Terraform is an open-source infrastructure as code (IaC) software tool that enables you to safely and predictably create, change and improve infrastructure. It is widely used for deployment of cloud infrastructure, but it can also be used to manage on-premises infrastructure and hybrid infrastructures.
Declarative configuration of infrastructure allows you to create a blueprint of your infrastructure and version it, enabling you to roll back to a previous version if needed.
Digital certificates play an important role in any infrastructure as they provide security and trust in the communication between various services. Let’s look how we can automate certificate provisioning and management using Terraform.
The certificate resources can be created in Terraform using various providers. Each approach has its own advantages and disadvantages.
- self-signed certificates using TLS provider – only for testing purposes, it’s not recommended to provision self-signed certificates into production infrastructure. However, TLS provider resources can become handy when used to create internal keys and certification signing requests.
- create self-managed certification authority certificates – for example using cloud PKI provider such as Google CAS, AWS CM, and many others
- manage certificate resource using standard protocols – where protocols like ACME, EST, CMP can be used to create and manage certificate
- build custom provider to manage certificates – which may be needed for some special use cases with custom certificate types
Terraform resources have their own lifecycle, and this is not different with the certificate resource. They can be created, read, updated, and deleted.
Typically, when working with the certificate resources, the following is required:
- certificates issued by trusted certification authority
- updated certificates are renewed or issued as new one
- destroyed certificate resources should invoke certificate revocation
- automation of certificate renewal before expiration
We will explore more ACME Certificate and Account Provider that can fulfil all of mentioned requirements.
Terraform ACME provider
Terraform ACME Certificate and Account Provider lets you to work with the certification authority using standardized ACME protocol.
It supports HTTP and DNS validation of challenges to prove the private key ownership. The certificate resource has the following lifecycle:
- create – certificate is issued using ACME protocol on the supported certification authority, ownership is validated
- read – fetch and parse certificate resource from the ACME server
- update – certificate is renewed if needed
- delete – certificate is revoked and removed from the Terraform state (including private key if available)
The certificate resource handles automatic certificate renewal so long as a plan or apply is done within the minimum number of days before certificate expiration. During refresh, if Terraform detects that the certificate is within the expiry range, or is already expired, Terraform will mark the certificate to be renewed on the next apply.
Terraform + CZERTAINLY
CZERTAINLY platform supports ACME implementation according to the RFC 8555. Therefore, it can be used as ACME server for Terraform ACME provider to manage certificates.
Advantage of using CZERTAINLY is the agility and abstraction of the certificate management service. This means, that once Terraform integrates with CZERTAINLY, it can literally manage and automate any certificate type for any use case.
If there is a change in the certificate management service, it does not have impact on Terraform and its managed infrastructures.
See Terraform ACME provider integration guide and learn how it can be applied in your infrastructure as code!
Get more information about the CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.
Do not hesitate to get in touch with us!