Docs
PackagesGoogle Cloud Classic v7.19.0 published on Thursday, Apr 18, 2024 by Pulumi
gcp.certificateauthority.Authority
Explore with Pulumi AI
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
- API documentation
- How-to Guides
Warning: On newer versions of the provider, you must explicitly set
deletion_protection=false(and runpulumi upto write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you’re ready to destroy.
Example Usage
Privateca Certificate Authority Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.Authority("default", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority",
location: "us-central1",
deletionProtection: true,
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
contentCommitment: true,
keyEncipherment: false,
dataEncipherment: true,
keyAgreement: true,
certSign: true,
crlSign: true,
decipherOnly: true,
},
extendedKeyUsage: {
serverAuth: true,
clientAuth: false,
emailProtection: true,
codeSigning: true,
timeStamping: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.Authority("default",
pool="ca-pool",
certificate_authority_id="my-certificate-authority",
location="us-central1",
deletion_protection=True,
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=10,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=True,
key_agreement=True,
cert_sign=True,
crl_sign=True,
decipher_only=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
client_auth=False,
email_protection=True,
code_signing=True,
time_stamping=True,
),
),
),
),
lifetime="86400s",
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
))
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(true),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
ClientAuth: pulumi.Bool(false),
EmailProtection: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority",
Location = "us-central1",
DeletionProtection = true,
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
ContentCommitment = true,
KeyEncipherment = false,
DataEncipherment = true,
KeyAgreement = true,
CertSign = true,
CrlSign = true,
DecipherOnly = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
ClientAuth = false,
EmailProtection = true,
CodeSigning = true,
TimeStamping = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority")
.location("us-central1")
.deletionProtection("true")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(true)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.build());
}
}
resources:
default:
type: gcp:certificateauthority:Authority
properties:
pool: ca-pool
certificateAuthorityId: my-certificate-authority
location: us-central1
deletionProtection: 'true'
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
digitalSignature: true
contentCommitment: true
keyEncipherment: false
dataEncipherment: true
keyAgreement: true
certSign: true
crlSign: true
decipherOnly: true
extendedKeyUsage:
serverAuth: true
clientAuth: false
emailProtection: true
codeSigning: true
timeStamping: true
lifetime: 86400s
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
Privateca Certificate Authority Subordinate
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const root_ca = new gcp.certificateauthority.Authority("root-ca", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority-root",
location: "us-central1",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const _default = new gcp.certificateauthority.Authority("default", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority-sub",
location: "us-central1",
deletionProtection: true,
subordinateConfig: {
certificateAuthority: root_ca.name,
},
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-subordinate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 0,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
contentCommitment: true,
keyEncipherment: false,
dataEncipherment: true,
keyAgreement: true,
certSign: true,
crlSign: true,
decipherOnly: true,
},
extendedKeyUsage: {
serverAuth: true,
clientAuth: false,
emailProtection: true,
codeSigning: true,
timeStamping: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
type: "SUBORDINATE",
});
import pulumi
import pulumi_gcp as gcp
root_ca = gcp.certificateauthority.Authority("root-ca",
pool="ca-pool",
certificate_authority_id="my-certificate-authority-root",
location="us-central1",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
),
),
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default = gcp.certificateauthority.Authority("default",
pool="ca-pool",
certificate_authority_id="my-certificate-authority-sub",
location="us-central1",
deletion_protection=True,
subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
certificate_authority=root_ca.name,
),
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-subordinate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=0,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=True,
key_agreement=True,
cert_sign=True,
crl_sign=True,
decipher_only=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
client_auth=False,
email_protection=True,
code_signing=True,
time_stamping=True,
),
),
),
),
lifetime="86400s",
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
type="SUBORDINATE")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewAuthority(ctx, "root-ca", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority-root"),
Location: pulumi.String("us-central1"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority-sub"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(true),
SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
CertificateAuthority: root_ca.Name,
},
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-subordinate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(0),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
ClientAuth: pulumi.Bool(false),
EmailProtection: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
Type: pulumi.String("SUBORDINATE"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var root_ca = new Gcp.CertificateAuthority.Authority("root-ca", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority-root",
Location = "us-central1",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority-sub",
Location = "us-central1",
DeletionProtection = true,
SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
{
CertificateAuthority = root_ca.Name,
},
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-subordinate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 0,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
ContentCommitment = true,
KeyEncipherment = false,
DataEncipherment = true,
KeyAgreement = true,
CertSign = true,
CrlSign = true,
DecipherOnly = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
ClientAuth = false,
EmailProtection = true,
CodeSigning = true,
TimeStamping = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
Type = "SUBORDINATE",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var root_ca = new Authority("root-ca", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-root")
.location("us-central1")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-sub")
.location("us-central1")
.deletionProtection("true")
.subordinateConfig(AuthoritySubordinateConfigArgs.builder()
.certificateAuthority(root_ca.name())
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-subordinate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(0)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(true)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.type("SUBORDINATE")
.build());
}
}
resources:
root-ca:
type: gcp:certificateauthority:Authority
properties:
pool: ca-pool
certificateAuthorityId: my-certificate-authority-root
location: us-central1
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
default:
type: gcp:certificateauthority:Authority
properties:
pool: ca-pool
certificateAuthorityId: my-certificate-authority-sub
location: us-central1
deletionProtection: 'true'
subordinateConfig:
certificateAuthority: ${["root-ca"].name}
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-subordinate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 0
keyUsage:
baseKeyUsage:
digitalSignature: true
contentCommitment: true
keyEncipherment: false
dataEncipherment: true
keyAgreement: true
certSign: true
crlSign: true
decipherOnly: true
extendedKeyUsage:
serverAuth: true
clientAuth: false
emailProtection: true
codeSigning: true
timeStamping: true
lifetime: 86400s
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
type: SUBORDINATE
Privateca Certificate Authority Byo Key
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const privatecaSa = new gcp.projects.ServiceIdentity("privateca_sa", {service: "privateca.googleapis.com"});
const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", {
cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role: "roles/cloudkms.signerVerifier",
member: pulumi.interpolate`serviceAccount:${privatecaSa.email}`,
});
const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", {
cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role: "roles/viewer",
member: pulumi.interpolate`serviceAccount:${privatecaSa.email}`,
});
const _default = new gcp.certificateauthority.Authority("default", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority",
location: "us-central1",
deletionProtection: true,
keySpec: {
cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
},
config: {
subjectConfig: {
subject: {
organization: "Example, Org.",
commonName: "Example Authority",
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: ["*.example.com"],
excludedDnsNames: ["*.deny.example.com"],
permittedIpRanges: ["10.0.0.0/8"],
excludedIpRanges: ["10.1.1.0/24"],
permittedEmailAddresses: [".example.com"],
excludedEmailAddresses: [".deny.example.com"],
permittedUris: [".example.com"],
excludedUris: [".deny.example.com"],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
privateca_sa = gcp.projects.ServiceIdentity("privateca_sa", service="privateca.googleapis.com")
privateca_sa_keyuser_signerverifier = gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier",
crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role="roles/cloudkms.signerVerifier",
member=privateca_sa.email.apply(lambda email: f"serviceAccount:{email}"))
privateca_sa_keyuser_viewer = gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer",
crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role="roles/viewer",
member=privateca_sa.email.apply(lambda email: f"serviceAccount:{email}"))
default = gcp.certificateauthority.Authority("default",
pool="ca-pool",
certificate_authority_id="my-certificate-authority",
location="us-central1",
deletion_protection=True,
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
cloud_kms_key_version="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
),
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="Example, Org.",
common_name="Example Authority",
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=10,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
critical=True,
permitted_dns_names=["*.example.com"],
excluded_dns_names=["*.deny.example.com"],
permitted_ip_ranges=["10.0.0.0/8"],
excluded_ip_ranges=["10.1.1.0/24"],
permitted_email_addresses=[".example.com"],
excluded_email_addresses=[".deny.example.com"],
permitted_uris=[".example.com"],
excluded_uris=[".deny.example.com"],
),
),
))
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
privatecaSa, err := projects.NewServiceIdentity(ctx, "privateca_sa", &projects.ServiceIdentityArgs{
Service: pulumi.String("privateca.googleapis.com"),
})
if err != nil {
return err
}
_, err = kms.NewCryptoKeyIAMMember(ctx, "privateca_sa_keyuser_signerverifier", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
Role: pulumi.String("roles/cloudkms.signerVerifier"),
Member: privatecaSa.Email.ApplyT(func(email string) (string, error) {
return fmt.Sprintf("serviceAccount:%v", email), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
_, err = kms.NewCryptoKeyIAMMember(ctx, "privateca_sa_keyuser_viewer", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
Role: pulumi.String("roles/viewer"),
Member: privatecaSa.Email.ApplyT(func(email string) (string, error) {
return fmt.Sprintf("serviceAccount:%v", email), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(true),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
CloudKmsKeyVersion: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"),
},
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("Example, Org."),
CommonName: pulumi.String("Example Authority"),
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var privatecaSa = new Gcp.Projects.ServiceIdentity("privateca_sa", new()
{
Service = "privateca.googleapis.com",
});
var privatecaSaKeyuserSignerverifier = new Gcp.Kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", new()
{
CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
Role = "roles/cloudkms.signerVerifier",
Member = privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
});
var privatecaSaKeyuserViewer = new Gcp.Kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", new()
{
CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
Role = "roles/viewer",
Member = privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
});
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority",
Location = "us-central1",
DeletionProtection = true,
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
CloudKmsKeyVersion = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
},
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "Example, Org.",
CommonName = "Example Authority",
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example.com",
},
PermittedUris = new[]
{
".example.com",
},
ExcludedUris = new[]
{
".deny.example.com",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
.service("privateca.googleapis.com")
.build());
var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMMember("privatecaSaKeyuserSignerverifier", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/cloudkms.signerVerifier")
.member(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var privatecaSaKeyuserViewer = new CryptoKeyIAMMember("privatecaSaKeyuserViewer", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/viewer")
.member(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority")
.location("us-central1")
.deletionProtection("true")
.keySpec(AuthorityKeySpecArgs.builder()
.cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("Example, Org.")
.commonName("Example Authority")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames("*.example.com")
.excludedDnsNames("*.deny.example.com")
.permittedIpRanges("10.0.0.0/8")
.excludedIpRanges("10.1.1.0/24")
.permittedEmailAddresses(".example.com")
.excludedEmailAddresses(".deny.example.com")
.permittedUris(".example.com")
.excludedUris(".deny.example.com")
.build())
.build())
.build())
.build());
}
}
resources:
privatecaSa:
type: gcp:projects:ServiceIdentity
name: privateca_sa
properties:
service: privateca.googleapis.com
privatecaSaKeyuserSignerverifier:
type: gcp:kms:CryptoKeyIAMMember
name: privateca_sa_keyuser_signerverifier
properties:
cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
role: roles/cloudkms.signerVerifier
member: serviceAccount:${privatecaSa.email}
privatecaSaKeyuserViewer:
type: gcp:kms:CryptoKeyIAMMember
name: privateca_sa_keyuser_viewer
properties:
cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
role: roles/viewer
member: serviceAccount:${privatecaSa.email}
default:
type: gcp:certificateauthority:Authority
properties:
pool: ca-pool
certificateAuthorityId: my-certificate-authority
location: us-central1
deletionProtection: 'true'
keySpec:
cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
config:
subjectConfig:
subject:
organization: Example, Org.
commonName: Example Authority
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
nameConstraints:
critical: true
permittedDnsNames:
- '*.example.com'
excludedDnsNames:
- '*.deny.example.com'
permittedIpRanges:
- 10.0.0.0/8
excludedIpRanges:
- 10.1.1.0/24
permittedEmailAddresses:
- .example.com
excludedEmailAddresses:
- .deny.example.com
permittedUris:
- .example.com
excludedUris:
- .deny.example.com
Create Authority Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Authority(name: string, args: AuthorityArgs, opts?: CustomResourceOptions);@overload
def Authority(resource_name: str,
args: AuthorityArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Authority(resource_name: str,
opts: Optional[ResourceOptions] = None,
key_spec: Optional[AuthorityKeySpecArgs] = None,
config: Optional[AuthorityConfigArgs] = None,
pool: Optional[str] = None,
location: Optional[str] = None,
certificate_authority_id: Optional[str] = None,
lifetime: Optional[str] = None,
ignore_active_certificates_on_deletion: Optional[bool] = None,
labels: Optional[Mapping[str, str]] = None,
gcs_bucket: Optional[str] = None,
desired_state: Optional[str] = None,
pem_ca_certificate: Optional[str] = None,
deletion_protection: Optional[bool] = None,
project: Optional[str] = None,
skip_grace_period: Optional[bool] = None,
subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
type: Optional[str] = None)func NewAuthority(ctx *Context, name string, args AuthorityArgs, opts ...ResourceOption) (*Authority, error)public Authority(string name, AuthorityArgs args, CustomResourceOptions? opts = null)
public Authority(String name, AuthorityArgs args)
public Authority(String name, AuthorityArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Authority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var authorityResource = new Gcp.CertificateAuthority.Authority("authorityResource", new()
{
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "string",
CloudKmsKeyVersion = "string",
},
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
CommonName = "string",
Organization = "string",
CountryCode = "string",
Locality = "string",
OrganizationalUnit = "string",
PostalCode = "string",
Province = "string",
StreetAddress = "string",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"string",
},
EmailAddresses = new[]
{
"string",
},
IpAddresses = new[]
{
"string",
},
Uris = new[]
{
"string",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = false,
MaxIssuerPathLength = 0,
NonCa = false,
ZeroMaxIssuerPathLength = false,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = false,
ContentCommitment = false,
CrlSign = false,
DataEncipherment = false,
DecipherOnly = false,
DigitalSignature = false,
EncipherOnly = false,
KeyAgreement = false,
KeyEncipherment = false,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ClientAuth = false,
CodeSigning = false,
EmailProtection = false,
OcspSigning = false,
ServerAuth = false,
TimeStamping = false,
},
UnknownExtendedKeyUsages = new[]
{
new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigAdditionalExtensionArgs
{
Critical = false,
ObjectId = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
Value = "string",
},
},
AiaOcspServers = new[]
{
"string",
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
{
Critical = false,
ExcludedDnsNames = new[]
{
"string",
},
ExcludedEmailAddresses = new[]
{
"string",
},
ExcludedIpRanges = new[]
{
"string",
},
ExcludedUris = new[]
{
"string",
},
PermittedDnsNames = new[]
{
"string",
},
PermittedEmailAddresses = new[]
{
"string",
},
PermittedIpRanges = new[]
{
"string",
},
PermittedUris = new[]
{
"string",
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigPolicyIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
},
Pool = "string",
Location = "string",
CertificateAuthorityId = "string",
Lifetime = "string",
IgnoreActiveCertificatesOnDeletion = false,
Labels =
{
{ "string", "string" },
},
GcsBucket = "string",
DesiredState = "string",
PemCaCertificate = "string",
DeletionProtection = false,
Project = "string",
SkipGracePeriod = false,
SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
{
CertificateAuthority = "string",
PemIssuerChain = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigPemIssuerChainArgs
{
PemCertificates = new[]
{
"string",
},
},
},
Type = "string",
});
example, err := certificateauthority.NewAuthority(ctx, "authorityResource", &certificateauthority.AuthorityArgs{
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("string"),
CloudKmsKeyVersion: pulumi.String("string"),
},
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("string"),
Organization: pulumi.String("string"),
CountryCode: pulumi.String("string"),
Locality: pulumi.String("string"),
OrganizationalUnit: pulumi.String("string"),
PostalCode: pulumi.String("string"),
Province: pulumi.String("string"),
StreetAddress: pulumi.String("string"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("string"),
},
EmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
IpAddresses: pulumi.StringArray{
pulumi.String("string"),
},
Uris: pulumi.StringArray{
pulumi.String("string"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(0),
NonCa: pulumi.Bool(false),
ZeroMaxIssuerPathLength: pulumi.Bool(false),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(false),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(false),
DecipherOnly: pulumi.Bool(false),
DigitalSignature: pulumi.Bool(false),
EncipherOnly: pulumi.Bool(false),
KeyAgreement: pulumi.Bool(false),
KeyEncipherment: pulumi.Bool(false),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(false),
CodeSigning: pulumi.Bool(false),
EmailProtection: pulumi.Bool(false),
OcspSigning: pulumi.Bool(false),
ServerAuth: pulumi.Bool(false),
TimeStamping: pulumi.Bool(false),
},
UnknownExtendedKeyUsages: certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArray{
&certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
AdditionalExtensions: certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArray{
&certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArgs{
Critical: pulumi.Bool(false),
ObjectId: &certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
Value: pulumi.String("string"),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(false),
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String("string"),
},
PermittedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
PermittedUris: pulumi.StringArray{
pulumi.String("string"),
},
},
PolicyIds: certificateauthority.AuthorityConfigX509ConfigPolicyIdArray{
&certificateauthority.AuthorityConfigX509ConfigPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
},
Pool: pulumi.String("string"),
Location: pulumi.String("string"),
CertificateAuthorityId: pulumi.String("string"),
Lifetime: pulumi.String("string"),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(false),
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
GcsBucket: pulumi.String("string"),
DesiredState: pulumi.String("string"),
PemCaCertificate: pulumi.String("string"),
DeletionProtection: pulumi.Bool(false),
Project: pulumi.String("string"),
SkipGracePeriod: pulumi.Bool(false),
SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
CertificateAuthority: pulumi.String("string"),
PemIssuerChain: &certificateauthority.AuthoritySubordinateConfigPemIssuerChainArgs{
PemCertificates: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Type: pulumi.String("string"),
})
var authorityResource = new Authority("authorityResource", AuthorityArgs.builder()
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("string")
.cloudKmsKeyVersion("string")
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.commonName("string")
.organization("string")
.countryCode("string")
.locality("string")
.organizationalUnit("string")
.postalCode("string")
.province("string")
.streetAddress("string")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("string")
.emailAddresses("string")
.ipAddresses("string")
.uris("string")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(false)
.maxIssuerPathLength(0)
.nonCa(false)
.zeroMaxIssuerPathLength(false)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(false)
.crlSign(false)
.dataEncipherment(false)
.decipherOnly(false)
.digitalSignature(false)
.encipherOnly(false)
.keyAgreement(false)
.keyEncipherment(false)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(false)
.emailProtection(false)
.ocspSigning(false)
.serverAuth(false)
.timeStamping(false)
.build())
.unknownExtendedKeyUsages(AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs.builder()
.objectIdPaths(0)
.build())
.build())
.additionalExtensions(AuthorityConfigX509ConfigAdditionalExtensionArgs.builder()
.critical(false)
.objectId(AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(0)
.build())
.value("string")
.build())
.aiaOcspServers("string")
.nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
.critical(false)
.excludedDnsNames("string")
.excludedEmailAddresses("string")
.excludedIpRanges("string")
.excludedUris("string")
.permittedDnsNames("string")
.permittedEmailAddresses("string")
.permittedIpRanges("string")
.permittedUris("string")
.build())
.policyIds(AuthorityConfigX509ConfigPolicyIdArgs.builder()
.objectIdPaths(0)
.build())
.build())
.build())
.pool("string")
.location("string")
.certificateAuthorityId("string")
.lifetime("string")
.ignoreActiveCertificatesOnDeletion(false)
.labels(Map.of("string", "string"))
.gcsBucket("string")
.desiredState("string")
.pemCaCertificate("string")
.deletionProtection(false)
.project("string")
.skipGracePeriod(false)
.subordinateConfig(AuthoritySubordinateConfigArgs.builder()
.certificateAuthority("string")
.pemIssuerChain(AuthoritySubordinateConfigPemIssuerChainArgs.builder()
.pemCertificates("string")
.build())
.build())
.type("string")
.build());
authority_resource = gcp.certificateauthority.Authority("authorityResource",
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="string",
cloud_kms_key_version="string",
),
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
common_name="string",
organization="string",
country_code="string",
locality="string",
organizational_unit="string",
postal_code="string",
province="string",
street_address="string",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["string"],
email_addresses=["string"],
ip_addresses=["string"],
uris=["string"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=False,
max_issuer_path_length=0,
non_ca=False,
zero_max_issuer_path_length=False,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=False,
content_commitment=False,
crl_sign=False,
data_encipherment=False,
decipher_only=False,
digital_signature=False,
encipher_only=False,
key_agreement=False,
key_encipherment=False,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
client_auth=False,
code_signing=False,
email_protection=False,
ocsp_signing=False,
server_auth=False,
time_stamping=False,
),
unknown_extended_key_usages=[gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs(
object_id_paths=[0],
)],
),
additional_extensions=[gcp.certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArgs(
critical=False,
object_id=gcp.certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs(
object_id_paths=[0],
),
value="string",
)],
aia_ocsp_servers=["string"],
name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
critical=False,
excluded_dns_names=["string"],
excluded_email_addresses=["string"],
excluded_ip_ranges=["string"],
excluded_uris=["string"],
permitted_dns_names=["string"],
permitted_email_addresses=["string"],
permitted_ip_ranges=["string"],
permitted_uris=["string"],
),
policy_ids=[gcp.certificateauthority.AuthorityConfigX509ConfigPolicyIdArgs(
object_id_paths=[0],
)],
),
),
pool="string",
location="string",
certificate_authority_id="string",
lifetime="string",
ignore_active_certificates_on_deletion=False,
labels={
"string": "string",
},
gcs_bucket="string",
desired_state="string",
pem_ca_certificate="string",
deletion_protection=False,
project="string",
skip_grace_period=False,
subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
certificate_authority="string",
pem_issuer_chain=gcp.certificateauthority.AuthoritySubordinateConfigPemIssuerChainArgs(
pem_certificates=["string"],
),
),
type="string")
const authorityResource = new gcp.certificateauthority.Authority("authorityResource", {
keySpec: {
algorithm: "string",
cloudKmsKeyVersion: "string",
},
config: {
subjectConfig: {
subject: {
commonName: "string",
organization: "string",
countryCode: "string",
locality: "string",
organizationalUnit: "string",
postalCode: "string",
province: "string",
streetAddress: "string",
},
subjectAltName: {
dnsNames: ["string"],
emailAddresses: ["string"],
ipAddresses: ["string"],
uris: ["string"],
},
},
x509Config: {
caOptions: {
isCa: false,
maxIssuerPathLength: 0,
nonCa: false,
zeroMaxIssuerPathLength: false,
},
keyUsage: {
baseKeyUsage: {
certSign: false,
contentCommitment: false,
crlSign: false,
dataEncipherment: false,
decipherOnly: false,
digitalSignature: false,
encipherOnly: false,
keyAgreement: false,
keyEncipherment: false,
},
extendedKeyUsage: {
clientAuth: false,
codeSigning: false,
emailProtection: false,
ocspSigning: false,
serverAuth: false,
timeStamping: false,
},
unknownExtendedKeyUsages: [{
objectIdPaths: [0],
}],
},
additionalExtensions: [{
critical: false,
objectId: {
objectIdPaths: [0],
},
value: "string",
}],
aiaOcspServers: ["string"],
nameConstraints: {
critical: false,
excludedDnsNames: ["string"],
excludedEmailAddresses: ["string"],
excludedIpRanges: ["string"],
excludedUris: ["string"],
permittedDnsNames: ["string"],
permittedEmailAddresses: ["string"],
permittedIpRanges: ["string"],
permittedUris: ["string"],
},
policyIds: [{
objectIdPaths: [0],
}],
},
},
pool: "string",
location: "string",
certificateAuthorityId: "string",
lifetime: "string",
ignoreActiveCertificatesOnDeletion: false,
labels: {
string: "string",
},
gcsBucket: "string",
desiredState: "string",
pemCaCertificate: "string",
deletionProtection: false,
project: "string",
skipGracePeriod: false,
subordinateConfig: {
certificateAuthority: "string",
pemIssuerChain: {
pemCertificates: ["string"],
},
},
type: "string",
});
type: gcp:certificateauthority:Authority
properties:
certificateAuthorityId: string
config:
subjectConfig:
subject:
commonName: string
countryCode: string
locality: string
organization: string
organizationalUnit: string
postalCode: string
province: string
streetAddress: string
subjectAltName:
dnsNames:
- string
emailAddresses:
- string
ipAddresses:
- string
uris:
- string
x509Config:
additionalExtensions:
- critical: false
objectId:
objectIdPaths:
- 0
value: string
aiaOcspServers:
- string
caOptions:
isCa: false
maxIssuerPathLength: 0
nonCa: false
zeroMaxIssuerPathLength: false
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: false
crlSign: false
dataEncipherment: false
decipherOnly: false
digitalSignature: false
encipherOnly: false
keyAgreement: false
keyEncipherment: false
extendedKeyUsage:
clientAuth: false
codeSigning: false
emailProtection: false
ocspSigning: false
serverAuth: false
timeStamping: false
unknownExtendedKeyUsages:
- objectIdPaths:
- 0
nameConstraints:
critical: false
excludedDnsNames:
- string
excludedEmailAddresses:
- string
excludedIpRanges:
- string
excludedUris:
- string
permittedDnsNames:
- string
permittedEmailAddresses:
- string
permittedIpRanges:
- string
permittedUris:
- string
policyIds:
- objectIdPaths:
- 0
deletionProtection: false
desiredState: string
gcsBucket: string
ignoreActiveCertificatesOnDeletion: false
keySpec:
algorithm: string
cloudKmsKeyVersion: string
labels:
string: string
lifetime: string
location: string
pemCaCertificate: string
pool: string
project: string
skipGracePeriod: false
subordinateConfig:
certificateAuthority: string
pemIssuerChain:
pemCertificates:
- string
type: string
Authority Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Authority resource accepts the following input properties:
- string
- The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - Pool string
- The name of the CaPool this Certificate Authority belongs to.
- Deletion
Protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - Gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - Ignore
Active boolCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - Subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- string
- The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Key
Spec AuthorityKey Spec Args - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - Pool string
- The name of the CaPool this Certificate Authority belongs to.
- Deletion
Protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - Gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - Ignore
Active boolCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - Subordinate
Config AuthoritySubordinate Config Args - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- String
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location String
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool String
- The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection Boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - gcs
Bucket String - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active BooleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca StringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- string
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool string
- The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active booleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace booleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- str
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key_
spec AuthorityKey Spec Args - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location str
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool str
- The name of the CaPool this Certificate Authority belongs to.
- deletion_
protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired_
state str - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - gcs_
bucket str - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore_
active_ boolcertificates_ on_ deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime str
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem_
ca_ strcertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip_
grace_ boolperiod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - subordinate_
config AuthoritySubordinate Config Args - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type str
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- String
- The user provided Resource ID for this Certificate Authority.
- config Property Map
- The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec Property Map - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location String
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - pool String
- The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection Boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - gcs
Bucket String - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active BooleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca StringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - subordinate
Config Property Map - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
Outputs
All input properties are implicitly available as output properties. Additionally, the Authority resource produces the following output properties:
- Access
Urls List<AuthorityAccess Url> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- Create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca List<string>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- State string
- The State for this CertificateAuthority.
- Update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Access
Urls []AuthorityAccess Url - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- Create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca []stringCertificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- State string
- The State for this CertificateAuthority.
- Update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<AuthorityAccess Url> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time String - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca List<String>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- state String
- The State for this CertificateAuthority.
- update
Time String - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls AuthorityAccess Url[] - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id string
- The provider-assigned unique ID for this managed resource.
- name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca string[]Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- state string
- The State for this CertificateAuthority.
- update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access_
urls Sequence[AuthorityAccess Url] - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create_
time str - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id str
- The provider-assigned unique ID for this managed resource.
- name str
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem_
ca_ Sequence[str]certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- state str
- The State for this CertificateAuthority.
- update_
time str - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<Property Map> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time String - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- name String
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca List<String>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- state String
- The State for this CertificateAuthority.
- update
Time String - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Look up Existing Authority Resource
Get an existing Authority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthorityState, opts?: CustomResourceOptions): Authority@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_urls: Optional[Sequence[AuthorityAccessUrlArgs]] = None,
certificate_authority_id: Optional[str] = None,
config: Optional[AuthorityConfigArgs] = None,
create_time: Optional[str] = None,
deletion_protection: Optional[bool] = None,
desired_state: Optional[str] = None,
effective_labels: Optional[Mapping[str, str]] = None,
gcs_bucket: Optional[str] = None,
ignore_active_certificates_on_deletion: Optional[bool] = None,
key_spec: Optional[AuthorityKeySpecArgs] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
pem_ca_certificate: Optional[str] = None,
pem_ca_certificates: Optional[Sequence[str]] = None,
pool: Optional[str] = None,
project: Optional[str] = None,
pulumi_labels: Optional[Mapping[str, str]] = None,
skip_grace_period: Optional[bool] = None,
state: Optional[str] = None,
subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
type: Optional[str] = None,
update_time: Optional[str] = None) -> Authorityfunc GetAuthority(ctx *Context, name string, id IDInput, state *AuthorityState, opts ...ResourceOption) (*Authority, error)public static Authority Get(string name, Input<string> id, AuthorityState? state, CustomResourceOptions? opts = null)public static Authority get(String name, Output<String> id, AuthorityState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Urls List<AuthorityAccess Url> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
- The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Deletion
Protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - Ignore
Active boolCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - Key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Pem
Ca List<string>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pool string
- The name of the CaPool this Certificate Authority belongs to.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Skip
Grace boolPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - State string
- The State for this CertificateAuthority.
- Subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- Update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Access
Urls []AuthorityAccess Url Args - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
- The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Deletion
Protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - Ignore
Active boolCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - Key
Spec AuthorityKey Spec Args - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Pem
Ca []stringCertificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pool string
- The name of the CaPool this Certificate Authority belongs to.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Skip
Grace boolPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - State string
- The State for this CertificateAuthority.
- Subordinate
Config AuthoritySubordinate Config Args - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- Update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<AuthorityAccess Url> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- String
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection Boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- gcs
Bucket String - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active BooleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - name String
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca StringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca List<String>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool String
- The name of the CaPool this Certificate Authority belongs to.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- skip
Grace BooleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - state String
- The State for this CertificateAuthority.
- subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time String - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls AuthorityAccess Url[] - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time string - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State string - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- gcs
Bucket string - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active booleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - key
Spec AuthorityKey Spec - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime string
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location string
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - name string
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca stringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca string[]Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool string
- The name of the CaPool this Certificate Authority belongs to.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- skip
Grace booleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - state string
- The State for this CertificateAuthority.
- subordinate
Config AuthoritySubordinate Config - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time string - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access_
urls Sequence[AuthorityAccess Url Args] - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- str
- The user provided Resource ID for this Certificate Authority.
- config
Authority
Config Args - The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create_
time str - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion_
protection bool - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired_
state str - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- gcs_
bucket str - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore_
active_ boolcertificates_ on_ deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - key_
spec AuthorityKey Spec Args - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime str
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location str
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - name str
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem_
ca_ strcertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem_
ca_ Sequence[str]certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool str
- The name of the CaPool this Certificate Authority belongs to.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- skip_
grace_ boolperiod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - state str
- The State for this CertificateAuthority.
- subordinate_
config AuthoritySubordinate Config Args - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type str
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update_
time str - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<Property Map> - URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- String
- The user provided Resource ID for this Certificate Authority.
- config Property Map
- The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String - The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection Boolean - Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String - Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA. - effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- gcs
Bucket String - The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created. - ignore
Active BooleanCertificates On Deletion - This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to
false. - key
Spec Property Map - Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- lifetime String
- The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
- Location of the CertificateAuthority. A full list of valid locations can be found by
running
gcloud privateca locations list. - name String
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca StringCertificate - The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca List<String>Certificates - This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool String
- The name of the CaPool this Certificate Authority belongs to.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- skip
Grace BooleanPeriod - If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to
false. - state String
- The State for this CertificateAuthority.
- subordinate
Config Property Map - If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time String - The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Supporting Types
AuthorityAccessUrl, AuthorityAccessUrlArgs
- Ca
Certificate stringAccess Url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- Crl
Access List<string>Urls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- Ca
Certificate stringAccess Url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- Crl
Access []stringUrls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate StringAccess Url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access List<String>Urls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate stringAccess Url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access string[]Urls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca_
certificate_ straccess_ url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl_
access_ Sequence[str]urls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate StringAccess Url - (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access List<String>Urls - (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
AuthorityConfig, AuthorityConfigArgs
- Subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- X509Config
Authority
Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- Subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- X509Config
Authority
Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config
Authority
Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config
Authority
Config X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject_
config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509_
config AuthorityConfig X509Config - Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config Property Map Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config Property Map
- Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
AuthorityConfigSubjectConfig, AuthorityConfigSubjectConfigArgs
- Subject
Authority
Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt AuthorityName Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- Subject
Authority
Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt AuthorityName Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt AuthorityName Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt AuthorityName Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject - Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject_
alt_ Authorityname Config Subject Config Subject Alt Name - The subject alternative name fields. Structure is documented below.
- subject Property Map
- Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Property MapName - The subject alternative name fields. Structure is documented below.
AuthorityConfigSubjectConfigSubject, AuthorityConfigSubjectConfigSubjectArgs
- Common
Name string - The common name of the distinguished name.
- Organization string
- The organization of the subject.
- Country
Code string - The country code of the subject.
- Locality string
- The locality or city of the subject.
- Organizational
Unit string - The organizational unit of the subject.
- Postal
Code string - The postal code of the subject.
- Province string
- The province, territory, or regional state of the subject.
- Street
Address string - The street address of the subject.
- Common
Name string - The common name of the distinguished name.
- Organization string
- The organization of the subject.
- Country
Code string - The country code of the subject.
- Locality string
- The locality or city of the subject.
- Organizational
Unit string - The organizational unit of the subject.
- Postal
Code string - The postal code of the subject.
- Province string
- The province, territory, or regional state of the subject.
- Street
Address string - The street address of the subject.
- common
Name String - The common name of the distinguished name.
- organization String
- The organization of the subject.
- country
Code String - The country code of the subject.
- locality String
- The locality or city of the subject.
- organizational
Unit String - The organizational unit of the subject.
- postal
Code String - The postal code of the subject.
- province String
- The province, territory, or regional state of the subject.
- street
Address String - The street address of the subject.
- common
Name string - The common name of the distinguished name.
- organization string
- The organization of the subject.
- country
Code string - The country code of the subject.
- locality string
- The locality or city of the subject.
- organizational
Unit string - The organizational unit of the subject.
- postal
Code string - The postal code of the subject.
- province string
- The province, territory, or regional state of the subject.
- street
Address string - The street address of the subject.
- common_
name str - The common name of the distinguished name.
- organization str
- The organization of the subject.
- country_
code str - The country code of the subject.
- locality str
- The locality or city of the subject.
- organizational_
unit str - The organizational unit of the subject.
- postal_
code str - The postal code of the subject.
- province str
- The province, territory, or regional state of the subject.
- street_
address str - The street address of the subject.
- common
Name String - The common name of the distinguished name.
- organization String
- The organization of the subject.
- country
Code String - The country code of the subject.
- locality String
- The locality or city of the subject.
- organizational
Unit String - The organizational unit of the subject.
- postal
Code String - The postal code of the subject.
- province String
- The province, territory, or regional state of the subject.
- street
Address String - The street address of the subject.
AuthorityConfigSubjectConfigSubjectAltName, AuthorityConfigSubjectConfigSubjectAltNameArgs
- Dns
Names List<string> - Contains only valid, fully-qualified host names.
- Email
Addresses List<string> - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses List<string> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris List<string>
- Contains only valid RFC 3986 URIs.
- Dns
Names []string - Contains only valid, fully-qualified host names.
- Email
Addresses []string - Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses []string - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris []string
- Contains only valid RFC 3986 URIs.
- dns
Names List<String> - Contains only valid, fully-qualified host names.
- email
Addresses List<String> - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
- Contains only valid RFC 3986 URIs.
- dns
Names string[] - Contains only valid, fully-qualified host names.
- email
Addresses string[] - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses string[] - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris string[]
- Contains only valid RFC 3986 URIs.
- dns_
names Sequence[str] - Contains only valid, fully-qualified host names.
- email_
addresses Sequence[str] - Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses Sequence[str] - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris Sequence[str]
- Contains only valid RFC 3986 URIs.
- dns
Names List<String> - Contains only valid, fully-qualified host names.
- email
Addresses List<String> - Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> - Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
- Contains only valid RFC 3986 URIs.
AuthorityConfigX509Config, AuthorityConfigX509ConfigArgs
- Ca
Options AuthorityConfig X509Config Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage AuthorityConfig X509Config Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions List<AuthorityConfig X509Config Additional Extension> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints AuthorityConfig X509Config Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<AuthorityConfig X509Config Policy Id> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Ca
Options AuthorityConfig X509Config Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage AuthorityConfig X509Config Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions []AuthorityConfig X509Config Additional Extension - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints AuthorityConfig X509Config Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []AuthorityConfig X509Config Policy Id - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options AuthorityConfig X509Config Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage AuthorityConfig X509Config Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<AuthorityConfig X509Config Additional Extension> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints AuthorityConfig X509Config Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<AuthorityConfig X509Config Policy Id> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options AuthorityConfig X509Config Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage AuthorityConfig X509Config Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions AuthorityConfig X509Config Additional Extension[] - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints AuthorityConfig X509Config Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids AuthorityConfig X509Config Policy Id[] - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca_
options AuthorityConfig X509Config Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usage AuthorityConfig X509Config Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Sequence[AuthorityConfig X509Config Additional Extension] - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name_
constraints AuthorityConfig X509Config Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[AuthorityConfig X509Config Policy Id] - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options Property Map - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage Property Map - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<Property Map> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints Property Map - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
AuthorityConfigX509ConfigAdditionalExtension, AuthorityConfigX509ConfigAdditionalExtensionArgs
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id AuthorityConfig X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id AuthorityConfig X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id AuthorityConfig X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
- critical boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id AuthorityConfig X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
- The value of this X.509 extension. A base64-encoded string.
- critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id AuthorityConfig X509Config Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property Map - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
AuthorityConfigX509ConfigAdditionalExtensionObjectId, AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityConfigX509ConfigCaOptions, AuthorityConfigX509ConfigCaOptionsArgs
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - Non
Ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max boolIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - Non
Ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max boolIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - non
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max BooleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - non
Ca boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max booleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is_
ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - non_
ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero_
max_ boolissuer_ path_ length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting
zero_max_issuer_path_length = true. - non
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max BooleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
AuthorityConfigX509ConfigKeyUsage, AuthorityConfigX509ConfigKeyUsageArgs
- Base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage[] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Authorityusage Config X509Config Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Authorityusage Config X509Config Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Authoritykey_ usages Config X509Config Key Usage Unknown Extended Key Usage] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Property MapUsage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Property MapUsage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
AuthorityConfigX509ConfigKeyUsageBaseKeyUsage, AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
- cert
Sign boolean - The key may be used to sign certificates.
- content
Commitment boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean - The key may be used sign certificate revocation lists.
- data
Encipherment boolean - The key may be used to encipher data.
- decipher
Only boolean - The key may be used to decipher only.
- digital
Signature boolean - The key may be used for digital signatures.
- encipher
Only boolean - The key may be used to encipher only.
- key
Agreement boolean - The key may be used in a key agreement protocol.
- key
Encipherment boolean - The key may be used to encipher other keys.
- cert_
sign bool - The key may be used to sign certificates.
- content_
commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool - The key may be used sign certificate revocation lists.
- data_
encipherment bool - The key may be used to encipher data.
- decipher_
only bool - The key may be used to decipher only.
- digital_
signature bool - The key may be used for digital signatures.
- encipher_
only bool - The key may be used to encipher only.
- key_
agreement bool - The key may be used in a key agreement protocol.
- key_
encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityConfigX509ConfigNameConstraints, AuthorityConfigX509ConfigNameConstraintsArgs
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email List<string>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip List<string>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns List<string>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email List<string>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip List<string>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email []stringAddresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip []stringRanges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns []stringNames - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email []stringAddresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip []stringRanges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email string[]Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip string[]Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns string[]Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email string[]Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip string[]Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical bool
- Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded_
email_ Sequence[str]addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded_
ip_ Sequence[str]ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted_
dns_ Sequence[str]names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted_
email_ Sequence[str]addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted_
ip_ Sequence[str]ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
AuthorityConfigX509ConfigPolicyId, AuthorityConfigX509ConfigPolicyIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityKeySpec, AuthorityKeySpecArgs
- Algorithm string
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - Cloud
Kms stringKey Version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- Algorithm string
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - Cloud
Kms stringKey Version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm String
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - cloud
Kms StringKey Version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm string
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - cloud
Kms stringKey Version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm str
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - cloud_
kms_ strkey_ version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm String
- The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384. - cloud
Kms StringKey Version - The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
AuthoritySubordinateConfig, AuthoritySubordinateConfigArgs
- string
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- string
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - Pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- String
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- string
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- str
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem_
issuer_ Authoritychain Subordinate Config Pem Issuer Chain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- String
- This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*. - pem
Issuer Property MapChain - Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
AuthoritySubordinateConfigPemIssuerChain, AuthoritySubordinateConfigPemIssuerChainArgs
- Pem
Certificates List<string> - Expected to be in leaf-to-root order according to RFC 5246.
- Pem
Certificates []string - Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates List<String> - Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates string[] - Expected to be in leaf-to-root order according to RFC 5246.
- pem_
certificates Sequence[str] - Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates List<String> - Expected to be in leaf-to-root order according to RFC 5246.
Import
CertificateAuthority can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}{{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}{{location}}/{{pool}}/{{certificate_authority_id}}
When using the pulumi import command, CertificateAuthority can be imported using one of the formats above. For example:
$ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.