gcp.certificateauthority.Authority

Import

CertificateAuthority can be imported using any of these accepted formats

 $ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
 $ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
 $ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}

Example Usage

Privateca Certificate Authority Basic

using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var @default = new Gcp.CertificateAuthority.Authority("default", new()
    {
        CertificateAuthorityId = "my-certificate-authority",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    CommonName = "my-certificate-authority",
                    Organization = "HashiCorp",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                    MaxIssuerPathLength = 10,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        ContentCommitment = true,
                        CrlSign = true,
                        DataEncipherment = true,
                        DecipherOnly = true,
                        DigitalSignature = true,
                        KeyAgreement = true,
                        KeyEncipherment = false,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ClientAuth = false,
                        CodeSigning = true,
                        EmailProtection = true,
                        ServerAuth = true,
                        TimeStamping = true,
                    },
                },
            },
        },
        DeletionProtection = true,
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        Lifetime = "86400s",
        Location = "us-central1",
        Pool = "ca-pool",
    });

});
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						CommonName:   pulumi.String("my-certificate-authority"),
						Organization: pulumi.String("HashiCorp"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa:                pulumi.Bool(true),
						MaxIssuerPathLength: pulumi.Int(10),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign:          pulumi.Bool(true),
							ContentCommitment: pulumi.Bool(true),
							CrlSign:           pulumi.Bool(true),
							DataEncipherment:  pulumi.Bool(true),
							DecipherOnly:      pulumi.Bool(true),
							DigitalSignature:  pulumi.Bool(true),
							KeyAgreement:      pulumi.Bool(true),
							KeyEncipherment:   pulumi.Bool(false),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ClientAuth:      pulumi.Bool(false),
							CodeSigning:     pulumi.Bool(true),
							EmailProtection: pulumi.Bool(true),
							ServerAuth:      pulumi.Bool(true),
							TimeStamping:    pulumi.Bool(true),
						},
					},
				},
			},
			DeletionProtection: pulumi.Bool(true),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			Lifetime: pulumi.String("86400s"),
			Location: pulumi.String("us-central1"),
			Pool:     pulumi.String("ca-pool"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var default_ = new Authority("default", AuthorityArgs.builder()        
            .certificateAuthorityId("my-certificate-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .commonName("my-certificate-authority")
                        .organization("HashiCorp")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .contentCommitment(true)
                            .crlSign(true)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .keyAgreement(true)
                            .keyEncipherment(false)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .clientAuth(false)
                            .codeSigning(true)
                            .emailProtection(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .lifetime("86400s")
            .location("us-central1")
            .pool("ca-pool")
            .build());

    }
}
import pulumi
import pulumi_gcp as gcp

default = gcp.certificateauthority.Authority("default",
    certificate_authority_id="my-certificate-authority",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                common_name="my-certificate-authority",
                organization="HashiCorp",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
                max_issuer_path_length=10,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    content_commitment=True,
                    crl_sign=True,
                    data_encipherment=True,
                    decipher_only=True,
                    digital_signature=True,
                    key_agreement=True,
                    key_encipherment=False,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    client_auth=False,
                    code_signing=True,
                    email_protection=True,
                    server_auth=True,
                    time_stamping=True,
                ),
            ),
        ),
    ),
    deletion_protection=True,
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    lifetime="86400s",
    location="us-central1",
    pool="ca-pool")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const _default = new gcp.certificateauthority.Authority("default", {
    certificateAuthorityId: "my-certificate-authority",
    config: {
        subjectConfig: {
            subject: {
                commonName: "my-certificate-authority",
                organization: "HashiCorp",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
                maxIssuerPathLength: 10,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    contentCommitment: true,
                    crlSign: true,
                    dataEncipherment: true,
                    decipherOnly: true,
                    digitalSignature: true,
                    keyAgreement: true,
                    keyEncipherment: false,
                },
                extendedKeyUsage: {
                    clientAuth: false,
                    codeSigning: true,
                    emailProtection: true,
                    serverAuth: true,
                    timeStamping: true,
                },
            },
        },
    },
    deletionProtection: true,
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    lifetime: "86400s",
    location: "us-central1",
    pool: "ca-pool",
});
resources:
  default:
    type: gcp:certificateauthority:Authority
    properties:
      certificateAuthorityId: my-certificate-authority
      config:
        subjectConfig:
          subject:
            commonName: my-certificate-authority
            organization: HashiCorp
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
            maxIssuerPathLength: 10
          keyUsage:
            baseKeyUsage:
              certSign: true
              contentCommitment: true
              crlSign: true
              dataEncipherment: true
              decipherOnly: true
              digitalSignature: true
              keyAgreement: true
              keyEncipherment: false
            extendedKeyUsage:
              clientAuth: false
              codeSigning: true
              emailProtection: true
              serverAuth: true
              timeStamping: true
      deletionProtection: 'true'
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      lifetime: 86400s
      location: us-central1
      # This example assumes this pool already exists.
      #     // Pools cannot be deleted in normal test circumstances, so we depend on static pools
      pool: ca-pool

Privateca Certificate Authority Subordinate

using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var root_ca = new Gcp.CertificateAuthority.Authority("root-ca", new()
    {
        Pool = "ca-pool",
        CertificateAuthorityId = "my-certificate-authority-root",
        Location = "us-central1",
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-certificate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
            },
        },
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        DeletionProtection = false,
        SkipGracePeriod = true,
        IgnoreActiveCertificatesOnDeletion = true,
    });

    var @default = new Gcp.CertificateAuthority.Authority("default", new()
    {
        Pool = "ca-pool",
        CertificateAuthorityId = "my-certificate-authority-sub",
        Location = "us-central1",
        DeletionProtection = true,
        SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
        {
            CertificateAuthority = root_ca.Name,
        },
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "HashiCorp",
                    CommonName = "my-subordinate-authority",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "hashicorp.com",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                    MaxIssuerPathLength = 0,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        DigitalSignature = true,
                        ContentCommitment = true,
                        KeyEncipherment = false,
                        DataEncipherment = true,
                        KeyAgreement = true,
                        CertSign = true,
                        CrlSign = true,
                        DecipherOnly = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = true,
                        ClientAuth = false,
                        EmailProtection = true,
                        CodeSigning = true,
                        TimeStamping = true,
                    },
                },
            },
        },
        Lifetime = "86400s",
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "RSA_PKCS1_4096_SHA256",
        },
        Type = "SUBORDINATE",
    });

});
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := certificateauthority.NewAuthority(ctx, "root-ca", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority-root"),
			Location:               pulumi.String("us-central1"),
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-certificate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
				},
			},
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			DeletionProtection:                 pulumi.Bool(false),
			SkipGracePeriod:                    pulumi.Bool(true),
			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority-sub"),
			Location:               pulumi.String("us-central1"),
			DeletionProtection:     pulumi.Bool(true),
			SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
				CertificateAuthority: root_ca.Name,
			},
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("HashiCorp"),
						CommonName:   pulumi.String("my-subordinate-authority"),
					},
					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
						DnsNames: pulumi.StringArray{
							pulumi.String("hashicorp.com"),
						},
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa:                pulumi.Bool(true),
						MaxIssuerPathLength: pulumi.Int(0),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							DigitalSignature:  pulumi.Bool(true),
							ContentCommitment: pulumi.Bool(true),
							KeyEncipherment:   pulumi.Bool(false),
							DataEncipherment:  pulumi.Bool(true),
							KeyAgreement:      pulumi.Bool(true),
							CertSign:          pulumi.Bool(true),
							CrlSign:           pulumi.Bool(true),
							DecipherOnly:      pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth:      pulumi.Bool(true),
							ClientAuth:      pulumi.Bool(false),
							EmailProtection: pulumi.Bool(true),
							CodeSigning:     pulumi.Bool(true),
							TimeStamping:    pulumi.Bool(true),
						},
					},
				},
			},
			Lifetime: pulumi.String("86400s"),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
			Type: pulumi.String("SUBORDINATE"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var root_ca = new Authority("root-ca", AuthorityArgs.builder()        
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-root")
            .location("us-central1")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());

        var default_ = new Authority("default", AuthorityArgs.builder()        
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-sub")
            .location("us-central1")
            .deletionProtection("true")
            .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
                .certificateAuthority(root_ca.name())
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-subordinate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(0)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .contentCommitment(true)
                            .keyEncipherment(false)
                            .dataEncipherment(true)
                            .keyAgreement(true)
                            .certSign(true)
                            .crlSign(true)
                            .decipherOnly(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .clientAuth(false)
                            .emailProtection(true)
                            .codeSigning(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .type("SUBORDINATE")
            .build());

    }
}
import pulumi
import pulumi_gcp as gcp

root_ca = gcp.certificateauthority.Authority("root-ca",
    pool="ca-pool",
    certificate_authority_id="my-certificate-authority-root",
    location="us-central1",
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-certificate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
        ),
    ),
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    deletion_protection=False,
    skip_grace_period=True,
    ignore_active_certificates_on_deletion=True)
default = gcp.certificateauthority.Authority("default",
    pool="ca-pool",
    certificate_authority_id="my-certificate-authority-sub",
    location="us-central1",
    deletion_protection=True,
    subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
        certificate_authority=root_ca.name,
    ),
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="HashiCorp",
                common_name="my-subordinate-authority",
            ),
            subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                dns_names=["hashicorp.com"],
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
                max_issuer_path_length=0,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    digital_signature=True,
                    content_commitment=True,
                    key_encipherment=False,
                    data_encipherment=True,
                    key_agreement=True,
                    cert_sign=True,
                    crl_sign=True,
                    decipher_only=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                    client_auth=False,
                    email_protection=True,
                    code_signing=True,
                    time_stamping=True,
                ),
            ),
        ),
    ),
    lifetime="86400s",
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ),
    type="SUBORDINATE")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const root_ca = new gcp.certificateauthority.Authority("root-ca", {
    pool: "ca-pool",
    certificateAuthorityId: "my-certificate-authority-root",
    location: "us-central1",
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-certificate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
        },
    },
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    deletionProtection: false,
    skipGracePeriod: true,
    ignoreActiveCertificatesOnDeletion: true,
});
const _default = new gcp.certificateauthority.Authority("default", {
    pool: "ca-pool",
    certificateAuthorityId: "my-certificate-authority-sub",
    location: "us-central1",
    deletionProtection: true,
    subordinateConfig: {
        certificateAuthority: root_ca.name,
    },
    config: {
        subjectConfig: {
            subject: {
                organization: "HashiCorp",
                commonName: "my-subordinate-authority",
            },
            subjectAltName: {
                dnsNames: ["hashicorp.com"],
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
                maxIssuerPathLength: 0,
            },
            keyUsage: {
                baseKeyUsage: {
                    digitalSignature: true,
                    contentCommitment: true,
                    keyEncipherment: false,
                    dataEncipherment: true,
                    keyAgreement: true,
                    certSign: true,
                    crlSign: true,
                    decipherOnly: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                    clientAuth: false,
                    emailProtection: true,
                    codeSigning: true,
                    timeStamping: true,
                },
            },
        },
    },
    lifetime: "86400s",
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
    type: "SUBORDINATE",
});
resources:
  root-ca:
    type: gcp:certificateauthority:Authority
    properties:
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority-root
      location: us-central1
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-certificate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
          keyUsage:
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      # Disable CA deletion related safe checks for easier cleanup.
      deletionProtection: false
      skipGracePeriod: true
      ignoreActiveCertificatesOnDeletion: true
  default:
    type: gcp:certificateauthority:Authority
    properties:
      # This example assumes this pool already exists.
      #   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority-sub
      location: us-central1
      deletionProtection: 'true'
      subordinateConfig:
        certificateAuthority: ${["root-ca"].name}
      config:
        subjectConfig:
          subject:
            organization: HashiCorp
            commonName: my-subordinate-authority
          subjectAltName:
            dnsNames:
              - hashicorp.com
        x509Config:
          caOptions:
            isCa: true
            maxIssuerPathLength: 0
          keyUsage:
            baseKeyUsage:
              digitalSignature: true
              contentCommitment: true
              keyEncipherment: false
              dataEncipherment: true
              keyAgreement: true
              certSign: true
              crlSign: true
              decipherOnly: true
            extendedKeyUsage:
              serverAuth: true
              clientAuth: false
              emailProtection: true
              codeSigning: true
              timeStamping: true
      lifetime: 86400s
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
      type: SUBORDINATE

Privateca Certificate Authority Byo Key

using System.Collections.Generic;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var privatecaSa = new Gcp.Projects.ServiceIdentity("privatecaSa", new()
    {
        Service = "privateca.googleapis.com",
    });

    var privatecaSaKeyuserSignerverifier = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", new()
    {
        CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        Role = "roles/cloudkms.signerVerifier",
        Members = new[]
        {
            privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
        },
    });

    var privatecaSaKeyuserViewer = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", new()
    {
        CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        Role = "roles/viewer",
        Members = new[]
        {
            privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
        },
    });

    var @default = new Gcp.CertificateAuthority.Authority("default", new()
    {
        Pool = "ca-pool",
        CertificateAuthorityId = "my-certificate-authority",
        Location = "us-central1",
        DeletionProtection = true,
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            CloudKmsKeyVersion = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
        },
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    Organization = "Example, Org.",
                    CommonName = "Example Authority",
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = true,
                    MaxIssuerPathLength = 10,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = true,
                        CrlSign = true,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ServerAuth = false,
                    },
                },
                NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
                {
                    Critical = true,
                    PermittedDnsNames = new[]
                    {
                        "*.example.com",
                    },
                    ExcludedDnsNames = new[]
                    {
                        "*.deny.example.com",
                    },
                    PermittedIpRanges = new[]
                    {
                        "10.0.0.0/8",
                    },
                    ExcludedIpRanges = new[]
                    {
                        "10.1.1.0/24",
                    },
                    PermittedEmailAddresses = new[]
                    {
                        ".example.com",
                    },
                    ExcludedEmailAddresses = new[]
                    {
                        ".deny.example.com",
                    },
                    PermittedUris = new[]
                    {
                        ".example.com",
                    },
                    ExcludedUris = new[]
                    {
                        ".deny.example.com",
                    },
                },
            },
        },
    }, new CustomResourceOptions
    {
        DependsOn = new[]
        {
            privatecaSaKeyuserSignerverifier,
            privatecaSaKeyuserViewer,
        },
    });

});
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		privatecaSa, err := projects.NewServiceIdentity(ctx, "privatecaSa", &projects.ServiceIdentityArgs{
			Service: pulumi.String("privateca.googleapis.com"),
		})
		if err != nil {
			return err
		}
		privatecaSaKeyuserSignerverifier, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserSignerverifier", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
			Members: pulumi.StringArray{
				privatecaSa.Email.ApplyT(func(email string) (string, error) {
					return fmt.Sprintf("serviceAccount:%v", email), nil
				}).(pulumi.StringOutput),
			},
		})
		if err != nil {
			return err
		}
		privatecaSaKeyuserViewer, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserViewer", &kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
			Role:        pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				privatecaSa.Email.ApplyT(func(email string) (string, error) {
					return fmt.Sprintf("serviceAccount:%v", email), nil
				}).(pulumi.StringOutput),
			},
		})
		if err != nil {
			return err
		}
		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
			Pool:                   pulumi.String("ca-pool"),
			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
			Location:               pulumi.String("us-central1"),
			DeletionProtection:     pulumi.Bool(true),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				CloudKmsKeyVersion: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"),
			},
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						Organization: pulumi.String("Example, Org."),
						CommonName:   pulumi.String("Example Authority"),
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa:                pulumi.Bool(true),
						MaxIssuerPathLength: pulumi.Int(10),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(false),
						},
					},
					NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
						Critical: pulumi.Bool(true),
						PermittedDnsNames: pulumi.StringArray{
							pulumi.String("*.example.com"),
						},
						ExcludedDnsNames: pulumi.StringArray{
							pulumi.String("*.deny.example.com"),
						},
						PermittedIpRanges: pulumi.StringArray{
							pulumi.String("10.0.0.0/8"),
						},
						ExcludedIpRanges: pulumi.StringArray{
							pulumi.String("10.1.1.0/24"),
						},
						PermittedEmailAddresses: pulumi.StringArray{
							pulumi.String(".example.com"),
						},
						ExcludedEmailAddresses: pulumi.StringArray{
							pulumi.String(".deny.example.com"),
						},
						PermittedUris: pulumi.StringArray{
							pulumi.String(".example.com"),
						},
						ExcludedUris: pulumi.StringArray{
							pulumi.String(".deny.example.com"),
						},
					},
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			privatecaSaKeyuserSignerverifier,
			privatecaSaKeyuserViewer,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()        
            .service("privateca.googleapis.com")
            .build());

        var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()        
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/cloudkms.signerVerifier")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());

        var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()        
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/viewer")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());

        var default_ = new Authority("default", AuthorityArgs.builder()        
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("Example, Org.")
                        .commonName("Example Authority")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
                        .critical(true)
                        .permittedDnsNames("*.example.com")
                        .excludedDnsNames("*.deny.example.com")
                        .permittedIpRanges("10.0.0.0/8")
                        .excludedIpRanges("10.1.1.0/24")
                        .permittedEmailAddresses(".example.com")
                        .excludedEmailAddresses(".deny.example.com")
                        .permittedUris(".example.com")
                        .excludedUris(".deny.example.com")
                        .build())
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(                
                    privatecaSaKeyuserSignerverifier,
                    privatecaSaKeyuserViewer)
                .build());

    }
}
import pulumi
import pulumi_gcp as gcp

privateca_sa = gcp.projects.ServiceIdentity("privatecaSa", service="privateca.googleapis.com")
privateca_sa_keyuser_signerverifier = gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier",
    crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
    role="roles/cloudkms.signerVerifier",
    members=[privateca_sa.email.apply(lambda email: f"serviceAccount:{email}")])
privateca_sa_keyuser_viewer = gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer",
    crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
    role="roles/viewer",
    members=[privateca_sa.email.apply(lambda email: f"serviceAccount:{email}")])
default = gcp.certificateauthority.Authority("default",
    pool="ca-pool",
    certificate_authority_id="my-certificate-authority",
    location="us-central1",
    deletion_protection=True,
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        cloud_kms_key_version="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
    ),
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                organization="Example, Org.",
                common_name="Example Authority",
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
                max_issuer_path_length=10,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=False,
                ),
            ),
            name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
                critical=True,
                permitted_dns_names=["*.example.com"],
                excluded_dns_names=["*.deny.example.com"],
                permitted_ip_ranges=["10.0.0.0/8"],
                excluded_ip_ranges=["10.1.1.0/24"],
                permitted_email_addresses=[".example.com"],
                excluded_email_addresses=[".deny.example.com"],
                permitted_uris=[".example.com"],
                excluded_uris=[".deny.example.com"],
            ),
        ),
    ),
    opts=pulumi.ResourceOptions(depends_on=[
            privateca_sa_keyuser_signerverifier,
            privateca_sa_keyuser_viewer,
        ]))
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const privatecaSa = new gcp.projects.ServiceIdentity("privatecaSa", {service: "privateca.googleapis.com"});
const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", {
    cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
    role: "roles/cloudkms.signerVerifier",
    members: [pulumi.interpolate`serviceAccount:${privatecaSa.email}`],
});
const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", {
    cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
    role: "roles/viewer",
    members: [pulumi.interpolate`serviceAccount:${privatecaSa.email}`],
});
const _default = new gcp.certificateauthority.Authority("default", {
    pool: "ca-pool",
    certificateAuthorityId: "my-certificate-authority",
    location: "us-central1",
    deletionProtection: true,
    keySpec: {
        cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
    },
    config: {
        subjectConfig: {
            subject: {
                organization: "Example, Org.",
                commonName: "Example Authority",
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
                maxIssuerPathLength: 10,
            },
            keyUsage: {
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: false,
                },
            },
            nameConstraints: {
                critical: true,
                permittedDnsNames: ["*.example.com"],
                excludedDnsNames: ["*.deny.example.com"],
                permittedIpRanges: ["10.0.0.0/8"],
                excludedIpRanges: ["10.1.1.0/24"],
                permittedEmailAddresses: [".example.com"],
                excludedEmailAddresses: [".deny.example.com"],
                permittedUris: [".example.com"],
                excludedUris: [".deny.example.com"],
            },
        },
    },
}, {
    dependsOn: [
        privatecaSaKeyuserSignerverifier,
        privatecaSaKeyuserViewer,
    ],
});
resources:
  privatecaSa:
    type: gcp:projects:ServiceIdentity
    properties:
      service: privateca.googleapis.com
  privatecaSaKeyuserSignerverifier:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
      role: roles/cloudkms.signerVerifier
      members:
        - serviceAccount:${privatecaSa.email}
  privatecaSaKeyuserViewer:
    type: gcp:kms:CryptoKeyIAMBinding
    properties:
      cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
      role: roles/viewer
      members:
        - serviceAccount:${privatecaSa.email}
  default:
    type: gcp:certificateauthority:Authority
    properties:
      # This example assumes this pool already exists.
      #   // Pools cannot be deleted in normal test circumstances, so we depend on static pools
      pool: ca-pool
      certificateAuthorityId: my-certificate-authority
      location: us-central1
      deletionProtection: 'true'
      keySpec:
        cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
      config:
        subjectConfig:
          subject:
            organization: Example, Org.
            commonName: Example Authority
        x509Config:
          caOptions:
            isCa: true
            maxIssuerPathLength: 10
          keyUsage:
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: false
          nameConstraints:
            critical: true
            permittedDnsNames:
              - '*.example.com'
            excludedDnsNames:
              - '*.deny.example.com'
            permittedIpRanges:
              - 10.0.0.0/8
            excludedIpRanges:
              - 10.1.1.0/24
            permittedEmailAddresses:
              - .example.com
            excludedEmailAddresses:
              - .deny.example.com
            permittedUris:
              - .example.com
            excludedUris:
              - .deny.example.com
    options:
      dependson:
        - ${privatecaSaKeyuserSignerverifier}
        - ${privatecaSaKeyuserViewer}

Create Authority Resource

new Authority(name: string, args: AuthorityArgs, opts?: CustomResourceOptions);
@overload
def Authority(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              certificate_authority_id: Optional[str] = None,
              config: Optional[AuthorityConfigArgs] = None,
              deletion_protection: Optional[bool] = None,
              desired_state: Optional[str] = None,
              gcs_bucket: Optional[str] = None,
              ignore_active_certificates_on_deletion: Optional[bool] = None,
              key_spec: Optional[AuthorityKeySpecArgs] = None,
              labels: Optional[Mapping[str, str]] = None,
              lifetime: Optional[str] = None,
              location: Optional[str] = None,
              pem_ca_certificate: Optional[str] = None,
              pool: Optional[str] = None,
              project: Optional[str] = None,
              skip_grace_period: Optional[bool] = None,
              subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
              type: Optional[str] = None)
@overload
def Authority(resource_name: str,
              args: AuthorityArgs,
              opts: Optional[ResourceOptions] = None)
func NewAuthority(ctx *Context, name string, args AuthorityArgs, opts ...ResourceOption) (*Authority, error)
public Authority(string name, AuthorityArgs args, CustomResourceOptions? opts = null)
public Authority(String name, AuthorityArgs args)
public Authority(String name, AuthorityArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Authority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AuthorityArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Authority Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Authority resource accepts the following input properties:

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate Authority belongs to.

DeletionProtection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

PemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SkipGracePeriod bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Pool string

The name of the CaPool this Certificate Authority belongs to.

DeletionProtection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

PemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SkipGracePeriod bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate Authority belongs to.

deletionProtection Boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels Map<String,String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate String

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod Boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool string

The name of the CaPool this Certificate Authority belongs to.

deletionProtection boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificate_authority_id str

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

key_spec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location str

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool str

The name of the CaPool this Certificate Authority belongs to.

deletion_protection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desired_state str

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcs_bucket str

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignore_active_certificates_on_deletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pem_ca_certificate str

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skip_grace_period bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

subordinate_config AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type str

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

keySpec Property Map

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

pool String

The name of the CaPool this Certificate Authority belongs to.

deletionProtection Boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

labels Map<String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

pemCaCertificate String

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod Boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

subordinateConfig Property Map

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

Outputs

All input properties are implicitly available as output properties. Additionally, the Authority resource produces the following output properties:

AccessUrls List<AuthorityAccessUrl>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

PemCaCertificates List<string>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

State string

The State for this CertificateAuthority.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AccessUrls []AuthorityAccessUrl

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Id string

The provider-assigned unique ID for this managed resource.

Name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

PemCaCertificates []string

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

State string

The State for this CertificateAuthority.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<AuthorityAccessUrl>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state String

The State for this CertificateAuthority.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls AuthorityAccessUrl[]

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

createTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id string

The provider-assigned unique ID for this managed resource.

name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificates string[]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state string

The State for this CertificateAuthority.

updateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

access_urls Sequence[AuthorityAccessUrl]

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

create_time str

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id str

The provider-assigned unique ID for this managed resource.

name str

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pem_ca_certificates Sequence[str]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state str

The State for this CertificateAuthority.

update_time str

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<Property Map>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

id String

The provider-assigned unique ID for this managed resource.

name String

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

state String

The State for this CertificateAuthority.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Look up Existing Authority Resource

Get an existing Authority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthorityState, opts?: CustomResourceOptions): Authority
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        access_urls: Optional[Sequence[AuthorityAccessUrlArgs]] = None,
        certificate_authority_id: Optional[str] = None,
        config: Optional[AuthorityConfigArgs] = None,
        create_time: Optional[str] = None,
        deletion_protection: Optional[bool] = None,
        desired_state: Optional[str] = None,
        gcs_bucket: Optional[str] = None,
        ignore_active_certificates_on_deletion: Optional[bool] = None,
        key_spec: Optional[AuthorityKeySpecArgs] = None,
        labels: Optional[Mapping[str, str]] = None,
        lifetime: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        pem_ca_certificate: Optional[str] = None,
        pem_ca_certificates: Optional[Sequence[str]] = None,
        pool: Optional[str] = None,
        project: Optional[str] = None,
        skip_grace_period: Optional[bool] = None,
        state: Optional[str] = None,
        subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
        type: Optional[str] = None,
        update_time: Optional[str] = None) -> Authority
func GetAuthority(ctx *Context, name string, id IDInput, state *AuthorityState, opts ...ResourceOption) (*Authority, error)
public static Authority Get(string name, Input<string> id, AuthorityState? state, CustomResourceOptions? opts = null)
public static Authority get(String name, Output<String> id, AuthorityState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccessUrls List<AuthorityAccessUrlArgs>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

DeletionProtection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

PemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

PemCaCertificates List<string>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Pool string

The name of the CaPool this Certificate Authority belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SkipGracePeriod bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

State string

The State for this CertificateAuthority.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

AccessUrls []AuthorityAccessUrlArgs

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

CertificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

Config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

CreateTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

DeletionProtection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

DesiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

GcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

IgnoreActiveCertificatesOnDeletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

KeySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

PemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

PemCaCertificates []string

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Pool string

The name of the CaPool this Certificate Authority belongs to.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

SkipGracePeriod bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

State string

The State for this CertificateAuthority.

SubordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

UpdateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<AuthorityAccessUrlArgs>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection Boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Map<String,String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificate String

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool String

The name of the CaPool this Certificate Authority belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod Boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

state String

The State for this CertificateAuthority.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls AuthorityAccessUrlArgs[]

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

certificateAuthorityId string

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime string

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState string

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket string

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

keySpec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime string

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location string

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name string

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificate string

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

pemCaCertificates string[]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool string

The name of the CaPool this Certificate Authority belongs to.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

state string

The State for this CertificateAuthority.

subordinateConfig AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type string

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime string

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

access_urls Sequence[AuthorityAccessUrlArgs]

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

certificate_authority_id str

The user provided Resource ID for this Certificate Authority.

config AuthorityConfigArgs

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

create_time str

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletion_protection bool

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desired_state str

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcs_bucket str

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignore_active_certificates_on_deletion bool

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

key_spec AuthorityKeySpecArgs

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime str

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location str

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name str

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pem_ca_certificate str

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

pem_ca_certificates Sequence[str]

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool str

The name of the CaPool this Certificate Authority belongs to.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skip_grace_period bool

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

state str

The State for this CertificateAuthority.

subordinate_config AuthoritySubordinateConfigArgs

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type str

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

update_time str

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

accessUrls List<Property Map>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

certificateAuthorityId String

The user provided Resource ID for this Certificate Authority.

config Property Map

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

createTime String

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deletionProtection Boolean

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

desiredState String

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

gcsBucket String

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

ignoreActiveCertificatesOnDeletion Boolean

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

keySpec Property Map

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

labels Map<String>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

lifetime String

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

location String

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

name String

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.

pemCaCertificate String

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

pemCaCertificates List<String>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

pool String

The name of the CaPool this Certificate Authority belongs to.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

skipGracePeriod Boolean

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

state String

The State for this CertificateAuthority.

subordinateConfig Property Map

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

type String

The Type of this CertificateAuthority.

Note: For SUBORDINATE Certificate Authorities, they need to be activated before they can issue certificates. Default value is SELF_SIGNED. Possible values are SELF_SIGNED and SUBORDINATE.

updateTime String

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Supporting Types

AuthorityAccessUrl

CaCertificateAccessUrl string

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

CrlAccessUrls List<string>

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

CaCertificateAccessUrl string

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

CrlAccessUrls []string

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

caCertificateAccessUrl String

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crlAccessUrls List<String>

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

caCertificateAccessUrl string

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crlAccessUrls string[]

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

ca_certificate_access_url str

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crl_access_urls Sequence[str]

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

caCertificateAccessUrl String

(Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.

crlAccessUrls List<String>

(Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

AuthorityConfig

SubjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

SubjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

X509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subject_config AuthorityConfigSubjectConfig

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509_config AuthorityConfigX509Config

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

subjectConfig Property Map

Specifies some of the values in a certificate that are related to the subject. Structure is documented below.

x509Config Property Map

Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.

AuthorityConfigSubjectConfig

Subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

Subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

SubjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject AuthorityConfigSubjectConfigSubject

Contains distinguished name fields such as the location and organization. Structure is documented below.

subject_alt_name AuthorityConfigSubjectConfigSubjectAltName

The subject alternative name fields. Structure is documented below.

subject Property Map

Contains distinguished name fields such as the location and organization. Structure is documented below.

subjectAltName Property Map

The subject alternative name fields. Structure is documented below.

AuthorityConfigSubjectConfigSubject

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

CommonName string

The common name of the distinguished name.

Organization string

The organization of the subject.

CountryCode string

The country code of the subject.

Locality string

The locality or city of the subject.

OrganizationalUnit string

The organizational unit of the subject.

PostalCode string

The postal code of the subject.

Province string

The province, territory, or regional state of the subject.

StreetAddress string

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

commonName string

The common name of the distinguished name.

organization string

The organization of the subject.

countryCode string

The country code of the subject.

locality string

The locality or city of the subject.

organizationalUnit string

The organizational unit of the subject.

postalCode string

The postal code of the subject.

province string

The province, territory, or regional state of the subject.

streetAddress string

The street address of the subject.

common_name str

The common name of the distinguished name.

organization str

The organization of the subject.

country_code str

The country code of the subject.

locality str

The locality or city of the subject.

organizational_unit str

The organizational unit of the subject.

postal_code str

The postal code of the subject.

province str

The province, territory, or regional state of the subject.

street_address str

The street address of the subject.

commonName String

The common name of the distinguished name.

organization String

The organization of the subject.

countryCode String

The country code of the subject.

locality String

The locality or city of the subject.

organizationalUnit String

The organizational unit of the subject.

postalCode String

The postal code of the subject.

province String

The province, territory, or regional state of the subject.

streetAddress String

The street address of the subject.

AuthorityConfigSubjectConfigSubjectAltName

DnsNames List<string>

Contains only valid, fully-qualified host names.

EmailAddresses List<string>

Contains only valid RFC 2822 E-mail addresses.

IpAddresses List<string>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris List<string>

Contains only valid RFC 3986 URIs.

DnsNames []string

Contains only valid, fully-qualified host names.

EmailAddresses []string

Contains only valid RFC 2822 E-mail addresses.

IpAddresses []string

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

Uris []string

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

dnsNames string[]

Contains only valid, fully-qualified host names.

emailAddresses string[]

Contains only valid RFC 2822 E-mail addresses.

ipAddresses string[]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris string[]

Contains only valid RFC 3986 URIs.

dns_names Sequence[str]

Contains only valid, fully-qualified host names.

email_addresses Sequence[str]

Contains only valid RFC 2822 E-mail addresses.

ip_addresses Sequence[str]

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris Sequence[str]

Contains only valid RFC 3986 URIs.

dnsNames List<String>

Contains only valid, fully-qualified host names.

emailAddresses List<String>

Contains only valid RFC 2822 E-mail addresses.

ipAddresses List<String>

Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

uris List<String>

Contains only valid RFC 3986 URIs.

AuthorityConfigX509Config

CaOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

NameConstraints AuthorityConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds List<AuthorityConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CaOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions []AuthorityConfigX509ConfigAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

NameConstraints AuthorityConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

PolicyIds []AuthorityConfigX509ConfigPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

nameConstraints AuthorityConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<AuthorityConfigX509ConfigPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions AuthorityConfigX509ConfigAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

nameConstraints AuthorityConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policyIds AuthorityConfigX509ConfigPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

ca_options AuthorityConfigX509ConfigCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

key_usage AuthorityConfigX509ConfigKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additional_extensions Sequence[AuthorityConfigX509ConfigAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

name_constraints AuthorityConfigX509ConfigNameConstraints

Describes the X.509 name constraints extension. Structure is documented below.

policy_ids Sequence[AuthorityConfigX509ConfigPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage Property Map

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<Property Map>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

nameConstraints Property Map

Describes the X.509 name constraints extension. Structure is documented below.

policyIds List<Property Map>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

AuthorityConfigX509ConfigAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id AuthorityConfigX509ConfigAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

AuthorityConfigX509ConfigAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityConfigX509ConfigCaOptions

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

nonCa boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

non_ca bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zero_max_issuer_path_length bool

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

AuthorityConfigX509ConfigKeyUsage

BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<Property Map>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

AuthorityConfigX509ConfigKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityConfigX509ConfigNameConstraints

Critical bool

Indicates whether or not the name constraints are marked critical.

ExcludedDnsNames List<string>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

ExcludedEmailAddresses List<string>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

ExcludedIpRanges List<string>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

ExcludedUris List<string>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

PermittedDnsNames List<string>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

PermittedEmailAddresses List<string>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

PermittedIpRanges List<string>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

PermittedUris List<string>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

Critical bool

Indicates whether or not the name constraints are marked critical.

ExcludedDnsNames []string

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

ExcludedEmailAddresses []string

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

ExcludedIpRanges []string

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

ExcludedUris []string

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

PermittedDnsNames []string

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

PermittedEmailAddresses []string

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

PermittedIpRanges []string

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

PermittedUris []string

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames List<String>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses List<String>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges List<String>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris List<String>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames List<String>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses List<String>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges List<String>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permittedUris List<String>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames string[]

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses string[]

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges string[]

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris string[]

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames string[]

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses string[]

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges string[]

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permittedUris string[]

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical bool

Indicates whether or not the name constraints are marked critical.

excluded_dns_names Sequence[str]

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excluded_email_addresses Sequence[str]

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excluded_ip_ranges Sequence[str]

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excluded_uris Sequence[str]

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permitted_dns_names Sequence[str]

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permitted_email_addresses Sequence[str]

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permitted_ip_ranges Sequence[str]

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permitted_uris Sequence[str]

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

critical Boolean

Indicates whether or not the name constraints are marked critical.

excludedDnsNames List<String>

Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

excludedEmailAddresses List<String>

Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

excludedIpRanges List<String>

Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

excludedUris List<String>

Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

permittedDnsNames List<String>

Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.

permittedEmailAddresses List<String>

Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.

permittedIpRanges List<String>

Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.

permittedUris List<String>

Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

AuthorityConfigX509ConfigPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Number>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

AuthorityKeySpec

Algorithm string

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

CloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

Algorithm string

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

CloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm String

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion String

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm string

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion string

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm str

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloud_kms_key_version str

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

algorithm String

The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, and EC_P384_SHA384.

cloudKmsKeyVersion String

The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

AuthoritySubordinateConfig

CertificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

CertificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

PemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

certificateAuthority String

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

certificateAuthority string

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

certificate_authority str

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pem_issuer_chain AuthoritySubordinateConfigPemIssuerChain

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

certificateAuthority String

This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.

pemIssuerChain Property Map

Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

AuthoritySubordinateConfigPemIssuerChain

PemCertificates List<string>

Expected to be in leaf-to-root order according to RFC 5246.

PemCertificates []string

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates List<String>

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates string[]

Expected to be in leaf-to-root order according to RFC 5246.

pem_certificates Sequence[str]

Expected to be in leaf-to-root order according to RFC 5246.

pemCertificates List<String>

Expected to be in leaf-to-root order according to RFC 5246.

Package Details

Repository
Google Cloud (GCP) Classic pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.