Docs
Packagesgcp.certificateauthority.Authority
Explore with Pulumi AI
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
- API documentation
- How-to Guides
Warning: On newer versions of the provider, you must explicitly set
deletion_protection=false(and runpulumi upto write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you’re ready to destroy.
Example Usage
Privateca Certificate Authority Basic
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
CertificateAuthorityId = "my-certificate-authority",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
CommonName = "my-certificate-authority",
Organization = "HashiCorp",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
ContentCommitment = true,
CrlSign = true,
DataEncipherment = true,
DecipherOnly = true,
DigitalSignature = true,
KeyAgreement = true,
KeyEncipherment = false,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ClientAuth = false,
CodeSigning = true,
EmailProtection = true,
ServerAuth = true,
TimeStamping = true,
},
},
},
},
DeletionProtection = true,
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
Lifetime = "86400s",
Location = "us-central1",
Pool = "ca-pool",
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
CertificateAuthorityId: pulumi.String("my-certificate-authority"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
CommonName: pulumi.String("my-certificate-authority"),
Organization: pulumi.String("HashiCorp"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
DataEncipherment: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
DigitalSignature: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(false),
CodeSigning: pulumi.Bool(true),
EmailProtection: pulumi.Bool(true),
ServerAuth: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
},
},
DeletionProtection: pulumi.Bool(true),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
Lifetime: pulumi.String("86400s"),
Location: pulumi.String("us-central1"),
Pool: pulumi.String("ca-pool"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Authority("default", AuthorityArgs.builder()
.certificateAuthorityId("my-certificate-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.commonName("my-certificate-authority")
.organization("HashiCorp")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.contentCommitment(true)
.crlSign(true)
.dataEncipherment(true)
.decipherOnly(true)
.digitalSignature(true)
.keyAgreement(true)
.keyEncipherment(false)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(true)
.emailProtection(true)
.serverAuth(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.deletionProtection("true")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.lifetime("86400s")
.location("us-central1")
.pool("ca-pool")
.build());
}
}
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.Authority("default",
certificate_authority_id="my-certificate-authority",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
common_name="my-certificate-authority",
organization="HashiCorp",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=10,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
content_commitment=True,
crl_sign=True,
data_encipherment=True,
decipher_only=True,
digital_signature=True,
key_agreement=True,
key_encipherment=False,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
client_auth=False,
code_signing=True,
email_protection=True,
server_auth=True,
time_stamping=True,
),
),
),
),
deletion_protection=True,
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
lifetime="86400s",
location="us-central1",
pool="ca-pool")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.Authority("default", {
certificateAuthorityId: "my-certificate-authority",
config: {
subjectConfig: {
subject: {
commonName: "my-certificate-authority",
organization: "HashiCorp",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
contentCommitment: true,
crlSign: true,
dataEncipherment: true,
decipherOnly: true,
digitalSignature: true,
keyAgreement: true,
keyEncipherment: false,
},
extendedKeyUsage: {
clientAuth: false,
codeSigning: true,
emailProtection: true,
serverAuth: true,
timeStamping: true,
},
},
},
},
deletionProtection: true,
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
lifetime: "86400s",
location: "us-central1",
pool: "ca-pool",
});
resources:
default:
type: gcp:certificateauthority:Authority
properties:
certificateAuthorityId: my-certificate-authority
config:
subjectConfig:
subject:
commonName: my-certificate-authority
organization: HashiCorp
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
certSign: true
contentCommitment: true
crlSign: true
dataEncipherment: true
decipherOnly: true
digitalSignature: true
keyAgreement: true
keyEncipherment: false
extendedKeyUsage:
clientAuth: false
codeSigning: true
emailProtection: true
serverAuth: true
timeStamping: true
deletionProtection: 'true'
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
lifetime: 86400s
location: us-central1
# This example assumes this pool already exists.
# // Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool: ca-pool
Privateca Certificate Authority Subordinate
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var root_ca = new Gcp.CertificateAuthority.Authority("root-ca", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority-root",
Location = "us-central1",
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-certificate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
},
},
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
DeletionProtection = false,
SkipGracePeriod = true,
IgnoreActiveCertificatesOnDeletion = true,
});
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority-sub",
Location = "us-central1",
DeletionProtection = true,
SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
{
CertificateAuthority = root_ca.Name,
},
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "HashiCorp",
CommonName = "my-subordinate-authority",
},
SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
{
DnsNames = new[]
{
"hashicorp.com",
},
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 0,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
ContentCommitment = true,
KeyEncipherment = false,
DataEncipherment = true,
KeyAgreement = true,
CertSign = true,
CrlSign = true,
DecipherOnly = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
ClientAuth = false,
EmailProtection = true,
CodeSigning = true,
TimeStamping = true,
},
},
},
},
Lifetime = "86400s",
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
Algorithm = "RSA_PKCS1_4096_SHA256",
},
Type = "SUBORDINATE",
});
});
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewAuthority(ctx, "root-ca", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority-root"),
Location: pulumi.String("us-central1"),
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-certificate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
},
},
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
DeletionProtection: pulumi.Bool(false),
SkipGracePeriod: pulumi.Bool(true),
IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority-sub"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(true),
SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
CertificateAuthority: root_ca.Name,
},
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("HashiCorp"),
CommonName: pulumi.String("my-subordinate-authority"),
},
SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
DnsNames: pulumi.StringArray{
pulumi.String("hashicorp.com"),
},
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(0),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
ClientAuth: pulumi.Bool(false),
EmailProtection: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
},
},
Lifetime: pulumi.String("86400s"),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
},
Type: pulumi.String("SUBORDINATE"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var root_ca = new Authority("root-ca", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-root")
.location("us-central1")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-sub")
.location("us-central1")
.deletionProtection("true")
.subordinateConfig(AuthoritySubordinateConfigArgs.builder()
.certificateAuthority(root_ca.name())
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-subordinate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(0)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(true)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.type("SUBORDINATE")
.build());
}
}
import pulumi
import pulumi_gcp as gcp
root_ca = gcp.certificateauthority.Authority("root-ca",
pool="ca-pool",
certificate_authority_id="my-certificate-authority-root",
location="us-central1",
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-certificate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
),
),
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
deletion_protection=False,
skip_grace_period=True,
ignore_active_certificates_on_deletion=True)
default = gcp.certificateauthority.Authority("default",
pool="ca-pool",
certificate_authority_id="my-certificate-authority-sub",
location="us-central1",
deletion_protection=True,
subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
certificate_authority=root_ca.name,
),
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="HashiCorp",
common_name="my-subordinate-authority",
),
subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
dns_names=["hashicorp.com"],
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=0,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
digital_signature=True,
content_commitment=True,
key_encipherment=False,
data_encipherment=True,
key_agreement=True,
cert_sign=True,
crl_sign=True,
decipher_only=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=True,
client_auth=False,
email_protection=True,
code_signing=True,
time_stamping=True,
),
),
),
),
lifetime="86400s",
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
algorithm="RSA_PKCS1_4096_SHA256",
),
type="SUBORDINATE")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const root_ca = new gcp.certificateauthority.Authority("root-ca", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority-root",
location: "us-central1",
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-certificate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
},
},
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
deletionProtection: false,
skipGracePeriod: true,
ignoreActiveCertificatesOnDeletion: true,
});
const _default = new gcp.certificateauthority.Authority("default", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority-sub",
location: "us-central1",
deletionProtection: true,
subordinateConfig: {
certificateAuthority: root_ca.name,
},
config: {
subjectConfig: {
subject: {
organization: "HashiCorp",
commonName: "my-subordinate-authority",
},
subjectAltName: {
dnsNames: ["hashicorp.com"],
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 0,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
contentCommitment: true,
keyEncipherment: false,
dataEncipherment: true,
keyAgreement: true,
certSign: true,
crlSign: true,
decipherOnly: true,
},
extendedKeyUsage: {
serverAuth: true,
clientAuth: false,
emailProtection: true,
codeSigning: true,
timeStamping: true,
},
},
},
},
lifetime: "86400s",
keySpec: {
algorithm: "RSA_PKCS1_4096_SHA256",
},
type: "SUBORDINATE",
});
resources:
root-ca:
type: gcp:certificateauthority:Authority
properties:
pool: ca-pool
certificateAuthorityId: my-certificate-authority-root
location: us-central1
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-certificate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
# Disable CA deletion related safe checks for easier cleanup.
deletionProtection: false
skipGracePeriod: true
ignoreActiveCertificatesOnDeletion: true
default:
type: gcp:certificateauthority:Authority
properties:
# This example assumes this pool already exists.
# // Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool: ca-pool
certificateAuthorityId: my-certificate-authority-sub
location: us-central1
deletionProtection: 'true'
subordinateConfig:
certificateAuthority: ${["root-ca"].name}
config:
subjectConfig:
subject:
organization: HashiCorp
commonName: my-subordinate-authority
subjectAltName:
dnsNames:
- hashicorp.com
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 0
keyUsage:
baseKeyUsage:
digitalSignature: true
contentCommitment: true
keyEncipherment: false
dataEncipherment: true
keyAgreement: true
certSign: true
crlSign: true
decipherOnly: true
extendedKeyUsage:
serverAuth: true
clientAuth: false
emailProtection: true
codeSigning: true
timeStamping: true
lifetime: 86400s
keySpec:
algorithm: RSA_PKCS1_4096_SHA256
type: SUBORDINATE
Privateca Certificate Authority Byo Key
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var privatecaSa = new Gcp.Projects.ServiceIdentity("privatecaSa", new()
{
Service = "privateca.googleapis.com",
});
var privatecaSaKeyuserSignerverifier = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", new()
{
CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
Role = "roles/cloudkms.signerVerifier",
Members = new[]
{
privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
},
});
var privatecaSaKeyuserViewer = new Gcp.Kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", new()
{
CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
Role = "roles/viewer",
Members = new[]
{
privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
},
});
var @default = new Gcp.CertificateAuthority.Authority("default", new()
{
Pool = "ca-pool",
CertificateAuthorityId = "my-certificate-authority",
Location = "us-central1",
DeletionProtection = true,
KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
{
CloudKmsKeyVersion = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
},
Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
{
SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
{
Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
{
Organization = "Example, Org.",
CommonName = "Example Authority",
},
},
X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
{
CertSign = true,
CrlSign = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
{
ServerAuth = false,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example.com",
},
PermittedUris = new[]
{
".example.com",
},
ExcludedUris = new[]
{
".deny.example.com",
},
},
},
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
privatecaSaKeyuserSignerverifier,
privatecaSaKeyuserViewer,
},
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/projects"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
privatecaSa, err := projects.NewServiceIdentity(ctx, "privatecaSa", &projects.ServiceIdentityArgs{
Service: pulumi.String("privateca.googleapis.com"),
})
if err != nil {
return err
}
privatecaSaKeyuserSignerverifier, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserSignerverifier", &kms.CryptoKeyIAMBindingArgs{
CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
Role: pulumi.String("roles/cloudkms.signerVerifier"),
Members: pulumi.StringArray{
privatecaSa.Email.ApplyT(func(email string) (string, error) {
return fmt.Sprintf("serviceAccount:%v", email), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
privatecaSaKeyuserViewer, err := kms.NewCryptoKeyIAMBinding(ctx, "privatecaSaKeyuserViewer", &kms.CryptoKeyIAMBindingArgs{
CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
privatecaSa.Email.ApplyT(func(email string) (string, error) {
return fmt.Sprintf("serviceAccount:%v", email), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
Pool: pulumi.String("ca-pool"),
CertificateAuthorityId: pulumi.String("my-certificate-authority"),
Location: pulumi.String("us-central1"),
DeletionProtection: pulumi.Bool(true),
KeySpec: &certificateauthority.AuthorityKeySpecArgs{
CloudKmsKeyVersion: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"),
},
Config: &certificateauthority.AuthorityConfigArgs{
SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
Organization: pulumi.String("Example, Org."),
CommonName: pulumi.String("Example Authority"),
},
},
X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(true),
CrlSign: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(false),
},
},
NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example.com"),
},
},
},
},
}, pulumi.DependsOn([]pulumi.Resource{
privatecaSaKeyuserSignerverifier,
privatecaSaKeyuserViewer,
}))
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
.service("privateca.googleapis.com")
.build());
var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/cloudkms.signerVerifier")
.members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/viewer")
.members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority")
.location("us-central1")
.deletionProtection("true")
.keySpec(AuthorityKeySpecArgs.builder()
.cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("Example, Org.")
.commonName("Example Authority")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames("*.example.com")
.excludedDnsNames("*.deny.example.com")
.permittedIpRanges("10.0.0.0/8")
.excludedIpRanges("10.1.1.0/24")
.permittedEmailAddresses(".example.com")
.excludedEmailAddresses(".deny.example.com")
.permittedUris(".example.com")
.excludedUris(".deny.example.com")
.build())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(
privatecaSaKeyuserSignerverifier,
privatecaSaKeyuserViewer)
.build());
}
}
import pulumi
import pulumi_gcp as gcp
privateca_sa = gcp.projects.ServiceIdentity("privatecaSa", service="privateca.googleapis.com")
privateca_sa_keyuser_signerverifier = gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier",
crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role="roles/cloudkms.signerVerifier",
members=[privateca_sa.email.apply(lambda email: f"serviceAccount:{email}")])
privateca_sa_keyuser_viewer = gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer",
crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role="roles/viewer",
members=[privateca_sa.email.apply(lambda email: f"serviceAccount:{email}")])
default = gcp.certificateauthority.Authority("default",
pool="ca-pool",
certificate_authority_id="my-certificate-authority",
location="us-central1",
deletion_protection=True,
key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
cloud_kms_key_version="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
),
config=gcp.certificateauthority.AuthorityConfigArgs(
subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
organization="Example, Org.",
common_name="Example Authority",
),
),
x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
is_ca=True,
max_issuer_path_length=10,
),
key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
cert_sign=True,
crl_sign=True,
),
extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
server_auth=False,
),
),
name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
critical=True,
permitted_dns_names=["*.example.com"],
excluded_dns_names=["*.deny.example.com"],
permitted_ip_ranges=["10.0.0.0/8"],
excluded_ip_ranges=["10.1.1.0/24"],
permitted_email_addresses=[".example.com"],
excluded_email_addresses=[".deny.example.com"],
permitted_uris=[".example.com"],
excluded_uris=[".deny.example.com"],
),
),
),
opts=pulumi.ResourceOptions(depends_on=[
privateca_sa_keyuser_signerverifier,
privateca_sa_keyuser_viewer,
]))
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const privatecaSa = new gcp.projects.ServiceIdentity("privatecaSa", {service: "privateca.googleapis.com"});
const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", {
cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role: "roles/cloudkms.signerVerifier",
members: [pulumi.interpolate`serviceAccount:${privatecaSa.email}`],
});
const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMBinding("privatecaSaKeyuserViewer", {
cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
role: "roles/viewer",
members: [pulumi.interpolate`serviceAccount:${privatecaSa.email}`],
});
const _default = new gcp.certificateauthority.Authority("default", {
pool: "ca-pool",
certificateAuthorityId: "my-certificate-authority",
location: "us-central1",
deletionProtection: true,
keySpec: {
cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
},
config: {
subjectConfig: {
subject: {
organization: "Example, Org.",
commonName: "Example Authority",
},
},
x509Config: {
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
certSign: true,
crlSign: true,
},
extendedKeyUsage: {
serverAuth: false,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: ["*.example.com"],
excludedDnsNames: ["*.deny.example.com"],
permittedIpRanges: ["10.0.0.0/8"],
excludedIpRanges: ["10.1.1.0/24"],
permittedEmailAddresses: [".example.com"],
excludedEmailAddresses: [".deny.example.com"],
permittedUris: [".example.com"],
excludedUris: [".deny.example.com"],
},
},
},
}, {
dependsOn: [
privatecaSaKeyuserSignerverifier,
privatecaSaKeyuserViewer,
],
});
resources:
privatecaSa:
type: gcp:projects:ServiceIdentity
properties:
service: privateca.googleapis.com
privatecaSaKeyuserSignerverifier:
type: gcp:kms:CryptoKeyIAMBinding
properties:
cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
role: roles/cloudkms.signerVerifier
members:
- serviceAccount:${privatecaSa.email}
privatecaSaKeyuserViewer:
type: gcp:kms:CryptoKeyIAMBinding
properties:
cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
role: roles/viewer
members:
- serviceAccount:${privatecaSa.email}
default:
type: gcp:certificateauthority:Authority
properties:
# This example assumes this pool already exists.
# // Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool: ca-pool
certificateAuthorityId: my-certificate-authority
location: us-central1
deletionProtection: 'true'
keySpec:
cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
config:
subjectConfig:
subject:
organization: Example, Org.
commonName: Example Authority
x509Config:
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
certSign: true
crlSign: true
extendedKeyUsage:
serverAuth: false
nameConstraints:
critical: true
permittedDnsNames:
- '*.example.com'
excludedDnsNames:
- '*.deny.example.com'
permittedIpRanges:
- 10.0.0.0/8
excludedIpRanges:
- 10.1.1.0/24
permittedEmailAddresses:
- .example.com
excludedEmailAddresses:
- .deny.example.com
permittedUris:
- .example.com
excludedUris:
- .deny.example.com
options:
dependson:
- ${privatecaSaKeyuserSignerverifier}
- ${privatecaSaKeyuserViewer}
Create Authority Resource
new Authority(name: string, args: AuthorityArgs, opts?: CustomResourceOptions);@overload
def Authority(resource_name: str,
opts: Optional[ResourceOptions] = None,
certificate_authority_id: Optional[str] = None,
config: Optional[AuthorityConfigArgs] = None,
deletion_protection: Optional[bool] = None,
desired_state: Optional[str] = None,
gcs_bucket: Optional[str] = None,
ignore_active_certificates_on_deletion: Optional[bool] = None,
key_spec: Optional[AuthorityKeySpecArgs] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
pem_ca_certificate: Optional[str] = None,
pool: Optional[str] = None,
project: Optional[str] = None,
skip_grace_period: Optional[bool] = None,
subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
type: Optional[str] = None)
@overload
def Authority(resource_name: str,
args: AuthorityArgs,
opts: Optional[ResourceOptions] = None)func NewAuthority(ctx *Context, name string, args AuthorityArgs, opts ...ResourceOption) (*Authority, error)public Authority(string name, AuthorityArgs args, CustomResourceOptions? opts = null)
public Authority(String name, AuthorityArgs args)
public Authority(String name, AuthorityArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:Authority
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthorityArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Authority Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Authority resource accepts the following input properties:
- string
The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- Pool string
The name of the CaPool this Certificate Authority belongs to.
- Deletion
Protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- Gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- Ignore
Active boolCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- Subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- string
The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Key
Spec AuthorityKey Spec Args Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- Pool string
The name of the CaPool this Certificate Authority belongs to.
- Deletion
Protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- Gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- Ignore
Active boolCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- Subordinate
Config AuthoritySubordinate Config Args If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- String
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location String
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- pool String
The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection Boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket String The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active BooleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca StringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- string
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- pool string
The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active booleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace booleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- str
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key_
spec AuthorityKey Spec Args Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location str
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- pool str
The name of the CaPool this Certificate Authority belongs to.
- deletion_
protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired_
state str Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs_
bucket str The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore_
active_ boolcertificates_ on_ deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime str
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem_
ca_ strcertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip_
grace_ boolperiod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- subordinate_
config AuthoritySubordinate Config Args If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type str
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
- String
The user provided Resource ID for this Certificate Authority.
- config Property Map
The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- key
Spec Property Map Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- location String
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- pool String
The name of the CaPool this Certificate Authority belongs to.
- deletion
Protection Boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket String The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active BooleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- pem
Ca StringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- subordinate
Config Property Map If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.
Outputs
All input properties are implicitly available as output properties. Additionally, the Authority resource produces the following output properties:
- Access
Urls List<AuthorityAccess Url> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- Create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Id string
The provider-assigned unique ID for this managed resource.
- Name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca List<string>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- State string
The State for this CertificateAuthority.
- Update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Access
Urls []AuthorityAccess Url URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- Create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Id string
The provider-assigned unique ID for this managed resource.
- Name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca []stringCertificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- State string
The State for this CertificateAuthority.
- Update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<AuthorityAccess Url> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time String The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- id String
The provider-assigned unique ID for this managed resource.
- name String
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca List<String>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- state String
The State for this CertificateAuthority.
- update
Time String The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls AuthorityAccess Url[] URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- id string
The provider-assigned unique ID for this managed resource.
- name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca string[]Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- state string
The State for this CertificateAuthority.
- update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access_
urls Sequence[AuthorityAccess Url] URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create_
time str The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- id str
The provider-assigned unique ID for this managed resource.
- name str
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem_
ca_ Sequence[str]certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- state str
The State for this CertificateAuthority.
- update_
time str The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<Property Map> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- create
Time String The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- id String
The provider-assigned unique ID for this managed resource.
- name String
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca List<String>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- state String
The State for this CertificateAuthority.
- update
Time String The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Look up Existing Authority Resource
Get an existing Authority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthorityState, opts?: CustomResourceOptions): Authority@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
access_urls: Optional[Sequence[AuthorityAccessUrlArgs]] = None,
certificate_authority_id: Optional[str] = None,
config: Optional[AuthorityConfigArgs] = None,
create_time: Optional[str] = None,
deletion_protection: Optional[bool] = None,
desired_state: Optional[str] = None,
gcs_bucket: Optional[str] = None,
ignore_active_certificates_on_deletion: Optional[bool] = None,
key_spec: Optional[AuthorityKeySpecArgs] = None,
labels: Optional[Mapping[str, str]] = None,
lifetime: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
pem_ca_certificate: Optional[str] = None,
pem_ca_certificates: Optional[Sequence[str]] = None,
pool: Optional[str] = None,
project: Optional[str] = None,
skip_grace_period: Optional[bool] = None,
state: Optional[str] = None,
subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
type: Optional[str] = None,
update_time: Optional[str] = None) -> Authorityfunc GetAuthority(ctx *Context, name string, id IDInput, state *AuthorityState, opts ...ResourceOption) (*Authority, error)public static Authority Get(string name, Input<string> id, AuthorityState? state, CustomResourceOptions? opts = null)public static Authority get(String name, Output<String> id, AuthorityState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Access
Urls List<AuthorityAccess Url> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Deletion
Protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- Gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- Ignore
Active boolCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- Key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- Name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Pem
Ca List<string>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pool string
The name of the CaPool this Certificate Authority belongs to.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- State string
The State for this CertificateAuthority.
- Subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- Update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Access
Urls []AuthorityAccess Url Args URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
The user provided Resource ID for this Certificate Authority.
- Config
Authority
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- Create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- Deletion
Protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- Desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- Gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- Ignore
Active boolCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- Key
Spec AuthorityKey Spec Args Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- Lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- Location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- Name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- Pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- Pem
Ca []stringCertificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- Pool string
The name of the CaPool this Certificate Authority belongs to.
- Project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Skip
Grace boolPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- State string
The State for this CertificateAuthority.
- Subordinate
Config AuthoritySubordinate Config Args If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- Type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- Update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<AuthorityAccess Url> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- String
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection Boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket String The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active BooleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- name String
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca StringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca List<String>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool String
The name of the CaPool this Certificate Authority belongs to.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- state String
The State for this CertificateAuthority.
- subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time String The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls AuthorityAccess Url[] URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- string
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time string The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State string Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket string The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active booleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- key
Spec AuthorityKey Spec Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime string
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location string
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- name string
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca stringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca string[]Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool string
The name of the CaPool this Certificate Authority belongs to.
- project string
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace booleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- state string
The State for this CertificateAuthority.
- subordinate
Config AuthoritySubordinate Config If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type string
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time string The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access_
urls Sequence[AuthorityAccess Url Args] URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- str
The user provided Resource ID for this Certificate Authority.
- config
Authority
Config Args The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create_
time str The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion_
protection bool Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired_
state str Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs_
bucket str The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore_
active_ boolcertificates_ on_ deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- key_
spec AuthorityKey Spec Args Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime str
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location str
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- name str
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem_
ca_ strcertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem_
ca_ Sequence[str]certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool str
The name of the CaPool this Certificate Authority belongs to.
- project str
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip_
grace_ boolperiod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- state str
The State for this CertificateAuthority.
- subordinate_
config AuthoritySubordinate Config Args If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type str
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update_
time str The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- access
Urls List<Property Map> URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
- String
The user provided Resource ID for this Certificate Authority.
- config Property Map
The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
- create
Time String The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- deletion
Protection Boolean Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
- desired
State String Desired state of the CertificateAuthority. Set this field to
STAGEDto create aSTAGEDroot CA.- gcs
Bucket String The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as
gs://) or suffixes (such as.googleapis.com). For example, to use a bucket named my-bucket, you would simply specifymy-bucket. If not specified, a managed bucket will be created.- ignore
Active BooleanCertificates On Deletion This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to
false.- key
Spec Property Map Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
- lifetime String
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- location String
Location of the CertificateAuthority. A full list of valid locations can be found by running
gcloud privateca locations list.- name String
The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
- pem
Ca StringCertificate The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
- pem
Ca List<String>Certificates This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
- pool String
The name of the CaPool this Certificate Authority belongs to.
- project String
The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- skip
Grace BooleanPeriod If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
false.- state String
The State for this CertificateAuthority.
- subordinate
Config Property Map If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.
- type String
The Type of this CertificateAuthority.
Note: For
SUBORDINATECertificate Authorities, they need to be activated before they can issue certificates. Default value isSELF_SIGNED. Possible values are:SELF_SIGNED,SUBORDINATE.- update
Time String The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Supporting Types
AuthorityAccessUrl, AuthorityAccessUrlArgs
- Ca
Certificate stringAccess Url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- Crl
Access List<string>Urls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- Ca
Certificate stringAccess Url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- Crl
Access []stringUrls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate StringAccess Url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access List<String>Urls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate stringAccess Url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access string[]Urls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca_
certificate_ straccess_ url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl_
access_ Sequence[str]urls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
- ca
Certificate StringAccess Url (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
- crl
Access List<String>Urls (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
AuthorityConfig, AuthorityConfigArgs
- Subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- X509Config
Authority
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- Subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- X509Config
Authority
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config
Authority
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config
Authority
Config X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject_
config AuthorityConfig Subject Config Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509_
config AuthorityConfig X509Config Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
- subject
Config Property Map Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The
x509_configblock supports:- x509Config Property Map
Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
AuthorityConfigSubjectConfig, AuthorityConfigSubjectConfigArgs
- Subject
Authority
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt AuthorityName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- Subject
Authority
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- Subject
Alt AuthorityName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt AuthorityName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt AuthorityName Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject
Authority
Config Subject Config Subject Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject_
alt_ Authorityname Config Subject Config Subject Alt Name The subject alternative name fields. Structure is documented below.
- subject Property Map
Contains distinguished name fields such as the location and organization. Structure is documented below.
- subject
Alt Property MapName The subject alternative name fields. Structure is documented below.
AuthorityConfigSubjectConfigSubject, AuthorityConfigSubjectConfigSubjectArgs
- Common
Name string The common name of the distinguished name.
- Organization string
The organization of the subject.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- Common
Name string The common name of the distinguished name.
- Organization string
The organization of the subject.
- Country
Code string The country code of the subject.
- Locality string
The locality or city of the subject.
- Organizational
Unit string The organizational unit of the subject.
- Postal
Code string The postal code of the subject.
- Province string
The province, territory, or regional state of the subject.
- Street
Address string The street address of the subject.
- common
Name String The common name of the distinguished name.
- organization String
The organization of the subject.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
- common
Name string The common name of the distinguished name.
- organization string
The organization of the subject.
- country
Code string The country code of the subject.
- locality string
The locality or city of the subject.
- organizational
Unit string The organizational unit of the subject.
- postal
Code string The postal code of the subject.
- province string
The province, territory, or regional state of the subject.
- street
Address string The street address of the subject.
- common_
name str The common name of the distinguished name.
- organization str
The organization of the subject.
- country_
code str The country code of the subject.
- locality str
The locality or city of the subject.
- organizational_
unit str The organizational unit of the subject.
- postal_
code str The postal code of the subject.
- province str
The province, territory, or regional state of the subject.
- street_
address str The street address of the subject.
- common
Name String The common name of the distinguished name.
- organization String
The organization of the subject.
- country
Code String The country code of the subject.
- locality String
The locality or city of the subject.
- organizational
Unit String The organizational unit of the subject.
- postal
Code String The postal code of the subject.
- province String
The province, territory, or regional state of the subject.
- street
Address String The street address of the subject.
AuthorityConfigSubjectConfigSubjectAltName, AuthorityConfigSubjectConfigSubjectAltNameArgs
- Dns
Names List<string> Contains only valid, fully-qualified host names.
- Email
Addresses List<string> Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses List<string> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris List<string>
Contains only valid RFC 3986 URIs.
- Dns
Names []string Contains only valid, fully-qualified host names.
- Email
Addresses []string Contains only valid RFC 2822 E-mail addresses.
- Ip
Addresses []string Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- Uris []string
Contains only valid RFC 3986 URIs.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
- dns
Names string[] Contains only valid, fully-qualified host names.
- email
Addresses string[] Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses string[] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris string[]
Contains only valid RFC 3986 URIs.
- dns_
names Sequence[str] Contains only valid, fully-qualified host names.
- email_
addresses Sequence[str] Contains only valid RFC 2822 E-mail addresses.
- ip_
addresses Sequence[str] Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris Sequence[str]
Contains only valid RFC 3986 URIs.
- dns
Names List<String> Contains only valid, fully-qualified host names.
- email
Addresses List<String> Contains only valid RFC 2822 E-mail addresses.
- ip
Addresses List<String> Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
- uris List<String>
Contains only valid RFC 3986 URIs.
AuthorityConfigX509Config, AuthorityConfigX509ConfigArgs
- Ca
Options AuthorityConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage AuthorityConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions List<AuthorityConfig X509Config Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints AuthorityConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<AuthorityConfig X509Config Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Ca
Options AuthorityConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage AuthorityConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions []AuthorityConfig X509Config Additional Extension Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints AuthorityConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []AuthorityConfig X509Config Policy Id Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options AuthorityConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage AuthorityConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<AuthorityConfig X509Config Additional Extension> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints AuthorityConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<AuthorityConfig X509Config Policy Id> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options AuthorityConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage AuthorityConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions AuthorityConfig X509Config Additional Extension[] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints AuthorityConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids AuthorityConfig X509Config Policy Id[] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca_
options AuthorityConfig X509Config Ca Options Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usage AuthorityConfig X509Config Key Usage Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Sequence[AuthorityConfig X509Config Additional Extension] Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name_
constraints AuthorityConfig X509Config Name Constraints Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[AuthorityConfig X509Config Policy Id] Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage Property Map Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<Property Map> Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints Property Map Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
AuthorityConfigX509ConfigAdditionalExtension, AuthorityConfigX509ConfigAdditionalExtensionArgs
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id AuthorityConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- Critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id AuthorityConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id AuthorityConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
- critical boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id AuthorityConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
The value of this X.509 extension. A base64-encoded string.
- critical bool
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id AuthorityConfig X509Config Additional Extension Object Id Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
The value of this X.509 extension. A base64-encoded string.
- critical Boolean
Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property Map Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
The value of this X.509 extension. A base64-encoded string.
AuthorityConfigX509ConfigAdditionalExtensionObjectId, AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityConfigX509ConfigCaOptions, AuthorityConfigX509ConfigCaOptionsArgs
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- Is
Ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- Non
Ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- Zero
Max boolIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- non
Ca boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max booleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is_
ca bool When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- non_
ca bool When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero_
max_ boolissuer_ path_ length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting
zero_max_issuer_path_length = true.- non
Ca Boolean When true, the "CA" in Basic Constraints extension will be set to false. If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate.- zero
Max BooleanIssuer Path Length When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
AuthorityConfigX509ConfigKeyUsage, AuthorityConfigX509ConfigKeyUsageArgs
- Base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage> An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key AuthorityUsage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key AuthorityUsage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended AuthorityKey Usages Config X509Config Key Usage Unknown Extended Key Usage[] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Authorityusage Config X509Config Key Usage Base Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Authorityusage Config X509Config Key Usage Extended Key Usage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Authoritykey_ usages Config X509Config Key Usage Unknown Extended Key Usage] An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Property MapUsage Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
AuthorityConfigX509ConfigKeyUsageBaseKeyUsage, AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- Cert
Sign bool The key may be used to sign certificates.
- Content
Commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool The key may be used sign certificate revocation lists.
- Data
Encipherment bool The key may be used to encipher data.
- Decipher
Only bool The key may be used to decipher only.
- Digital
Signature bool The key may be used for digital signatures.
- Encipher
Only bool The key may be used to encipher only.
- Key
Agreement bool The key may be used in a key agreement protocol.
- Key
Encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
- cert
Sign boolean The key may be used to sign certificates.
- content
Commitment boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean The key may be used sign certificate revocation lists.
- data
Encipherment boolean The key may be used to encipher data.
- decipher
Only boolean The key may be used to decipher only.
- digital
Signature boolean The key may be used for digital signatures.
- encipher
Only boolean The key may be used to encipher only.
- key
Agreement boolean The key may be used in a key agreement protocol.
- key
Encipherment boolean The key may be used to encipher other keys.
- cert_
sign bool The key may be used to sign certificates.
- content_
commitment bool The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool The key may be used sign certificate revocation lists.
- data_
encipherment bool The key may be used to encipher data.
- decipher_
only bool The key may be used to decipher only.
- digital_
signature bool The key may be used for digital signatures.
- encipher_
only bool The key may be used to encipher only.
- key_
agreement bool The key may be used in a key agreement protocol.
- key_
encipherment bool The key may be used to encipher other keys.
- cert
Sign Boolean The key may be used to sign certificates.
- content
Commitment Boolean The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean The key may be used sign certificate revocation lists.
- data
Encipherment Boolean The key may be used to encipher data.
- decipher
Only Boolean The key may be used to decipher only.
- digital
Signature Boolean The key may be used for digital signatures.
- encipher
Only Boolean The key may be used to encipher only.
- key
Agreement Boolean The key may be used in a key agreement protocol.
- key
Encipherment Boolean The key may be used to encipher other keys.
AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityConfigX509ConfigNameConstraints, AuthorityConfigX509ConfigNameConstraintsArgs
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Excluded
Email List<string>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Excluded
Ip List<string>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- Permitted
Dns List<string>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Permitted
Email List<string>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Permitted
Ip List<string>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- Critical bool
Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Excluded
Email []stringAddresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Excluded
Ip []stringRanges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- Permitted
Dns []stringNames Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- Permitted
Email []stringAddresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- Permitted
Ip []stringRanges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email string[]Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip string[]Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns string[]Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email string[]Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip string[]Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical bool
Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded_
email_ Sequence[str]addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded_
ip_ Sequence[str]ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted_
dns_ Sequence[str]names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted_
email_ Sequence[str]addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted_
ip_ Sequence[str]ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
- critical Boolean
Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- excluded
Email List<String>Addresses Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- excluded
Ip List<String>Ranges Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)- permitted
Dns List<String>Names Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not.- permitted
Email List<String>Addresses Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain.- permitted
Ip List<String>Ranges Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like
.example.com)
AuthorityConfigX509ConfigPolicyId, AuthorityConfigX509ConfigPolicyIdArgs
- Object
Id List<int>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
AuthorityKeySpec, AuthorityKeySpecArgs
- Algorithm string
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- Cloud
Kms stringKey Version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- Algorithm string
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- Cloud
Kms stringKey Version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm String
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- cloud
Kms StringKey Version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm string
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- cloud
Kms stringKey Version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm str
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- cloud_
kms_ strkey_ version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
- algorithm String
The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are:
SIGN_HASH_ALGORITHM_UNSPECIFIED,RSA_PSS_2048_SHA256,RSA_PSS_3072_SHA256,RSA_PSS_4096_SHA256,RSA_PKCS1_2048_SHA256,RSA_PKCS1_3072_SHA256,RSA_PKCS1_4096_SHA256,EC_P256_SHA256,EC_P384_SHA384.- cloud
Kms StringKey Version The resource name for an existing Cloud KMS CryptoKeyVersion in the format
projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
AuthoritySubordinateConfig, AuthoritySubordinateConfigArgs
- string
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- string
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- Pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- String
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- string
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Issuer AuthorityChain Subordinate Config Pem Issuer Chain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- str
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem_
issuer_ Authoritychain Subordinate Config Pem Issuer Chain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
- String
This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format
projects/*/locations/*/caPools/*/certificateAuthorities/*.- pem
Issuer Property MapChain Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
AuthoritySubordinateConfigPemIssuerChain, AuthoritySubordinateConfigPemIssuerChainArgs
- Pem
Certificates List<string> Expected to be in leaf-to-root order according to RFC 5246.
- Pem
Certificates []string Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates List<String> Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates string[] Expected to be in leaf-to-root order according to RFC 5246.
- pem_
certificates Sequence[str] Expected to be in leaf-to-root order according to RFC 5246.
- pem
Certificates List<String> Expected to be in leaf-to-root order according to RFC 5246.
Import
CertificateAuthority can be imported using any of these accepted formats
$ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
google-betaTerraform Provider.