `notBefore` (String) The time after which the certificate is valid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
128 | - `public_key_algorithm` (String) The key algorithm used to create the certificate.
129 | - `serialNumber` (String) Number that uniquely identifies the certificate with the CA's system.
130 |   The `format` function can be used to convert this _base 10_ number into other bases, such as hex.
131 | - `sha1_fingerprint` (String) The SHA1 fingerprint of the public key of the certificate.
132 | - `signature_algorithm` (String) The algorithm used to sign the certificate.
133 | - `subject` (String) The entity the certificate belongs to, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
134 | - `version` (Number) The version the certificate is in.
135 | - `certPem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
136 | 
137 | <!-- cache-key: cdktf-0.20.8 input-aa0448a429be224544a948790292f3b630d2ecf0739247bd90334feadefa8419 -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/data-sources/public_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | <!-- Please do not edit this file, it is generated. -->
 4 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 5 | page_title: "tls_public_key Data Source - terraform-provider-tls"
 6 | subcategory: ""
 7 | description: |-
 8 |   Get a public key from a PEM-encoded private key.
 9 |   Use this data source to get the public key from a PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 or OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formatted private key, for use in other resources.
10 | ---
11 | 
12 | # tls_public_key (Data Source)
13 | 
14 | Get a public key from a PEM-encoded private key.
15 | 
16 | Use this data source to get the public key from a [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) or [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formatted private key, for use in other resources.
17 | 
18 | ## Example Usage
19 | 
20 | ```typescript
21 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
22 | import { Construct } from "constructs";
23 | import { Fn, Token, TerraformStack } from "cdktf";
24 | /*
25 |  * Provider bindings are generated by running `cdktf get`.
26 |  * See https://cdk.tf/provider-generation for more details.
27 |  */
28 | import { DataTlsPublicKey } from "./.gen/providers/tls/data-tls-public-key";
29 | import { PrivateKey } from "./.gen/providers/tls/private-key";
30 | class MyConvertedCode extends TerraformStack {
31 |   constructor(scope: Construct, name: string) {
32 |     super(scope, name);
33 |     const ed25519Example = new PrivateKey(this, "ed25519-example", {
34 |       algorithm: "ED25519",
35 |     });
36 |     new DataTlsPublicKey(this, "private_key_openssh-example", {
37 |       privateKeyOpenssh: Token.asString(Fn.file("~/.ssh/id_rsa_rfc4716")),
38 |     });
39 |     new DataTlsPublicKey(this, "private_key_pem-example", {
40 |       privateKeyPem: ed25519Example.privateKeyPem,
41 |     });
42 |   }
43 | }
44 | 
45 | ```
46 | 
47 | <!-- schema generated by tfplugindocs -->
48 | ## Schema
49 | 
50 | ### Optional
51 | 
52 | - `privateKeyOpenssh` (String, Sensitive) The private key (in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format) to extract the public key from. This is _mutually exclusive_ with `privateKeyPem`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
53 | - `privateKeyPem` (String, Sensitive) The private key (in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format) to extract the public key from. This is _mutually exclusive_ with `privateKeyOpenssh`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
54 | 
55 | ### Read-Only
56 | 
57 | - `algorithm` (String) The name of the algorithm used by the given private key. Possible values are: `RSA`, `ECDSA`, `ED25519`.
58 | - `id` (String) Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
59 | - `publicKeyFingerprintMd5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, as per the rules for `publicKeyOpenssh` and [ECDSA P224 limitations](../../docs#limitations).
60 | - `publicKeyFingerprintSha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, as per the rules for `publicKeyOpenssh` and [ECDSA P224 limitations](../../docs#limitations).
61 | - `publicKeyOpenssh` (String) The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
62 | - `publicKeyPem` (String) The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
63 | 
64 | <!-- cache-key: cdktf-0.20.8 input-025d5bde39901a91ba6cb60272c97a78a0c01a6de59d77d7dea035490ff6ee0a -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/ephemeral-resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | <!-- Please do not edit this file, it is generated. -->
 4 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 5 | page_title: "tls_private_key Ephemeral Resource - terraform-provider-tls"
 6 | subcategory: ""
 7 | description: |-
 8 |   -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
 9 |   Creates a PEM (and OpenSSH) formatted private key.
10 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats.
11 |   The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
12 | ---
13 | 
14 | # tls_private_key (Ephemeral Resource)
15 | 
16 | -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key).
17 | 
18 | Creates a PEM (and OpenSSH) formatted private key.
19 | 
20 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. 
21 | 
22 | The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
23 | 
24 | ## Example Usage
25 | 
26 | ```typescript
27 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
28 | import { Construct } from "constructs";
29 | import { TerraformStack } from "cdktf";
30 | class MyConvertedCode extends TerraformStack {
31 |   constructor(scope: Construct, name: string) {
32 |     super(scope, name);
33 |   }
34 | }
35 | 
36 | ```
37 | 
38 | <!-- schema generated by tfplugindocs -->
39 | ## Schema
40 | 
41 | ### Required
42 | 
43 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
44 | 
45 | ### Optional
46 | 
47 | - `ecdsaCurve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
48 | - `rsaBits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
49 | 
50 | ### Read-Only
51 | 
52 | - `privateKeyOpenssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
53 | - `privateKeyPem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
54 | - `privateKeyPemPkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
55 | - `publicKeyFingerprintMd5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `publicKeyOpenssh` and the [ECDSA P224 limitations](../../docs#limitations).
56 | - `publicKeyFingerprintSha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `publicKeyOpenssh` and the [ECDSA P224 limitations](../../docs#limitations).
57 | - `publicKeyOpenssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
58 | - `publicKeyPem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
59 | 
60 | <!-- cache-key: cdktf-0.20.8 input-858687a65cc896d43aaec3ef675d1b25abdf572fd68d3440f2ec1829134aebe2 -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/index.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | page_title: "Provider: TLS"
  3 | description: |-
  4 |   The TLS provider provides utilities for working with Transport Layer Security keys and certificates.
  5 | ---
  6 | 
  7 | 
  8 | <!-- Please do not edit this file, it is generated. -->
  9 | # TLS Provider
 10 | 
 11 | The TLS provider provides utilities for working with *Transport Layer Security*
 12 | keys and certificates. It provides resources that
 13 | allow private keys, certificates and certificate requests to be
 14 | created as part of a Terraform deployment.
 15 | 
 16 | Another name for Transport Layer Security is *Secure Sockets Layer*,
 17 | or SSL. TLS and SSL are equivalent when considering the resources
 18 | managed by this provider.
 19 | 
 20 | This provider is not particularly useful on its own, but it can be
 21 | used to create certificates and credentials that can then be used
 22 | with other providers when creating resources that expose TLS
 23 | services or that themselves provision TLS certificates.
 24 | 
 25 | Use the navigation to the left to read about the available resources.
 26 | 
 27 | ## Example Usage
 28 | 
 29 | ```typescript
 30 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 31 | import { Construct } from "constructs";
 32 | import { Token, TerraformStack } from "cdktf";
 33 | /*
 34 |  * Provider bindings are generated by running `cdktf get`.
 35 |  * See https://cdk.tf/provider-generation for more details.
 36 |  */
 37 | import { IamServerCertificate } from "./.gen/providers/aws/iam-server-certificate";
 38 | import { PrivateKey } from "./.gen/providers/tls/private-key";
 39 | import { SelfSignedCert } from "./.gen/providers/tls/self-signed-cert";
 40 | class MyConvertedCode extends TerraformStack {
 41 |   constructor(scope: Construct, name: string) {
 42 |     super(scope, name);
 43 |     const example = new PrivateKey(this, "example", {
 44 |       algorithm: "ECDSA",
 45 |     });
 46 |     const tlsSelfSignedCertExample = new SelfSignedCert(this, "example_1", {
 47 |       allowedUses: ["key_encipherment", "digital_signature", "server_auth"],
 48 |       dnsNames: ["example.com", "example.net"],
 49 |       earlyRenewalHours: 3,
 50 |       keyAlgorithm: example.algorithm,
 51 |       privateKeyPem: example.privateKeyPem,
 52 |       subject: [
 53 |         {
 54 |           commonName: "example.com",
 55 |           organization: "ACME Examples, Inc",
 56 |         },
 57 |       ],
 58 |       validityPeriodHours: 12,
 59 |     });
 60 |     /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
 61 |     tlsSelfSignedCertExample.overrideLogicalId("example");
 62 |     const awsIamServerCertificateExample = new IamServerCertificate(
 63 |       this,
 64 |       "example_2",
 65 |       {
 66 |         certificateBody: Token.asString(tlsSelfSignedCertExample.certPem),
 67 |         name: "example_self_signed_cert",
 68 |         privateKey: example.privateKeyPem,
 69 |       }
 70 |     );
 71 |     /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
 72 |     awsIamServerCertificateExample.overrideLogicalId("example");
 73 |   }
 74 | }
 75 | 
 76 | ```
 77 | 
 78 | ### Configuring Proxy
 79 | 
 80 | ```typescript
 81 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
 82 | import { Construct } from "constructs";
 83 | import { TerraformStack } from "cdktf";
 84 | /*
 85 |  * Provider bindings are generated by running `cdktf get`.
 86 |  * See https://cdk.tf/provider-generation for more details.
 87 |  */
 88 | import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
 89 | import { TlsProvider } from "./.gen/providers/tls/provider";
 90 | class MyConvertedCode extends TerraformStack {
 91 |   constructor(scope: Construct, name: string) {
 92 |     super(scope, name);
 93 |     new TlsProvider(this, "tls", {
 94 |       proxy: [
 95 |         {
 96 |           url: "https://corporate.proxy.service",
 97 |         },
 98 |       ],
 99 |     });
100 |     new DataTlsCertificate(this, "test", {
101 |       url: "https://example.com",
102 |     });
103 |   }
104 | }
105 | 
106 | ```
107 | 
108 | ```typescript
109 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
110 | import { Construct } from "constructs";
111 | import { TerraformStack } from "cdktf";
112 | /*
113 |  * Provider bindings are generated by running `cdktf get`.
114 |  * See https://cdk.tf/provider-generation for more details.
115 |  */
116 | import { DataTlsCertificate } from "./.gen/providers/tls/data-tls-certificate";
117 | import { TlsProvider } from "./.gen/providers/tls/provider";
118 | class MyConvertedCode extends TerraformStack {
119 |   constructor(scope: Construct, name: string) {
120 |     super(scope, name);
121 |     new TlsProvider(this, "tls", {
122 |       proxy: [
123 |         {
124 |           fromEnv: true,
125 |         },
126 |       ],
127 |     });
128 |     new DataTlsCertificate(this, "test", {
129 |       url: "https://example.com",
130 |     });
131 |   }
132 | }
133 | 
134 | ```
135 | 
136 | <!-- schema generated by tfplugindocs -->
137 | ## Schema
138 | 
139 | ### Optional
140 | 
141 | - `proxy` (Block List) Proxy used by resources and data sources that connect to external endpoints. (see [below for nested schema](#nestedblock--proxy))
142 | 
143 | <a id="nestedblock--proxy"></a>
144 | ### Nested Schema for `proxy`
145 | 
146 | Optional:
147 | 
148 | - `fromEnv` (Boolean) When `true` the provider will discover the proxy configuration from environment variables. This is based upon [`http.ProxyFromEnvironment`](https://pkg.go.dev/net/http#ProxyFromEnvironment) and it supports the same environment variables (default: `true`).
149 | - `password` (String, Sensitive) Password used for Basic authentication against the Proxy.
150 | - `url` (String) URL used to connect to the Proxy. Accepted schemes are: `http`, `https`, `socks5`.
151 | - `username` (String) Username (or Token) used for Basic authentication against the Proxy.
152 | 
153 | ## Limitations
154 | 
155 | ### `ECDSA` with `P224` elliptic curve
156 | 
157 | When using `ECDSA` with `P224`, all the (computed) attributes
158 | that have to do with [OpenSSH](https://www.openssh.com/) will have a value of `""` (empty string).
159 | This applies to different resources and data sources offered by this provider,
160 | like the `tls_private_key` resource or the `tls_public_key` data source.
161 | 
162 | The attributes affected are:
163 | 
164 | * `.public_key_openssh`
165 | * `.private_key_openssh`
166 | * `.public_key_fingerprint_md5`
167 | * `.public_key_fingerprint_sha256`
168 | 
169 | This is because the SSH ECC Algorithm Integration ([RFC 5656](https://datatracker.ietf.org/doc/html/rfc5656))
170 | restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
171 | 
172 | ### Secrets and Terraform state
173 | 
174 | Some resources that can be created with this provider, like `tls_private_key`, are
175 | considered "secrets", and as such are marked by this provider as _sensitive_, so to
176 | help practitioner to not accidentally leak their value in logs or other form of output.
177 | 
178 | It's important to remember that the values that constitute the "state" of those
179 | resources will be stored in the [Terraform state](https://www.terraform.io/language/state) file.
180 | This includes the "secrets", that will be part of the state file *unencrypted*.
181 | 
182 | Because of these limitations, **use of these resources for production deployments is _not_ recommended**.
183 | Failing that, **protecting the content of the state file is strongly recommended**.
184 | 
185 | The more general advice is that it's better to generate "secrets" outside of Terraform,
186 | and then distribute them securely to the system where Terraform will make use of them.
187 | 
188 | <!-- cache-key: cdktf-0.20.8 input-9629aac943b54f5dd10ea0b4a5ac545ba133cdf7ce49405f60bebc3525e333fa -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/resources/cert_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_cert_request Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a Certificate Signing Request (CSR) in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format.
 6 |   PEM is the typical format used to request a certificate from a Certificate Authority (CA).
 7 |   This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
 8 | ---
 9 | 
10 | 
11 | <!-- Please do not edit this file, it is generated. -->
12 | # tls_cert_request (Resource)
13 | 
14 | Creates a Certificate Signing Request (CSR) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
15 | 
16 | PEM is the typical format used to request a certificate from a Certificate Authority (CA).
17 | 
18 | This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
19 | 
20 | This is a *logical resource*, so it contributes only to the current Terraform
21 | state and does not create any external managed resources.
22 | 
23 | 
24 | ## Example Usage
25 | 
26 | ```typescript
27 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
28 | import { Construct } from "constructs";
29 | import { Fn, Token, TerraformStack } from "cdktf";
30 | /*
31 |  * Provider bindings are generated by running `cdktf get`.
32 |  * See https://cdk.tf/provider-generation for more details.
33 |  */
34 | import { CertRequest } from "./.gen/providers/tls/cert-request";
35 | class MyConvertedCode extends TerraformStack {
36 |   constructor(scope: Construct, name: string) {
37 |     super(scope, name);
38 |     new CertRequest(this, "example", {
39 |       privateKeyPem: Token.asString(Fn.file("private_key.pem")),
40 |       subject: [
41 |         {
42 |           commonName: "example.com",
43 |           organization: "ACME Examples, Inc",
44 |         },
45 |       ],
46 |     });
47 |   }
48 | }
49 | 
50 | ```
51 | 
52 | <!-- schema generated by tfplugindocs -->
53 | ## Schema
54 | 
55 | ### Required
56 | 
57 | - `privateKeyPem` (String, Sensitive) Private key in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format, that the certificate will belong to. This can be read from a separate file using the [`file`](https://www.terraform.io/language/functions/file) interpolation function.
58 | 
59 | ### Optional
60 | 
61 | - `dnsNames` (List of String) List of DNS names for which a certificate is being requested (i.e. certificate subjects).
62 | - `ipAddresses` (List of String) List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
63 | - `subject` (Block List) The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon [Issuer Distinguished Names (RFC5280)](https://tools.ietf.org/html/rfc5280#section-4.1.2.4) section. (see [below for nested schema](#nestedblock--subject))
64 | - `uris` (List of String) List of URIs for which a certificate is being requested (i.e. certificate subjects).
65 | 
66 | ### Read-Only
67 | 
68 | - `certRequestPem` (String) The certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
69 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
70 | - `keyAlgorithm` (String) Name of the algorithm used when generating the private key provided in `privateKeyPem`.
71 | 
72 | <a id="nestedblock--subject"></a>
73 | ### Nested Schema for `subject`
74 | 
75 | Optional:
76 | 
77 | - `commonName` (String) Distinguished name: `CN`
78 | - `country` (String) Distinguished name: `C`
79 | - `emailAddress` (String) ASN.1 Object Identifier (OID): `1.2.840.113549.1.9.1`
80 | - `locality` (String) Distinguished name: `L`
81 | - `organization` (String) Distinguished name: `O`
82 | - `organizationalUnit` (String) Distinguished name: `OU`
83 | - `postalCode` (String) Distinguished name: `PC`
84 | - `province` (String) Distinguished name: `ST`
85 | - `serialNumber` (String) Distinguished name: `SERIALNUMBER`
86 | - `streetAddress` (List of String) Distinguished name: `STREET`
87 | 
88 | <!-- cache-key: cdktf-0.20.8 input-5fc3454a287e0ef0992677dd4a77aa057e244661e06a2fdf1bd98cf262a46a61 -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/resources/locally_signed_cert.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_locally_signed_cert Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a TLS certificate in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
 6 | ---
 7 | 
 8 | 
 9 | <!-- Please do not edit this file, it is generated. -->
10 | # tls_locally_signed_cert (Resource)
11 | 
12 | Creates a TLS certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
13 | 
14 | -> **Note** Locally-signed certificates are generally only trusted by client software when
15 | setup to use the provided CA. They are normally used in development environments
16 | or when deployed internally to an organization.
17 | 
18 | ## Example Usage
19 | 
20 | ```typescript
21 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
22 | import { Construct } from "constructs";
23 | import { Fn, Token, TerraformStack } from "cdktf";
24 | /*
25 |  * Provider bindings are generated by running `cdktf get`.
26 |  * See https://cdk.tf/provider-generation for more details.
27 |  */
28 | import { LocallySignedCert } from "./.gen/providers/tls/locally-signed-cert";
29 | class MyConvertedCode extends TerraformStack {
30 |   constructor(scope: Construct, name: string) {
31 |     super(scope, name);
32 |     new LocallySignedCert(this, "example", {
33 |       allowedUses: ["key_encipherment", "digital_signature", "server_auth"],
34 |       caCertPem: Token.asString(Fn.file("ca_cert.pem")),
35 |       caPrivateKeyPem: Token.asString(Fn.file("ca_private_key.pem")),
36 |       certRequestPem: Token.asString(Fn.file("cert_request.pem")),
37 |       validityPeriodHours: 12,
38 |     });
39 |   }
40 | }
41 | 
42 | ```
43 | 
44 | <!-- schema generated by tfplugindocs -->
45 | ## Schema
46 | 
47 | ### Required
48 | 
49 | - `allowedUses` (List of String) List of key usages allowed for the issued certificate. Values are defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) and combine flags defined by both [Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) and [Extended Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12). Accepted values: `any_extended`, `cert_signing`, `client_auth`, `code_signing`, `content_commitment`, `crl_signing`, `data_encipherment`, `decipher_only`, `digital_signature`, `email_protection`, `encipher_only`, `ipsec_end_system`, `ipsec_tunnel`, `ipsec_user`, `key_agreement`, `key_encipherment`, `microsoft_commercial_code_signing`, `microsoft_kernel_code_signing`, `microsoft_server_gated_crypto`, `netscape_server_gated_crypto`, `ocsp_signing`, `server_auth`, `timestamping`.
50 | - `caCertPem` (String) Certificate data of the Certificate Authority (CA) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
51 | - `caPrivateKeyPem` (String, Sensitive) Private key of the Certificate Authority (CA) used to sign the certificate, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
52 | - `certRequestPem` (String) Certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
53 | - `validityPeriodHours` (Number) Number of hours, after initial issuing, that the certificate will remain valid for.
54 | 
55 | ### Optional
56 | 
57 | - `earlyRenewalHours` (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: `0`)
58 | - `isCaCertificate` (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: `false`).
59 | - `setSubjectKeyId` (Boolean) Should the generated certificate include a [subject key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2) (default: `false`).
60 | 
61 | ### Read-Only
62 | 
63 | - `caKeyAlgorithm` (String) Name of the algorithm used when generating the private key provided in `caPrivateKeyPem`.
64 | - `certPem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
65 | - `id` (String) Unique identifier for this resource: the certificate serial number.
66 | - `readyForRenewal` (Boolean) Is the certificate either expired (i.e. beyond the `validityPeriodHours`) or ready for an early renewal (i.e. within the `earlyRenewalHours`)?
67 | - `validityEndTime` (String) The time until which the certificate is invalid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
68 | - `validityStartTime` (String) The time after which the certificate is valid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
69 | 
70 | ## Automatic Renewal
71 | 
72 | This resource considers its instances to have been deleted after either their validity
73 | periods ends (i.e. beyond the `validityPeriodHours`)
74 | or the early renewal period is reached (i.e. within the `earlyRenewalHours`):
75 | when this happens, the `readyForRenewal` attribute will be `true`.
76 | At this time, applying the Terraform configuration will cause a new certificate to be
77 | generated for the instance.
78 | 
79 | Therefore in a development environment with frequent deployments it may be convenient
80 | to set a relatively-short expiration time and use early renewal to automatically provision
81 | a new certificate when the current one is about to expire.
82 | 
83 | The creation of a new certificate may of course cause dependent resources to be updated
84 | or replaced, depending on the lifecycle rules applying to those resources.
85 | 
86 | <!-- cache-key: cdktf-0.20.8 input-68f5a3ac6e15730702eda898fd0b26d83e0623e2680b4782c44d4d8fba2cfe8f -->


--------------------------------------------------------------------------------
/docs/cdktf/typescript/resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_private_key Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key should be used, when possible, to avoid storing the private key data in the plan or state file.
 6 |   Creates a PEM (and OpenSSH) formatted private key.
 7 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
 8 | ---
 9 | 
10 | 
11 | <!-- Please do not edit this file, it is generated. -->
12 | # tls_private_key (Resource)
13 | 
14 | -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key) should be used, when possible, to avoid storing the private key data in the plan or state file.
15 | 
16 | Creates a PEM (and OpenSSH) formatted private key.
17 | 
18 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
19 | 
20 | ~> **Security Notice** The private key generated by this resource will
21 | be stored *unencrypted* in your Terraform state file. **Use of this resource
22 | for production deployments is *not* recommended**. Instead, generate
23 | a private key file outside of Terraform and distribute it securely
24 | to the system where Terraform will be run.
25 | 
26 | This is a *logical resource*, so it contributes only to the current Terraform
27 | state and does not create any external managed resources.
28 | 
29 | 
30 | ## Example Usage
31 | 
32 | ```typescript
33 | // DO NOT EDIT. Code generated by 'cdktf convert' - Please report bugs at https://cdk.tf/bug
34 | import { Construct } from "constructs";
35 | import { TerraformStack } from "cdktf";
36 | /*
37 |  * Provider bindings are generated by running `cdktf get`.
38 |  * See https://cdk.tf/provider-generation for more details.
39 |  */
40 | import { PrivateKey } from "./.gen/providers/tls/private-key";
41 | class MyConvertedCode extends TerraformStack {
42 |   constructor(scope: Construct, name: string) {
43 |     super(scope, name);
44 |     new PrivateKey(this, "ecdsa-p384-example", {
45 |       algorithm: "ECDSA",
46 |       ecdsaCurve: "P384",
47 |     });
48 |     new PrivateKey(this, "ed25519-example", {
49 |       algorithm: "ED25519",
50 |     });
51 |     new PrivateKey(this, "rsa-4096-example", {
52 |       algorithm: "RSA",
53 |       rsaBits: 4096,
54 |     });
55 |   }
56 | }
57 | 
58 | ```
59 | 
60 | <!-- schema generated by tfplugindocs -->
61 | ## Schema
62 | 
63 | ### Required
64 | 
65 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
66 | 
67 | ### Optional
68 | 
69 | - `ecdsaCurve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
70 | - `rsaBits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
71 | 
72 | ### Read-Only
73 | 
74 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
75 | - `privateKeyOpenssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
76 | - `privateKeyPem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
77 | - `privateKeyPemPkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
78 | - `publicKeyFingerprintMd5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `publicKeyOpenssh` and the [ECDSA P224 limitations](../../docs#limitations).
79 | - `publicKeyFingerprintSha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `publicKeyOpenssh` and the [ECDSA P224 limitations](../../docs#limitations).
80 | - `publicKeyOpenssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
81 | - `publicKeyPem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
82 | 
83 | ## Generating a New Key
84 | 
85 | Since a private key is a logical resource that lives only in the Terraform state,
86 | it will persist until it is explicitly destroyed by the user.
87 | 
88 | In order to force the generation of a new key within an existing state, the
89 | private key instance can be "tainted":
90 | 
91 | ```
92 | terraform taint tls_private_key.example
93 | ```
94 | 
95 | A new key will then be generated on the next ``terraform apply``.
96 | 
97 | <!-- cache-key: cdktf-0.20.8 input-fa6a54a5b4a6d273bd8578f6498da92e11a57bc5a256bc7bf76da5af3c84ca2d -->


--------------------------------------------------------------------------------
/docs/data-sources/certificate.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_certificate Data Source - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Get information about the TLS certificates securing a host.
 6 |   Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
 7 | ---
 8 | 
 9 | # tls_certificate (Data Source)
10 | 
11 | Get information about the TLS certificates securing a host.
12 | 
13 | Use this data source to get information, such as SHA1 fingerprint or serial number, about the TLS certificates that protects a URL.
14 | 
15 | ## Example Usage
16 | 
17 | ### URL Usage
18 | ```terraform
19 | resource "aws_eks_cluster" "example" {
20 |   name = "example"
21 | }
22 | 
23 | data "tls_certificate" "example" {
24 |   url = aws_eks_cluster.example.identity[0].oidc[0].issuer
25 | }
26 | 
27 | resource "aws_iam_openid_connect_provider" "example" {
28 |   client_id_list  = ["sts.amazonaws.com"]
29 |   thumbprint_list = [data.tls_certificate.example.certificates[0].sha1_fingerprint]
30 |   url             = aws_eks_cluster.example.identity[0].oidc[0].issuer
31 | }
32 | ```
33 | 
34 | ### Content Usage
35 | ```terraform
36 | data "tls_certificate" "example_content" {
37 |   content = file("example.pem")
38 | }
39 | ```
40 | 
41 | <!-- 
42 |     Schema ORIGINALLY generated by tfplugindocs,
43 |     then manually tweaked to circumvent current limitations.
44 | 
45 |     This should be revisited, once https://github.com/hashicorp/terraform-plugin-docs/issues/66 is resolved.
46 | -->
47 | ## Schema
48 | 
49 | ### Optional
50 | 
51 | - `url` (String) The URL of the website to get the certificates from. Cannot be used with `content`.
52 | - `content` (String) The content of the certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. Cannot be used with `url`.
53 | - `verify_chain` (Boolean) Whether to verify the certificate chain while parsing it or not (default: `true`). Cannot be used with `content`.
54 | 
55 | ### Read-Only
56 | 
57 | - `id` (String) Unique identifier of this data source: hashing of the certificates in the chain.
58 | - `certificates` (List of Object) The certificates protecting the site, with the root of the chain first. (see [below for nested schema](#nestedatt--certificates))
59 | 
60 | <a id="nestedatt--certificates"></a>
61 | ### Nested Schema for `certificates`
62 | 
63 | Read-Only:
64 | 
65 | - `is_ca` (Boolean) `true` if the certificate is of a CA (Certificate Authority).
66 | - `issuer` (String) Who verified and signed the certificate, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
67 | - `not_after` (String) The time until which the certificate is invalid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
68 | - `not_before` (String) The time after which the certificate is valid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
69 | - `public_key_algorithm` (String) The key algorithm used to create the certificate.
70 | - `serial_number` (String) Number that uniquely identifies the certificate with the CA's system.
71 |   The `format` function can be used to convert this _base 10_ number into other bases, such as hex.
72 | - `sha1_fingerprint` (String) The SHA1 fingerprint of the public key of the certificate.
73 | - `signature_algorithm` (String) The algorithm used to sign the certificate.
74 | - `subject` (String) The entity the certificate belongs to, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
75 | - `version` (Number) The version the certificate is in.
76 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
77 | 


--------------------------------------------------------------------------------
/docs/data-sources/public_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 3 | page_title: "tls_public_key Data Source - terraform-provider-tls"
 4 | subcategory: ""
 5 | description: |-
 6 |   Get a public key from a PEM-encoded private key.
 7 |   Use this data source to get the public key from a PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 or OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formatted private key, for use in other resources.
 8 | ---
 9 | 
10 | # tls_public_key (Data Source)
11 | 
12 | Get a public key from a PEM-encoded private key.
13 | 
14 | Use this data source to get the public key from a [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) or [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formatted private key, for use in other resources.
15 | 
16 | ## Example Usage
17 | 
18 | ```terraform
19 | resource "tls_private_key" "ed25519-example" {
20 |   algorithm = "ED25519"
21 | }
22 | 
23 | # Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
24 | data "tls_public_key" "private_key_pem-example" {
25 |   private_key_pem = tls_private_key.ed25519-example.private_key_pem
26 | }
27 | 
28 | # Public key loaded from filesystem, using the Open SSH (RFC 4716) format
29 | data "tls_public_key" "private_key_openssh-example" {
30 |   private_key_openssh = file("~/.ssh/id_rsa_rfc4716")
31 | }
32 | ```
33 | 
34 | <!-- schema generated by tfplugindocs -->
35 | ## Schema
36 | 
37 | ### Optional
38 | 
39 | - `private_key_openssh` (String, Sensitive) The private key (in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format) to extract the public key from. This is _mutually exclusive_ with `private_key_pem`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
40 | - `private_key_pem` (String, Sensitive) The private key (in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format) to extract the public key from. This is _mutually exclusive_ with `private_key_openssh`. Currently-supported algorithms for keys are: `RSA`, `ECDSA`, `ED25519`.
41 | 
42 | ### Read-Only
43 | 
44 | - `algorithm` (String) The name of the algorithm used by the given private key. Possible values are: `RSA`, `ECDSA`, `ED25519`.
45 | - `id` (String) Unique identifier for this data source: hexadecimal representation of the SHA1 checksum of the data source.
46 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
47 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
48 | - `public_key_openssh` (String) The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
49 | - `public_key_pem` (String) The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
50 | 


--------------------------------------------------------------------------------
/docs/ephemeral-resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | # generated by https://github.com/hashicorp/terraform-plugin-docs
 3 | page_title: "tls_private_key Ephemeral Resource - terraform-provider-tls"
 4 | subcategory: ""
 5 | description: |-
 6 |   -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
 7 |   Creates a PEM (and OpenSSH) formatted private key.
 8 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats.
 9 |   The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
10 | ---
11 | 
12 | # tls_private_key (Ephemeral Resource)
13 | 
14 | -> If the managed resource doesn't have a write-only argument available for the private key (first introduced in Terraform 1.11), then the private key can only be created with the managed resource variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key).
15 | 
16 | Creates a PEM (and OpenSSH) formatted private key.
17 | 
18 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. 
19 | 
20 | The primary use-case for generating an ephemeral private key is to be used in combination with a write-only argument in a managed resource, which will avoid Terraform storing the private key data in the plan or state file.
21 | 
22 | ## Example Usage
23 | 
24 | ```terraform
25 | # ECDSA key with P384 elliptic curve
26 | ephemeral "tls_private_key" "ecdsa-p384-example" {
27 |   algorithm   = "ECDSA"
28 |   ecdsa_curve = "P384"
29 | }
30 | 
31 | # RSA key of size 4096 bits
32 | ephemeral "tls_private_key" "rsa-4096-example" {
33 |   algorithm = "RSA"
34 |   rsa_bits  = 4096
35 | }
36 | 
37 | # ED25519 key
38 | ephemeral "tls_private_key" "ed25519-example" {
39 |   algorithm = "ED25519"
40 | }
41 | ```
42 | 
43 | <!-- schema generated by tfplugindocs -->
44 | ## Schema
45 | 
46 | ### Required
47 | 
48 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
49 | 
50 | ### Optional
51 | 
52 | - `ecdsa_curve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
53 | - `rsa_bits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
54 | 
55 | ### Read-Only
56 | 
57 | - `private_key_openssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
58 | - `private_key_pem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
59 | - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
60 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
61 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
62 | - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
63 | - `public_key_pem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
64 | 


--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | page_title: "Provider: TLS"
  3 | description: |-
  4 |   The TLS provider provides utilities for working with Transport Layer Security keys and certificates.
  5 | ---
  6 | 
  7 | # TLS Provider
  8 | 
  9 | The TLS provider provides utilities for working with *Transport Layer Security*
 10 | keys and certificates. It provides resources that
 11 | allow private keys, certificates and certificate requests to be
 12 | created as part of a Terraform deployment.
 13 | 
 14 | Another name for Transport Layer Security is *Secure Sockets Layer*,
 15 | or SSL. TLS and SSL are equivalent when considering the resources
 16 | managed by this provider.
 17 | 
 18 | This provider is not particularly useful on its own, but it can be
 19 | used to create certificates and credentials that can then be used
 20 | with other providers when creating resources that expose TLS
 21 | services or that themselves provision TLS certificates.
 22 | 
 23 | Use the navigation to the left to read about the available resources.
 24 | 
 25 | ## Example Usage
 26 | 
 27 | ```terraform
 28 | # This example creates a self-signed certificate,
 29 | # and uses it to create an AWS IAM Server certificate.
 30 | #
 31 | # THIS IS NOT RECOMMENDED FOR PRODUCTION SERVICES.
 32 | # See the detailed documentation of each resource for further
 33 | # security considerations and other practical tradeoffs.
 34 | 
 35 | resource "tls_private_key" "example" {
 36 |   algorithm = "ECDSA"
 37 | }
 38 | 
 39 | resource "tls_self_signed_cert" "example" {
 40 |   key_algorithm   = tls_private_key.example.algorithm
 41 |   private_key_pem = tls_private_key.example.private_key_pem
 42 | 
 43 |   # Certificate expires after 12 hours.
 44 |   validity_period_hours = 12
 45 | 
 46 |   # Generate a new certificate if Terraform is run within three
 47 |   # hours of the certificate's expiration time.
 48 |   early_renewal_hours = 3
 49 | 
 50 |   # Reasonable set of uses for a server SSL certificate.
 51 |   allowed_uses = [
 52 |     "key_encipherment",
 53 |     "digital_signature",
 54 |     "server_auth",
 55 |   ]
 56 | 
 57 |   dns_names = ["example.com", "example.net"]
 58 | 
 59 |   subject {
 60 |     common_name  = "example.com"
 61 |     organization = "ACME Examples, Inc"
 62 |   }
 63 | }
 64 | 
 65 | # For example, this can be used to populate an AWS IAM server certificate.
 66 | resource "aws_iam_server_certificate" "example" {
 67 |   name             = "example_self_signed_cert"
 68 |   certificate_body = tls_self_signed_cert.example.cert_pem
 69 |   private_key      = tls_private_key.example.private_key_pem
 70 | }
 71 | ```
 72 | 
 73 | ### Configuring Proxy
 74 | 
 75 | ```terraform
 76 | # This example fetches the TLS certificate chain
 77 | # from `example.com` using an HTTP Proxy.
 78 | 
 79 | provider "tls" {
 80 |   proxy {
 81 |     url = "https://corporate.proxy.service"
 82 |   }
 83 | }
 84 | 
 85 | data "tls_certificate" "test" {
 86 |   url = "https://example.com"
 87 | }
 88 | ```
 89 | 
 90 | ```terraform
 91 | # This example fetches the TLS certificate chain
 92 | # from `example.com` using an HTTP Proxy.
 93 | # The Proxy is discovered via environment variables:
 94 | # see https://pkg.go.dev/net/http#ProxyFromEnvironment for details.
 95 | 
 96 | provider "tls" {
 97 |   proxy {
 98 |     from_env = true
 99 |   }
100 | }
101 | 
102 | data "tls_certificate" "test" {
103 |   url = "https://example.com"
104 | }
105 | ```
106 | 
107 | <!-- schema generated by tfplugindocs -->
108 | ## Schema
109 | 
110 | ### Optional
111 | 
112 | - `proxy` (Block List) Proxy used by resources and data sources that connect to external endpoints. (see [below for nested schema](#nestedblock--proxy))
113 | 
114 | <a id="nestedblock--proxy"></a>
115 | ### Nested Schema for `proxy`
116 | 
117 | Optional:
118 | 
119 | - `from_env` (Boolean) When `true` the provider will discover the proxy configuration from environment variables. This is based upon [`http.ProxyFromEnvironment`](https://pkg.go.dev/net/http#ProxyFromEnvironment) and it supports the same environment variables (default: `true`).
120 | - `password` (String, Sensitive) Password used for Basic authentication against the Proxy.
121 | - `url` (String) URL used to connect to the Proxy. Accepted schemes are: `http`, `https`, `socks5`.
122 | - `username` (String) Username (or Token) used for Basic authentication against the Proxy.
123 | 
124 | ## Limitations
125 | 
126 | ### `ECDSA` with `P224` elliptic curve
127 | 
128 | When using `ECDSA` with `P224`, all the (computed) attributes
129 | that have to do with [OpenSSH](https://www.openssh.com/) will have a value of `""` (empty string).
130 | This applies to different resources and data sources offered by this provider,
131 | like the `tls_private_key` resource or the `tls_public_key` data source.
132 | 
133 | The attributes affected are:
134 | 
135 | * `.public_key_openssh`
136 | * `.private_key_openssh`
137 | * `.public_key_fingerprint_md5`
138 | * `.public_key_fingerprint_sha256`
139 | 
140 | This is because the SSH ECC Algorithm Integration ([RFC 5656](https://datatracker.ietf.org/doc/html/rfc5656))
141 | restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
142 | 
143 | ### Secrets and Terraform state
144 | 
145 | Some resources that can be created with this provider, like `tls_private_key`, are
146 | considered "secrets", and as such are marked by this provider as _sensitive_, so to
147 | help practitioner to not accidentally leak their value in logs or other form of output.
148 | 
149 | It's important to remember that the values that constitute the "state" of those
150 | resources will be stored in the [Terraform state](https://www.terraform.io/language/state) file.
151 | This includes the "secrets", that will be part of the state file *unencrypted*.
152 | 
153 | Because of these limitations, **use of these resources for production deployments is _not_ recommended**.
154 | Failing that, **protecting the content of the state file is strongly recommended**.
155 | 
156 | The more general advice is that it's better to generate "secrets" outside of Terraform,
157 | and then distribute them securely to the system where Terraform will make use of them.
158 | 


--------------------------------------------------------------------------------
/docs/resources/cert_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_cert_request Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a Certificate Signing Request (CSR) in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format.
 6 |   PEM is the typical format used to request a certificate from a Certificate Authority (CA).
 7 |   This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
 8 | ---
 9 | 
10 | # tls_cert_request (Resource)
11 | 
12 | Creates a Certificate Signing Request (CSR) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
13 | 
14 | PEM is the typical format used to request a certificate from a Certificate Authority (CA).
15 | 
16 | This resource is intended to be used in conjunction with a Terraform provider for a particular certificate authority in order to provision a new certificate.
17 | 
18 | This is a *logical resource*, so it contributes only to the current Terraform
19 | state and does not create any external managed resources.
20 | 
21 | 
22 | ## Example Usage
23 | 
24 | ```terraform
25 | resource "tls_cert_request" "example" {
26 |   private_key_pem = file("private_key.pem")
27 | 
28 |   subject {
29 |     common_name  = "example.com"
30 |     organization = "ACME Examples, Inc"
31 |   }
32 | }
33 | ```
34 | 
35 | <!-- schema generated by tfplugindocs -->
36 | ## Schema
37 | 
38 | ### Required
39 | 
40 | - `private_key_pem` (String, Sensitive) Private key in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format, that the certificate will belong to. This can be read from a separate file using the [`file`](https://www.terraform.io/language/functions/file) interpolation function.
41 | 
42 | ### Optional
43 | 
44 | - `dns_names` (List of String) List of DNS names for which a certificate is being requested (i.e. certificate subjects).
45 | - `ip_addresses` (List of String) List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
46 | - `subject` (Block List) The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon [Issuer Distinguished Names (RFC5280)](https://tools.ietf.org/html/rfc5280#section-4.1.2.4) section. (see [below for nested schema](#nestedblock--subject))
47 | - `uris` (List of String) List of URIs for which a certificate is being requested (i.e. certificate subjects).
48 | 
49 | ### Read-Only
50 | 
51 | - `cert_request_pem` (String) The certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
52 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
53 | - `key_algorithm` (String) Name of the algorithm used when generating the private key provided in `private_key_pem`.
54 | 
55 | <a id="nestedblock--subject"></a>
56 | ### Nested Schema for `subject`
57 | 
58 | Optional:
59 | 
60 | - `common_name` (String) Distinguished name: `CN`
61 | - `country` (String) Distinguished name: `C`
62 | - `email_address` (String) ASN.1 Object Identifier (OID): `1.2.840.113549.1.9.1`
63 | - `locality` (String) Distinguished name: `L`
64 | - `organization` (String) Distinguished name: `O`
65 | - `organizational_unit` (String) Distinguished name: `OU`
66 | - `postal_code` (String) Distinguished name: `PC`
67 | - `province` (String) Distinguished name: `ST`
68 | - `serial_number` (String) Distinguished name: `SERIALNUMBER`
69 | - `street_address` (List of String) Distinguished name: `STREET`
70 | 


--------------------------------------------------------------------------------
/docs/resources/locally_signed_cert.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_locally_signed_cert Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a TLS certificate in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
 6 | ---
 7 | 
 8 | # tls_locally_signed_cert (Resource)
 9 | 
10 | Creates a TLS certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format using a Certificate Signing Request (CSR) and signs it with a provided (local) Certificate Authority (CA).
11 | 
12 | -> **Note** Locally-signed certificates are generally only trusted by client software when
13 | setup to use the provided CA. They are normally used in development environments
14 | or when deployed internally to an organization.
15 | 
16 | ## Example Usage
17 | 
18 | ```terraform
19 | resource "tls_locally_signed_cert" "example" {
20 |   cert_request_pem   = file("cert_request.pem")
21 |   ca_private_key_pem = file("ca_private_key.pem")
22 |   ca_cert_pem        = file("ca_cert.pem")
23 | 
24 |   validity_period_hours = 12
25 | 
26 |   allowed_uses = [
27 |     "key_encipherment",
28 |     "digital_signature",
29 |     "server_auth",
30 |   ]
31 | }
32 | ```
33 | 
34 | <!-- schema generated by tfplugindocs -->
35 | ## Schema
36 | 
37 | ### Required
38 | 
39 | - `allowed_uses` (List of String) List of key usages allowed for the issued certificate. Values are defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) and combine flags defined by both [Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) and [Extended Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12). Accepted values: `any_extended`, `cert_signing`, `client_auth`, `code_signing`, `content_commitment`, `crl_signing`, `data_encipherment`, `decipher_only`, `digital_signature`, `email_protection`, `encipher_only`, `ipsec_end_system`, `ipsec_tunnel`, `ipsec_user`, `key_agreement`, `key_encipherment`, `microsoft_commercial_code_signing`, `microsoft_kernel_code_signing`, `microsoft_server_gated_crypto`, `netscape_server_gated_crypto`, `ocsp_signing`, `server_auth`, `timestamping`.
40 | - `ca_cert_pem` (String) Certificate data of the Certificate Authority (CA) in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
41 | - `ca_private_key_pem` (String, Sensitive) Private key of the Certificate Authority (CA) used to sign the certificate, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
42 | - `cert_request_pem` (String) Certificate request data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
43 | - `validity_period_hours` (Number) Number of hours, after initial issuing, that the certificate will remain valid for.
44 | 
45 | ### Optional
46 | 
47 | - `early_renewal_hours` (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: `0`)
48 | - `is_ca_certificate` (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: `false`).
49 | - `set_subject_key_id` (Boolean) Should the generated certificate include a [subject key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2) (default: `false`).
50 | 
51 | ### Read-Only
52 | 
53 | - `ca_key_algorithm` (String) Name of the algorithm used when generating the private key provided in `ca_private_key_pem`.
54 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
55 | - `id` (String) Unique identifier for this resource: the certificate serial number.
56 | - `ready_for_renewal` (Boolean) Is the certificate either expired (i.e. beyond the `validity_period_hours`) or ready for an early renewal (i.e. within the `early_renewal_hours`)?
57 | - `validity_end_time` (String) The time until which the certificate is invalid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
58 | - `validity_start_time` (String) The time after which the certificate is valid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
59 | 
60 | ## Automatic Renewal
61 | 
62 | This resource considers its instances to have been deleted after either their validity
63 | periods ends (i.e. beyond the `validity_period_hours`)
64 | or the early renewal period is reached (i.e. within the `early_renewal_hours`):
65 | when this happens, the `ready_for_renewal` attribute will be `true`.
66 | At this time, applying the Terraform configuration will cause a new certificate to be
67 | generated for the instance.
68 | 
69 | Therefore in a development environment with frequent deployments it may be convenient
70 | to set a relatively-short expiration time and use early renewal to automatically provision
71 | a new certificate when the current one is about to expire.
72 | 
73 | The creation of a new certificate may of course cause dependent resources to be updated
74 | or replaced, depending on the lifecycle rules applying to those resources.
75 | 


--------------------------------------------------------------------------------
/docs/resources/private_key.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_private_key Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of tls_private_key https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key should be used, when possible, to avoid storing the private key data in the plan or state file.
 6 |   Creates a PEM (and OpenSSH) formatted private key.
 7 |   Generates a secure private key and encodes it in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 and OpenSSH PEM (RFC 4716) https://datatracker.ietf.org/doc/html/rfc4716 formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
 8 | ---
 9 | 
10 | # tls_private_key (Resource)
11 | 
12 | -> If the managed resource supports a write-only attribute for the private key (first introduced in Terraform 1.11), then the ephemeral variant of [`tls_private_key`](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/ephemeral-resources/private_key) should be used, when possible, to avoid storing the private key data in the plan or state file.
13 | 
14 | Creates a PEM (and OpenSSH) formatted private key.
15 | 
16 | Generates a secure private key and encodes it in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) and [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formats. This resource is primarily intended for easily bootstrapping throwaway development environments.
17 | 
18 | ~> **Security Notice** The private key generated by this resource will
19 | be stored *unencrypted* in your Terraform state file. **Use of this resource
20 | for production deployments is *not* recommended**. Instead, generate
21 | a private key file outside of Terraform and distribute it securely
22 | to the system where Terraform will be run.
23 | 
24 | This is a *logical resource*, so it contributes only to the current Terraform
25 | state and does not create any external managed resources.
26 | 
27 | 
28 | ## Example Usage
29 | 
30 | ```terraform
31 | # ECDSA key with P384 elliptic curve
32 | resource "tls_private_key" "ecdsa-p384-example" {
33 |   algorithm   = "ECDSA"
34 |   ecdsa_curve = "P384"
35 | }
36 | 
37 | # RSA key of size 4096 bits
38 | resource "tls_private_key" "rsa-4096-example" {
39 |   algorithm = "RSA"
40 |   rsa_bits  = 4096
41 | }
42 | 
43 | # ED25519 key
44 | resource "tls_private_key" "ed25519-example" {
45 |   algorithm = "ED25519"
46 | }
47 | ```
48 | 
49 | <!-- schema generated by tfplugindocs -->
50 | ## Schema
51 | 
52 | ### Required
53 | 
54 | - `algorithm` (String) Name of the algorithm to use when generating the private key. Currently-supported values are: `RSA`, `ECDSA`, `ED25519`.
55 | 
56 | ### Optional
57 | 
58 | - `ecdsa_curve` (String) When `algorithm` is `ECDSA`, the name of the elliptic curve to use. Currently-supported values are: `P224`, `P256`, `P384`, `P521`. (default: `P224`).
59 | - `rsa_bits` (Number) When `algorithm` is `RSA`, the size of the generated RSA key, in bits (default: `2048`).
60 | 
61 | ### Read-Only
62 | 
63 | - `id` (String) Unique identifier for this resource: hexadecimal representation of the SHA1 checksum of the resource.
64 | - `private_key_openssh` (String, Sensitive) Private key data in [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format.
65 | - `private_key_pem` (String, Sensitive) Private key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
66 | - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
67 | - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
68 | - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
69 | - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
70 | - `public_key_pem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
71 | 
72 | ## Generating a New Key
73 | 
74 | Since a private key is a logical resource that lives only in the Terraform state,
75 | it will persist until it is explicitly destroyed by the user.
76 | 
77 | In order to force the generation of a new key within an existing state, the
78 | private key instance can be "tainted":
79 | 
80 | ```
81 | terraform taint tls_private_key.example
82 | ```
83 | 
84 | A new key will then be generated on the next ``terraform apply``.
85 | 


--------------------------------------------------------------------------------
/docs/resources/self_signed_cert.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "tls_self_signed_cert Resource - terraform-provider-tls"
 3 | subcategory: ""
 4 | description: |-
 5 |   Creates a self-signed TLS certificate in PEM (RFC 1421) https://datatracker.ietf.org/doc/html/rfc1421 format.
 6 | ---
 7 | 
 8 | # tls_self_signed_cert (Resource)
 9 | 
10 | Creates a **self-signed** TLS certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format.
11 | 
12 | ~> **Warning** Self-signed certificates are usually used only in development environments
13 | or applications deployed internally to an organization.
14 | Certificates of this type are generally not trusted by client software such
15 | as web browsers. Therefore clients are likely to generate trust warnings when
16 | connecting to a server that has a self-signed certificate. 
17 | 
18 | ## Example Usage
19 | 
20 | ```terraform
21 | resource "tls_self_signed_cert" "example" {
22 |   private_key_pem = file("private_key.pem")
23 | 
24 |   subject {
25 |     common_name  = "example.com"
26 |     organization = "ACME Examples, Inc"
27 |   }
28 | 
29 |   validity_period_hours = 12
30 | 
31 |   allowed_uses = [
32 |     "key_encipherment",
33 |     "digital_signature",
34 |     "server_auth",
35 |   ]
36 | }
37 | ```
38 | 
39 | <!-- schema generated by tfplugindocs -->
40 | ## Schema
41 | 
42 | ### Required
43 | 
44 | - `allowed_uses` (List of String) List of key usages allowed for the issued certificate. Values are defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) and combine flags defined by both [Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) and [Extended Key Usages](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12). Accepted values: `any_extended`, `cert_signing`, `client_auth`, `code_signing`, `content_commitment`, `crl_signing`, `data_encipherment`, `decipher_only`, `digital_signature`, `email_protection`, `encipher_only`, `ipsec_end_system`, `ipsec_tunnel`, `ipsec_user`, `key_agreement`, `key_encipherment`, `microsoft_commercial_code_signing`, `microsoft_kernel_code_signing`, `microsoft_server_gated_crypto`, `netscape_server_gated_crypto`, `ocsp_signing`, `server_auth`, `timestamping`.
45 | - `private_key_pem` (String, Sensitive) Private key in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format, that the certificate will belong to. This can be read from a separate file using the [`file`](https://www.terraform.io/language/functions/file) interpolation function.
46 | - `validity_period_hours` (Number) Number of hours, after initial issuing, that the certificate will remain valid for.
47 | 
48 | ### Optional
49 | 
50 | - `dns_names` (List of String) List of DNS names for which a certificate is being requested (i.e. certificate subjects).
51 | - `early_renewal_hours` (Number) The resource will consider the certificate to have expired the given number of hours before its actual expiry time. This can be useful to deploy an updated certificate in advance of the expiration of the current certificate. However, the old certificate remains valid until its true expiration time, since this resource does not (and cannot) support certificate revocation. Also, this advance update can only be performed should the Terraform configuration be applied during the early renewal period. (default: `0`)
52 | - `ip_addresses` (List of String) List of IP addresses for which a certificate is being requested (i.e. certificate subjects).
53 | - `is_ca_certificate` (Boolean) Is the generated certificate representing a Certificate Authority (CA) (default: `false`).
54 | - `set_authority_key_id` (Boolean) Should the generated certificate include an [authority key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1): for self-signed certificates this is the same value as the [subject key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2) (default: `false`).
55 | - `set_subject_key_id` (Boolean) Should the generated certificate include a [subject key identifier](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2) (default: `false`).
56 | - `subject` (Block List) The subject for which a certificate is being requested. The acceptable arguments are all optional and their naming is based upon [Issuer Distinguished Names (RFC5280)](https://tools.ietf.org/html/rfc5280#section-4.1.2.4) section. (see [below for nested schema](#nestedblock--subject))
57 | - `uris` (List of String) List of URIs for which a certificate is being requested (i.e. certificate subjects).
58 | 
59 | ### Read-Only
60 | 
61 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
62 | - `id` (String) Unique identifier for this resource: the certificate serial number.
63 | - `key_algorithm` (String) Name of the algorithm used when generating the private key provided in `private_key_pem`.
64 | - `ready_for_renewal` (Boolean) Is the certificate either expired (i.e. beyond the `validity_period_hours`) or ready for an early renewal (i.e. within the `early_renewal_hours`)?
65 | - `validity_end_time` (String) The time until which the certificate is invalid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
66 | - `validity_start_time` (String) The time after which the certificate is valid, expressed as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
67 | 
68 | <a id="nestedblock--subject"></a>
69 | ### Nested Schema for `subject`
70 | 
71 | Optional:
72 | 
73 | - `common_name` (String) Distinguished name: `CN`
74 | - `country` (String) Distinguished name: `C`
75 | - `email_address` (String) ASN.1 Object Identifier (OID): `1.2.840.113549.1.9.1`
76 | - `locality` (String) Distinguished name: `L`
77 | - `organization` (String) Distinguished name: `O`
78 | - `organizational_unit` (String) Distinguished name: `OU`
79 | - `postal_code` (String) Distinguished name: `PC`
80 | - `province` (String) Distinguished name: `ST`
81 | - `serial_number` (String) Distinguished name: `SERIALNUMBER`
82 | - `street_address` (List of String) Distinguished name: `STREET`
83 | 
84 | ## Automatic Renewal
85 | 
86 | This resource considers its instances to have been deleted after either their validity
87 | periods ends (i.e. beyond the `validity_period_hours`)
88 | or the early renewal period is reached (i.e. within the `early_renewal_hours`):
89 | when this happens, the `ready_for_renewal` attribute will be `true`.
90 | At this time, applying the Terraform configuration will cause a new certificate to be
91 | generated for the instance.
92 | 
93 | Therefore in a development environment with frequent deployments it may be convenient
94 | to set a relatively-short expiration time and use early renewal to automatically provision
95 | a new certificate when the current one is about to expire.
96 | 
97 | The creation of a new certificate may of course cause dependent resources to be updated
98 | or replaced, depending on the lifecycle rules applying to those resources.
99 | 


--------------------------------------------------------------------------------
/examples/data-sources/tls_certificate/content-example.tf:
--------------------------------------------------------------------------------
1 | data "tls_certificate" "example_content" {
2 |   content = file("example.pem")
3 | }


--------------------------------------------------------------------------------
/examples/data-sources/tls_certificate/data-source.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_eks_cluster" "example" {
 2 |   name = "example"
 3 | }
 4 | 
 5 | data "tls_certificate" "example" {
 6 |   url = aws_eks_cluster.example.identity[0].oidc[0].issuer
 7 | }
 8 | 
 9 | resource "aws_iam_openid_connect_provider" "example" {
10 |   client_id_list  = ["sts.amazonaws.com"]
11 |   thumbprint_list = [data.tls_certificate.example.certificates[0].sha1_fingerprint]
12 |   url             = aws_eks_cluster.example.identity[0].oidc[0].issuer
13 | }
14 | 


--------------------------------------------------------------------------------
/examples/data-sources/tls_public_key/data-source.tf:
--------------------------------------------------------------------------------
 1 | resource "tls_private_key" "ed25519-example" {
 2 |   algorithm = "ED25519"
 3 | }
 4 | 
 5 | # Public key loaded from a terraform-generated private key, using the PEM (RFC 1421) format
 6 | data "tls_public_key" "private_key_pem-example" {
 7 |   private_key_pem = tls_private_key.ed25519-example.private_key_pem
 8 | }
 9 | 
10 | # Public key loaded from filesystem, using the Open SSH (RFC 4716) format
11 | data "tls_public_key" "private_key_openssh-example" {
12 |   private_key_openssh = file("~/.ssh/id_rsa_rfc4716")
13 | }
14 | 


--------------------------------------------------------------------------------
/examples/ephemeral-resources/tls_private_key/ephemeral-resource.tf:
--------------------------------------------------------------------------------
 1 | # ECDSA key with P384 elliptic curve
 2 | ephemeral "tls_private_key" "ecdsa-p384-example" {
 3 |   algorithm   = "ECDSA"
 4 |   ecdsa_curve = "P384"
 5 | }
 6 | 
 7 | # RSA key of size 4096 bits
 8 | ephemeral "tls_private_key" "rsa-4096-example" {
 9 |   algorithm = "RSA"
10 |   rsa_bits  = 4096
11 | }
12 | 
13 | # ED25519 key
14 | ephemeral "tls_private_key" "ed25519-example" {
15 |   algorithm = "ED25519"
16 | }
17 | 


--------------------------------------------------------------------------------
/examples/provider/provider.tf:
--------------------------------------------------------------------------------
 1 | # This example creates a self-signed certificate,
 2 | # and uses it to create an AWS IAM Server certificate.
 3 | #
 4 | # THIS IS NOT RECOMMENDED FOR PRODUCTION SERVICES.
 5 | # See the detailed documentation of each resource for further
 6 | # security considerations and other practical tradeoffs.
 7 | 
 8 | resource "tls_private_key" "example" {
 9 |   algorithm = "ECDSA"
10 | }
11 | 
12 | resource "tls_self_signed_cert" "example" {
13 |   key_algorithm   = tls_private_key.example.algorithm
14 |   private_key_pem = tls_private_key.example.private_key_pem
15 | 
16 |   # Certificate expires after 12 hours.
17 |   validity_period_hours = 12
18 | 
19 |   # Generate a new certificate if Terraform is run within three
20 |   # hours of the certificate's expiration time.
21 |   early_renewal_hours = 3
22 | 
23 |   # Reasonable set of uses for a server SSL certificate.
24 |   allowed_uses = [
25 |     "key_encipherment",
26 |     "digital_signature",
27 |     "server_auth",
28 |   ]
29 | 
30 |   dns_names = ["example.com", "example.net"]
31 | 
32 |   subject {
33 |     common_name  = "example.com"
34 |     organization = "ACME Examples, Inc"
35 |   }
36 | }
37 | 
38 | # For example, this can be used to populate an AWS IAM server certificate.
39 | resource "aws_iam_server_certificate" "example" {
40 |   name             = "example_self_signed_cert"
41 |   certificate_body = tls_self_signed_cert.example.cert_pem
42 |   private_key      = tls_private_key.example.private_key_pem
43 | }
44 | 


--------------------------------------------------------------------------------
/examples/provider/provider_with_proxy.tf:
--------------------------------------------------------------------------------
 1 | # This example fetches the TLS certificate chain
 2 | # from `example.com` using an HTTP Proxy.
 3 | 
 4 | provider "tls" {
 5 |   proxy {
 6 |     url = "https://corporate.proxy.service"
 7 |   }
 8 | }
 9 | 
10 | data "tls_certificate" "test" {
11 |   url = "https://example.com"
12 | }
13 | 


--------------------------------------------------------------------------------
/examples/provider/provider_with_proxy_from_env.tf:
--------------------------------------------------------------------------------
 1 | # This example fetches the TLS certificate chain
 2 | # from `example.com` using an HTTP Proxy.
 3 | # The Proxy is discovered via environment variables:
 4 | # see https://pkg.go.dev/net/http#ProxyFromEnvironment for details.
 5 | 
 6 | provider "tls" {
 7 |   proxy {
 8 |     from_env = true
 9 |   }
10 | }
11 | 
12 | data "tls_certificate" "test" {
13 |   url = "https://example.com"
14 | }
15 | 


--------------------------------------------------------------------------------
/examples/resources/tls_cert_request/resource.tf:
--------------------------------------------------------------------------------
1 | resource "tls_cert_request" "example" {
2 |   private_key_pem = file("private_key.pem")
3 | 
4 |   subject {
5 |     common_name  = "example.com"
6 |     organization = "ACME Examples, Inc"
7 |   }
8 | }
9 | 


--------------------------------------------------------------------------------
/examples/resources/tls_locally_signed_cert/resource.tf:
--------------------------------------------------------------------------------
 1 | resource "tls_locally_signed_cert" "example" {
 2 |   cert_request_pem   = file("cert_request.pem")
 3 |   ca_private_key_pem = file("ca_private_key.pem")
 4 |   ca_cert_pem        = file("ca_cert.pem")
 5 | 
 6 |   validity_period_hours = 12
 7 | 
 8 |   allowed_uses = [
 9 |     "key_encipherment",
10 |     "digital_signature",
11 |     "server_auth",
12 |   ]
13 | }
14 | 


--------------------------------------------------------------------------------
/examples/resources/tls_private_key/resource.tf:
--------------------------------------------------------------------------------
 1 | # ECDSA key with P384 elliptic curve
 2 | resource "tls_private_key" "ecdsa-p384-example" {
 3 |   algorithm   = "ECDSA"
 4 |   ecdsa_curve = "P384"
 5 | }
 6 | 
 7 | # RSA key of size 4096 bits
 8 | resource "tls_private_key" "rsa-4096-example" {
 9 |   algorithm = "RSA"
10 |   rsa_bits  = 4096
11 | }
12 | 
13 | # ED25519 key
14 | resource "tls_private_key" "ed25519-example" {
15 |   algorithm = "ED25519"
16 | }
17 | 


--------------------------------------------------------------------------------
/examples/resources/tls_self_signed_cert/resource.tf:
--------------------------------------------------------------------------------
 1 | resource "tls_self_signed_cert" "example" {
 2 |   private_key_pem = file("private_key.pem")
 3 | 
 4 |   subject {
 5 |     common_name  = "example.com"
 6 |     organization = "ACME Examples, Inc"
 7 |   }
 8 | 
 9 |   validity_period_hours = 12
10 | 
11 |   allowed_uses = [
12 |     "key_encipherment",
13 |     "digital_signature",
14 |     "server_auth",
15 |   ]
16 | }


--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
 1 | module github.com/hashicorp/terraform-provider-tls
 2 | 
 3 | go 1.23.7
 4 | 
 5 | toolchain go1.24.1
 6 | 
 7 | require (
 8 | 	github.com/elazarl/goproxy v1.7.2
 9 | 	github.com/elazarl/goproxy/ext v0.0.0-20220529153421-8ea89ba92021
10 | 	github.com/google/go-cmp v0.7.0
11 | 	github.com/hashicorp/terraform-plugin-framework v1.15.0
12 | 	github.com/hashicorp/terraform-plugin-framework-validators v0.18.0
13 | 	github.com/hashicorp/terraform-plugin-go v0.28.0
14 | 	github.com/hashicorp/terraform-plugin-log v0.9.0
15 | 	github.com/hashicorp/terraform-plugin-testing v1.13.1
16 | 	golang.org/x/crypto v0.38.0
17 | 	golang.org/x/net v0.40.0
18 | )
19 | 
20 | require (
21 | 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
22 | 	github.com/agext/levenshtein v1.2.2 // indirect
23 | 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
24 | 	github.com/cloudflare/circl v1.6.0 // indirect
25 | 	github.com/fatih/color v1.16.0 // indirect
26 | 	github.com/golang/protobuf v1.5.4 // indirect
27 | 	github.com/hashicorp/errwrap v1.1.0 // indirect
28 | 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
29 | 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
30 | 	github.com/hashicorp/go-cty v1.5.0 // indirect
31 | 	github.com/hashicorp/go-hclog v1.6.3 // indirect
32 | 	github.com/hashicorp/go-multierror v1.1.1 // indirect
33 | 	github.com/hashicorp/go-plugin v1.6.3 // indirect
34 | 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
35 | 	github.com/hashicorp/go-uuid v1.0.3 // indirect
36 | 	github.com/hashicorp/go-version v1.7.0 // indirect
37 | 	github.com/hashicorp/hc-install v0.9.2 // indirect
38 | 	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
39 | 	github.com/hashicorp/logutils v1.0.0 // indirect
40 | 	github.com/hashicorp/terraform-exec v0.23.0 // indirect
41 | 	github.com/hashicorp/terraform-json v0.25.0 // indirect
42 | 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0 // indirect
43 | 	github.com/hashicorp/terraform-registry-address v0.2.5 // indirect
44 | 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
45 | 	github.com/hashicorp/yamux v0.1.1 // indirect
46 | 	github.com/kr/pretty v0.3.0 // indirect
47 | 	github.com/mattn/go-colorable v0.1.13 // indirect
48 | 	github.com/mattn/go-isatty v0.0.20 // indirect
49 | 	github.com/mitchellh/copystructure v1.2.0 // indirect
50 | 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
51 | 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
52 | 	github.com/mitchellh/mapstructure v1.5.0 // indirect
53 | 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
54 | 	github.com/oklog/run v1.1.0 // indirect
55 | 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
56 | 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
57 | 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
58 | 	github.com/zclconf/go-cty v1.16.2 // indirect
59 | 	golang.org/x/mod v0.24.0 // indirect
60 | 	golang.org/x/sync v0.14.0 // indirect
61 | 	golang.org/x/sys v0.33.0 // indirect
62 | 	golang.org/x/text v0.25.0 // indirect
63 | 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
64 | 	google.golang.org/appengine v1.6.8 // indirect
65 | 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
66 | 	google.golang.org/grpc v1.72.1 // indirect
67 | 	google.golang.org/protobuf v1.36.6 // indirect
68 | )
69 | 


--------------------------------------------------------------------------------
/internal/provider/attribute_plan_modifier_bool/default_value.go:
--------------------------------------------------------------------------------
 1 | // Copyright (c) HashiCorp, Inc.
 2 | // SPDX-License-Identifier: MPL-2.0
 3 | 
 4 | package attribute_plan_modifier_bool
 5 | 
 6 | import (
 7 | 	"context"
 8 | 
 9 | 	"github.com/hashicorp/terraform-plugin-framework/path"
10 | 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
11 | 	"github.com/hashicorp/terraform-plugin-framework/types"
12 | )
13 | 
14 | // readyForRenewalAttributePlanModifier determines whether the certificate is ready for renewal.
15 | type readyForRenewalAttributePlanModifier struct {
16 | }
17 | 
18 | // ReadyForRenewal is an helper to instantiate a defaultValueAttributePlanModifier.
19 | func ReadyForRenewal() planmodifier.Bool {
20 | 	return &readyForRenewalAttributePlanModifier{}
21 | }
22 | 
23 | var _ planmodifier.Bool = (*readyForRenewalAttributePlanModifier)(nil)
24 | 
25 | func (apm *readyForRenewalAttributePlanModifier) Description(ctx context.Context) string {
26 | 	return apm.MarkdownDescription(ctx)
27 | }
28 | 
29 | func (apm *readyForRenewalAttributePlanModifier) MarkdownDescription(ctx context.Context) string {
30 | 	return "Sets the value of ready_for_renewal depending on value of validity_period_hours and early_renewal_hours"
31 | }
32 | 
33 | func (apm *readyForRenewalAttributePlanModifier) PlanModifyBool(ctx context.Context, req planmodifier.BoolRequest, res *planmodifier.BoolResponse) {
34 | 	var validityPeriodHours types.Int64
35 | 
36 | 	res.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("validity_period_hours"), &validityPeriodHours)...)
37 | 	if res.Diagnostics.HasError() {
38 | 		return
39 | 	}
40 | 
41 | 	if validityPeriodHours.ValueInt64() == 0 {
42 | 		res.PlanValue = types.BoolValue(true)
43 | 
44 | 		return
45 | 	}
46 | 
47 | 	var earlyRenewalHours types.Int64
48 | 
49 | 	res.Diagnostics.Append(req.Plan.GetAttribute(ctx, path.Root("early_renewal_hours"), &earlyRenewalHours)...)
50 | 	if res.Diagnostics.HasError() {
51 | 		return
52 | 	}
53 | 
54 | 	if earlyRenewalHours.IsNull() || earlyRenewalHours.IsUnknown() {
55 | 		return
56 | 	}
57 | 
58 | 	if earlyRenewalHours.ValueInt64() >= validityPeriodHours.ValueInt64() {
59 | 		res.PlanValue = types.BoolValue(true)
60 | 
61 | 		return
62 | 	}
63 | }
64 | 


--------------------------------------------------------------------------------
/internal/provider/attribute_validator/url_with_scheme.go:
--------------------------------------------------------------------------------
 1 | // Copyright (c) HashiCorp, Inc.
 2 | // SPDX-License-Identifier: MPL-2.0
 3 | 
 4 | package attribute_validator
 5 | 
 6 | import (
 7 | 	"context"
 8 | 	"fmt"
 9 | 	"net/url"
10 | 	"strings"
11 | 
12 | 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
13 | 	"github.com/hashicorp/terraform-plugin-log/tflog"
14 | )
15 | 
16 | // urlWithSchemeAttributeValidator checks that a types.String attribute
17 | // is indeed a URL and its scheme is one of the given `acceptableSchemes`.
18 | //
19 | // Instances should be created via UrlWithScheme function.
20 | type urlWithSchemeAttributeValidator struct {
21 | 	acceptableSchemes []string
22 | }
23 | 
24 | // UrlWithScheme is a helper to instantiate a urlWithSchemeAttributeValidator.
25 | func UrlWithScheme(acceptableSchemes ...string) validator.String {
26 | 	return &urlWithSchemeAttributeValidator{acceptableSchemes}
27 | }
28 | 
29 | var _ validator.String = (*urlWithSchemeAttributeValidator)(nil)
30 | 
31 | func (av *urlWithSchemeAttributeValidator) Description(ctx context.Context) string {
32 | 	return av.MarkdownDescription(ctx)
33 | }
34 | 
35 | func (av *urlWithSchemeAttributeValidator) MarkdownDescription(_ context.Context) string {
36 | 	return fmt.Sprintf("Ensures that the attribute is a URL and its scheme is one of: %q", av.acceptableSchemes)
37 | }
38 | 
39 | func (av *urlWithSchemeAttributeValidator) ValidateString(ctx context.Context, req validator.StringRequest, res *validator.StringResponse) {
40 | 	if req.ConfigValue.IsNull() || req.ConfigValue.IsUnknown() {
41 | 		return
42 | 	}
43 | 
44 | 	tflog.Debug(ctx, "Validating attribute value is a URL with acceptable scheme", map[string]interface{}{
45 | 		"attribute":         req.Path.String(),
46 | 		"acceptableSchemes": strings.Join(av.acceptableSchemes, ","),
47 | 	})
48 | 
49 | 	u, err := url.Parse(req.ConfigValue.ValueString())
50 | 	if err != nil {
51 | 		res.Diagnostics.AddAttributeError(
52 | 			req.Path,
53 | 			"Invalid URL",
54 | 			fmt.Sprintf("Parsing URL %q failed: %v", req.ConfigValue.ValueString(), err),
55 | 		)
56 | 		return
57 | 	}
58 | 
59 | 	if u.Host == "" {
60 | 		res.Diagnostics.AddAttributeError(
61 | 			req.Path,
62 | 			"Invalid URL",
63 | 			fmt.Sprintf("URL %q contains no host", u.String()),
64 | 		)
65 | 		return
66 | 	}
67 | 
68 | 	for _, s := range av.acceptableSchemes {
69 | 		if u.Scheme == s {
70 | 			return
71 | 		}
72 | 	}
73 | 
74 | 	res.Diagnostics.AddAttributeError(
75 | 		req.Path,
76 | 		"Invalid URL scheme",
77 | 		fmt.Sprintf("URL %q expected to use scheme from %q, got: %q", u.String(), av.acceptableSchemes, u.Scheme),
78 | 	)
79 | }
80 | 


--------------------------------------------------------------------------------
/internal/provider/common.go:
--------------------------------------------------------------------------------
 1 | // Copyright (c) HashiCorp, Inc.
 2 | // SPDX-License-Identifier: MPL-2.0
 3 | 
 4 | package provider
 5 | 
 6 | import (
 7 | 	"context"
 8 | 	"crypto/sha1"
 9 | 	"encoding/hex"
10 | 	"regexp"
11 | 	"strings"
12 | 	"time"
13 | 
14 | 	"github.com/hashicorp/terraform-plugin-framework/resource"
15 | 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
16 | 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
17 | )
18 | 
19 | // hashForState computes the hexadecimal representation of the SHA1 checksum of a string.
20 | // This is used by most resources/data-sources here to compute their Unique Identifier (ID).
21 | func hashForState(value string) string {
22 | 	if value == "" {
23 | 		return ""
24 | 	}
25 | 	hash := sha1.Sum([]byte(strings.TrimSpace(value)))
26 | 	return hex.EncodeToString(hash[:])
27 | }
28 | 
29 | // overridableTimeFunc normally returns time.Now(),
30 | // but it is overridden during testing to simulate an arbitrary value of "now".
31 | var overridableTimeFunc = func() time.Time {
32 | 	return time.Now()
33 | }
34 | 
35 | // updatedUsingPlan is to be used as part of resource.Resource `Update`.
36 | // It takes the resource.UpdateRequest `Plan` and sets it on resource.UpdateResponse State.
37 | //
38 | // Use this if the planned values should just be copied over into the new state.
39 | func updatedUsingPlan(ctx context.Context, req *resource.UpdateRequest, res *resource.UpdateResponse, model interface{}) {
40 | 	// Read the plan
41 | 	res.Diagnostics.Append(req.Plan.Get(ctx, model)...)
42 | 	if res.Diagnostics.HasError() {
43 | 		return
44 | 	}
45 | 
46 | 	// Set it as the new state
47 | 	res.Diagnostics.Append(res.State.Set(ctx, model)...)
48 | }
49 | 
50 | // requireReplaceIfStateContainsPEMString returns a planmodifier.String that triggers a
51 | // replacement of the resource if (and only if) all the conditions of a resource.RequiresReplace are met,
52 | // and the attribute value is a PEM string.
53 | func requireReplaceIfStateContainsPEMString() planmodifier.String {
54 | 	description := "Attribute requires replacement if it contains a PEM string"
55 | 
56 | 	return stringplanmodifier.RequiresReplaceIf(func(ctx context.Context, req planmodifier.StringRequest, resp *stringplanmodifier.RequiresReplaceIfFuncResponse) {
57 | 		// NOTE: If we reach this point, we know a change has been detected and that is known AND not-null
58 | 
59 | 		// If the value is indeed a PEM, and
60 | 		if regexp.MustCompile(`^-----BEGIN [[:alpha:] ]+-----\n(.|\s)+\n-----END [[:alpha:] ]+-----\n?$`).MatchString(req.StateValue.ValueString()) {
61 | 			resp.RequiresReplace = true
62 | 			return
63 | 		}
64 | 	}, description, description)
65 | }
66 | 


--------------------------------------------------------------------------------
/internal/provider/data_source_public_key.go:
--------------------------------------------------------------------------------
  1 | // Copyright (c) HashiCorp, Inc.
  2 | // SPDX-License-Identifier: MPL-2.0
  3 | 
  4 | package provider
  5 | 
  6 | import (
  7 | 	"context"
  8 | 	"crypto"
  9 | 	"fmt"
 10 | 	"strings"
 11 | 
 12 | 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 13 | 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 14 | 	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
 15 | 	"github.com/hashicorp/terraform-plugin-framework/path"
 16 | 	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
 17 | 	"github.com/hashicorp/terraform-plugin-framework/types"
 18 | 	"github.com/hashicorp/terraform-plugin-log/tflog"
 19 | )
 20 | 
 21 | type publicKeyDataSource struct{}
 22 | 
 23 | var _ datasource.DataSource = (*publicKeyDataSource)(nil)
 24 | 
 25 | func NewPublicKeyDataSource() datasource.DataSource {
 26 | 	return &publicKeyDataSource{}
 27 | }
 28 | 
 29 | func (d *publicKeyDataSource) Metadata(_ context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
 30 | 	resp.TypeName = req.ProviderTypeName + "_public_key"
 31 | }
 32 | 
 33 | func (d *publicKeyDataSource) Schema(ctx context.Context, req datasource.SchemaRequest, resp *datasource.SchemaResponse) {
 34 | 	resp.Schema = schema.Schema{
 35 | 		Attributes: map[string]schema.Attribute{
 36 | 			// Required attributes
 37 | 			"private_key_pem": schema.StringAttribute{
 38 | 				Optional:  true,
 39 | 				Sensitive: true,
 40 | 				Validators: []validator.String{
 41 | 					stringvalidator.ExactlyOneOf(
 42 | 						path.MatchRoot("private_key_pem"),
 43 | 						path.MatchRoot("private_key_openssh"),
 44 | 					),
 45 | 				},
 46 | 				Description: "The private key (in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format) " +
 47 | 					"to extract the public key from. " +
 48 | 					"This is _mutually exclusive_ with `private_key_openssh`. " +
 49 | 					fmt.Sprintf("Currently-supported algorithms for keys are: `%s`. ", strings.Join(supportedAlgorithmsStr(), "`, `")),
 50 | 			},
 51 | 			"private_key_openssh": schema.StringAttribute{
 52 | 				Optional:  true,
 53 | 				Sensitive: true,
 54 | 				Validators: []validator.String{
 55 | 					stringvalidator.ExactlyOneOf(
 56 | 						path.MatchRoot("private_key_pem"),
 57 | 						path.MatchRoot("private_key_openssh"),
 58 | 					),
 59 | 				},
 60 | 				Description: "The private key (in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format) " +
 61 | 					"to extract the public key from. " +
 62 | 					"This is _mutually exclusive_ with `private_key_pem`. " +
 63 | 					fmt.Sprintf("Currently-supported algorithms for keys are: `%s`. ", strings.Join(supportedAlgorithmsStr(), "`, `")),
 64 | 			},
 65 | 
 66 | 			// Computed attributes
 67 | 			"algorithm": schema.StringAttribute{
 68 | 				Computed: true,
 69 | 				Description: "The name of the algorithm used by the given private key. " +
 70 | 					fmt.Sprintf("Possible values are: `%s`. ", strings.Join(supportedAlgorithmsStr(), "`, `")),
 71 | 			},
 72 | 			"public_key_pem": schema.StringAttribute{
 73 | 				Computed: true,
 74 | 				Description: "The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. " +
 75 | 					"**NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) " +
 76 | 					"[libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this " +
 77 | 					"value append a `\\n` at the end of the PEM. " +
 78 | 					"In case this disrupts your use case, we recommend using " +
 79 | 					"[`trimspace()`](https://www.terraform.io/language/functions/trimspace).",
 80 | 			},
 81 | 			"public_key_openssh": schema.StringAttribute{
 82 | 				Computed: true,
 83 | 				Description: "The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. " +
 84 | 					"This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. " +
 85 | 					"This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). " +
 86 | 					"**NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) " +
 87 | 					"[libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this " +
 88 | 					"value append a `\\n` at the end of the PEM. " +
 89 | 					"In case this disrupts your use case, we recommend using " +
 90 | 					"[`trimspace()`](https://www.terraform.io/language/functions/trimspace).",
 91 | 			},
 92 | 			"public_key_fingerprint_md5": schema.StringAttribute{
 93 | 				Computed: true,
 94 | 				Description: "The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. " +
 95 | 					"Only available if the selected private key format is compatible, as per the rules for " +
 96 | 					"`public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).",
 97 | 			},
 98 | 			"public_key_fingerprint_sha256": schema.StringAttribute{
 99 | 				Computed: true,
100 | 				Description: "The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. " +
101 | 					"Only available if the selected private key format is compatible, as per the rules for " +
102 | 					"`public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).",
103 | 			},
104 | 			"id": schema.StringAttribute{
105 | 				Computed: true,
106 | 				Description: "Unique identifier for this data source: " +
107 | 					"hexadecimal representation of the SHA1 checksum of the data source.",
108 | 			},
109 | 		},
110 | 		MarkdownDescription: "Get a public key from a PEM-encoded private key.\n\n" +
111 | 			"Use this data source to get the public key from a [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) " +
112 | 			"or [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) formatted private key, " +
113 | 			"for use in other resources.",
114 | 	}
115 | }
116 | 
117 | func (ds *publicKeyDataSource) Read(ctx context.Context, req datasource.ReadRequest, res *datasource.ReadResponse) {
118 | 	tflog.Debug(ctx, "Reading public key resource")
119 | 
120 | 	var prvKey crypto.PrivateKey
121 | 	var algorithm Algorithm
122 | 	var err error
123 | 
124 | 	// Given the use of `ExactlyOneOf` in the Schema, we are guaranteed
125 | 	// that either `private_key_pem` or `private_key_openssh` will be set.
126 | 	var prvKeyArg types.String
127 | 	if req.Config.GetAttribute(ctx, path.Root("private_key_pem"), &prvKeyArg); !prvKeyArg.IsNull() && !prvKeyArg.IsUnknown() {
128 | 		tflog.Debug(ctx, "Parsing private key from PEM")
129 | 		prvKey, algorithm, err = parsePrivateKeyPEM([]byte(prvKeyArg.ValueString()))
130 | 	} else if req.Config.GetAttribute(ctx, path.Root("private_key_openssh"), &prvKeyArg); !prvKeyArg.IsNull() && !prvKeyArg.IsUnknown() {
131 | 		tflog.Debug(ctx, "Parsing private key from OpenSSH PEM")
132 | 		prvKey, algorithm, err = parsePrivateKeyOpenSSHPEM([]byte(prvKeyArg.ValueString()))
133 | 	}
134 | 	if err != nil {
135 | 		res.Diagnostics.AddError("Unable to parse private key", err.Error())
136 | 		return
137 | 	}
138 | 
139 | 	tflog.Debug(ctx, "Storing private key algorithm info into the state")
140 | 	res.Diagnostics.Append(res.State.SetAttribute(ctx, path.Root("algorithm"), &algorithm)...)
141 | 	if res.Diagnostics.HasError() {
142 | 		return
143 | 	}
144 | 
145 | 	tflog.Debug(ctx, "Storing private key's public key info into the state")
146 | 	res.Diagnostics.Append(setPublicKeyAttributes(ctx, &res.State, prvKey)...)
147 | }
148 | 


--------------------------------------------------------------------------------
/internal/provider/fixtures/certificate.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIDUzCCAjugAwIBAgIRAMhMxtTgTXHTmo6ZU7OafFMwDQYJKoZIhvcNAQELBQAw
 3 | NDENMAsGA1UEBxMESGVyZTERMA8GA1UEChMIVGVzdCBPcmcxEDAOBgNVBAMTB1Jv
 4 | b3QgQ0EwHhcNMTkxMTA4MDkwMTM2WhcNMTkxMTA4MTkwMTM2WjA+MRMwEQYDVQQH
 5 | EwpFdmVyeXdoZXJlMRIwEAYDVQQKEwlDaGlsZCBDby4xEzARBgNVBAMTCkNoaWxk
 6 | IENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQTeCu466xxnGr
 7 | CCrl823J4gGnp9AYb0laTP3uB4orXblTFq45ehDnEJXNykT+7acT8IrAjQlVQdl0
 8 | gLjNM6XjGkFQ7xRw5xi041vRrOtUzC1KxVqrcfT4WrKj6zM/MuK3hznc4NvvwdAx
 9 | Mb3Sk46yQ1PrMslsidDvhTAqXkVi3lD1bV/bpnDo3NRCldVpedE1wlR+6thXZN/Y
10 | MggNuDdv6LDadVGlXgKw5KkEIgenGOzpX1o+GKGo5UWu1xoTHikVwEC1iVuCZax+
11 | 9FnHQO/q7SyF4Lb9d0j6vzrIAjzauGbiAsJya1GhYMF7INxzpSolzk0UYjT5Dxcq
12 | d3VX1prxAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF
13 | BQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIBRoM9+w7/obXaqAmaCPyVf
14 | ldxEMA0GCSqGSIb3DQEBCwUAA4IBAQCuXJkT+qD3STmyDlsJOQRLBKaECH+/0mw4
15 | mn3oMikNfneybjhao+fpwTgFup3KIrdIgbuciHfSTZzWT6mDs9bUdZZLccU6cVRh
16 | WiX0I1eppjQyOT7PuXDsOsBUMf+et5WuGYrtKsib07q2rHPtTq72iftANtWbznfq
17 | DsM3TQL4LuEE9V2lU2L2f3kXKrkYzLJj7R4sGck5Fo/E8eeIFm1Z5FCPcia82N+C
18 | xDsNFvV3r8TsRH60IxFekKddI+ivepa97SvC4r+69MPyxULHNwDtSL+8T4q01LEP
19 | VKT7dWjBK3K0xxH0SPCtlqRbGalWz4adNNHazN/x7ebK+WB9ReSM
20 | -----END CERTIFICATE-----
21 | 


--------------------------------------------------------------------------------
/internal/provider/fixtures/private.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIEogIBAAKCAQEA0E3gruOuscZxqwgq5fNtyeIBp6fQGG9JWkz97geKK125Uxau
 3 | OXoQ5xCVzcpE/u2nE/CKwI0JVUHZdIC4zTOl4xpBUO8UcOcYtONb0azrVMwtSsVa
 4 | q3H0+Fqyo+szPzLit4c53ODb78HQMTG90pOOskNT6zLJbInQ74UwKl5FYt5Q9W1f
 5 | 26Zw6NzUQpXVaXnRNcJUfurYV2Tf2DIIDbg3b+iw2nVRpV4CsOSpBCIHpxjs6V9a
 6 | PhihqOVFrtcaEx4pFcBAtYlbgmWsfvRZx0Dv6u0sheC2/XdI+r86yAI82rhm4gLC
 7 | cmtRoWDBeyDcc6UqJc5NFGI0+Q8XKnd1V9aa8QIDAQABAoIBAEl4HlYw8e27612C
 8 | nPbL/B4ne6PxeWEU509VNn7c4+vVu8bFih+1oP6Oh/e0bs9nbPWIcrflRrRubE8+
 9 | E3A01j6ahQ0Rtij4KWurgTgcAEjBVvw3TXqIz/lErBtKmqGgxfwrUspH+OrAdjjT
10 | rXr3Fm5jdtbO6+I/XZUNaeaXp2tuEO462isNpkdYgJ2+xkw9/slWRytcHA9XirAJ
11 | LRwToNAc9Mx7EwYLDp2vDnUKuyFvD0LUn84UvP5tjqDHoALrSFRK+gtoQjCR95AB
12 | GdzOqXE8P01gMJlSIJJNhcoh4Cco4C7izgKNhkmClHlg7lCd40psZ+01FO+y4kmN
13 | LWCqgcECgYEA2I4gIn1OvzFMB4bxMoFw3g1Mr2WQsgwPPKR1L1fmN5t/V55KvBkq
14 | 2XiJ0SyDqGokw9xPGoasdY52qLyPHTh6L+7B3ljuNBPl0PWDnbTyRUBhGOkC8TYx
15 | VArgf4wPJe6GXjULjnpVV/bAGTJYzBtOsDTJB+nvMVxhcK49kQqWLakCgYEA9j8D
16 | V68U7hksLBNPF5T61wM8TcEJWjWLEDJJ0cCWkmC2gm3tkOq/KiRpjJu4/ps7zuxk
17 | sG4+XXDYPDw6AJG66wOgrKYkH65Vl/q1b0oFJczC776sShvP7lqIbCPSGtfC+wAm
18 | iflagm6aKuSXjviizoHXZ4wNvf8jOStq2Cd3AAkCgYAkLqsD2Df+DfiMEWnfbG01
19 | TLeRXsDsXsN0+G1z+ZXHmL2QICyQfQwBxfgQ8QUWcJWv+/Fjlzjdc240Bz1KPpN7
20 | ysKtqeIy5Vgyr7LL+N254GXYyaXqM4nOZvrXlMk7Jz1gJDDIH3x+9AVosFbR04Y0
21 | Pr2QCvAiKTNGpnY287Pf8QKBgGmTBpnXZL/YZwnWlXhk1U7OAlLLyni0sBSXmvKl
22 | AWlssZMmEk6pdqBY0DAKq7vtTi0fSOQjv/VL5kmdALkxwdP00DR1XtN+aRAp2xQF
23 | xkM4kPM86p0zY2irxAWpLfF4RA5dOCi7kcSOKubs7tXLX/Ht1S59635kHvPp23sl
24 | IG4RAoGAaRh+Kx5m14rc1o1scZbIycXMrj7jVMrOQqhXcoJWv35t51XJhdZpXWWJ
25 | V7IlZhbvCdDFOESfjisX3rx7QdfpOgAbin3BrjRR2ouP0e6/svNREEJnRTvarsnz
26 | dqGNd8Tn9ryGJybjXSQ2Rrx05wy0rL9PL7yDPeYmB1Nqb9vEQFU=
27 | -----END RSA PRIVATE KEY-----
28 | 


--------------------------------------------------------------------------------
/internal/provider/fixtures/public.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIDUzCCAjugAwIBAgIRAMhMxtTgTXHTmo6ZU7OafFMwDQYJKoZIhvcNAQELBQAw
 3 | NDENMAsGA1UEBxMESGVyZTERMA8GA1UEChMIVGVzdCBPcmcxEDAOBgNVBAMTB1Jv
 4 | b3QgQ0EwHhcNMTkxMTA4MDkwMTM2WhcNMTkxMTA4MTkwMTM2WjA+MRMwEQYDVQQH
 5 | EwpFdmVyeXdoZXJlMRIwEAYDVQQKEwlDaGlsZCBDby4xEzARBgNVBAMTCkNoaWxk
 6 | IENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQTeCu466xxnGr
 7 | CCrl823J4gGnp9AYb0laTP3uB4orXblTFq45ehDnEJXNykT+7acT8IrAjQlVQdl0
 8 | gLjNM6XjGkFQ7xRw5xi041vRrOtUzC1KxVqrcfT4WrKj6zM/MuK3hznc4NvvwdAx
 9 | Mb3Sk46yQ1PrMslsidDvhTAqXkVi3lD1bV/bpnDo3NRCldVpedE1wlR+6thXZN/Y
10 | MggNuDdv6LDadVGlXgKw5KkEIgenGOzpX1o+GKGo5UWu1xoTHikVwEC1iVuCZax+
11 | 9FnHQO/q7SyF4Lb9d0j6vzrIAjzauGbiAsJya1GhYMF7INxzpSolzk0UYjT5Dxcq
12 | d3VX1prxAgMBAAGjVjBUMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF
13 | BQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFIBRoM9+w7/obXaqAmaCPyVf
14 | ldxEMA0GCSqGSIb3DQEBCwUAA4IBAQCuXJkT+qD3STmyDlsJOQRLBKaECH+/0mw4
15 | mn3oMikNfneybjhao+fpwTgFup3KIrdIgbuciHfSTZzWT6mDs9bUdZZLccU6cVRh
16 | WiX0I1eppjQyOT7PuXDsOsBUMf+et5WuGYrtKsib07q2rHPtTq72iftANtWbznfq
17 | DsM3TQL4LuEE9V2lU2L2f3kXKrkYzLJj7R4sGck5Fo/E8eeIFm1Z5FCPcia82N+C
18 | xDsNFvV3r8TsRH60IxFekKddI+ivepa97SvC4r+69MPyxULHNwDtSL+8T4q01LEP
19 | VKT7dWjBK3K0xxH0SPCtlqRbGalWz4adNNHazN/x7ebK+WB9ReSM
20 | -----END CERTIFICATE-----
21 | -----BEGIN CERTIFICATE-----
22 | MIIDSTCCAjGgAwIBAgIQLYZHhf04h/2jlZsgJbq/1TANBgkqhkiG9w0BAQsFADA0
23 | MQ0wCwYDVQQHEwRIZXJlMREwDwYDVQQKEwhUZXN0IE9yZzEQMA4GA1UEAxMHUm9v
24 | dCBDQTAeFw0xOTExMDcxNTQ3NDhaFw0xOTEyMTcxNTQ3NDhaMDQxDTALBgNVBAcT
25 | BEhlcmUxETAPBgNVBAoTCFRlc3QgT3JnMRAwDgYDVQQDEwdSb290IENBMIIBIjAN
26 | BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMNzcNkAoCaIhaEVqPZOt53vws6K
27 | Owx9SgdRJxFv1t51RdVg3m5NJoQsAFof1giYYP9og2J9gYp6t/ORaWOjcDF1Tt6l
28 | /vCbQypAwIGHdx5VuJsOy79YoxQVXssNCQZFDl7iuucisuPq9xRSrE84RwTyzU+S
29 | jUbBeyPEBs3mzekwk0pyndMala/NnkWPgHwEI2lMbvZIXCQqokhhusp85e5cdkgD
30 | 4s2/XyNk9yNTlLaaiA8413G2ABD6cvDbJI5y/Og9A1N+VHN30+qFhNXX7qZqWoiD
31 | hQQb7CTeqRaNDS3136qPoQZ0w+3iH4Vnl6bCgOrfU1w0k+0v9xs/sEJp+wIDAQAB
32 | o1cwVTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0T
33 | AQH/BAUwAwEB/zAdBgNVHQ4EFgQUgFGgz37Dv+htdqoCZoI/JV+V3EQwDQYJKoZI
34 | hvcNAQELBQADggEBALmO85dAooD1+2qhjJuLTZgESnVTS3KJQTqLQypIhyF1an3+
35 | MMq4h3oYmN5n3dNq+8HKq06XffI6vLqmxo9Mj5CXuos60IydXiASMzRBStkRd+/P
36 | pJ2u6SJC1+u3HaR/TYLVA5JoZ3JESLzRsM0G75eiEiZy+jQzFaNpuG54ylz4y6jk
37 | w4sbWtwCeHIbLCU9Ee0lHb0xWrkOJnOPYrq0hlXCCqkml0HjD5jdheoRglJIUabm
38 | eA3ZUVSXXLsWuPlItoM02+JcMJV82Hfh9w0cYq1Z44eyBJO2EMAkLP0T5GRbWA+R
39 | 0vRPQyF7Oz/Klv3ZhTwS0gzNiTmNPCXvCjZoXhc=
40 | -----END CERTIFICATE-----
41 | 


--------------------------------------------------------------------------------
/internal/provider/provider_test.go:
--------------------------------------------------------------------------------
  1 | // Copyright (c) HashiCorp, Inc.
  2 | // SPDX-License-Identifier: MPL-2.0
  3 | 
  4 | package provider
  5 | 
  6 | import (
  7 | 	"regexp"
  8 | 	"testing"
  9 | 	"time"
 10 | 
 11 | 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
 12 | 	"github.com/hashicorp/terraform-plugin-go/tfprotov5"
 13 | 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 14 | )
 15 | 
 16 | func setTimeForTest(timeStr string) func() {
 17 | 	return func() {
 18 | 		overridableTimeFunc = func() time.Time {
 19 | 			t, _ := time.Parse(time.RFC3339, timeStr)
 20 | 			return t
 21 | 		}
 22 | 	}
 23 | }
 24 | 
 25 | func protoV5ProviderFactories() map[string]func() (tfprotov5.ProviderServer, error) {
 26 | 	return map[string]func() (tfprotov5.ProviderServer, error){
 27 | 		"tls": providerserver.NewProtocol5WithError(New()),
 28 | 	}
 29 | }
 30 | 
 31 | func providerVersion340() map[string]resource.ExternalProvider {
 32 | 	return map[string]resource.ExternalProvider{
 33 | 		"tls": {
 34 | 			VersionConstraint: "3.4.0",
 35 | 			Source:            "hashicorp/tls",
 36 | 		},
 37 | 	}
 38 | }
 39 | 
 40 | func providerVersion310() map[string]resource.ExternalProvider {
 41 | 	return map[string]resource.ExternalProvider{
 42 | 		"tls": {
 43 | 			VersionConstraint: "3.1.0",
 44 | 			Source:            "hashicorp/tls",
 45 | 		},
 46 | 	}
 47 | }
 48 | 
 49 | func TestProvider_InvalidProxyConfig(t *testing.T) {
 50 | 	resource.UnitTest(t, resource.TestCase{
 51 | 		ProtoV5ProviderFactories: protoV5ProviderFactories(),
 52 | 
 53 | 		Steps: []resource.TestStep{
 54 | 			{
 55 | 				Config: `
 56 | 					provider "tls" {
 57 | 						proxy {
 58 | 							url = "https://proxy.host.com"
 59 | 							from_env = true
 60 | 						}
 61 | 					}
 62 | 					resource "tls_private_key" "test" {
 63 | 						algorithm = "ED25519"
 64 | 					}
 65 | 				`,
 66 | 				ExpectError: regexp.MustCompile(`Invalid Attribute Combination`),
 67 | 			},
 68 | 			{
 69 | 				Config: `
 70 | 					provider "tls" {
 71 | 						proxy {
 72 | 							username = "user"
 73 | 						}
 74 | 					}
 75 | 					resource "tls_private_key" "test" {
 76 | 						algorithm = "ED25519"
 77 | 					}
 78 | 				`,
 79 | 				ExpectError: regexp.MustCompile(`Invalid Attribute Combination`),
 80 | 			},
 81 | 			{
 82 | 				Config: `
 83 | 					provider "tls" {
 84 | 						proxy {
 85 | 							password = "pwd"
 86 | 						}
 87 | 					}
 88 | 					resource "tls_private_key" "test" {
 89 | 						algorithm = "ED25519"
 90 | 					}
 91 | 				`,
 92 | 				ExpectError: regexp.MustCompile(`Invalid Attribute Combination`),
 93 | 			},
 94 | 			{
 95 | 				Config: `
 96 | 					provider "tls" {
 97 | 						proxy {
 98 | 							username = "user"
 99 | 							password = "pwd"
100 | 						}
101 | 					}
102 | 					resource "tls_private_key" "test" {
103 | 						algorithm = "ED25519"
104 | 					}
105 | 				`,
106 | 				ExpectError: regexp.MustCompile(`Invalid Attribute Combination`),
107 | 			},
108 | 			{
109 | 				Config: `
110 | 					provider "tls" {
111 | 						proxy {
112 | 							username = "user"
113 | 							from_env = true
114 | 						}
115 | 					}
116 | 					resource "tls_private_key" "test" {
117 | 						algorithm = "ED25519"
118 | 					}
119 | 				`,
120 | 				ExpectError: regexp.MustCompile(`Invalid Attribute Combination`),
121 | 			},
122 | 		},
123 | 	})
124 | }
125 | 


--------------------------------------------------------------------------------
/internal/provider/testutils/local_server.go:
--------------------------------------------------------------------------------
  1 | // Copyright (c) HashiCorp, Inc.
  2 | // SPDX-License-Identifier: MPL-2.0
  3 | 
  4 | package testutils
  5 | 
  6 | import (
  7 | 	"fmt"
  8 | 	"log"
  9 | 	"net"
 10 | 	"net/http"
 11 | 
 12 | 	"github.com/elazarl/goproxy"
 13 | 	"github.com/elazarl/goproxy/ext/auth"
 14 | 	r "github.com/hashicorp/terraform-plugin-testing/helper/resource"
 15 | 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 16 | )
 17 | 
 18 | // LocalServerTest is a simple HTTP server used for testing.
 19 | type LocalServerTest struct {
 20 | 	listener      net.Listener
 21 | 	server        *http.Server
 22 | 	connActivated int
 23 | 	connClosed    int
 24 | }
 25 | 
 26 | // NewHTTPServer creates an HTTP server that listens on a random port.
 27 | func NewHTTPServer() (*LocalServerTest, error) {
 28 | 	listener, err := net.Listen("tcp", ":0")
 29 | 	if err != nil {
 30 | 		return nil, err
 31 | 	}
 32 | 
 33 | 	// Create HTTP server, listening on a randomly-selected port
 34 | 	localServer := &LocalServerTest{
 35 | 		listener: listener,
 36 | 		server: &http.Server{
 37 | 			Addr: listener.Addr().String(),
 38 | 		},
 39 | 	}
 40 | 
 41 | 	// Count connections activated and closed
 42 | 	localServer.server.ConnState = func(conn net.Conn, state http.ConnState) {
 43 | 		if state == http.StateActive {
 44 | 			localServer.connActivated++
 45 | 		}
 46 | 		if state == http.StateClosed {
 47 | 			localServer.connClosed++
 48 | 		}
 49 | 	}
 50 | 
 51 | 	return localServer, nil
 52 | }
 53 | 
 54 | // NewHTTPProxyServer creates an HTTP Proxy server that listens on a random port.
 55 | func NewHTTPProxyServer() (*LocalServerTest, error) {
 56 | 	localServer, err := NewHTTPServer()
 57 | 	if err != nil {
 58 | 		return nil, err
 59 | 	}
 60 | 
 61 | 	// Turn http server into a proxy
 62 | 	localServer.server.Handler = goproxy.NewProxyHttpServer()
 63 | 
 64 | 	return localServer, nil
 65 | }
 66 | 
 67 | // NewHTTPProxyServerWithBasicAuth creates an HTTP Proxy server that listens on a random port and expects HTTP Basic Auth.
 68 | func NewHTTPProxyServerWithBasicAuth(expectedUsername, expectedPassword string) (*LocalServerTest, error) {
 69 | 	proxy, err := NewHTTPProxyServer()
 70 | 	if err != nil {
 71 | 		return nil, err
 72 | 	}
 73 | 
 74 | 	proxyHttpServer, ok := proxy.server.Handler.(*goproxy.ProxyHttpServer)
 75 | 	if !ok {
 76 | 		return nil, fmt.Errorf("unexpected type for %T proxy.Server.Handler", proxy.server.Handler)
 77 | 	}
 78 | 
 79 | 	// Add "HTTP Connect auth handler" to proxy server
 80 | 	proxyHttpServer.OnRequest().HandleConnect(auth.BasicConnect("restricted", func(username, password string) bool {
 81 | 		return username == expectedUsername && (expectedPassword == "" || password == expectedPassword)
 82 | 	}))
 83 | 
 84 | 	return proxy, nil
 85 | }
 86 | 
 87 | // ServeTLS makes the server begin listening for TLS client connections.
 88 | func (lst *LocalServerTest) ServeTLS() {
 89 | 	err := lst.server.ServeTLS(lst.listener, "fixtures/public.pem", "fixtures/private.pem")
 90 | 	if err != nil {
 91 | 		log.Println("Failed to start LocalServerTest with TLS", err)
 92 | 	}
 93 | }
 94 | 
 95 | // Serve makes the server begin listening for plain client connections.
 96 | func (lst *LocalServerTest) Serve() {
 97 | 	err := lst.server.Serve(lst.listener)
 98 | 	if err != nil {
 99 | 		log.Println("Failed to start LocalServerTest", err)
100 | 	}
101 | }
102 | 
103 | func (lst *LocalServerTest) Close() error {
104 | 	if err := lst.listener.Close(); err != nil {
105 | 		return err
106 | 	}
107 | 	if err := lst.server.Close(); err != nil {
108 | 		return err
109 | 	}
110 | 	return nil
111 | }
112 | 
113 | func (lst *LocalServerTest) Address() string {
114 | 	return lst.listener.Addr().String()
115 | }
116 | 
117 | func (lst *LocalServerTest) ConnActivated() int {
118 | 	return lst.connActivated
119 | }
120 | 
121 | func (lst *LocalServerTest) ConnClosed() int {
122 | 	return lst.connClosed
123 | }
124 | 
125 | func TestCheckBothServerAndProxyWereUsed(server, proxy *LocalServerTest) r.TestCheckFunc {
126 | 	return func(_ *terraform.State) error {
127 | 		if server.ConnActivated() != proxy.ConnActivated() {
128 | 			return fmt.Errorf("expected server and proxy actived connection count to match: server was %d, while proxy was %d", server.ConnActivated(), proxy.ConnActivated())
129 | 		}
130 | 		if server.ConnClosed() != proxy.ConnClosed() {
131 | 			return fmt.Errorf("expected server and proxy closed connection count to match: server was %d, while proxy was %d", server.ConnClosed(), proxy.ConnClosed())
132 | 		}
133 | 		return nil
134 | 	}
135 | }
136 | 


--------------------------------------------------------------------------------
/internal/provider/types.go:
--------------------------------------------------------------------------------
  1 | // Copyright (c) HashiCorp, Inc.
  2 | // SPDX-License-Identifier: MPL-2.0
  3 | 
  4 | package provider
  5 | 
  6 | import (
  7 | 	"encoding/pem"
  8 | 	"fmt"
  9 | )
 10 | 
 11 | // Algorithm represents a type of private key algorithm.
 12 | type Algorithm string
 13 | 
 14 | const (
 15 | 	RSA     Algorithm = "RSA"
 16 | 	ECDSA   Algorithm = "ECDSA"
 17 | 	ED25519 Algorithm = "ED25519"
 18 | )
 19 | 
 20 | func (a Algorithm) String() string {
 21 | 	return string(a)
 22 | }
 23 | 
 24 | // supportedAlgorithms returns a slice of Algorithm currently supported by this provider.
 25 | func supportedAlgorithms() []Algorithm {
 26 | 	return []Algorithm{
 27 | 		RSA,
 28 | 		ECDSA,
 29 | 		ED25519,
 30 | 	}
 31 | }
 32 | 
 33 | // supportedAlgorithmsStr returns the same content of supportedAlgorithms but as a slice of string.
 34 | func supportedAlgorithmsStr() []string {
 35 | 	supported := supportedAlgorithms()
 36 | 	supportedStr := make([]string, len(supported))
 37 | 	for i := range supported {
 38 | 		supportedStr[i] = supported[i].String()
 39 | 	}
 40 | 	return supportedStr
 41 | }
 42 | 
 43 | // ECDSACurve represents a type of ECDSA elliptic curve.
 44 | type ECDSACurve string
 45 | 
 46 | const (
 47 | 	P224 ECDSACurve = "P224"
 48 | 	P256 ECDSACurve = "P256"
 49 | 	P384 ECDSACurve = "P384"
 50 | 	P521 ECDSACurve = "P521"
 51 | )
 52 | 
 53 | func (e ECDSACurve) String() string {
 54 | 	return string(e)
 55 | }
 56 | 
 57 | // supportedECDSACurves returns an array of ECDSACurve currently supported by this provider.
 58 | func supportedECDSACurves() []ECDSACurve {
 59 | 	return []ECDSACurve{
 60 | 		P224,
 61 | 		P256,
 62 | 		P384,
 63 | 		P521,
 64 | 	}
 65 | }
 66 | 
 67 | // supportedECDSACurvesStr returns the same content of supportedECDSACurves but as a slice of string.
 68 | func supportedECDSACurvesStr() []string {
 69 | 	supported := supportedECDSACurves()
 70 | 	supportedStr := make([]string, len(supported))
 71 | 	for i := range supported {
 72 | 		supportedStr[i] = supported[i].String()
 73 | 	}
 74 | 	return supportedStr
 75 | }
 76 | 
 77 | // PEMPreamble represents the heading used in a PEM-formatted for the "encapsulation boundaries",
 78 | // that is used to delimit the "encapsulated text portion" of cryptographic documents.
 79 | //
 80 | // See https://datatracker.ietf.org/doc/html/rfc1421 and https://datatracker.ietf.org/doc/html/rfc7468.
 81 | type PEMPreamble string
 82 | 
 83 | const (
 84 | 	PreamblePublicKey PEMPreamble = "PUBLIC KEY"
 85 | 
 86 | 	PreamblePrivateKeyPKCS8   PEMPreamble = "PRIVATE KEY"
 87 | 	PreamblePrivateKeyRSA     PEMPreamble = "RSA PRIVATE KEY"
 88 | 	PreamblePrivateKeyEC      PEMPreamble = "EC PRIVATE KEY"
 89 | 	PreamblePrivateKeyOpenSSH PEMPreamble = "OPENSSH PRIVATE KEY"
 90 | 
 91 | 	PreambleCertificate        PEMPreamble = "CERTIFICATE"
 92 | 	PreambleCertificateRequest PEMPreamble = "CERTIFICATE REQUEST"
 93 | )
 94 | 
 95 | func (p PEMPreamble) String() string {
 96 | 	return string(p)
 97 | }
 98 | 
 99 | // pemBlockToPEMPreamble takes a pem.Block and returns the related PEMPreamble, if supported.
100 | func pemBlockToPEMPreamble(block *pem.Block) (PEMPreamble, error) {
101 | 	switch block.Type {
102 | 	case PreamblePublicKey.String():
103 | 		return PreamblePublicKey, nil
104 | 	case PreamblePrivateKeyPKCS8.String():
105 | 		return PreamblePrivateKeyPKCS8, nil
106 | 	case PreamblePrivateKeyRSA.String():
107 | 		return PreamblePrivateKeyRSA, nil
108 | 	case PreamblePrivateKeyEC.String():
109 | 		return PreamblePrivateKeyEC, nil
110 | 	case PreambleCertificate.String():
111 | 		return PreambleCertificate, nil
112 | 	case PreambleCertificateRequest.String():
113 | 		return PreambleCertificateRequest, nil
114 | 	default:
115 | 		return "", fmt.Errorf("unsupported PEM preamble/type: %s", block.Type)
116 | 	}
117 | }
118 | 
119 | // ProxyScheme represents url schemes supported when providing proxy configuration to this provider.
120 | type ProxyScheme string
121 | 
122 | const (
123 | 	HTTPProxy   ProxyScheme = "http"
124 | 	HTTPSProxy  ProxyScheme = "https"
125 | 	SOCKS5Proxy ProxyScheme = "socks5"
126 | )
127 | 
128 | func (p ProxyScheme) String() string {
129 | 	return string(p)
130 | }
131 | 
132 | // supportedProxySchemes returns an array of ProxyScheme currently supported by this provider.
133 | func supportedProxySchemes() []ProxyScheme {
134 | 	return []ProxyScheme{
135 | 		HTTPProxy,
136 | 		HTTPSProxy,
137 | 		SOCKS5Proxy,
138 | 	}
139 | }
140 | 
141 | // supportedProxySchemesStr returns the same content of supportedProxySchemes but as a slice of string.
142 | func supportedProxySchemesStr() []string {
143 | 	supported := supportedProxySchemes()
144 | 	supportedStr := make([]string, len(supported))
145 | 	for i := range supported {
146 | 		supportedStr[i] = string(supported[i])
147 | 	}
148 | 	return supportedStr
149 | }
150 | 
151 | // URLScheme represents url schemes supported by resources and data-sources of this provider.
152 | type URLScheme string
153 | 
154 | const (
155 | 	HTTPSScheme URLScheme = "https"
156 | 	TLSScheme   URLScheme = "tls"
157 | )
158 | 
159 | func (p URLScheme) String() string {
160 | 	return string(p)
161 | }
162 | 
163 | // supportedURLSchemes returns an array of URLScheme currently supported by this provider.
164 | func supportedURLSchemes() []URLScheme {
165 | 	return []URLScheme{
166 | 		HTTPSScheme,
167 | 		TLSScheme,
168 | 	}
169 | }
170 | 
171 | // supportedURLSchemesStr returns the same content of supportedURLSchemes but as a slice of string.
172 | func supportedURLSchemesStr() []string {
173 | 	supported := supportedURLSchemes()
174 | 	supportedStr := make([]string, len(supported))
175 | 	for i := range supported {
176 | 		supportedStr[i] = string(supported[i])
177 | 	}
178 | 	return supportedStr
179 | }
180 | 


--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
 1 | // Copyright (c) HashiCorp, Inc.
 2 | // SPDX-License-Identifier: MPL-2.0
 3 | 
 4 | package main
 5 | 
 6 | import (
 7 | 	"context"
 8 | 	"flag"
 9 | 	"fmt"
10 | 	"os"
11 | 
12 | 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
13 | 
14 | 	"github.com/hashicorp/terraform-provider-tls/internal/provider"
15 | )
16 | 
17 | func main() {
18 | 	var debug bool
19 | 
20 | 	flag.BoolVar(&debug, "debug", false, "set to true to run the provider with support for debuggers like delve")
21 | 	flag.Parse()
22 | 
23 | 	err := providerserver.Serve(context.Background(), provider.New, providerserver.ServeOpts{
24 | 		Address:         "registry.terraform.io/hashicorp/tls",
25 | 		Debug:           debug,
26 | 		ProtocolVersion: 5,
27 | 	})
28 | 	if err != nil {
29 | 		fmt.Printf("failed to initialize provider: %v\n", err)
30 | 		os.Exit(1)
31 | 	}
32 | }
33 | 


--------------------------------------------------------------------------------
/templates/data-sources/certificate.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
 3 | subcategory: ""
 4 | description: |-
 5 | {{ .Description | plainmarkdown | trimspace | prefixlines "  " }}
 6 | ---
 7 | 
 8 | # {{.Name}} ({{.Type}})
 9 | 
10 | {{ .Description | trimspace }}
11 | 
12 | ## Example Usage
13 | 
14 | ### URL Usage
15 | {{ tffile "examples/data-sources/tls_certificate/data-source.tf" }}
16 | 
17 | ### Content Usage
18 | {{ tffile "examples/data-sources/tls_certificate/content-example.tf" }}
19 | 
20 | <!-- 
21 |     Schema ORIGINALLY generated by tfplugindocs,
22 |     then manually tweaked to circumvent current limitations.
23 | 
24 |     This should be revisited, once https://github.com/hashicorp/terraform-plugin-docs/issues/66 is resolved.
25 | -->
26 | ## Schema
27 | 
28 | ### Optional
29 | 
30 | - `url` (String) The URL of the website to get the certificates from. Cannot be used with `content`.
31 | - `content` (String) The content of the certificate in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. Cannot be used with `url`.
32 | - `verify_chain` (Boolean) Whether to verify the certificate chain while parsing it or not (default: `true`). Cannot be used with `content`.
33 | 
34 | ### Read-Only
35 | 
36 | - `id` (String) Unique identifier of this data source: hashing of the certificates in the chain.
37 | - `certificates` (List of Object) The certificates protecting the site, with the root of the chain first. (see [below for nested schema](#nestedatt--certificates))
38 | 
39 | <a id="nestedatt--certificates"></a>
40 | ### Nested Schema for `certificates`
41 | 
42 | Read-Only:
43 | 
44 | - `is_ca` (Boolean) `true` if the certificate is of a CA (Certificate Authority).
45 | - `issuer` (String) Who verified and signed the certificate, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
46 | - `not_after` (String) The time until which the certificate is invalid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
47 | - `not_before` (String) The time after which the certificate is valid, as an [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
48 | - `public_key_algorithm` (String) The key algorithm used to create the certificate.
49 | - `serial_number` (String) Number that uniquely identifies the certificate with the CA's system.
50 |   The `format` function can be used to convert this _base 10_ number into other bases, such as hex.
51 | - `sha1_fingerprint` (String) The SHA1 fingerprint of the public key of the certificate.
52 | - `signature_algorithm` (String) The algorithm used to sign the certificate.
53 | - `subject` (String) The entity the certificate belongs to, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).
54 | - `version` (Number) The version the certificate is in.
55 | - `cert_pem` (String) Certificate data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
56 | 


--------------------------------------------------------------------------------
/templates/index.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "Provider: TLS"
 3 | description: |-
 4 |   The TLS provider provides utilities for working with Transport Layer Security keys and certificates.
 5 | ---
 6 | 
 7 | # {{ .ProviderShortName | upper }} Provider
 8 | 
 9 | The TLS provider provides utilities for working with *Transport Layer Security*
10 | keys and certificates. It provides resources that
11 | allow private keys, certificates and certificate requests to be
12 | created as part of a Terraform deployment.
13 | 
14 | Another name for Transport Layer Security is *Secure Sockets Layer*,
15 | or SSL. TLS and SSL are equivalent when considering the resources
16 | managed by this provider.
17 | 
18 | This provider is not particularly useful on its own, but it can be
19 | used to create certificates and credentials that can then be used
20 | with other providers when creating resources that expose TLS
21 | services or that themselves provision TLS certificates.
22 | 
23 | Use the navigation to the left to read about the available resources.
24 | 
25 | ## Example Usage
26 | 
27 | {{ tffile "examples/provider/provider.tf" }}
28 | 
29 | ### Configuring Proxy
30 | 
31 | {{ tffile "examples/provider/provider_with_proxy.tf" }}
32 | 
33 | {{ tffile "examples/provider/provider_with_proxy_from_env.tf" }}
34 | 
35 | {{ .SchemaMarkdown | trimspace }}
36 | 
37 | ## Limitations
38 | 
39 | ### `ECDSA` with `P224` elliptic curve
40 | 
41 | When using `ECDSA` with `P224`, all the (computed) attributes
42 | that have to do with [OpenSSH](https://www.openssh.com/) will have a value of `""` (empty string).
43 | This applies to different resources and data sources offered by this provider,
44 | like the `tls_private_key` resource or the `tls_public_key` data source.
45 | 
46 | The attributes affected are:
47 | 
48 | * `.public_key_openssh`
49 | * `.private_key_openssh`
50 | * `.public_key_fingerprint_md5`
51 | * `.public_key_fingerprint_sha256`
52 | 
53 | This is because the SSH ECC Algorithm Integration ([RFC 5656](https://datatracker.ietf.org/doc/html/rfc5656))
54 | restricts support for elliptic curves to "nistp256", "nistp384" and "nistp521".
55 | 
56 | ### Secrets and Terraform state
57 | 
58 | Some resources that can be created with this provider, like `tls_private_key`, are
59 | considered "secrets", and as such are marked by this provider as _sensitive_, so to
60 | help practitioner to not accidentally leak their value in logs or other form of output.
61 | 
62 | It's important to remember that the values that constitute the "state" of those
63 | resources will be stored in the [Terraform state](https://www.terraform.io/language/state) file.
64 | This includes the "secrets", that will be part of the state file *unencrypted*.
65 | 
66 | Because of these limitations, **use of these resources for production deployments is _not_ recommended**.
67 | Failing that, **protecting the content of the state file is strongly recommended**.
68 | 
69 | The more general advice is that it's better to generate "secrets" outside of Terraform,
70 | and then distribute them securely to the system where Terraform will make use of them.
71 | 


--------------------------------------------------------------------------------
/templates/resources/cert_request.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
 3 | subcategory: ""
 4 | description: |-
 5 | {{ .Description | plainmarkdown | trimspace | prefixlines "  " }}
 6 | ---
 7 | 
 8 | # {{.Name}} ({{.Type}})
 9 | 
10 | {{ .Description | trimspace }}
11 | 
12 | This is a *logical resource*, so it contributes only to the current Terraform
13 | state and does not create any external managed resources.
14 | 
15 | 
16 | ## Example Usage
17 | 
18 | {{ tffile "examples/resources/tls_cert_request/resource.tf" }}
19 | 
20 | {{ .SchemaMarkdown | trimspace }}
21 | 


--------------------------------------------------------------------------------
/templates/resources/locally_signed_cert.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
 3 | subcategory: ""
 4 | description: |-
 5 | {{ .Description | plainmarkdown | trimspace | prefixlines "  " }}
 6 | ---
 7 | 
 8 | # {{.Name}} ({{.Type}})
 9 | 
10 | {{ .Description | trimspace }}
11 | 
12 | -> **Note** Locally-signed certificates are generally only trusted by client software when
13 | setup to use the provided CA. They are normally used in development environments
14 | or when deployed internally to an organization.
15 | 
16 | ## Example Usage
17 | 
18 | {{ tffile "examples/resources/tls_locally_signed_cert/resource.tf" }}
19 | 
20 | {{ .SchemaMarkdown | trimspace }}
21 | 
22 | ## Automatic Renewal
23 | 
24 | This resource considers its instances to have been deleted after either their validity
25 | periods ends (i.e. beyond the `validity_period_hours`)
26 | or the early renewal period is reached (i.e. within the `early_renewal_hours`):
27 | when this happens, the `ready_for_renewal` attribute will be `true`.
28 | At this time, applying the Terraform configuration will cause a new certificate to be
29 | generated for the instance.
30 | 
31 | Therefore in a development environment with frequent deployments it may be convenient
32 | to set a relatively-short expiration time and use early renewal to automatically provision
33 | a new certificate when the current one is about to expire.
34 | 
35 | The creation of a new certificate may of course cause dependent resources to be updated
36 | or replaced, depending on the lifecycle rules applying to those resources.
37 | 


--------------------------------------------------------------------------------
/templates/resources/private_key.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
 3 | subcategory: ""
 4 | description: |-
 5 | {{ .Description | plainmarkdown | trimspace | prefixlines "  " }}
 6 | ---
 7 | 
 8 | # {{.Name}} ({{.Type}})
 9 | 
10 | {{ .Description | trimspace }}
11 | 
12 | ~> **Security Notice** The private key generated by this resource will
13 | be stored *unencrypted* in your Terraform state file. **Use of this resource
14 | for production deployments is *not* recommended**. Instead, generate
15 | a private key file outside of Terraform and distribute it securely
16 | to the system where Terraform will be run.
17 | 
18 | This is a *logical resource*, so it contributes only to the current Terraform
19 | state and does not create any external managed resources.
20 | 
21 | 
22 | ## Example Usage
23 | 
24 | {{ tffile "examples/resources/tls_private_key/resource.tf" }}
25 | 
26 | {{ .SchemaMarkdown | trimspace }}
27 | 
28 | ## Generating a New Key
29 | 
30 | Since a private key is a logical resource that lives only in the Terraform state,
31 | it will persist until it is explicitly destroyed by the user.
32 | 
33 | In order to force the generation of a new key within an existing state, the
34 | private key instance can be "tainted":
35 | 
36 | ```
37 | terraform taint tls_private_key.example
38 | ```
39 | 
40 | A new key will then be generated on the next ``terraform apply``.
41 | 


--------------------------------------------------------------------------------
/templates/resources/self_signed_cert.md.tmpl:
--------------------------------------------------------------------------------
 1 | ---
 2 | page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
 3 | subcategory: ""
 4 | description: |-
 5 | {{ .Description | plainmarkdown | trimspace | prefixlines "  " }}
 6 | ---
 7 | 
 8 | # {{.Name}} ({{.Type}})
 9 | 
10 | {{ .Description | trimspace }}
11 | 
12 | ~> **Warning** Self-signed certificates are usually used only in development environments
13 | or applications deployed internally to an organization.
14 | Certificates of this type are generally not trusted by client software such
15 | as web browsers. Therefore clients are likely to generate trust warnings when
16 | connecting to a server that has a self-signed certificate. 
17 | 
18 | ## Example Usage
19 | 
20 | {{ tffile "examples/resources/tls_self_signed_cert/resource.tf" }}
21 | 
22 | {{ .SchemaMarkdown | trimspace }}
23 | 
24 | ## Automatic Renewal
25 | 
26 | This resource considers its instances to have been deleted after either their validity
27 | periods ends (i.e. beyond the `validity_period_hours`)
28 | or the early renewal period is reached (i.e. within the `early_renewal_hours`):
29 | when this happens, the `ready_for_renewal` attribute will be `true`.
30 | At this time, applying the Terraform configuration will cause a new certificate to be
31 | generated for the instance.
32 | 
33 | Therefore in a development environment with frequent deployments it may be convenient
34 | to set a relatively-short expiration time and use early renewal to automatically provision
35 | a new certificate when the current one is about to expire.
36 | 
37 | The creation of a new certificate may of course cause dependent resources to be updated
38 | or replaced, depending on the lifecycle rules applying to those resources.
39 | 


--------------------------------------------------------------------------------
/terraform-registry-manifest.json:
--------------------------------------------------------------------------------
1 | {
2 |     "version": 1,
3 |     "metadata": {
4 |         "protocol_versions": ["5.0"]
5 |     }
6 | }
7 | 


--------------------------------------------------------------------------------
/tools/go.mod:
--------------------------------------------------------------------------------
 1 | module tools
 2 | 
 3 | go 1.23.7
 4 | 
 5 | require (
 6 | 	github.com/hashicorp/copywrite v0.22.0
 7 | 	github.com/hashicorp/terraform-plugin-docs v0.21.0
 8 | )
 9 | 
10 | require (
11 | 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
12 | 	github.com/BurntSushi/toml v1.2.1 // indirect
13 | 	github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
14 | 	github.com/Masterminds/goutils v1.1.1 // indirect
15 | 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
16 | 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
17 | 	github.com/ProtonMail/go-crypto v1.1.3 // indirect
18 | 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
19 | 	github.com/armon/go-radix v1.0.0 // indirect
20 | 	github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef // indirect
21 | 	github.com/bgentry/speakeasy v0.1.0 // indirect
22 | 	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
23 | 	github.com/bradleyfalzon/ghinstallation/v2 v2.5.0 // indirect
24 | 	github.com/cli/go-gh/v2 v2.11.2 // indirect
25 | 	github.com/cli/safeexec v1.0.0 // indirect
26 | 	github.com/cloudflare/circl v1.3.7 // indirect
27 | 	github.com/fatih/color v1.16.0 // indirect
28 | 	github.com/fsnotify/fsnotify v1.5.4 // indirect
29 | 	github.com/go-openapi/errors v0.20.2 // indirect
30 | 	github.com/go-openapi/strfmt v0.21.3 // indirect
31 | 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
32 | 	github.com/golang/protobuf v1.5.2 // indirect
33 | 	github.com/google/go-github/v45 v45.2.0 // indirect
34 | 	github.com/google/go-github/v53 v53.0.0 // indirect
35 | 	github.com/google/go-querystring v1.1.0 // indirect
36 | 	github.com/google/uuid v1.3.0 // indirect
37 | 	github.com/hashicorp/cli v1.1.7 // indirect
38 | 	github.com/hashicorp/errwrap v1.1.0 // indirect
39 | 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
40 | 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
41 | 	github.com/hashicorp/go-hclog v1.6.3 // indirect
42 | 	github.com/hashicorp/go-multierror v1.1.1 // indirect
43 | 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
44 | 	github.com/hashicorp/go-uuid v1.0.3 // indirect
45 | 	github.com/hashicorp/go-version v1.7.0 // indirect
46 | 	github.com/hashicorp/hc-install v0.9.1 // indirect
47 | 	github.com/hashicorp/hcl v1.0.0 // indirect
48 | 	github.com/hashicorp/terraform-exec v0.22.0 // indirect
49 | 	github.com/hashicorp/terraform-json v0.24.0 // indirect
50 | 	github.com/huandu/xstrings v1.3.3 // indirect
51 | 	github.com/imdario/mergo v0.3.15 // indirect
52 | 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
53 | 	github.com/jedib0t/go-pretty v4.3.0+incompatible // indirect
54 | 	github.com/jedib0t/go-pretty/v6 v6.4.6 // indirect
55 | 	github.com/joho/godotenv v1.3.0 // indirect
56 | 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
57 | 	github.com/knadh/koanf v1.5.0 // indirect
58 | 	github.com/mattn/go-colorable v0.1.14 // indirect
59 | 	github.com/mattn/go-isatty v0.0.20 // indirect
60 | 	github.com/mattn/go-runewidth v0.0.15 // indirect
61 | 	github.com/mergestat/timediff v0.0.3 // indirect
62 | 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
63 | 	github.com/mitchellh/copystructure v1.2.0 // indirect
64 | 	github.com/mitchellh/go-homedir v1.1.0 // indirect
65 | 	github.com/mitchellh/mapstructure v1.5.0 // indirect
66 | 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
67 | 	github.com/oklog/ulid v1.3.1 // indirect
68 | 	github.com/posener/complete v1.2.3 // indirect
69 | 	github.com/rivo/uniseg v0.4.7 // indirect
70 | 	github.com/samber/lo v1.37.0 // indirect
71 | 	github.com/shopspring/decimal v1.3.1 // indirect
72 | 	github.com/spf13/cast v1.5.0 // indirect
73 | 	github.com/spf13/cobra v1.6.1 // indirect
74 | 	github.com/spf13/pflag v1.0.5 // indirect
75 | 	github.com/thanhpk/randstr v1.0.4 // indirect
76 | 	github.com/yuin/goldmark v1.7.7 // indirect
77 | 	github.com/yuin/goldmark-meta v1.1.0 // indirect
78 | 	github.com/zclconf/go-cty v1.16.2 // indirect
79 | 	go.abhg.dev/goldmark/frontmatter v0.2.0 // indirect
80 | 	go.mongodb.org/mongo-driver v1.10.0 // indirect
81 | 	golang.org/x/crypto v0.36.0 // indirect
82 | 	golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df // indirect
83 | 	golang.org/x/mod v0.22.0 // indirect
84 | 	golang.org/x/net v0.38.0 // indirect
85 | 	golang.org/x/oauth2 v0.8.0 // indirect
86 | 	golang.org/x/sync v0.12.0 // indirect
87 | 	golang.org/x/sys v0.31.0 // indirect
88 | 	golang.org/x/term v0.30.0 // indirect
89 | 	golang.org/x/text v0.23.0 // indirect
90 | 	google.golang.org/appengine v1.6.7 // indirect
91 | 	google.golang.org/protobuf v1.33.0 // indirect
92 | 	gopkg.in/yaml.v2 v2.4.0 // indirect
93 | 	gopkg.in/yaml.v3 v3.0.1 // indirect
94 | )
95 | 


--------------------------------------------------------------------------------
/tools/tools.go:
--------------------------------------------------------------------------------
 1 | // Copyright (c) HashiCorp, Inc.
 2 | // SPDX-License-Identifier: MPL-2.0
 3 | 
 4 | //go:build generate
 5 | 
 6 | package tools
 7 | 
 8 | import (
 9 | 	// document generation
10 | 	_ "github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs"
11 | 	// copywrite header generation
12 | 	_ "github.com/hashicorp/copywrite"
13 | )
14 | 
15 | // Generate copyright headers
16 | //go:generate go run github.com/hashicorp/copywrite headers -d .. --config ../.copywrite.hcl
17 | // Format Terraform code for use in documentation.
18 | // If you do not have Terraform installed, you can remove the formatting command, but it is suggested
19 | // to ensure the documentation is formatted properly.
20 | //go:generate terraform fmt -recursive ../examples/
21 | // Generate documentation.
22 | //go:generate go run github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs generate --provider-dir ..
23 | 


--------------------------------------------------------------------------------
/version/VERSION:
--------------------------------------------------------------------------------
1 | 4.1.0


--------------------------------------------------------------------------------