Deploy X.509 Certificates with Terraform

An X.509 certificate stores a single PEM-encoded certificate -- no private key, no CA. X.509 certificates are scoped to your organisation, versioned with rotation history, and can be attached to projects and containers.

Updated 23 Jun 2026

Required fields

| Field | Type | Description |
|---|---|---|
| handle | string | A unique identifier (DNS-1123 compliant: lowercase, alphanumeric, hyphens). |
| name | string | A display name. |
| cert | string | PEM-encoded certificate. |

Read-only fields

| Field | Type | Description |
|---|---|---|
| fingerprint | string | SHA256 fingerprint of the certificate. |
| subject | string | Certificate subject (e.g. CN=signing.example.com). |
| issuer | string | Certificate issuer. |
| algorithm | string | Key algorithm (RSA, EC, etc.). |
| key_bits | integer | Key size in bits. |
| notbefore | string | Certificate validity start (UTC). |
| notafter | string | Certificate expiry (UTC). |

Example

resource "bahriya_x509_cert" "signing_cert" {
  handle = "signing-cert"
  name   = "Signing Certificate"
  cert   = file("${path.module}/signing.crt")
}

Attach it to a project so it deploys to the project's regions:

resource "bahriya_project" "production" {
  handle  = "production"
  name    = "Production"
  regions = ["helsinki-1", "falkenstein-1"]
}
 
resource "bahriya_project_x509_cert_attachment" "signing_cert" {
  project_id = bahriya_project.production.id
  handle     = bahriya_x509_cert.signing_cert.handle
}

Then mount it on a container — the cert lands as a file in mountpath:

resource "bahriya_container" "verifier" {
  # ... other fields ...
 
  x509_certs = [
    {
      handle    = bahriya_x509_cert.signing_cert.handle
      mountpath = "/etc/bahriya/x509"
    },
  ]
}

Rotation

To rotate certificate material, update the cert field in your Terraform config and run terraform apply. The Bahriya API creates a new version and marks it current. Previous versions are retained for rollback (default: last 5).

After rotation, file-mounted containers pick up the new certificate automatically within about 60 seconds. No manual redeploy is needed for file-mounted certificates.
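
Because every rotation is an edit to cert followed by terraform apply, a guard in the configuration can stop the wrong file from becoming the current version. The following is an added example, not part of the Bahriya documentation: it uses Terraform lifecycle preconditions (Terraform 1.2 or later) to reject a file that holds a private key or more than one certificate, and outputs the read-only fingerprint and notafter fields for review. The local name signing_pem and the output names are assumptions.

```hcl
# Added example: replaces the bahriya_x509_cert.signing_cert definition shown earlier.
locals {
  # Hypothetical local name; reads the same file as the page's example.
  signing_pem = file("${path.module}/signing.crt")
}

resource "bahriya_x509_cert" "signing_cert" {
  handle = "signing-cert"
  name   = "Signing Certificate"
  cert   = local.signing_pem

  lifecycle {
    # Exactly one certificate: rejects an empty file or a chain/CA bundle.
    precondition {
      condition     = length(regexall("-----BEGIN CERTIFICATE-----", local.signing_pem)) == 1
      error_message = "signing.crt must contain exactly one PEM certificate (no chain, no CA bundle)."
    }

    # No key material: matches PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY headers.
    precondition {
      condition     = length(regexall("-----BEGIN [A-Z ]*PRIVATE KEY-----", local.signing_pem)) == 0
      error_message = "signing.crt contains a private key block; remove it before applying."
    }
  }
}

# Read-only attributes from the page, surfaced so a rotation can be reviewed after apply.
output "signing_cert_fingerprint" {
  value = bahriya_x509_cert.signing_cert.fingerprint
}

output "signing_cert_notafter" {
  value = bahriya_x509_cert.signing_cert.notafter
}
```

Both preconditions are evaluated during terraform plan, so a bad file is rejected before the API creates a new version.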

Importing an existing certificate

terraform import bahriya_x509_cert.signing_cert <uuid>

Pricing

X.509 certificates are billed at $0.02 per month while they exist in your organisation, plus $0.02 per region per month when attached to a project.