Migrating to the new provider

This page provides instructions for migrating your Terraform state and configuration from the legacy Sectigo provider (v2.0.1) to the new provider.

Overview

The legacy provider used a single sectigo_certificate resource type with a cert_config_type discriminator field. The new provider uses separate resource types:

sectigo_ssl_certificate — for SSL/TLS certificates
sectigo_client_certificate — for client (S/MIME) certificates

This migration tool handles:

Converting resource types and attribute names.
Transforming flat attributes to nested structures (csr_params, renew_options).
Converting comma-separated SANs to list format.
Reading private keys and certificates from disk files (legacy provider wrote these to disk, not state).
Generating new Terraform configuration compatible with the new provider.

Configure the options

Configure the options referring to the following table.

sectigo-migrate [options]

Option Default Description

Option	Default	Description
`-input`	`terraform.tfstate`	Path to legacy terraform.tfstate file
`-output-state`	`terraform.tfstate.new`	Path for converted state file
`-output-config`	`main.tf.new`	Path for generated Terraform configuration
`-cert-dir`	(from state)	Directory containing certificate/key files
`-provider`	`terraform.local/local/sectigo`	New provider address
`-dry-run`	`false`	Print conversion results without writing files
`-verbose`	`false`	Enable verbose output

-input

terraform.tfstate

Path to legacy terraform.tfstate file

-output-state

terraform.tfstate.new

Path for converted state file

-output-config

main.tf.new

Path for generated Terraform configuration

-cert-dir

(from state)

Directory containing certificate/key files

-provider

terraform.local/local/sectigo

New provider address

-dry-run

false

Print conversion results without writing files

-verbose

false

Enable verbose output

Examples

Preview migration (dry-run)

sectigo-migrate -input terraform.tfstate -dry-run -verbose

Perform migration

sectigo-migrate \
  -input terraform.tfstate \
  -output-state terraform.tfstate.new \
  -output-config main.tf.new \
  -provider "hashicorp.com/edu/sectigo"

Specify certificate directory

If your certificate files are in a different location than recorded in state, specify the correct location.

sectigo-migrate \
  -input terraform.tfstate \
  -cert-dir /path/to/certs \
  -output-state terraform.tfstate.new \
  -output-config main.tf.new

Perform the migration

Backup your current state.

cp terraform.tfstate terraform.tfstate.backup

Run the migration tool.

sectigo-migrate \
  -input terraform.tfstate \
  -output-state terraform.tfstate.new \
  -output-config main.tf.new \
  -provider "hashicorp.com/edu/sectigo" \
  -verbose

Examine the generated configuration (main.tf.new) and state (terraform.tfstate.new) to ensure they look correct.

Update the provider configuration.

The generated main.tf.new includes a provider block with placeholders for credentials.

provider "sectigo" {
  host         = "https://demo.cert-manager.com"
  # username     = var.SECTIGO_USERNAME  # Or set SECTIGO_USERNAME env var
  # password     = var.SECTIGO_PASSWORD  # Or set SECTIGO_PASSWORD env var
  # customer_uri = var.SECTIGO_CUSTOMER_URI  # Or set SECTIGO_CUSTOMER_URI env var
}

Update this to use your preferred credential method.

Option A: Environment variables

export SECTIGO_HOST="https://cert-manager.com"
export SECTIGO_USERNAME="your-username"
export SECTIGO_PASSWORD="your-password"
export SECTIGO_CUSTOMER_URI="your-customer-uri"

Option B: Variables file

# terraform.tfvars
SECTIGO_USERNAME     = "your-username"
SECTIGO_PASSWORD     = "your-password"
SECTIGO_CUSTOMER_URI = "your-customer-uri"

Replace state and configuration.

# Backup and replace state
mv terraform.tfstate terraform.tfstate.legacy
mv terraform.tfstate.new terraform.tfstate

# Replace configuration
mv main.tf main.tf.legacy
mv main.tf.new main.tf

Install the new provider.

The new provider must be installed before running Terraform commands.

Option A: Download from releases

# Download the provider binary for your platform
# Place it in the Terraform plugin directory:
~/.terraform.d/plugins/terraform.local/local/sectigo/1.0.0/<os>_<arch>/terraform-provider-sectigo_v1.0.0

Option B: Build from source

cd terraform-provider-sectigo
make install

Configure provider credentials.

Update the provider block in main.tf with your credentials.

provider "sectigo" {
  host         = "https://cert-manager.com"
  username     = var.SECTIGO_USERNAME
  password     = var.SECTIGO_PASSWORD
  customer_uri = var.SECTIGO_CUSTOMER_URI
}

Create a variables.tf file.

variable "SECTIGO_USERNAME" {
  type      = string
  sensitive = true
}

variable "SECTIGO_PASSWORD" {
  type      = string
  sensitive = true
}

variable "SECTIGO_CUSTOMER_URI" {
  type = string
}

Option A: Create a terraform.tfvars file (do not commit to version control)

SECTIGO_USERNAME     = "your-username"
SECTIGO_PASSWORD     = "your-password"
SECTIGO_CUSTOMER_URI = "your-customer-uri"

Option B: Use environment variables

export SECTIGO_HOST="https://cert-manager.com"
export SECTIGO_USERNAME="your-username"
export SECTIGO_PASSWORD="your-password"
export SECTIGO_CUSTOMER_URI="your-customer-uri"

Initialize and verify.
```
# Initialize Terraform with the new provider
terraform init

# Verify no changes detected
terraform plan
```
You should see the following message:

No changes. Your infrastructure matches the configuration.

If Terraform shows changes, review the differences and adjust your configuration as needed.

Continue using Terraform.

After successful migration, you can manage your certificates with standard Terraform commands:

# Make changes to your configuration
terraform plan

# Apply changes (renew, replace, or modify certificates)
terraform apply

# Destroy certificates when no longer needed
terraform destroy

Attribute Mapping Reference

Provider Configuration

Legacy New Notes

Legacy	New	Notes
`SECTIGO_CM_USER`	`SECTIGO_USERNAME`	Environment variable
`SECTIGO_CM_PASSWORD`	`SECTIGO_PASSWORD`	Environment variable
`SECTIGO_CM_URI`	`SECTIGO_CUSTOMER_URI`	Environment variable
(in resource `base_url`)	`host`	Moved to provider level

SECTIGO_CM_USER

SECTIGO_USERNAME

Environment variable

SECTIGO_CM_PASSWORD

SECTIGO_PASSWORD

Environment variable

SECTIGO_CM_URI

SECTIGO_CUSTOMER_URI

Environment variable

(in resource base_url)

host

Moved to provider level

SSL Certificate Attributes

Legacy New Notes

Legacy	New	Notes
`cert_config_type`	(implicit)	Resource type determines this
`orgid`	`org_id`	Direct mapping
`cert_type`	`cert_profile_id`	Direct mapping
`cert_validity`	`validity`	Direct mapping
`cert_comments`	`comments`	Direct mapping
`cert_ext_requester`	`external_requester`	Direct mapping
`subject_alt_names`	`subject_alt_names`	Comma-separated → List
`ssl_custom_fields`	`custom_fields`	Format conversion
`external_csr_pem`	`external_csr`	Direct mapping
`domain`	`csr_params.common_name`	Nested
`country`	`csr_params.country`	Nested
`province`	`csr_params.province`	Nested
`locality`	`csr_params.locality`	Nested
`organization`	`csr_params.organization`	Nested
`org_unit`	`csr_params.organizational_unit`	Nested
`email_address`	`csr_params.email`	Nested
`sign_algorithm_type`	`csr_params.private_key_algorithm`	Nested
`rsa_bits`	`csr_params.private_key_size`	Nested, int → string
`auto_renew`	`renew_options.auto_renew`	Nested
`cert_warning_days`	`renew_options.expiry_window`	Nested
`sectigo_ssl_id`	`ssl_id`	Computed
`sectigo_renew_id`	`renew_id`	Computed

cert_config_type

(implicit)

Resource type determines this

orgid

org_id

Direct mapping

cert_type

cert_profile_id

Direct mapping

cert_validity

validity

Direct mapping

cert_comments

comments

Direct mapping

cert_ext_requester

external_requester

Direct mapping

subject_alt_names

Comma-separated → List

ssl_custom_fields

custom_fields

Format conversion

external_csr_pem

external_csr

Direct mapping

domain

csr_params.common_name

Nested

country

csr_params.country

Nested

province

csr_params.province

Nested

locality

csr_params.locality

Nested

organization

csr_params.organization

Nested

org_unit

csr_params.organizational_unit

Nested

email_address

csr_params.email

Nested

sign_algorithm_type

csr_params.private_key_algorithm

Nested

rsa_bits

csr_params.private_key_size

Nested, int → string

auto_renew

renew_options.auto_renew

Nested

cert_warning_days

renew_options.expiry_window

Nested

sectigo_ssl_id

ssl_id

Computed

sectigo_renew_id

renew_id

Computed

Client Certificate Attributes

Legacy New Notes

Legacy	New	Notes
`client_email_address`	`csr_params.email`	Nested
`client_first_name`	`first_name`	Direct mapping
`client_middle_name`	`middle_name`	Direct mapping
`client_last_name`	`last_name`	Direct mapping
`client_custom_fields`	`custom_fields`	Format conversion
`sectigo_order_number`	`order_number`	Computed

client_email_address

csr_params.email

Nested

client_first_name

first_name

Direct mapping

client_middle_name

middle_name

Direct mapping

client_last_name

last_name

Direct mapping

client_custom_fields

custom_fields

Format conversion

sectigo_order_number

order_number

Computed

Removed Attributes

These legacy attributes are not supported in the new provider:

Legacy Attribute Reason

Legacy Attribute	Reason
`cert_file_path`	Use `local_file` resource instead
`cert_file_name`	Use `local_file` resource instead
`cert_format_type`	Fixed to x509CO
`cert_num_servers`	Not used
`server_type`	Not used
`max_timeout`	Handled internally
`loop_period`	Handled internally
`reason`	Fixed message on delete
`client_revoke_on_replace`	Always revokes

cert_file_path

Use local_file resource instead

cert_file_name

Use local_file resource instead

cert_format_type

Fixed to x509CO

cert_num_servers

Not used

server_type

Not used

max_timeout

Handled internally

loop_period

Handled internally

reason

Fixed message on delete

client_revoke_on_replace

Always revokes

Writing certificates to files

The legacy provider automatically wrote certificates to disk. With the new provider, use the local_file resource.

resource "sectigo_ssl_certificate" "example" {
  # ... certificate configuration
}

resource "local_file" "certificate" {
  content  = sectigo_ssl_certificate.example.certificate_body
  filename = "${path.module}/certificate.crt"
}

resource "local_sensitive_file" "private_key" {
  content  = sectigo_ssl_certificate.example.csr_params.private_key_pem
  filename = "${path.module}/private.key"
}

Troubleshooting

"Could not read private key" warning

The migration tool tries to read private keys from files at the paths stored in the legacy state (cert_file_path/cert_file_name).

If these files have been moved:

Use -cert-dir to specify the current location.
Or manually add the private key to the state after migration.

Terraform plan shows changes

If terraform plan shows changes after migration:

Missing attributes: Some computed attributes may need to be fetched. Run terraform apply to sync.
Type mismatches: Check that numeric values haven’t become strings or vice versa.
Null vs empty: Empty lists/strings may show as changes.

Provider not found

Ensure the new provider is installed:

# For local development
terraform {
  required_providers {
    sectigo = {
      source = "hashicorp.com/edu/sectigo"
    }
  }
}

Support

For problems with the migration tool, please open an issue at: https://github.com/sectigo-eng/terraform-provider-sectigo/issues