Deploy TLS Bundles with Terraform

A TLS bundle stores a CA certificate, server certificate, and private key. TLS bundles are scoped to your organisation, versioned with rotation history, and can be attached to projects and containers for secure communication.

Updated 23 Jun 2026


Required fields

| Field | Type | Description |
| --- | --- | --- |
| handle | string | A unique identifier (DNS-1123 compliant: lowercase, alphanumeric, hyphens). |
| name | string | A display name. |
| ca | string | PEM-encoded CA certificate. |
| cert | string | PEM-encoded server certificate. |
| key | string | PEM-encoded private key. Marked sensitive in state. |

Read-only fields

| Field | Type | Description |
| --- | --- | --- |
| fingerprint | string | SHA256 fingerprint of the server certificate. |
| subject | string | Certificate subject (e.g. CN=api.example.com). |
| issuer | string | Certificate issuer. |
| algorithm | string | Key algorithm (RSA, EC, etc.). |
| key_bits | integer | Key size in bits. |
| notbefore | string | Certificate validity start (UTC). |
| notafter | string | Certificate expiry (UTC). |

Example

resource "bahriya_tls_bundle" "api_cert" {
  handle = "api-cert"
  name   = "API Public Certificate"
  ca     = file("${path.module}/ca.crt")
  cert   = file("${path.module}/api.crt")
  key    = file("${path.module}/api.key")
}

Attach it to a project so it deploys to the project's regions:

resource "bahriya_project" "production" {
  handle  = "production"
  name    = "Production"
  regions = ["helsinki-1", "falkenstein-1"]
}
 
resource "bahriya_project_tls_bundle_attachment" "api_cert" {
  project_id = bahriya_project.production.id
  handle     = bahriya_tls_bundle.api_cert.handle
}

Then mount it on a container — the CA, cert, and key land as files in mountpath:

resource "bahriya_container" "api" {
  # ... other fields ...
 
  tls_bundles = [
    {
      handle    = bahriya_tls_bundle.api_cert.handle
      mountpath = "/etc/bahriya/tls"
    },
  ]
}
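
A preflight for the three PEM inputs and the handle, to run before terraform apply on a first deploy or a rotation. This is an added example, not code from Bahriya or its provider: it checks PEM structure only (not the signature chain or cert/key match), the function names and sample values are hypothetical, and it assumes the fingerprint field is SHA-256 over the DER certificate, whose display format may differ from plain lowercase hex.

```python
import base64
import hashlib
import re

# DNS-1123 label: lowercase alphanumerics and hyphens, alphanumeric at both ends, max 63 chars.
HANDLE_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, decoded_bytes), ...] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]


def preflight(handle, ca, cert, key):
    """Return (problems, sha256 hex of the first certificate in cert, or None)."""
    problems = []
    if not HANDLE_RE.fullmatch(handle):
        problems.append("handle: not a DNS-1123 label")
    blocks = {name: pem_blocks(text) for name, text in (("ca", ca), ("cert", cert), ("key", key))}
    for name in ("ca", "cert"):
        labels = [label for label, _ in blocks[name]]
        if any(label.endswith("PRIVATE KEY") for label in labels):
            # Only `key` is documented as sensitive; key material here would not be redacted.
            problems.append(f"{name}: contains a private key block")
        if "CERTIFICATE" not in labels:
            problems.append(f"{name}: no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label, _ in blocks["key"]):
        problems.append("key: no PRIVATE KEY block")
    leaf = next((der for label, der in blocks["cert"] if label == "CERTIFICATE"), None)
    return problems, hashlib.sha256(leaf).hexdigest() if leaf else None


def make_pem(label, data):
    """Wrap bytes in PEM armour (used here only to build constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(data).decode()}-----END {label}-----\n"


# Constructed placeholders, not real certificate or key material.
LEAF_DER = b"constructed leaf certificate bytes"
CA_PEM = make_pem("CERTIFICATE", b"constructed CA bytes")
CERT_PEM = make_pem("CERTIFICATE", LEAF_DER)
KEY_PEM = make_pem("PRIVATE KEY", b"constructed key bytes")

if __name__ == "__main__":
    print(preflight("api-cert", CA_PEM, CERT_PEM, KEY_PEM))
    # Bad handle, key pasted into cert, certificate passed as key:
    print(preflight("API_Cert", CA_PEM, CERT_PEM + KEY_PEM, CERT_PEM))
```

Compare the returned digest with the bundle's fingerprint attribute after apply to confirm the intended certificate was uploaded. Terraform's sensitive marking redacts a value from CLI output but the state file still stores it, so the state backend needs the same protection as the key file.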

Rotation

To rotate certificate material, update the ca, cert, and key fields in your Terraform config and run terraform apply. The Bahriya API creates a new version and marks it current. Previous versions are retained for rollback (default: last 5).

After rotation, file-mounted containers pick up the new certificate automatically within about 60 seconds. No manual redeploy is needed for file-mounted TLS bundles.

Pricing

TLS bundles are billed at $0.02 per month while they exist in your organisation, plus $0.02 per region per month when attached to a project.