States module for managing ACM certificates.

async idem_aws.states.aws.acm.certificate_manager.present(hub, ctx, name: str, resource_id: str = None, certificate: str = None, private_key: str = None, certificate_chain: str = None, domain_name: str = None, validation_method: str = None, subject_alternative_names: List[str] = None, idempotency_token: str = None, domain_validation_options: List[DomainValidationOption] = None, options: CertificateOptions = None, certificate_authority_arn: str = None, timeout: Timeout = None, tags: Dict[str, Any] = None) → Dict[str, Any]

Manage SSL/TLS certificates for your AWS-based websites and applications.

Imports a certificate into AWS Certificate Manager (ACM) to use with services that are integrated with ACM.

Note that integrated services allow only certificate types and keys they support to be associated with their resources. Further, their support differs depending on whether the certificate is imported into IAM or into ACM.

Requests an ACM certificate for use with other AWS services. To request an ACM certificate, you must specify a fully qualified domain name (FQDN) in the DomainName parameter. You can also specify additional FQDNs in the SubjectAlternativeNames parameter.

If you are requesting a private certificate, domain validation is not required. If you are requesting a public certificate, each domain name that you specify must be validated to verify that you own or control the domain. You can use DNS validation or email validation.

  • name (str) – An Idem name of the resource.

  • resource_id (str, Optional) – The Amazon Resource Name (ARN) of the certificate to identify the resource.

  • certificate (bytes, Optional) – The certificate to import.

  • private_key (bytes, Optional) – The private key that matches the public key in the certificate.

  • certificate_chain (bytes, Optional) – The PEM encoded certificate chain.

  • domain_name (str, Optional) – Fully qualified domain name (FQDN), such as www.example.com, that you want to secure with an ACM certificate.

  • validation_method (str, Optional) – The method you want to use, if you are requesting a public certificate, to validate that you own or control the domain.

  • subject_alternative_names (list[str], Optional) – Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate.

  • idempotency_token (str, Optional) – Customer chosen string that can be used to distinguish between calls to RequestCertificate.

  • domain_validation_options (list[dict[str, Any]], Optional) –

    The domain name that you want ACM to use to send you emails so that you can validate domain ownership.

    Defaults to None.

    • domain_name (str):

      A fully qualified domain name (FQDN) in the certificate request.

    • validation_domain (str):

      The domain name that you want ACM to use to send you validation emails. This domain name is the suffix of the email addresses that you want ACM to use. This must be the same as the DomainName value or a superdomain of the DomainName value.

      For example, if you request a certificate for testing.example.com, you can specify example.com for this value. In that case, ACM sends domain validation emails to the following five addresses: admin@example.com, administrator@example.com, hostmaster@example.com, postmaster@example.com, webmaster@example.com

    • validation_method (str):

      Specifies the domain validation method.

    • resource_record (dict[str, Any]):

      Contains the CNAME record that you add to your DNS database for domain validation.

      • Name (str):

        The name of the DNS record to create in your domain. This is supplied by ACM.

      • Type (str):

        The type of DNS record. Currently this can be CNAME.

      • Value (str):

        The value of the CNAME record to add to your DNS database. This is supplied by ACM.

    • validation_status (str):

      The validation status of the domain name. This can be one of the following values:

      • PENDING_VALIDATION

      • SUCCESS

      • FAILED

  • options (dict[str, Any], Optional) –

    Currently, you can use this parameter to specify whether to add the certificate to a certificate transparency log. Certificate transparency makes it possible to detect SSL/TLS certificates that have been mistakenly or maliciously issued. Certificates that have not been logged typically produce an error message in a browser. For more information, see Opting Out of Certificate Transparency Logging. Defaults to None.

    • CertificateTransparencyLoggingPreference (str, Optional):

      You can opt out of certificate transparency logging by specifying the DISABLED option. Opt in by specifying ENABLED.

  • certificate_authority_arn (str, Optional) – The Amazon Resource Name (ARN) of the private certificate authority (CA) that will be used to issue the certificate.

  • tags (dict[str, str], Optional) –

    The collection of tags associated with the certificate. Defaults to None.

    • Key (str):

      The key of the tag.

    • Value (str):

      The value of the tag.

  • timeout (dict[str, Any], Optional) –

    Timeout configuration for request/import AWS Certificate.

    • create (dict[str, int]):

      Timeout configuration for request/importing AWS Certificate.

      • delay (int, Optional):

        The amount of time in seconds to wait between attempts.

      • max_attempts (int, Optional):

        Customized timeout configuration containing delay and max attempts.
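
An added example (not part of idem-aws; the function names are hypothetical) that checks the validation_domain rule above on whole DNS labels and lists the mailboxes that can approve issuance under email validation:

```python
# Added example: names below are hypothetical, not idem-aws or boto3 APIs.

# Mailbox local parts listed in the validation_domain description.
LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")


def _labels(fqdn):
    """Split an FQDN into lowercase labels, ignoring a trailing root dot."""
    return fqdn.rstrip(".").lower().split(".")


def is_same_or_superdomain(validation_domain, domain_name):
    """True if validation_domain equals domain_name or is a parent of it.

    Whole DNS labels are compared, so 'example.com' is not accepted for
    'testing.notexample.com' the way a plain str.endswith() test would.
    """
    parent, child = _labels(validation_domain), _labels(domain_name)
    if not all(parent) or len(parent) > len(child):
        return False
    return child[-len(parent):] == parent


def validation_recipients(option):
    """Mailboxes that receive the validation email for one
    domain_validation_options entry; ValueError if the rule is broken."""
    domain_name = option["domain_name"]
    validation_domain = option["validation_domain"]
    if not is_same_or_superdomain(validation_domain, domain_name):
        raise ValueError(
            f"{validation_domain!r} is not {domain_name!r} or a superdomain of it"
        )
    base = ".".join(_labels(validation_domain))
    return [f"{part}@{base}" for part in LOCAL_PARTS]


if __name__ == "__main__":
    # Constructed entry, same values as the documentation's example.
    entry = {"domain_name": "testing.example.com", "validation_domain": "example.com"}
    for address in validation_recipients(entry):
        print(address)
```

Running the check before applying the state shows exactly which mailboxes must be under your control for the chosen validation_domain.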

Request Syntax:
    - domain_name: 'string'
    - validation_method: 'string'
    - subject_alternative_names:
      - 'string'
    - idempotency_token: 'string'
    - domain_validation_options:
      - domain_name: 'string'
        validation_domain: 'string'
        validation_method: 'string'
        resource_record:
          Name: 'string'
          Value: 'string'
          Type: 'string'
        validation_status: PENDING_VALIDATION|SUCCESS|FAILED
    - options:
        CertificateTransparencyLoggingPreference: ENABLED|DISABLED
    - certificate_authority_arn: 'string'
    - tags:
      - 'string': 'string'
    - timeout:
        create:
          delay: 'int'
          max_attempts: 'int'

Return type: Dict[str, Any]


    # Request a certificate
    request_certificate_example:  # placeholder state ID
      aws.acm.certificate_manager.present:
        - domain_name: www.example.com
        - validation_method: DNS
        - subject_alternative_names:
            - www.example.net
        - idempotency_token: ExampleIdempotancyToken
        - domain_validation_options:
          - domain_name: testing.example.com
            validation_domain: example.com
        - options:
            CertificateTransparencyLoggingPreference: DISABLED
        - certificate_authority_arn: arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
        - tags:
          - class: test

    # Import a certificate
    import_certificate_example:  # placeholder state ID
      aws.acm.certificate_manager.present:
        # resource_id is the ARN of the certificate itself (region, account and ID are placeholders)
        - resource_id: arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012
        - certificate: example_certificate
        # A block scalar keeps the PEM line breaks; the key body is elided here
        - private_key: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
        - certificate_chain: example_certificate_chain
        - tags:
          - class: test

async idem_aws.states.aws.acm.certificate_manager.absent(hub, ctx, name: str, resource_id: str = None) → Dict[str, Any]

Deletes a certificate and its associated private key.

If this action succeeds, the certificate no longer appears in the list that can be displayed by calling the ListCertificates action or be retrieved by calling the GetCertificate action. The certificate will not be available for use by Amazon Web Services services integrated with ACM.

  • name (str) – An Idem name of the resource.

  • resource_id (str, Optional) – The Amazon Resource Name (ARN) of the certificate to identify the resource.


Return type: Dict[str, Any]


    delete_certificate_example:  # placeholder state ID
      aws.acm.certificate_manager.absent:
        - name: value
        - resource_id: value

async idem_aws.states.aws.acm.certificate_manager.describe(hub, ctx) → Dict[str, Dict[str, Any]]

Describe the resource in a way that can be recreated/managed with the corresponding “present” function.

Returns detailed metadata about ACM certificates.


Return type: Dict[str, Any]


    $ idem describe aws.acm.certificate_manager