» google_compute_managed_ssl_certificate

An SslCertificate resource, used for HTTPS load balancing. This resource represents a certificate for which the certificate secrets are created and managed by Google.

For a resource where you provide the key, see the SSL Certificate resource.

To get more information about ManagedSslCertificate, see:

In conclusion: Be extremely cautious.

» Example Usage - Managed Ssl Certificate Basic

resource "google_compute_managed_ssl_certificate" "default" {
  provider = google-beta

  name = "test-cert"

  managed {
    domains = ["sslcert.tf-test.club."]
  }
}

resource "google_compute_target_https_proxy" "default" {
  provider = google-beta

  name             = "test-proxy"
  url_map          = google_compute_url_map.default.id
  ssl_certificates = [google_compute_managed_ssl_certificate.default.id]
}

resource "google_compute_url_map" "default" {
  provider = google-beta

  name        = "url-map"
  description = "a description"

  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = ["sslcert.tf-test.club"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id

    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}

resource "google_compute_backend_service" "default" {
  provider = google-beta

  name        = "backend-service"
  port_name   = "http"
  protocol    = "HTTP"
  timeout_sec = 10

  health_checks = [google_compute_http_health_check.default.id]
}

resource "google_compute_http_health_check" "default" {
  provider = google-beta

  name               = "http-health-check"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}

resource "google_dns_managed_zone" "zone" {
  provider = google-beta

  name     = "dnszone"
  dns_name = "sslcert.tf-test.club."
}

resource "google_compute_global_forwarding_rule" "default" {
  provider = google-beta

  name       = "forwarding-rule"
  target     = google_compute_target_https_proxy.default.id
  port_range = 443
}

resource "google_dns_record_set" "set" {
  provider = google-beta

  name         = "sslcert.tf-test.club."
  type         = "A"
  ttl          = 3600
  managed_zone = google_dns_managed_zone.zone.name
  rrdatas      = [google_compute_global_forwarding_rule.default.ip_address]
}

provider "google-beta" {
  region = "us-central1"
  zone   = "us-central1-a"
}

» Example Usage - Managed Ssl Certificate Recreation

// This example allows the list of managed domains to be modified and will
// recreate the ssl certificate and update the target https proxy correctly

resource "google_compute_target_https_proxy" "default" {
  provider = google-beta
  name             = "test-proxy"
  url_map          = google_compute_url_map.default.id
  ssl_certificates = [google_compute_managed_ssl_certificate.cert.id]
}

locals {
  managed_domains = ["test.example.com"]
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = "issue6147-cert-"

  keepers = {
    domains = join(",", local.managed_domains)
  }
}

resource "google_compute_managed_ssl_certificate" "cert" {
  provider = google-beta
  name     = random_id.certificate.hex

  lifecycle {
    create_before_destroy = true
  }

  managed {
    domains = local.managed_domains
  }
}

resource "google_compute_url_map" "default" {
  provider = google-beta
  name            = "url-map"
  description     = "a description"
  default_service = google_compute_backend_service.default.id
  host_rule {
    hosts        = ["mysite.com"]
    path_matcher = "allpaths"
  }
  path_matcher {
    name            = "allpaths"
    default_service = google_compute_backend_service.default.id
    path_rule {
      paths   = ["/*"]
      service = google_compute_backend_service.default.id
    }
  }
}

resource "google_compute_backend_service" "default" {
  provider = google-beta
  name          = "backend-service"
  port_name     = "http"
  protocol      = "HTTP"
  timeout_sec   = 10
  health_checks = [google_compute_http_health_check.default.id]
}

resource "google_compute_http_health_check" "default" {
  provider = google-beta
  name               = "http-health-check"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}

» Argument Reference

The following arguments are supported:


  • description - (Optional) An optional description of this resource.

  • name - (Optional) Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.

These are in the same namespace as the managed SSL certificates.

  • managed - (Optional) Properties relevant to a managed certificate. These will be used if the certificate is managed (as indicated by a value of MANAGED in type). Structure is documented below.

  • type - (Optional) Enum field whose value is always MANAGED - used to signal to the API which type this is.

Default value is MANAGED. Possible values are: MANAGED.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The managed block supports:

  • domains - (Required) Domains for which a managed SSL certificate will be valid. Currently, there can be up to 100 domains in this list.
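The name and domains constraints above also apply to the recreation example, where the certificate name is generated by random_id. The following is an added example, not part of the provider documentation, that enforces those limits before the API call is made. It assumes Terraform 1.2 or later (for precondition); the variable names name_prefix and managed_domains are hypothetical.

```hcl
# Added example: variable names are assumptions, not provider arguments.
variable "managed_domains" {
  type        = list(string)
  description = "Domains the managed certificate should cover."

  validation {
    # domains is required and the list can hold up to 100 entries.
    condition     = length(var.managed_domains) >= 1 && length(var.managed_domains) <= 100
    error_message = "Provide between 1 and 100 domains."
  }
}

variable "name_prefix" {
  type    = string
  default = "cert-"

  validation {
    # byte_length = 4 appends 8 hex digits, so the prefix may use at most
    # 55 of the 63 characters allowed for the certificate name.
    condition     = length(var.name_prefix) <= 55 && can(regex("^[a-z][-a-z0-9]*$", var.name_prefix))
    error_message = "The prefix must be 1-55 characters, start with a lowercase letter, and contain only lowercase letters, digits, or dashes."
  }
}

resource "random_id" "certificate" {
  byte_length = 4
  prefix      = var.name_prefix

  # A change to the domain list forces a new id, and so a new certificate.
  keepers = {
    domains = join(",", var.managed_domains)
  }
}

resource "google_compute_managed_ssl_certificate" "cert" {
  provider = google-beta
  name     = random_id.certificate.hex

  lifecycle {
    create_before_destroy = true

    # Checks the generated name against the pattern from the argument reference.
    precondition {
      condition     = length(random_id.certificate.hex) <= 63 && can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", random_id.certificate.hex))
      error_message = "The generated name must be 1-63 characters and match [a-z]([-a-z0-9]*[a-z0-9])?."
    }
  }

  managed {
    domains = var.managed_domains
  }
}
```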

» Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/global/sslCertificates/{{name}}

  • creation_timestamp - Creation timestamp in RFC3339 text format.

  • certificate_id - The unique identifier for the resource.

  • subject_alternative_names - Domains associated with the certificate via Subject Alternative Name.

  • expire_time - Expire time of the certificate.

  • self_link - The URI of the created resource.

» Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 6 minutes.
  • delete - Default is 30 minutes.

» Import

ManagedSslCertificate can be imported using any of these accepted formats:

$ terraform import -provider=google-beta google_compute_managed_ssl_certificate.default projects/{{project}}/global/sslCertificates/{{name}}
$ terraform import -provider=google-beta google_compute_managed_ssl_certificate.default {{project}}/{{name}}
$ terraform import -provider=google-beta google_compute_managed_ssl_certificate.default {{name}}

» User Project Overrides

This resource supports User Project Overrides.