Well-Architected Framework
Manage TLS with Infrastructure as Code
If you need Transport Layer Security (TLS) certificates but do not need them signed by an established certificate authority (CA), you can provision self-signed certificates. A self-signed certificate is issued by the same entity that requests it, so it does not carry the chain of trust that a CA-signed certificate has. These certificates are typically used in non-production cases, like development and testing. One way to provision these kinds of certificates is through infrastructure as code. This allows consistent and repeatable certificate provisioning without the overhead of involving an established CA, such as Vault, to sign and verify them.


Provision TLS certificates and keys
Terraform providers are similar to API clients or plugins, serving as the actor that transforms configuration resources into infrastructure. You can use infrastructure as code to create and manage the lifecycle of self-signed certificates with Terraform and the TLS provider. The TLS provider lets you interact with TLS keys and certificates by providing resources for private keys, certificates, and certificate requests. Some benefits from using the Terraform TLS provider to manage your self-signed certificates include:
- The TLS provider lets you manage your certificates and keys with infrastructure as code, enabling you to automate your certificate and key issuance and lifecycle.
- Your TLS configuration is reproducible across different environments and you can avoid configuration drift and related issues.
- By managing your TLS configuration with Terraform, you gain an audit trail of all changes to your configuration.
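The following Terraform configuration is an added example (not HashiCorp's own code from this page) of the TLS provider resources described above: a private key and a self-signed server certificate with a bounded validity period, an early-renewal window, and restricted key usages. The hostname dev.example.internal and the organization name are placeholder values.

```hcl
terraform {
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
  }
}

# Private key for the certificate. ECDSA P-256 keeps the key small and fast.
# The key material is stored in Terraform state, so protect the state backend.
resource "tls_private_key" "dev" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

# Self-signed certificate for a development host (placeholder names).
resource "tls_self_signed_cert" "dev" {
  private_key_pem = tls_private_key.dev.private_key_pem

  subject {
    common_name  = "dev.example.internal"
    organization = "Example Dev"
  }

  dns_names    = ["dev.example.internal", "localhost"]
  ip_addresses = ["127.0.0.1"]

  # Short-lived: 90 days, and Terraform plans a replacement 14 days before expiry,
  # so renewal happens through the normal apply cycle instead of an outage.
  validity_period_hours = 24 * 90
  early_renewal_hours   = 24 * 14

  # Restrict what the certificate may be used for; no CA or client-auth usage.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

output "dev_cert_pem" {
  value = tls_self_signed_cert.dev.cert_pem
}

# Mark the key as sensitive so it is redacted from plan and apply output.
output "dev_key_pem" {
  value     = tls_private_key.dev.private_key_pem
  sensitive = true
}
```

Changing any argument of tls_self_signed_cert forces a new certificate, which is what gives you the reproducible, drift-free configuration and the audit trail in state history.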
Use Automated Certificate Management Environment (ACME)
ACME simplifies certificate lifecycle management by providing a standardized protocol for the automation of common operations, such as certificate requests and renewals. If you use an external CA like Let's Encrypt, you can use the ACME provider. ACME is an evolving standard for automating a domain-validated certificate authority. Clients register on an authority using a private key and contact information and answer challenges for claimed domains by supplying data issued by the authority through HTTP or DNS. Through this process, clients prove that they own the domains in question and can request certificates via the CA. No part of this process requires user interaction, which is a conventional blocker in obtaining a domain-validated certificate.
Next steps
In this section of Secure applications, you learned how to manage TLS certificates using infrastructure as code tools like Terraform and the TLS provider. You also learned how to use ACME for automated certificate management. Manage TLS with infrastructure as code is part of the Secure systems pillar.