This repository has been archived by the owner on Sep 22, 2020. It is now read-only.

ACME Certificate and Registration Provider

The Automated Certificate Management Environment (ACME, standardized as RFC 8555) is a protocol for automating issuance by a domain-validated certificate authority. A client creates an account with the CA using an asymmetric account key (every request to the CA is signed with it) and contact information, then proves control of each domain by answering a challenge: the CA issues a random token, and the client derives a key authorization from that token and its account key and publishes it either over HTTP, at a well-known path on the domain, or in DNS, as a TXT record. Once the CA has verified the responses, the client can request certificates for those domains. No step requires user interaction, traditionally the blocker to obtaining a domain-validated certificate.
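The challenge step above is the only cryptographic work the client does without talking to the CA, so it is worth seeing in full. The following script is an added example, not code from this provider or from the ACME spec: using only the Python standard library it computes the RFC 7638 JWK thumbprint of an account key, the RFC 8555 key authorization (token "." thumbprint), the HTTP-01 resource the client must serve, and the DNS-01 TXT value (base64url of the SHA-256 of the key authorization). The account key and the token are constructed for the example; the JWK is far too small to be a real key.

```python
"""Added example: deriving ACME (RFC 8555) challenge responses offline.

Given an ACME account key as a JWK and the token the CA issued with a
challenge, derive:
  * the key authorization  = token || "." || base64url(JWK thumbprint)
  * the HTTP-01 resource   (path and body the client must serve)
  * the DNS-01 TXT record  = base64url(SHA-256(key authorization))
The JWK and token below are constructed for this example, not real values.
"""
import base64
import hashlib
import json
import re

# Members that take part in the JWK thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# RFC 8555 requires challenge tokens to use only the base64url alphabet.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over canonical JSON of the required members only.

    Members are sorted lexicographically and serialised with no whitespace,
    so extra members such as "kid" or "use" do not change the thumbprint.
    """
    kty = jwk["kty"]
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported key type {kty!r}")
    canonical = {m: jwk[m] for m in _THUMBPRINT_MEMBERS[kty]}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token "." thumbprint.

    Tokens that are not base64url are rejected; besides being what the spec
    mandates, it keeps a hostile token from smuggling "/" or ".." into the
    HTTP-01 path a naive web server would serve.
    """
    if not _B64URL.match(token):
        raise ValueError("challenge token must be base64url without padding")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_resource(token: str, jwk: dict) -> tuple:
    """HTTP-01 (RFC 8555 section 8.3): serve the key authorization as the
    body of http://<domain>/.well-known/acme-challenge/<token>."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 (RFC 8555 section 8.4): TXT record at _acme-challenge.<domain>
    holding base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed example account key (public part only, not a real key) and a
# constructed challenge token of the kind a CA would issue.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "xjlCBYvPiHdTAbUzCwuO4lVgL3cHJ8ZuFwaVUlmvUhs",
    "e": "AQAB",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1",
}
EXAMPLE_TOKEN = "x3NVQ4sa6ThJeUhqgrPtW8-vDfoMm1EncLEzYb0rTnI"

if __name__ == "__main__":
    path, body = http01_resource(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("HTTP-01 path :", path)
    print("HTTP-01 body :", body)
    print("DNS-01 TXT   :", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
```

Two points the script makes concrete: the thumbprint covers only the key material, so the same account key yields the same response regardless of what other JWK members are present, and the DNS-01 value is a hash of the key authorization rather than the key authorization itself, which is why a TXT record never reveals the account key thumbprint.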

Currently the major ACME CA is Let's Encrypt, but the ACME support in Terraform can be configured to use any ACME CA, including an internal one that is set up using Boulder.

For more detail on the ACME process, see here. For the ACME spec, click here. Note that the ACME provider may diverge from the current ACME spec to account for the real-world divergences that are made by CAs such as Let's Encrypt.

⚠️ NOTE: The ACME provider as of version 1.0.0 supports ACME v2 only. For ACME v1 endpoints, version 0.6.0 is required, which can be found here.

Installation Instructions

The ACME provider is currently a 3rd party plugin. See the documentation on 3rd party plugins for installation instructions, and download the latest release from the releases page.

Distributions with direct installation support

If you use Arch Linux, the terraform-provider-acme-bin package is available via the AUR and can be installed via an AUR-supported package manager such as yay. Thanks to @SamWhited for this!

Example with yay:

yay -S terraform-provider-acme-bin

Basic Example

The following example creates an account using the acme_registration resource and a certificate using the acme_certificate resource. The account private key is generated with the tls_private_key resource here, but can be supplied by other means. Note that this key, like any secret Terraform generates, is stored in plaintext in the Terraform state, so the state must be protected as a secret. DNS validation is performed using Amazon Route 53, for which credentials with permission to modify the relevant hosted zone are assumed to be in your environment.

⚠️ NOTE: The directory URLs in all examples in this provider reference Let's Encrypt's staging server endpoint. For production use, change the directory URLs to the production endpoints, which can be found here.

# Point the provider at the CA's ACME directory. This is the Let's Encrypt
# staging endpoint; switch to the production directory URL for real certificates.
provider "acme" {
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# Account key pair. The private key is written to Terraform state in plaintext.
resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

# Create (or look up) the ACME account bound to that key.
resource "acme_registration" "reg" {
  account_key_pem = "${tls_private_key.private_key.private_key_pem}"
  email_address   = "nobody@example.com"
}

# Request a certificate for the listed names, proving control of each one
# through a DNS-01 challenge answered via Route 53.
resource "acme_certificate" "certificate" {
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "www.example.com"
  subject_alternative_names = ["www2.example.com"]

  dns_challenge {
    provider = "route53"
  }
}

Argument Reference

The following arguments are required:

  • server_url - (Required) The URL to the ACME endpoint's directory.

⚠️ Note that the account key is not a provider-level config value at this time to allow the management of accounts and certificates within the same provider.