Pulumi TLS

5.3.1 · active · verified Fri Apr 10

Pulumi TLS is a Python package that provides an interface to create and manage TLS (Transport Layer Security) resources within Pulumi programs. It allows for the programmatic generation of private keys, certificate signing requests, and self-signed certificates, which can then be used with other cloud providers. The library is currently at version 5.3.1 and typically sees frequent updates to align with its upstream Terraform provider and Pulumi's core bridge updates.

Warnings

breaking Upgrading to a new major version (e.g., v4 to v5) may introduce breaking changes, even if not explicitly stated in patch notes, due to updates in the underlying Terraform provider or Pulumi's provider bridge. Always review the full changelog and test upgrades in a staging environment.
Fix: Consult the official Pulumi TLS provider changelog on GitHub and the Pulumi Registry for detailed migration guides or breaking changes specific to the versions you are upgrading between.
gotcha When using ECDSA with the P224 elliptic curve for PrivateKey, several OpenSSH-related attributes (e.g., `private_key_openssh`, `public_key_openssh`, `public_key_fingerprint_md5`, `public_key_fingerprint_sha256`) will be empty strings. This is due to restrictions in the SSH ECC Algorithm Integration (RFC 5656) which limits supported curves.
Fix: If OpenSSH compatibility is required, use ECDSA with `P256`, `P384`, or `P521` curves, or opt for the RSA algorithm.
gotcha Output properties like `private_key_pem` or `cert_pem` might contain leading or trailing whitespace depending on the downstream system consuming the PEM string. This can lead to parsing errors in external applications.
Fix: Always trim whitespace from PEM output strings using string methods like `.strip()` in Python before passing them to other tools or services if you encounter parsing issues.

Install

pip install pulumi_tls Install pulumi-tls

Imports

PrivateKey
```
from pulumi_tls import PrivateKey
```
SelfSignedCert
```
from pulumi_tls import SelfSignedCert
```

Quickstart

This example demonstrates how to create an RSA private key and then use it to generate a self-signed TLS certificate with specified validity and allowed uses.

import pulumi
import pulumi_tls as tls

# Create a new private key
private_key = tls.PrivateKey("example-private-key",
    algorithm="RSA",
    rsa_bits=2048)

# Create a self-signed certificate using the private key
self_signed_cert = tls.SelfSignedCert("example-self-signed-cert",
    private_key_pem=private_key.private_key_pem,
    validity_period_hours=8760, # 1 year
    early_renewal_hours=240,    # 10 days
    allowed_uses=[
        "key_encipherment",
        "digital_signature",
        "server_auth"
    ],
    dns_names=[
        "example.com",
        "www.example.com"
    ],
    subject={
        "common_name": "example.com",
        "organization": "Acme, Inc."
    })

pulumi.export("private_key_pem", private_key.private_key_pem)
pulumi.export("self_signed_certificate_pem", self_signed_cert.cert_pem)

view raw JSON →