diff --git a/aws/data_source_aws_acm_certificate.go b/aws/data_source_aws_acm_certificate.go
index 48fead5c367..798afd6ed3d 100644
--- a/aws/data_source_aws_acm_certificate.go
+++ b/aws/data_source_aws_acm_certificate.go
@@ -8,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acm"
 	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
 )
 
 func dataSourceAwsAcmCertificate() *schema.Resource {
@@ -27,6 +28,21 @@ func dataSourceAwsAcmCertificate() *schema.Resource {
 			Optional: true,
 			Elem: &schema.Schema{Type: schema.TypeString},
 		},
+		"key_types": {
+			Type: schema.TypeSet,
+			Optional: true,
+			Elem: &schema.Schema{
+				Type: schema.TypeString,
+				ValidateFunc: validation.StringInSlice([]string{
+					acm.KeyAlgorithmEcPrime256v1,
+					acm.KeyAlgorithmEcSecp384r1,
+					acm.KeyAlgorithmEcSecp521r1,
+					acm.KeyAlgorithmRsa1024,
+					acm.KeyAlgorithmRsa2048,
+					acm.KeyAlgorithmRsa4096,
+				}, false),
+			},
+		},
 		"types": {
 			Type: schema.TypeList,
 			Optional: true,
@@ -44,21 +60,14 @@ func dataSourceAwsAcmCertificate() *schema.Resource {
 func dataSourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).acmconn
 
-	// Explicitly define algorithms, by default, the API does not return all types
-	// More information about the values present: https://docs.aws.amazon.com/acm/latest/APIReference/API_Filters.html#ACM-Type-Filters-keyTypes
-	keyAlgorithms := []string{
-		acm.KeyAlgorithmEcPrime256v1,
-		acm.KeyAlgorithmEcSecp384r1,
-		acm.KeyAlgorithmEcSecp521r1,
-		acm.KeyAlgorithmRsa1024,
-		acm.KeyAlgorithmRsa2048,
-		acm.KeyAlgorithmRsa4096,
-	}
-	params := &acm.ListCertificatesInput{
-		Includes: &acm.Filters{
-			KeyTypes: aws.StringSlice(keyAlgorithms),
-		},
+	params := &acm.ListCertificatesInput{}
+
+	if v := d.Get("key_types").(*schema.Set); v.Len() > 0 {
+		params.Includes = &acm.Filters{
+			KeyTypes: expandStringSet(v),
+		}
 	}
+
 	target := d.Get("domain")
 	statuses, ok := d.GetOk("statuses")
 	if ok {
diff --git a/aws/data_source_aws_acm_certificate_test.go b/aws/data_source_aws_acm_certificate_test.go
index be8a4d5d7dd..78054367a58 100644
--- a/aws/data_source_aws_acm_certificate_test.go
+++ b/aws/data_source_aws_acm_certificate_test.go
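Review bot: When `key_types` is left unset the request now goes out with no `Includes` filter at all, so the lookup depends on ACM's server-side default key-type filter, which the removed comment (and the new doc line in this same change) says does not return every algorithm — as I read the API reference the removed comment linked, only RSA_1024/RSA_2048 certificates come back unfiltered. Existing configurations that resolved an RSA_4096 or EC certificate purely by `domain` would then start failing with the no-match error, or, with `most_recent = true` and several certificates on one domain, quietly resolve to an older RSA_2048 certificate instead of the stronger one they got before, which is a silent downgrade of whatever the ARN is attached to. Keeping the full algorithm list as the default and treating `key_types` as a narrowing filter preserves the previous behaviour alongside the new argument, and the removed comment with the API reference link is worth keeping for the same reason. dataSourceAwsAcmCertificateRead continues past the end of this hunk.
```go
func dataSourceAwsAcmCertificateRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).acmconn

	// ACM's default keyTypes filter does not return every algorithm, so request all
	// supported types unless the caller narrows the search with key_types. See
	// https://docs.aws.amazon.com/acm/latest/APIReference/API_Filters.html#ACM-Type-Filters-keyTypes
	keyTypes := aws.StringSlice([]string{
		acm.KeyAlgorithmEcPrime256v1,
		acm.KeyAlgorithmEcSecp384r1,
		acm.KeyAlgorithmEcSecp521r1,
		acm.KeyAlgorithmRsa1024,
		acm.KeyAlgorithmRsa2048,
		acm.KeyAlgorithmRsa4096,
	})
	if v := d.Get("key_types").(*schema.Set); v.Len() > 0 {
		keyTypes = expandStringSet(v)
	}
	params := &acm.ListCertificatesInput{
		Includes: &acm.Filters{KeyTypes: keyTypes},
	}

	// … unchanged: domain / statuses / types handling …
```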
@@ -177,17 +177,16 @@ func TestAccAWSAcmCertificateDataSource_noMatchReturnsError(t *testing.T) {
 	})
 }
 
-func TestAccAWSAcmCertificateDataSource_Rsa4096(t *testing.T) {
+func TestAccAWSAcmCertificateDataSource_KeyTypes(t *testing.T) {
 	resourceName := "aws_acm_certificate.test"
 	dataSourceName := "data.aws_acm_certificate.test"
 
 	resource.ParallelTest(t, resource.TestCase{
-		PreCheck: func() { testAccPreCheck(t) },
-		Providers: testAccProvidersWithTLS,
-		CheckDestroy: testAccCheckAcmCertificateDestroy,
+		PreCheck: func() { testAccPreCheck(t) },
+		Providers: testAccProvidersWithTLS,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccAwsAcmCertificateDataSourceConfigRsa4096(),
+				Config: testAccAwsAcmCertificateDataSourceConfigKeyTypes(),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrPair(resourceName, "arn", dataSourceName, "arn"),
 				),
@@ -251,7 +250,7 @@ data "aws_acm_certificate" "test" {
 `, domain, certType, mostRecent)
 }
 
-func testAccAwsAcmCertificateDataSourceConfigRsa4096() string {
+func testAccAwsAcmCertificateDataSourceConfigKeyTypes() string {
 	return fmt.Sprintf(`
 resource "tls_private_key" "test" {
   algorithm = "RSA"
@@ -281,7 +280,8 @@ resource "aws_acm_certificate" "test" {
 }
 
 data "aws_acm_certificate" "test" {
-  domain = "${aws_acm_certificate.test.domain_name}"
+  domain = "${aws_acm_certificate.test.domain_name}"
+  key_types = ["RSA_4096"]
 }
 `)
 }
diff --git a/website/docs/d/acm_certificate.html.markdown b/website/docs/d/acm_certificate.html.markdown
index fb8d0c82324..20417d05108 100644
--- a/website/docs/d/acm_certificate.html.markdown
+++ b/website/docs/d/acm_certificate.html.markdown
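Review bot: The `CheckDestroy: testAccCheckAcmCertificateDestroy` line is dropped from the test case along with the rename, although the step's config still creates an `aws_acm_certificate.test` resource, so the test no longer verifies that the certificate is gone after the run and a leaked test certificate would go unnoticed. Unless the other data-source tests in this file deliberately omit it (their test cases are outside the hunk), restoring `CheckDestroy: testAccCheckAcmCertificateDestroy,` between `Providers` and `Steps` keeps the cleanup check. The test function's closing lines are outside the hunk.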
@@ -15,21 +15,30 @@ it by domain without having to hard code the ARNs as input. ## Example Usage ```hcl +# Find a certificate that is issued data "aws_acm_certificate" "example" { domain = "tf.example.com" statuses = ["ISSUED"] } +# Find a certificate issued by (not imported into) ACM data "aws_acm_certificate" "example" { domain = "tf.example.com" types = ["AMAZON_ISSUED"] most_recent = true } + +# Find a RSA 4096 bit certificate +data "aws_acm_certificate" "example" { + domain = "tf.example.com" + key_types = ["RSA_4096"] +} ``` ## Argument Reference * `domain` - (Required) The domain of the certificate to look up. If no certificate is found with this name, an error will be returned. + * `key_types` - (Optional) A list of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. Valid values are `RSA_1024`, `RSA_2048`, `RSA_4096`, `EC_prime256v1`, `EC_secp384r1`, and `EC_secp521r1`. * `statuses` - (Optional) A list of statuses on which to filter the returned list. Valid values are `PENDING_VALIDATION`, `ISSUED`, `INACTIVE`, `EXPIRED`, `VALIDATION_TIMED_OUT`, `REVOKED` and `FAILED`. If no value is specified, only certificates in the `ISSUED` state are returned.