vancluever / terraform-provider-acme-old

ACME (Let's Encrypt) Support for Terraform


Question/docs: lifecycle for created acme_certificate resources?

snakescott opened this issue

Once certificates are created via a resource "acme_certificate" ... block, what happens next?

  • Could you add an example of deploying (and renewing?) a cert to e.g. an aws_instance? Or is this just the file provider and a lot of elbow grease?
  • Are there any concerns about the (sensitive) contents of private_key_pem being persisted to tfstate?

Thanks!

After a bit more digestion I see now that it would be more natural to use the certs here as an input to an aws_iam_server_certificate, which seems straightforward to configure. Also found relevant info on security implications in http://apparently.me.uk/terraform-certificate-authority/

@snakescott sounds like you figured this out already but just wanted to reply on a couple of things - you are right that it's probably better to pass this to something like aws_iam_server_certificate. A common scenario would be terminating SSL on an ELB/ALB with this and passing those requests to a non-HTTPS service on your instances created with aws_instance.

Glad you found Martin's example! Aside from that, my practice for handling private data in state is to ensure it's encrypted at rest or deleted otherwise. Also mark any key outputs you have as sensitive so that keys are not displayed in the clear when they shouldn't be, and delete the local state cache in .terraform/terraform.tfstate when you are using remote state and don't need to have it available.
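The pattern sketched in the replies above (ACME certificate fed into an `aws_iam_server_certificate`, TLS terminated on an ELB, private material kept in encrypted remote state and redacted from outputs), written out as an added configuration. This is an illustrative example, not code from the issue or from the provider's own documentation. It assumes Terraform 0.9+ (for the `backend` block and `${}` interpolation syntax), the `acme_registration`/`acme_certificate` resources with the argument and attribute names used below (including `min_days_remaining`, which I assume this provider version supports for renewal), a Route 53 hosted zone for the DNS challenge, and AWS credentials in the environment; the bucket, domain and email values are placeholders.

```hcl
# Added example, not part of the original issue or the provider's docs.
# Assumes: Terraform 0.9+, this provider's acme_registration/acme_certificate
# resources with the attribute names used here, a Route 53 zone for the DNS
# challenge, and AWS credentials in the environment. Names are placeholders.

terraform {
  backend "s3" {
    bucket  = "example-tfstate"        # placeholder bucket
    key     = "acme/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true                     # state object encrypted at rest (SSE)
  }
}

provider "aws" {
  region = "us-east-1"
}

# ACME account key. Like the certificate's private key, this lands in state,
# which is why the state lives in the encrypted remote backend above.
resource "tls_private_key" "account" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "acme_registration" "reg" {
  server_url      = "https://acme-staging.api.letsencrypt.org/directory" # placeholder: staging endpoint
  account_key_pem = "${tls_private_key.account.private_key_pem}"
  email_address   = "ops@example.com"
}

resource "acme_certificate" "cert" {
  server_url                = "https://acme-staging.api.letsencrypt.org/directory"
  account_key_pem           = "${acme_registration.reg.account_key_pem}"
  common_name               = "www.example.com"
  subject_alternative_names = ["example.com"]
  min_days_remaining        = 30   # assumed argument: forces re-issue on plan when under 30 days left

  dns_challenge {
    provider = "route53"
  }
}

# Upload the issued certificate to IAM. The ELB references it by ARN, so the
# PEM never has to be copied onto an instance or written to disk.
resource "aws_iam_server_certificate" "cert" {
  name_prefix       = "www-example-com-"
  certificate_body  = "${acme_certificate.cert.certificate_pem}"
  certificate_chain = "${acme_certificate.cert.issuer_pem}"
  private_key       = "${acme_certificate.cert.private_key_pem}"

  lifecycle {
    # A renewed cert gets a fresh IAM object before the old one is removed,
    # so the listener is never left pointing at a deleted certificate.
    create_before_destroy = true
  }
}

resource "aws_elb" "web" {
  name               = "web"
  availability_zones = ["us-east-1a", "us-east-1b"]

  listener {
    instance_port      = 80        # plain HTTP from the ELB to the instances
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${aws_iam_server_certificate.cert.arn}"
  }
}

# Public material can be output freely; anything carrying the private key is
# marked sensitive so it is redacted in plan/apply output.
output "certificate_pem" {
  value = "${acme_certificate.cert.certificate_pem}"
}

output "private_key_pem" {
  value     = "${acme_certificate.cert.private_key_pem}"
  sensitive = true
}
```

Note that `sensitive = true` only redacts the value from the console; the key is still stored in plaintext inside the state file itself, which is why the backend's `encrypt = true` (and tight access control on the bucket) matters, and why the local copy in `.terraform/terraform.tfstate` should be removed once remote state is in use. Renewal, under the assumed `min_days_remaining` behaviour, shows up as a planned replacement of `acme_certificate.cert`, which cascades into a new `aws_iam_server_certificate` and an updated ELB listener on the next `terraform apply`.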