diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b7ff43..980ef0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,4 +49,4 @@
* 1.2.4 -- 2025-08-01
- acmpca: add creation of certs/.gitignore containing *.key
-
+ - acmpca-iam-rolesanywhere: ignore *.crt and *.csr
diff --git a/acmpca-iam-rolesanywhere/README.md b/acmpca-iam-rolesanywhere/README.md
index bfdc644..00b6589 100644
--- a/acmpca-iam-rolesanywhere/README.md
+++ b/acmpca-iam-rolesanywhere/README.md
@@ -107,6 +107,7 @@ certificate_subject = {
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.0 |
+| [null](#provider\_null) | >= 3.1.0 |
## Modules
@@ -118,6 +119,7 @@ certificate_subject = {
| Name | Type |
|------|------|
+| [null_resource.ignore](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/acmpca-iam-rolesanywhere/main.tf b/acmpca-iam-rolesanywhere/main.tf
index 988f7a3..852abec 100644
--- a/acmpca-iam-rolesanywhere/main.tf
+++ b/acmpca-iam-rolesanywhere/main.tf
@@ -130,3 +130,15 @@ module "certificate" {
var.tags,
)
}
+
+resource "null_resource" "ignore" {
+ triggers = {
+ directory = dirname(module.certificate.certificate_filenames.certificate)
+ }
+ provisioner "local-exec" {
+ command = "echo '*.csr' >> ${self.triggers.directory}/.gitignore"
+ }
+ provisioner "local-exec" {
+ command = "echo '*.crt' >> ${self.triggers.directory}/.gitignore"
+ }
+}
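Review bot: Both `local-exec` commands in `null_resource.ignore` interpolate `self.triggers.directory` into the shell string unquoted, so a certificate path containing spaces or shell metacharacters would split or alter the command. Where that path originates is not visible in this hunk, so it is safer not to trust its contents. Pass it through the provisioner's `environment` argument and quote the expansion, e.g. `environment = { GITIGNORE_DIR = self.triggers.directory }` with `command = "echo '*.csr' >> \"$GITIGNORE_DIR/.gitignore\""`, and likewise for `*.crt`. Because both commands append with `>>`, any replacement of the resource (for example after a taint) adds duplicate lines. If the append is deliberate, presumably to keep the `*.key` entry written by the acmpca module, a one-line comment such as `# append, do not overwrite: .gitignore already holds *.key` would make that clear.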