{
"name": "acme",
"displayName": "ACME",
"version": "0.14.0",
"description": "A Pulumi package for creating and managing ACME cloud resources.",
"keywords": [
"pulumi",
"acme",
"category/cloud"
],
"homepage": "https://www.pulumi.com",
"license": "Apache-2.0",
"attribution": "This Pulumi package is based on the [`acme` Terraform Provider](https://github.com/vancluever/terraform-provider-acme).",
"repository": "https://github.com/pulumiverse/pulumi-acme",
"pluginDownloadURL": "github://api.github.com/pulumiverse/pulumi-acme",
"publisher": "Pulumiverse",
"meta": {
"moduleFormat": "(.*)(?:/[^/]*)"
},
"language": {
"csharp": {
"packageReferences": {
"Pulumi": "3.*"
},
"compatibility": "tfbridge20",
"rootNamespace": "Pulumiverse",
"respectSchemaVersion": true
},
"go": {
"importBasePath": "github.com/pulumiverse/pulumi-acme/sdk/go/acme",
"generateResourceContainerTypes": true,
"generateExtraInputTypes": true,
"respectSchemaVersion": true
},
"nodejs": {
"packageName": "@pulumiverse/acme",
"packageDescription": "A Pulumi package for creating and managing ACME cloud resources.",
"readme": "> This provider is a derived work of the [Terraform Provider](https://github.com/vancluever/terraform-provider-acme)\n> distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n> first check the [`pulumi-acme` repo](https://github.com/pulumiverse/pulumi-acme/issues); however, if that doesn't turn up anything,\n> please consult the source [`terraform-provider-acme` repo](https://github.com/vancluever/terraform-provider-acme/issues).",
"dependencies": {
"@pulumi/pulumi": "^3.0.0"
},
"devDependencies": {
"@types/mime": "^2.0.0",
"@types/node": "^10.0.0"
},
"compatibility": "tfbridge20",
"disableUnionOutputTypes": true,
"respectSchemaVersion": true
},
"python": {
"packageName": "pulumiverse_acme",
"requires": {
"pulumi": ">=3.0.0,<4.0.0"
},
"readme": "> This provider is a derived work of the [Terraform Provider](https://github.com/vancluever/terraform-provider-acme)\n> distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n> first check the [`pulumi-acme` repo](https://github.com/pulumiverse/pulumi-acme/issues); however, if that doesn't turn up anything,\n> please consult the source [`terraform-provider-acme` repo](https://github.com/vancluever/terraform-provider-acme/issues).",
"compatibility": "tfbridge20",
"respectSchemaVersion": true,
"pyproject": {
"enabled": true
}
}
},
"config": {
"variables": {
"serverUrl": {
"type": "string"
}
},
"defaults": [
"serverUrl"
]
},
"types": {
"acme:index/CertificateDnsChallenge:CertificateDnsChallenge": {
"properties": {
"config": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"secret": true
},
"provider": {
"type": "string"
}
},
"type": "object",
"required": [
"provider"
]
},
"acme:index/CertificateHttpChallenge:CertificateHttpChallenge": {
"properties": {
"port": {
"type": "integer",
"description": "The port that the challenge server listens on. Default: `80`.\n"
},
"proxyHeader": {
"type": "string",
"description": "The proxy header to match against. Default:\n`Host`.\n\nThe `proxy_header` option behaves differently depending on its definition:\n\n* When set to `Host`, standard host header validation is used.\n* When set to `Forwarded`, the server looks in the `Forwarded` header for a\nsection matching `host=DOMAIN` where `DOMAIN` is the domain currently being\nresolved by the challenge. See [RFC 7239](https://tools.ietf.org/html/rfc7239)\nfor more details.\n* When set to an arbitrary header (example: `X-Forwarded-Host`), that header is\nchecked for the host entry in the same way the host header would normally be\nchecked.\n"
}
},
"type": "object"
},
"acme:index/CertificateHttpMemcachedChallenge:CertificateHttpMemcachedChallenge": {
"properties": {
"hosts": {
"type": "array",
"items": {
"type": "string"
}
}
},
"type": "object",
"required": [
"hosts"
]
},
"acme:index/CertificateHttpS3Challenge:CertificateHttpS3Challenge": {
"properties": {
"s3Bucket": {
"type": "string",
"description": "The s3_bucket to publish the record to.\n"
}
},
"type": "object",
"required": [
"s3Bucket"
]
},
"acme:index/CertificateHttpWebrootChallenge:CertificateHttpWebrootChallenge": {
"properties": {
"directory": {
"type": "string",
"description": "The directory to publish the record to.\n"
}
},
"type": "object",
"required": [
"directory"
]
},
"acme:index/CertificateTlsChallenge:CertificateTlsChallenge": {
"properties": {
"port": {
"type": "integer",
"description": "The port that the challenge server listens on. Default: `443`.\n"
}
},
"type": "object"
},
"acme:index/RegistrationExternalAccountBinding:RegistrationExternalAccountBinding": {
"properties": {
"hmacBase64": {
"type": "string",
"secret": true,
"willReplaceOnChanges": true
},
"keyId": {
"type": "string",
"secret": true,
"willReplaceOnChanges": true
}
},
"type": "object",
"required": [
"hmacBase64",
"keyId"
]
}
},
"provider": {
"description": "The provider type for the acme package. By default, resources use package-wide configuration\nsettings, however an explicit `Provider` instance may be created and passed during resource\nconstruction to achieve fine-grained programmatic control over provider settings. See the\n[documentation](https://www.pulumi.com/docs/reference/programming-model/#providers) for more information.\n",
"properties": {
"serverUrl": {
"type": "string"
}
},
"type": "object",
"required": [
"serverUrl"
],
"inputProperties": {
"serverUrl": {
"type": "string"
}
},
"requiredInputs": [
"serverUrl"
]
},
"resources": {
"acme:index/certificate:Certificate": {
"properties": {
"accountKeyPem": {
"type": "string",
"description": "The private key of the account that is\nrequesting the certificate. Forces a new resource when changed.\n",
"secret": true
},
"certTimeout": {
"type": "integer",
"description": "Controls the timeout in seconds for certificate requests\nthat are made after challenges are complete. Defaults to 30 seconds.\n\n> As mentioned, `cert_timeout` does nothing until all challenges are complete.\nIf you are looking to control timeouts related to a particular challenge (such\nas a DNS challenge), see that challenge provider's specific options.\n"
},
"certificateDomain": {
"type": "string",
"description": "The common name of the certificate.\n"
},
"certificateNotAfter": {
"type": "string",
"description": "The expiry date of the certificate, laid out in\nRFC3339 format (`2006-01-02T15:04:05Z07:00`).\n"
},
"certificateP12": {
"type": "string",
"description": "The certificate, any intermediates, and the private key\narchived as a PFX file (PKCS12 format, generally used by Microsoft products).\nThe data is base64 encoded (including padding), and its password is\nconfigurable via the `certificate_p12_password`\nargument. This field is empty if creating a certificate from a CSR.\n",
"secret": true
},
"certificateP12Password": {
"type": "string",
"description": "Password to be used when generating\nthe PFX file stored in `certificate_p12`. Defaults to an\nempty string.\n",
"secret": true
},
"certificatePem": {
"type": "string",
"description": "The certificate in PEM format. This does not include the\n`issuer_pem`. This certificate can be concatenated with `issuer_pem` to form\na full chain, e.g. `\"${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}\"`\n"
},
"certificateRequestPem": {
"type": "string",
"description": "A pre-created certificate request, such as one\nfrom [`tls_cert_request`][tls-cert-request], or one from an external source,\nin PEM format. Forces a new resource when changed.\n\n> One of `common_name`, `subject_alternative_names`, or\n`certificate_request_pem` must be specified. `certificate_request_pem`\nconflicts with `common_name` and `subject_alternative_names`; You cannot have\n`certificate_request_pem` defined at the same time as `common_name` or\n`subject_alternative_names`, and vice versa. Finally, `common_name` can be\nblank while `subject_alternative_names` is defined, and vice versa; in this\ncase with the `classic` Let's Encrypt profile, the first domain defined in\n`subject_alternative_names` becomes the common name.\n"
},
"certificateSerial": {
"type": "string",
"description": "The serial number, in string format, as reported by\nthe CA.\n"
},
"certificateUrl": {
"type": "string",
"description": "The full URL of the certificate within the ACME CA.\n"
},
"commonName": {
"type": "string",
"description": "The certificate's common name, the primary domain that the\ncertificate will be recognized for. Forces a new resource when changed.\n"
},
"disableCompletePropagation": {
"type": "boolean",
"description": "Disable the requirement for full\npropagation of the TXT challenge records before proceeding with validation.\nDefaults to `false`.\n\n> See About DNS propagation checks for details\non the `recursive_nameservers` and `disable_complete_propagation` settings.\n"
},
"dnsChallenges": {
"type": "array",
"items": {
"$ref": "#/types/acme:index%2FCertificateDnsChallenge:CertificateDnsChallenge"
},
"description": "The DNS challenges to\nuse in fulfilling the request.\n"
},
"httpChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpChallenge:CertificateHttpChallenge",
"description": "Defines an HTTP challenge to use in fulfilling\nthe request.\n"
},
"httpMemcachedChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpMemcachedChallenge:CertificateHttpMemcachedChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[Memcached](https://memcached.org/) cluster.\n"
},
"httpS3Challenge": {
"$ref": "#/types/acme:index%2FCertificateHttpS3Challenge:CertificateHttpS3Challenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[S3](https://aws.amazon.com/s3/) bucket.\n"
},
"httpWebrootChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpWebrootChallenge:CertificateHttpWebrootChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to place a file at a location that can be served by\nan out-of-band webserver.\n"
},
"issuerPem": {
"type": "string",
"description": "The intermediate certificates of the issuer. Multiple\ncertificates are concatenated in this field when there is more than one\nintermediate certificate in the chain.\n"
},
"keyType": {
"type": "string",
"description": "The key type for the certificate's private key. Can be one of:\n`P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and\n`8192` (for RSA keys of respective length). Required when not specifying a\nCSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when\nchanged.\n"
},
"minDaysRemaining": {
"type": "integer",
"description": "The minimum amount of days remaining on the\nexpiration of a certificate before a renewal is attempted. The default is\n`30`. A value of less than `0` means that the certificate will never be\nrenewed.\n"
},
"mustStaple": {
"type": "boolean",
"description": "Enables the [OCSP Stapling Required][ocsp-stapling]\nTLS Security Policy extension. Certificates with this extension must include a\nvalid OCSP Staple in the TLS handshake for the connection to succeed.\nDefaults to `false`. Note that this option has no effect when using an\nexternal CSR - it must be enabled in the CSR itself. Forces a new resource\nwhen changed.\n\n[ocsp-stapling]: https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling\n\n> OCSP stapling requires specific webserver configuration to support the\ndownloading of the staple from the CA's OCSP endpoints, and should be configured\nto tolerate prolonged outages of the OCSP service. Consider this when using\n`must_staple`, and only enable it if you are sure your webserver or service\nprovider can be configured correctly.\n"
},
"preCheckDelay": {
"type": "integer",
"description": "Insert a delay after _every_ DNS challenge\nrecord to allow for extra time for DNS propagation before the certificate is\nrequested. Use this option if you observe issues with requesting certificates\neven when DNS challenge records get added successfully. Units are in seconds.\nDefaults to 0 (no delay).\n\n> Be careful with `pre_check_delay` since the delay is executed _per-domain_.\nTake your expected delay and divide it by the number of domains you have\nconfigured (`common_name` + `subject_alternative_names`).\n"
},
"preferredChain": {
"type": "string",
"description": "The common name of the root of a preferred\nalternate certificate chain offered by the CA. The certificates in\n`issuer_pem` will reflect the chain requested, if available, otherwise the\ndefault chain will be provided. Forces a new resource when changed.\n\n> `preferred_chain` can be used to request alternate chains on Let's Encrypt\nduring the transition away from their old cross-signed intermediates. See [this\narticle for more\ndetails](https://letsencrypt.org/2020/12/21/extending-android-compatibility.html).\nIn their example titled **\"What about the alternate chain?\"**, the root you\nwould put in to the `preferred_chain` field would be `ISRG Root X1`. The\nequivalent in the [staging\nenvironment](https://letsencrypt.org/docs/staging-environment/) is `(STAGING)\nPretend Pear X1`.\n"
},
"privateKeyPem": {
"type": "string",
"description": "The certificate's private key, in PEM format, if the\ncertificate was generated from scratch and not with\n`certificate_request_pem`. If\n`certificate_request_pem` was used, this will be blank.\n",
"secret": true
},
"profile": {
"type": "string",
"description": "The ACME profile to use when requesting the\ncertificate. This can be used to control generation parameters according to\nthe specific CA. The default is blank (no profile); forces a new resource\nwhen changed.\n\n> Let's Encrypt publishes details on their profiles at\n.\n"
},
"recursiveNameservers": {
"type": "array",
"items": {
"type": "string"
},
"description": "The recursive nameservers that will be\nused to check for propagation of DNS challenge records, in addition to some\nin-provider checks such as zone detection. Defaults to your system-configured\nDNS resolvers.\n"
},
"renewalInfoExplanationUrl": {
"type": "string",
"description": "A URL that can be optionally supplied by an\nARI endpoint explaining the renewal window policy (see\n`use_renewal_info`).\n"
},
"renewalInfoIgnoreRetryAfter": {
"type": "boolean",
"description": "Ignores the retry interval\nsupplied by the ARI endpoint for re-fetching renewal window data. Should only\nbe used for testing. Default: `false`.\n"
},
"renewalInfoMaxSleep": {
"type": "integer",
"description": "The maximum amount of time, in seconds,\nthat the resource is willing to sleep during apply to reach a selected\nrenewal window time when `use_renewal_info` is set to `true`. Default: `0`.\n\n> It's recommended to only use small values here (a few minutes maximum).\nUsing extremely high values increases the risk of resource timeouts. To prevent\nhard resource timeouts, the maximum value allowed here is 900 seconds, or 15\nminutes.\n"
},
"renewalInfoRetryAfter": {
"type": "string",
"description": "A timestamp describing when ARI details will be\nrefreshed if already fetched (see `use_renewal_info`).\n"
},
"renewalInfoWindowEnd": {
"type": "string",
"description": "The end of the discovered ARI renewal window (see\n`use_renewal_info`).\n"
},
"renewalInfoWindowSelected": {
"type": "string",
"description": "The selected time within the ARI renewal\nwindow that a certificate will be renewed, if\n`use_renewal_info` is enabled.\n"
},
"renewalInfoWindowStart": {
"type": "string",
"description": "The start of the discovered ARI renewal window\n(see `use_renewal_info`).\n"
},
"revokeCertificateOnDestroy": {
"type": "boolean",
"description": "Enables revocation of a certificate upon destroy,\nwhich includes when a resource is re-created. Default is `true`.\n"
},
"revokeCertificateReason": {
"type": "string",
"description": "Some CA's require a reason for revocation to be provided.\nUse this reason (from [RFC 5280, section 5.3.1](https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1).\nBy default, no reason provided in revocation requests. The reason is a string, when provided should be one of:\n* unspecified\n* key-compromise\n* ca-compromise\n* affiliation-changed\n* superseded\n* cessation-of-operation\n* certificate-hold\n* remove-from-crl\n* privilege-withdrawn\n* aa-compromise\n"
},
"subjectAlternativeNames": {
"type": "array",
"items": {
"type": "string"
},
"description": "The certificate's subject alternative names;\ndomains that this certificate will also be recognized for. Forces a new\nresource when changed.\n"
},
"tlsChallenge": {
"$ref": "#/types/acme:index%2FCertificateTlsChallenge:CertificateTlsChallenge",
"description": "Defines a TLS challenge to use in fulfilling the\nrequest.\n\n> Only one of `http_challenge`, `http_webroot_challenge`, `http_s3_challenge`\nand `http_memcached_challenge` can be defined at once. See the section on\nUsing HTTP and TLS challenges for more\ndetails on using these and `tls_challenge`.\n"
},
"useRenewalInfo": {
"type": "boolean",
"description": "When enabled, use information available from\nthe CA's ACME Renewal Information (ARI) endpoint for renewing certificates.\nDefault: `false`.\n\n> More detail on ARI can be found in [RFC\n9773](https://datatracker.ietf.org/doc/rfc9773/).\n\n> Note that `use_renewal_info` does not disable `min_days_remaining`! If the\nselected time within an ARI renewal window value cannot be reached at plan time\n(based on the current time plus the value of\n`renewal_info_max_sleep`), or if the CA has no ARI\nendpoint, renewal behavior will fall back to comparing the certificate expiry\ntime with the value in `min_days_remaining`. This means for short-lived\ncertificates, you may wish to turn this value down so that the settings do not\nconflict; however, don't disable it altogether, as this may prevent the\ncertificate from being renewed!\n"
}
},
"type": "object",
"required": [
"accountKeyPem",
"certificateDomain",
"certificateNotAfter",
"certificateP12",
"certificatePem",
"certificateSerial",
"certificateUrl",
"issuerPem",
"privateKeyPem",
"renewalInfoExplanationUrl",
"renewalInfoRetryAfter",
"renewalInfoWindowEnd",
"renewalInfoWindowSelected",
"renewalInfoWindowStart"
],
"inputProperties": {
"accountKeyPem": {
"type": "string",
"description": "The private key of the account that is\nrequesting the certificate. Forces a new resource when changed.\n",
"secret": true,
"willReplaceOnChanges": true
},
"certTimeout": {
"type": "integer",
"description": "Controls the timeout in seconds for certificate requests\nthat are made after challenges are complete. Defaults to 30 seconds.\n\n> As mentioned, `cert_timeout` does nothing until all challenges are complete.\nIf you are looking to control timeouts related to a particular challenge (such\nas a DNS challenge), see that challenge provider's specific options.\n"
},
"certificateP12Password": {
"type": "string",
"description": "Password to be used when generating\nthe PFX file stored in `certificate_p12`. Defaults to an\nempty string.\n",
"secret": true
},
"certificateRequestPem": {
"type": "string",
"description": "A pre-created certificate request, such as one\nfrom [`tls_cert_request`][tls-cert-request], or one from an external source,\nin PEM format. Forces a new resource when changed.\n\n> One of `common_name`, `subject_alternative_names`, or\n`certificate_request_pem` must be specified. `certificate_request_pem`\nconflicts with `common_name` and `subject_alternative_names`; You cannot have\n`certificate_request_pem` defined at the same time as `common_name` or\n`subject_alternative_names`, and vice versa. Finally, `common_name` can be\nblank while `subject_alternative_names` is defined, and vice versa; in this\ncase with the `classic` Let's Encrypt profile, the first domain defined in\n`subject_alternative_names` becomes the common name.\n",
"willReplaceOnChanges": true
},
"commonName": {
"type": "string",
"description": "The certificate's common name, the primary domain that the\ncertificate will be recognized for. Forces a new resource when changed.\n",
"willReplaceOnChanges": true
},
"disableCompletePropagation": {
"type": "boolean",
"description": "Disable the requirement for full\npropagation of the TXT challenge records before proceeding with validation.\nDefaults to `false`.\n\n> See About DNS propagation checks for details\non the `recursive_nameservers` and `disable_complete_propagation` settings.\n"
},
"dnsChallenges": {
"type": "array",
"items": {
"$ref": "#/types/acme:index%2FCertificateDnsChallenge:CertificateDnsChallenge"
},
"description": "The DNS challenges to\nuse in fulfilling the request.\n"
},
"httpChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpChallenge:CertificateHttpChallenge",
"description": "Defines an HTTP challenge to use in fulfilling\nthe request.\n"
},
"httpMemcachedChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpMemcachedChallenge:CertificateHttpMemcachedChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[Memcached](https://memcached.org/) cluster.\n"
},
"httpS3Challenge": {
"$ref": "#/types/acme:index%2FCertificateHttpS3Challenge:CertificateHttpS3Challenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[S3](https://aws.amazon.com/s3/) bucket.\n"
},
"httpWebrootChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpWebrootChallenge:CertificateHttpWebrootChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to place a file at a location that can be served by\nan out-of-band webserver.\n"
},
"keyType": {
"type": "string",
"description": "The key type for the certificate's private key. Can be one of:\n`P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and\n`8192` (for RSA keys of respective length). Required when not specifying a\nCSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when\nchanged.\n",
"willReplaceOnChanges": true
},
"minDaysRemaining": {
"type": "integer",
"description": "The minimum amount of days remaining on the\nexpiration of a certificate before a renewal is attempted. The default is\n`30`. A value of less than `0` means that the certificate will never be\nrenewed.\n"
},
"mustStaple": {
"type": "boolean",
"description": "Enables the [OCSP Stapling Required][ocsp-stapling]\nTLS Security Policy extension. Certificates with this extension must include a\nvalid OCSP Staple in the TLS handshake for the connection to succeed.\nDefaults to `false`. Note that this option has no effect when using an\nexternal CSR - it must be enabled in the CSR itself. Forces a new resource\nwhen changed.\n\n[ocsp-stapling]: https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling\n\n> OCSP stapling requires specific webserver configuration to support the\ndownloading of the staple from the CA's OCSP endpoints, and should be configured\nto tolerate prolonged outages of the OCSP service. Consider this when using\n`must_staple`, and only enable it if you are sure your webserver or service\nprovider can be configured correctly.\n",
"willReplaceOnChanges": true
},
"preCheckDelay": {
"type": "integer",
"description": "Insert a delay after _every_ DNS challenge\nrecord to allow for extra time for DNS propagation before the certificate is\nrequested. Use this option if you observe issues with requesting certificates\neven when DNS challenge records get added successfully. Units are in seconds.\nDefaults to 0 (no delay).\n\n> Be careful with `pre_check_delay` since the delay is executed _per-domain_.\nTake your expected delay and divide it by the number of domains you have\nconfigured (`common_name` + `subject_alternative_names`).\n"
},
"preferredChain": {
"type": "string",
"description": "The common name of the root of a preferred\nalternate certificate chain offered by the CA. The certificates in\n`issuer_pem` will reflect the chain requested, if available, otherwise the\ndefault chain will be provided. Forces a new resource when changed.\n\n> `preferred_chain` can be used to request alternate chains on Let's Encrypt\nduring the transition away from their old cross-signed intermediates. See [this\narticle for more\ndetails](https://letsencrypt.org/2020/12/21/extending-android-compatibility.html).\nIn their example titled **\"What about the alternate chain?\"**, the root you\nwould put in to the `preferred_chain` field would be `ISRG Root X1`. The\nequivalent in the [staging\nenvironment](https://letsencrypt.org/docs/staging-environment/) is `(STAGING)\nPretend Pear X1`.\n",
"willReplaceOnChanges": true
},
"profile": {
"type": "string",
"description": "The ACME profile to use when requesting the\ncertificate. This can be used to control generation parameters according to\nthe specific CA. The default is blank (no profile); forces a new resource\nwhen changed.\n\n> Let's Encrypt publishes details on their profiles at\n.\n",
"willReplaceOnChanges": true
},
"recursiveNameservers": {
"type": "array",
"items": {
"type": "string"
},
"description": "The recursive nameservers that will be\nused to check for propagation of DNS challenge records, in addition to some\nin-provider checks such as zone detection. Defaults to your system-configured\nDNS resolvers.\n"
},
"renewalInfoIgnoreRetryAfter": {
"type": "boolean",
"description": "Ignores the retry interval\nsupplied by the ARI endpoint for re-fetching renewal window data. Should only\nbe used for testing. Default: `false`.\n"
},
"renewalInfoMaxSleep": {
"type": "integer",
"description": "The maximum amount of time, in seconds,\nthat the resource is willing to sleep during apply to reach a selected\nrenewal window time when `use_renewal_info` is set to `true`. Default: `0`.\n\n> It's recommended to only use small values here (a few minutes maximum).\nUsing extremely high values increases the risk of resource timeouts. To prevent\nhard resource timeouts, the maximum value allowed here is 900 seconds, or 15\nminutes.\n"
},
"revokeCertificateOnDestroy": {
"type": "boolean",
"description": "Enables revocation of a certificate upon destroy,\nwhich includes when a resource is re-created. Default is `true`.\n"
},
"revokeCertificateReason": {
"type": "string",
"description": "Some CA's require a reason for revocation to be provided.\nUse this reason (from [RFC 5280, section 5.3.1](https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1).\nBy default, no reason provided in revocation requests. The reason is a string, when provided should be one of:\n* unspecified\n* key-compromise\n* ca-compromise\n* affiliation-changed\n* superseded\n* cessation-of-operation\n* certificate-hold\n* remove-from-crl\n* privilege-withdrawn\n* aa-compromise\n"
},
"subjectAlternativeNames": {
"type": "array",
"items": {
"type": "string"
},
"description": "The certificate's subject alternative names;\ndomains that this certificate will also be recognized for. Forces a new\nresource when changed.\n",
"willReplaceOnChanges": true
},
"tlsChallenge": {
"$ref": "#/types/acme:index%2FCertificateTlsChallenge:CertificateTlsChallenge",
"description": "Defines a TLS challenge to use in fulfilling the\nrequest.\n\n> Only one of `http_challenge`, `http_webroot_challenge`, `http_s3_challenge`\nand `http_memcached_challenge` can be defined at once. See the section on\nUsing HTTP and TLS challenges for more\ndetails on using these and `tls_challenge`.\n"
},
"useRenewalInfo": {
"type": "boolean",
"description": "When enabled, use information available from\nthe CA's ACME Renewal Information (ARI) endpoint for renewing certificates.\nDefault: `false`.\n\n> More detail on ARI can be found in [RFC\n9773](https://datatracker.ietf.org/doc/rfc9773/).\n\n> Note that `use_renewal_info` does not disable `min_days_remaining`! If the\nselected time within an ARI renewal window value cannot be reached at plan time\n(based on the current time plus the value of\n`renewal_info_max_sleep`), or if the CA has no ARI\nendpoint, renewal behavior will fall back to comparing the certificate expiry\ntime with the value in `min_days_remaining`. This means for short-lived\ncertificates, you may wish to turn this value down so that the settings do not\nconflict; however, don't disable it altogether, as this may prevent the\ncertificate from being renewed!\n"
}
},
"requiredInputs": [
"accountKeyPem"
],
"stateInputs": {
"description": "Input properties used for looking up and filtering Certificate resources.\n",
"properties": {
"accountKeyPem": {
"type": "string",
"description": "The private key of the account that is\nrequesting the certificate. Forces a new resource when changed.\n",
"secret": true,
"willReplaceOnChanges": true
},
"certTimeout": {
"type": "integer",
"description": "Controls the timeout in seconds for certificate requests\nthat are made after challenges are complete. Defaults to 30 seconds.\n\n> As mentioned, `cert_timeout` does nothing until all challenges are complete.\nIf you are looking to control timeouts related to a particular challenge (such\nas a DNS challenge), see that challenge provider's specific options.\n"
},
"certificateDomain": {
"type": "string",
"description": "The common name of the certificate.\n"
},
"certificateNotAfter": {
"type": "string",
"description": "The expiry date of the certificate, laid out in\nRFC3339 format (`2006-01-02T15:04:05Z07:00`).\n"
},
"certificateP12": {
"type": "string",
"description": "The certificate, any intermediates, and the private key\narchived as a PFX file (PKCS12 format, generally used by Microsoft products).\nThe data is base64 encoded (including padding), and its password is\nconfigurable via the `certificate_p12_password`\nargument. This field is empty if creating a certificate from a CSR.\n",
"secret": true
},
"certificateP12Password": {
"type": "string",
"description": "Password to be used when generating\nthe PFX file stored in `certificate_p12`. Defaults to an\nempty string.\n",
"secret": true
},
"certificatePem": {
"type": "string",
"description": "The certificate in PEM format. This does not include the\n`issuer_pem`. This certificate can be concatenated with `issuer_pem` to form\na full chain, e.g. `\"${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}\"`\n"
},
"certificateRequestPem": {
"type": "string",
"description": "A pre-created certificate request, such as one\nfrom [`tls_cert_request`][tls-cert-request], or one from an external source,\nin PEM format. Forces a new resource when changed.\n\n> One of `common_name`, `subject_alternative_names`, or\n`certificate_request_pem` must be specified. `certificate_request_pem`\nconflicts with `common_name` and `subject_alternative_names`; You cannot have\n`certificate_request_pem` defined at the same time as `common_name` or\n`subject_alternative_names`, and vice versa. Finally, `common_name` can be\nblank while `subject_alternative_names` is defined, and vice versa; in this\ncase with the `classic` Let's Encrypt profile, the first domain defined in\n`subject_alternative_names` becomes the common name.\n",
"willReplaceOnChanges": true
},
"certificateSerial": {
"type": "string",
"description": "The serial number, in string format, as reported by\nthe CA.\n"
},
"certificateUrl": {
"type": "string",
"description": "The full URL of the certificate within the ACME CA.\n"
},
"commonName": {
"type": "string",
"description": "The certificate's common name, the primary domain that the\ncertificate will be recognized for. Forces a new resource when changed.\n",
"willReplaceOnChanges": true
},
"disableCompletePropagation": {
"type": "boolean",
"description": "Disable the requirement for full\npropagation of the TXT challenge records before proceeding with validation.\nDefaults to `false`.\n\n> See About DNS propagation checks for details\non the `recursive_nameservers` and `disable_complete_propagation` settings.\n"
},
"dnsChallenges": {
"type": "array",
"items": {
"$ref": "#/types/acme:index%2FCertificateDnsChallenge:CertificateDnsChallenge"
},
"description": "The DNS challenges to\nuse in fulfilling the request.\n"
},
"httpChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpChallenge:CertificateHttpChallenge",
"description": "Defines an HTTP challenge to use in fulfilling\nthe request.\n"
},
"httpMemcachedChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpMemcachedChallenge:CertificateHttpMemcachedChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[Memcached](https://memcached.org/) cluster.\n"
},
"httpS3Challenge": {
"$ref": "#/types/acme:index%2FCertificateHttpS3Challenge:CertificateHttpS3Challenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to serve up challenges to a\n[S3](https://aws.amazon.com/s3/) bucket.\n"
},
"httpWebrootChallenge": {
"$ref": "#/types/acme:index%2FCertificateHttpWebrootChallenge:CertificateHttpWebrootChallenge",
"description": "Defines an alternate type of HTTP\nchallenge that can be used to place a file at a location that can be served by\nan out-of-band webserver.\n"
},
"issuerPem": {
"type": "string",
"description": "The intermediate certificates of the issuer. Multiple\ncertificates are concatenated in this field when there is more than one\nintermediate certificate in the chain.\n"
},
"keyType": {
"type": "string",
"description": "The key type for the certificate's private key. Can be one of:\n`P256` and `P384` (for ECDSA keys of respective length) or `2048`, `4096`, and\n`8192` (for RSA keys of respective length). Required when not specifying a\nCSR. The default is `2048` (RSA key of 2048 bits). Forces a new resource when\nchanged.\n",
"willReplaceOnChanges": true
},
"minDaysRemaining": {
"type": "integer",
"description": "The minimum amount of days remaining on the\nexpiration of a certificate before a renewal is attempted. The default is\n`30`. A value of less than `0` means that the certificate will never be\nrenewed.\n"
},
"mustStaple": {
"type": "boolean",
"description": "Enables the [OCSP Stapling Required][ocsp-stapling]\nTLS Security Policy extension. Certificates with this extension must include a\nvalid OCSP Staple in the TLS handshake for the connection to succeed.\nDefaults to `false`. Note that this option has no effect when using an\nexternal CSR - it must be enabled in the CSR itself. Forces a new resource\nwhen changed.\n\n[ocsp-stapling]: https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling\n\n> OCSP stapling requires specific webserver configuration to support the\ndownloading of the staple from the CA's OCSP endpoints, and should be configured\nto tolerate prolonged outages of the OCSP service. Consider this when using\n`must_staple`, and only enable it if you are sure your webserver or service\nprovider can be configured correctly.\n",
"willReplaceOnChanges": true
},
"preCheckDelay": {
"type": "integer",
"description": "Insert a delay after _every_ DNS challenge\nrecord to allow for extra time for DNS propagation before the certificate is\nrequested. Use this option if you observe issues with requesting certificates\neven when DNS challenge records get added successfully. Units are in seconds.\nDefaults to 0 (no delay).\n\n> Be careful with `pre_check_delay` since the delay is executed _per-domain_.\nTake your expected delay and divide it by the number of domains you have\nconfigured (`common_name` + `subject_alternative_names`).\n"
},
"preferredChain": {
"type": "string",
"description": "The common name of the root of a preferred\nalternate certificate chain offered by the CA. The certificates in\n`issuer_pem` will reflect the chain requested, if available, otherwise the\ndefault chain will be provided. Forces a new resource when changed.\n\n> `preferred_chain` can be used to request alternate chains on Let's Encrypt\nduring the transition away from their old cross-signed intermediates. See [this\narticle for more\ndetails](https://letsencrypt.org/2020/12/21/extending-android-compatibility.html).\nIn their example titled **\"What about the alternate chain?\"**, the root you\nwould put in to the `preferred_chain` field would be `ISRG Root X1`. The\nequivalent in the [staging\nenvironment](https://letsencrypt.org/docs/staging-environment/) is `(STAGING)\nPretend Pear X1`.\n",
"willReplaceOnChanges": true
},
"privateKeyPem": {
"type": "string",
"description": "The certificate's private key, in PEM format, if the\ncertificate was generated from scratch and not with\n`certificate_request_pem`. If\n`certificate_request_pem` was used, this will be blank.\n",
"secret": true
},
"profile": {
"type": "string",
"description": "The ACME profile to use when requesting the\ncertificate. This can be used to control generation parameters according to\nthe specific CA. The default is blank (no profile); forces a new resource\nwhen changed.\n\n> Let's Encrypt publishes details on their profiles at\n.\n",
"willReplaceOnChanges": true
},
"recursiveNameservers": {
"type": "array",
"items": {
"type": "string"
},
"description": "The recursive nameservers that will be\nused to check for propagation of DNS challenge records, in addition to some\nin-provider checks such as zone detection. Defaults to your system-configured\nDNS resolvers.\n"
},
"renewalInfoExplanationUrl": {
"type": "string",
"description": "A URL that can be optionally supplied by an\nARI endpoint explaining the renewal window policy (see\n`use_renewal_info`).\n"
},
"renewalInfoIgnoreRetryAfter": {
"type": "boolean",
"description": "Ignores the retry interval\nsupplied by the ARI endpoint for re-fetching renewal window data. Should only\nbe used for testing. Default: `false`.\n"
},
"renewalInfoMaxSleep": {
"type": "integer",
"description": "The maximum amount of time, in seconds,\nthat the resource is willing to sleep during apply to reach a selected\nrenewal window time when `use_renewal_info` is set to `true`. Default: `0`.\n\n> It's recommended to only use small values here (a few minutes maximum).\nUsing extremely high values increases the risk of resource timeouts. To prevent\nhard resource timeouts, the maximum value allowed here is 900 seconds, or 15\nminutes.\n"
},
"renewalInfoRetryAfter": {
"type": "string",
"description": "A timestamp describing when ARI details will be\nrefreshed if already fetched (see `use_renewal_info`).\n"
},
"renewalInfoWindowEnd": {
"type": "string",
"description": "The end of the discovered ARI renewal window (see\n`use_renewal_info`).\n"
},
"renewalInfoWindowSelected": {
"type": "string",
"description": "The selected time within the ARI renewal\nwindow that a certificate will be renewed, if\n`use_renewal_info` is enabled.\n"
},
"renewalInfoWindowStart": {
"type": "string",
"description": "The start of the discovered ARI renewal window\n(see `use_renewal_info`).\n"
},
"revokeCertificateOnDestroy": {
"type": "boolean",
"description": "Enables revocation of a certificate upon destroy,\nwhich includes when a resource is re-created. Default is `true`.\n"
},
"revokeCertificateReason": {
"type": "string",
"description": "Some CA's require a reason for revocation to be provided.\nUse this reason (from [RFC 5280, section 5.3.1](https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1).\nBy default, no reason provided in revocation requests. The reason is a string, when provided should be one of:\n* unspecified\n* key-compromise\n* ca-compromise\n* affiliation-changed\n* superseded\n* cessation-of-operation\n* certificate-hold\n* remove-from-crl\n* privilege-withdrawn\n* aa-compromise\n"
},
"subjectAlternativeNames": {
"type": "array",
"items": {
"type": "string"
},
"description": "The certificate's subject alternative names;\ndomains that this certificate will also be recognized for. Forces a new\nresource when changed.\n",
"willReplaceOnChanges": true
},
"tlsChallenge": {
"$ref": "#/types/acme:index%2FCertificateTlsChallenge:CertificateTlsChallenge",
"description": "Defines a TLS challenge to use in fulfilling the\nrequest.\n\n> Only one of `http_challenge`, `http_webroot_challenge`, `http_s3_challenge`\nand `http_memcached_challenge` can be defined at once. See the section on\nUsing HTTP and TLS challenges for more\ndetails on using these and `tls_challenge`.\n"
},
"useRenewalInfo": {
"type": "boolean",
"description": "When enabled, use information available from\nthe CA's ACME Renewal Information (ARI) endpoint for renewing certificates.\nDefault: `false`.\n\n> More detail on ARI can be found in [RFC\n9773](https://datatracker.ietf.org/doc/rfc9773/).\n\n> Note that `use_renewal_info` does not disable `min_days_remaining`! If the\nselected time within an ARI renewal window value cannot be reached at plan time\n(based on the current time plus the value of\n`renewal_info_max_sleep`), or if the CA has no ARI\nendpoint, renewal behavior will fall back to comparing the certificate expiry\ntime with the value in `min_days_remaining`. This means for short-lived\ncertificates, you may wish to turn this value down so that the settings do not\nconflict; however, don't disable it altogether, as this may prevent the\ncertificate from being renewed!\n"
}
},
"type": "object"
}
},
"acme:index/registration:Registration": {
"properties": {
"accountKeyAlgorithm": {
"type": "string"
},
"accountKeyEcdsaCurve": {
"type": "string"
},
"accountKeyPem": {
"type": "string",
"secret": true
},
"accountKeyRsaBits": {
"type": "integer"
},
"emailAddress": {
"type": "string"
},
"externalAccountBinding": {
"$ref": "#/types/acme:index%2FRegistrationExternalAccountBinding:RegistrationExternalAccountBinding"
},
"registrationUrl": {
"type": "string"
}
},
"type": "object",
"required": [
"accountKeyPem",
"emailAddress",
"registrationUrl"
],
"inputProperties": {
"accountKeyAlgorithm": {
"type": "string",
"willReplaceOnChanges": true
},
"accountKeyEcdsaCurve": {
"type": "string",
"willReplaceOnChanges": true
},
"accountKeyPem": {
"type": "string",
"secret": true,
"willReplaceOnChanges": true
},
"accountKeyRsaBits": {
"type": "integer",
"willReplaceOnChanges": true
},
"emailAddress": {
"type": "string",
"willReplaceOnChanges": true
},
"externalAccountBinding": {
"$ref": "#/types/acme:index%2FRegistrationExternalAccountBinding:RegistrationExternalAccountBinding",
"willReplaceOnChanges": true
}
},
"requiredInputs": [
"emailAddress"
],
"stateInputs": {
"description": "Input properties used for looking up and filtering Registration resources.\n",
"properties": {
"accountKeyAlgorithm": {
"type": "string",
"willReplaceOnChanges": true
},
"accountKeyEcdsaCurve": {
"type": "string",
"willReplaceOnChanges": true
},
"accountKeyPem": {
"type": "string",
"secret": true,
"willReplaceOnChanges": true
},
"accountKeyRsaBits": {
"type": "integer",
"willReplaceOnChanges": true
},
"emailAddress": {
"type": "string",
"willReplaceOnChanges": true
},
"externalAccountBinding": {
"$ref": "#/types/acme:index%2FRegistrationExternalAccountBinding:RegistrationExternalAccountBinding",
"willReplaceOnChanges": true
},
"registrationUrl": {
"type": "string"
}
},
"type": "object"
}
}
},
"functions": {
"acme:index/getServerUrl:getServerUrl": {
"description": "## # acme.getServerUrl\n\nThe `acme.getServerUrl` data source can be used to retrieve the CA server URL\nthat the provider is currently configured for.\n\n## Example\n\nThe following example populates the `server_url` output with the currently\nconfigured CA server URL.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as acme from \"@pulumi/acme\";\n\nconst url = acme.getServerUrl({});\nexport const serverUrl = url.then(url =\u003e url.serverUrl);\n```\n```python\nimport pulumi\nimport pulumi_acme as acme\n\nurl = acme.get_server_url()\npulumi.export(\"serverUrl\", url.server_url)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Acme = Pulumi.Acme;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var url = Acme.GetServerUrl.Invoke();\n\n return new Dictionary\u003cstring, object?\u003e\n {\n [\"serverUrl\"] = url.Apply(getServerUrlResult =\u003e getServerUrlResult.ServerUrl),\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumiverse/pulumi-acme/sdk/go/acme\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\turl, err := acme.GetServerUrl(ctx, map[string]interface{}{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"serverUrl\", url.ServerUrl)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.acme.AcmeFunctions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var url = AcmeFunctions.getServerUrl();\n\n ctx.export(\"serverUrl\", url.applyValue(getServerUrlResult -\u003e getServerUrlResult.serverUrl()));\n }\n}\n```\n```yaml\nvariables:\n url:\n fn::invoke:\n function: acme:getServerUrl\n arguments: {}\noutputs:\n serverUrl: ${url.serverUrl}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n#### Argument Reference\n\nThis data source takes no arguments.\n\n#### Attribute Reference\n\nThe following attributes are exported:\n\n* `id`: the CA server URL that the provider is currently configured for. \n* `server_url`: the CA server URL that the provider is currently configured\n for. Same as `id`.\n",
"outputs": {
"description": "A collection of values returned by getServerUrl.\n",
"properties": {
"id": {
"description": "The provider-assigned unique ID for this managed resource.\n",
"type": "string"
},
"serverUrl": {
"type": "string"
}
},
"required": [
"id",
"serverUrl"
],
"type": "object"
}
}
}
}