Certificate Leaf

The certificate_leaf resource generates leaf certificates signed by a Certificate Authority (CA). These are end-entity certificates used for servers, clients, or other applications that require TLS/SSL certificates signed by a trusted authority.

Use Cases

As a lab author, you can use certificate_leaf resources to:

Server Certificate Generation: Create TLS certificates for web servers, APIs, and other network services
Client Certificate Authentication: Generate client certificates for mutual TLS authentication scenarios
Service-to-Service Communication: Enable secure communication between microservices using signed certificates

Certificate leaf resources provide signed certificates for specific services while maintaining the certificate chain of trust.

HCL Syntax

Basic Syntax

1
resource "certificate_leaf" "name" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./server-certs"
5
}

Full Syntax

1
resource "certificate_leaf" "name" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./server-certs"
5

6
  dns_names = [
7
    "localhost",
8
    "api.example.com",
9
    "www.example.com"
10
  ]
11

12
  ip_addresses = [
13
    "127.0.0.1",
14
    "192.168.1.100",
15
    "10.0.0.5"
16
  ]
17
}

Fields

Field	Required	Type	Description
`ca_key`	✓	string	Path to the CA private key file used for signing
`ca_cert`	✓	string	Path to the CA certificate file
`output`	✓	string	Output directory where certificate and key files will be written
`dns_names`		list(string)	DNS names to include in the certificate’s Subject Alternative Names (SAN)
`ip_addresses`		list(string)	IP addresses to include in the certificate’s Subject Alternative Names (SAN)

Computed Attributes

These attributes are set by the system after certificate generation:

Field	Type	Description
`private_key`	File	The private key of the generated leaf certificate
`public_key_pem`	File	The PEM-formatted public key
`public_key_ssh`	File	The SSH-formatted public key
`certificate`	File	The generated leaf certificate signed by the CA

File Object Structure

The File object contains information about generated certificate files:

Field	Type	Description
`filename`	string	The name of the generated file
`directory`	string	The directory where the file is written
`path`	string	The full absolute path to the file
`contents`	string	The contents of the generated file

Validation Rules

CA key and certificate files must exist and be valid
Output directory must be a valid path
DNS names must be valid domain names or hostnames
IP addresses must be valid IPv4 or IPv6 addresses
Generated files are written with appropriate permissions for certificate files
Certificate generation is idempotent - same configuration produces same output
Directory structure is created automatically if it doesn’t exist

Examples

Simple Server Certificate

1
resource "certificate_ca" "root" {
2
  output = "./ca"
3
}
4

5
resource "certificate_leaf" "server" {
6
  ca_key  = resource.certificate_ca.root.private_key.path    # e.g., "./ca/private_key.pem"
7
  ca_cert = resource.certificate_ca.root.certificate.path    # e.g., "./ca/certificate.pem"
8
  output  = "./server-certs"
9

10
  dns_names    = ["localhost"]
11
  ip_addresses = ["127.0.0.1"]
12
}
13

14
output "server_cert_path" {
15
  value = resource.certificate_leaf.server.certificate.path  # e.g., "./server-certs/certificate.pem"
16
}

Multi-Domain Web Certificate

1
resource "certificate_leaf" "web" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./web-certs"
5

6
  dns_names = [
7
    "example.com",
8
    "www.example.com",
9
    "api.example.com",
10
    "admin.example.com"
11
  ]
12

13
  ip_addresses = [
14
    "192.168.1.10",
15
    "10.0.0.100"
16
  ]
17
}
18

19
resource "container" "web_server" {
20
  image {
21
    name = "nginx:alpine"
22
  }
23

24
  volume {
25
    source      = resource.certificate_leaf.web.certificate.path     # e.g., "./web-certs/certificate.pem"
26
    destination = "/etc/ssl/certs/server.crt"
27
    type        = "bind"
28
    read_only   = true
29
  }
30

31
  volume {
32
    source      = resource.certificate_leaf.web.private_key.path     # e.g., "./web-certs/private_key.pem"
33
    destination = "/etc/ssl/private/server.key"
34
    type        = "bind"
35
    read_only   = true
36
  }
37

38
  port {
39
    local = "443"
40
    host  = "8443"
41
  }
42
}

Client Certificate Authentication

1
resource "certificate_leaf" "client" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./client-certs"
5

6
  dns_names = ["client.internal"]
7
}
8

9
resource "template" "client_config" {
10
  source = <<-EOF
11
    client:
12
      certificate: ${resource.certificate_leaf.client.certificate.path}      # e.g., "./client-certs/certificate.pem"
13
      private_key: ${resource.certificate_leaf.client.private_key.path}      # e.g., "./client-certs/private_key.pem"
14
      ca_certificate: ${resource.certificate_ca.root.certificate.path}       # e.g., "./ca/certificate.pem"
15

16
    tls:
17
      verify_peer: true
18
      verify_host: true
19
  EOF
20

21
  destination = "./client-config.yaml"
22
}

Service Mesh Certificates

1
resource "certificate_ca" "service_mesh_ca" {
2
  output = "./mesh-ca"
3
}
4

5
# API service certificate
6
resource "certificate_leaf" "api_service" {
7
  ca_key  = resource.certificate_ca.service_mesh_ca.private_key.path
8
  ca_cert = resource.certificate_ca.service_mesh_ca.certificate.path
9
  output  = "./api-service-certs"
10

11
  dns_names = [
12
    "api-service",
13
    "api-service.default.svc.cluster.local"
14
  ]
15
}
16

17
# Database service certificate
18
resource "certificate_leaf" "database_service" {
19
  ca_key  = resource.certificate_ca.service_mesh_ca.private_key.path
20
  ca_cert = resource.certificate_ca.service_mesh_ca.certificate.path
21
  output  = "./database-service-certs"
22

23
  dns_names = [
24
    "database-service",
25
    "database-service.default.svc.cluster.local"
26
  ]
27
}
28

29
resource "container" "api" {
30
  image {
31
    name = "api:latest"
32
  }
33

34
  environment = {
35
    TLS_CERT_FILE = resource.certificate_leaf.api_service.certificate.path      # e.g., "./api-service-certs/certificate.pem"
36
    TLS_KEY_FILE  = resource.certificate_leaf.api_service.private_key.path      # e.g., "./api-service-certs/private_key.pem"
37
    CA_CERT_FILE  = resource.certificate_ca.service_mesh_ca.certificate.path    # e.g., "./mesh-ca/certificate.pem"
38
  }
39
}

Load Balancer Certificate

1
resource "certificate_leaf" "load_balancer" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./lb-certs"
5

6
  dns_names = [
7
    "lb.example.com",
8
    "loadbalancer.internal",
9
    "*.apps.example.com"  # Wildcard certificate
10
  ]
11

12
  ip_addresses = [
13
    "192.168.1.50",   # Load balancer IP
14
    "10.0.0.50"       # Internal IP
15
  ]
16
}
17

18
resource "template" "nginx_ssl_config" {
19
  source = <<-EOF
20
    server {
21
        listen 443 ssl;
22
        server_name lb.example.com *.apps.example.com;
23

24
        ssl_certificate ${resource.certificate_leaf.load_balancer.certificate.path};       # e.g., "./lb-certs/certificate.pem"
25
        ssl_certificate_key ${resource.certificate_leaf.load_balancer.private_key.path};   # e.g., "./lb-certs/private_key.pem"
26

27
        ssl_protocols TLSv1.2 TLSv1.3;
28
        ssl_ciphers HIGH:!aNULL:!MD5;
29

30
        location / {
31
            proxy_pass http://backend;
32
        }
33
    }
34
  EOF
35

36
  destination = "./nginx-ssl.conf"
37
}

Certificate Contents Usage

1
resource "certificate_leaf" "app_cert" {
2
  ca_key  = resource.certificate_ca.root.private_key.path
3
  ca_cert = resource.certificate_ca.root.certificate.path
4
  output  = "./app-certs"
5

6
  dns_names = ["app.local"]
7
}
8

9
resource "container" "secure_app" {
10
  image {
11
    name = "myapp:latest"
12
  }
13

14
  environment = {
15
    # Pass certificate contents directly as environment variables
16
    TLS_CERTIFICATE = resource.certificate_leaf.app_cert.certificate.contents
17
    TLS_PRIVATE_KEY = resource.certificate_leaf.app_cert.private_key.contents
18
    TLS_CA_CERT     = resource.certificate_ca.root.certificate.contents
19

20
    # Certificate metadata
21
    CERT_FILENAME   = resource.certificate_leaf.app_cert.certificate.filename    # e.g., "certificate.pem"
22
    CERT_DIRECTORY  = resource.certificate_leaf.app_cert.certificate.directory   # e.g., "./app-certs"
23
  }
24
}

Best Practices

Subject Alternative Names: Always include relevant DNS names and IP addresses for proper certificate validation
Certificate Organization: Use descriptive output directories to organize certificates by service or purpose
File References: Use .path for file system operations and .contents for inline certificate data
Security: Protect private keys and limit access to certificate files
Validation: Include all hostnames and IPs that clients will use to connect to your services
Certificate Chain: Ensure CA certificates are properly distributed to clients for validation
Naming Conventions: Use clear naming that indicates the certificate’s purpose and scope
Environment Separation: Generate separate certificates for different environments (dev, staging, prod)