» Resource: aws_acm_certificate

The ACM certificate resource allows requesting and management of certificates from the Amazon Certificate Manager.

It deals with requesting certificates and managing their attributes and life-cycle. This resource does not deal with validation of a certificate but can provide inputs for other resources implementing the validation. It does not wait for a certificate to be issued. Use a aws_acm_certificate_validation resource for this.

Most commonly, this resource is used together with aws_route53_record and aws_acm_certificate_validation to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

Domain validation through email is also supported but should be avoided as it requires a manual step outside of Terraform.

It's recommended to specify create_before_destroy = true in a lifecycle block to replace a certificate which is currently in use (eg, by aws_lb_listener).

» Example Usage

» Certificate creation

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Environment = "test"

  lifecycle {
    create_before_destroy = true

» Importing an existing certificate

resource "tls_private_key" "example" {
  algorithm = "RSA"

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "RSA"
  private_key_pem = "${tls_private_key.example.private_key_pem}"

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"

  validity_period_hours = 12

  allowed_uses = [

resource "aws_acm_certificate" "cert" {
  private_key      = "${tls_private_key.example.private_key_pem}"
  certificate_body = "${tls_self_signed_cert.example.cert_pem}"

» Argument Reference

The following arguments are supported:

  • Creating an amazon issued certificate
    • domain_name - (Required) A domain name for which the certificate should be issued
    • subject_alternative_names - (Optional) A list of domains that should be SANs in the issued certificate. To remove all elements of a previously configured list, set this value equal to an empty list ([]) or use the terraform taint command to trigger recreation.
    • validation_method - (Required) Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform.
    • options - (Optional) Configuration block used to set certificate options. Detailed below.
  • Importing an existing certificate
  • Creating a private CA issued certificate
  • tags - (Optional) A map of tags to assign to the resource.

» options Configuration Block

Supported nested arguments for the options configuration block:

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The ARN of the certificate
  • arn - The ARN of the certificate
  • domain_name - The domain name for which the certificate is issued
  • domain_validation_options - A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
  • status - Status of the certificate.
  • validation_emails - A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.

Domain validation objects export the following attributes:

» Import

Certificates can be imported using their ARN, e.g.

$ terraform import aws_acm_certificate.cert arn:aws:acm:eu-central-1:123456789012:certificate/7e7a28d2-163f-4b8f-b9cd-822f96c08d6a