Docs Home
Google Cloud v8.32.1 published on Thursday, May 22, 2025 by Pulumi
gcp.certificateauthority.CaPool
Explore with Pulumi AI
A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.
To get more information about CaPool, see:
Example Usage
Privateca Capool Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.CaPool("default", {
name: "my-pool",
location: "us-central1",
tier: "ENTERPRISE",
publishingOptions: {
publishCaCert: true,
publishCrl: true,
},
labels: {
foo: "bar",
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.CaPool("default",
name="my-pool",
location="us-central1",
tier="ENTERPRISE",
publishing_options={
"publish_ca_cert": True,
"publish_crl": True,
},
labels={
"foo": "bar",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Name: pulumi.String("my-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(true),
PublishCrl: pulumi.Bool(true),
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Name = "my-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = true,
PublishCrl = true,
},
Labels =
{
{ "foo", "bar" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.name("my-pool")
.location("us-central1")
.tier("ENTERPRISE")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(true)
.publishCrl(true)
.build())
.labels(Map.of("foo", "bar"))
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
name: my-pool
location: us-central1
tier: ENTERPRISE
publishingOptions:
publishCaCert: true
publishCrl: true
labels:
foo: bar
Privateca Capool All Fields
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.CaPool("default", {
name: "my-pool",
location: "us-central1",
tier: "ENTERPRISE",
publishingOptions: {
publishCaCert: false,
publishCrl: true,
encodingFormat: "PEM",
},
labels: {
foo: "bar",
},
issuancePolicy: {
allowedKeyTypes: [
{
ellipticCurve: {
signatureAlgorithm: "ECDSA_P256",
},
},
{
rsa: {
minModulusSize: "5",
maxModulusSize: "10",
},
},
],
backdateDuration: "3600s",
maximumLifetime: "50000s",
allowedIssuanceModes: {
allowCsrBasedIssuance: true,
allowConfigBasedIssuance: true,
},
identityConstraints: {
allowSubjectPassthrough: true,
allowSubjectAltNamesPassthrough: true,
celExpression: {
expression: "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
title: "My title",
},
},
baselineValues: {
aiaOcspServers: ["example.com"],
additionalExtensions: [{
critical: true,
value: "asdf",
objectId: {
objectIdPaths: [
1,
7,
],
},
}],
policyIds: [
{
objectIdPaths: [
1,
5,
],
},
{
objectIdPaths: [
1,
5,
7,
],
},
],
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
contentCommitment: true,
keyEncipherment: false,
dataEncipherment: true,
keyAgreement: true,
certSign: false,
crlSign: true,
decipherOnly: true,
},
extendedKeyUsage: {
serverAuth: true,
clientAuth: false,
emailProtection: true,
codeSigning: true,
timeStamping: true,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: [
"*.example1.com",
"*.example2.com",
],
excludedDnsNames: [
"*.deny.example1.com",
"*.deny.example2.com",
],
permittedIpRanges: [
"10.0.0.0/8",
"11.0.0.0/8",
],
excludedIpRanges: [
"10.1.1.0/24",
"11.1.1.0/24",
],
permittedEmailAddresses: [
".example1.com",
".example2.com",
],
excludedEmailAddresses: [
".deny.example1.com",
".deny.example2.com",
],
permittedUris: [
".example1.com",
".example2.com",
],
excludedUris: [
".deny.example1.com",
".deny.example2.com",
],
},
},
},
});
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.CaPool("default",
name="my-pool",
location="us-central1",
tier="ENTERPRISE",
publishing_options={
"publish_ca_cert": False,
"publish_crl": True,
"encoding_format": "PEM",
},
labels={
"foo": "bar",
},
issuance_policy={
"allowed_key_types": [
{
"elliptic_curve": {
"signature_algorithm": "ECDSA_P256",
},
},
{
"rsa": {
"min_modulus_size": "5",
"max_modulus_size": "10",
},
},
],
"backdate_duration": "3600s",
"maximum_lifetime": "50000s",
"allowed_issuance_modes": {
"allow_csr_based_issuance": True,
"allow_config_based_issuance": True,
},
"identity_constraints": {
"allow_subject_passthrough": True,
"allow_subject_alt_names_passthrough": True,
"cel_expression": {
"expression": "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
"title": "My title",
},
},
"baseline_values": {
"aia_ocsp_servers": ["example.com"],
"additional_extensions": [{
"critical": True,
"value": "asdf",
"object_id": {
"object_id_paths": [
1,
7,
],
},
}],
"policy_ids": [
{
"object_id_paths": [
1,
5,
],
},
{
"object_id_paths": [
1,
5,
7,
],
},
],
"ca_options": {
"is_ca": True,
"max_issuer_path_length": 10,
},
"key_usage": {
"base_key_usage": {
"digital_signature": True,
"content_commitment": True,
"key_encipherment": False,
"data_encipherment": True,
"key_agreement": True,
"cert_sign": False,
"crl_sign": True,
"decipher_only": True,
},
"extended_key_usage": {
"server_auth": True,
"client_auth": False,
"email_protection": True,
"code_signing": True,
"time_stamping": True,
},
},
"name_constraints": {
"critical": True,
"permitted_dns_names": [
"*.example1.com",
"*.example2.com",
],
"excluded_dns_names": [
"*.deny.example1.com",
"*.deny.example2.com",
],
"permitted_ip_ranges": [
"10.0.0.0/8",
"11.0.0.0/8",
],
"excluded_ip_ranges": [
"10.1.1.0/24",
"11.1.1.0/24",
],
"permitted_email_addresses": [
".example1.com",
".example2.com",
],
"excluded_email_addresses": [
".deny.example1.com",
".deny.example2.com",
],
"permitted_uris": [
".example1.com",
".example2.com",
],
"excluded_uris": [
".deny.example1.com",
".deny.example2.com",
],
},
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Name: pulumi.String("my-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(false),
PublishCrl: pulumi.Bool(true),
EncodingFormat: pulumi.String("PEM"),
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
SignatureAlgorithm: pulumi.String("ECDSA_P256"),
},
},
&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
MinModulusSize: pulumi.String("5"),
MaxModulusSize: pulumi.String("10"),
},
},
},
BackdateDuration: pulumi.String("3600s"),
MaximumLifetime: pulumi.String("50000s"),
AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
AllowCsrBasedIssuance: pulumi.Bool(true),
AllowConfigBasedIssuance: pulumi.Bool(true),
},
IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
AllowSubjectPassthrough: pulumi.Bool(true),
AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
Expression: pulumi.String("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"),
Title: pulumi.String("My title"),
},
},
BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
AiaOcspServers: pulumi.StringArray{
pulumi.String("example.com"),
},
AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
Critical: pulumi.Bool(true),
Value: pulumi.String("asdf"),
ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(7),
},
},
},
},
PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(5),
},
},
&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(5),
pulumi.Int(7),
},
},
},
CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
CertSign: pulumi.Bool(false),
CrlSign: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
ClientAuth: pulumi.Bool(false),
EmailProtection: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
NameConstraints: &certificateauthority.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example1.com"),
pulumi.String("*.example2.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example1.com"),
pulumi.String("*.deny.example2.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
pulumi.String("11.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
pulumi.String("11.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example1.com"),
pulumi.String(".example2.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example1.com"),
pulumi.String(".deny.example2.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example1.com"),
pulumi.String(".example2.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example1.com"),
pulumi.String(".deny.example2.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Name = "my-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = false,
PublishCrl = true,
EncodingFormat = "PEM",
},
Labels =
{
{ "foo", "bar" },
},
IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
{
AllowedKeyTypes = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
{
EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
{
SignatureAlgorithm = "ECDSA_P256",
},
},
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
{
Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
{
MinModulusSize = "5",
MaxModulusSize = "10",
},
},
},
BackdateDuration = "3600s",
MaximumLifetime = "50000s",
AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
{
AllowCsrBasedIssuance = true,
AllowConfigBasedIssuance = true,
},
IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
{
AllowSubjectPassthrough = true,
AllowSubjectAltNamesPassthrough = true,
CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
{
Expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
Title = "My title",
},
},
BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
{
AiaOcspServers = new[]
{
"example.com",
},
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
{
Critical = true,
Value = "asdf",
ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
1,
7,
},
},
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
5,
},
},
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
5,
7,
},
},
},
CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
ContentCommitment = true,
KeyEncipherment = false,
DataEncipherment = true,
KeyAgreement = true,
CertSign = false,
CrlSign = true,
DecipherOnly = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
ClientAuth = false,
EmailProtection = true,
CodeSigning = true,
TimeStamping = true,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example1.com",
"*.example2.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example1.com",
"*.deny.example2.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
"11.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
"11.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example1.com",
".example2.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example1.com",
".deny.example2.com",
},
PermittedUris = new[]
{
".example1.com",
".example2.com",
},
ExcludedUris = new[]
{
".deny.example1.com",
".deny.example2.com",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.name("my-pool")
.location("us-central1")
.tier("ENTERPRISE")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(false)
.publishCrl(true)
.encodingFormat("PEM")
.build())
.labels(Map.of("foo", "bar"))
.issuancePolicy(CaPoolIssuancePolicyArgs.builder()
.allowedKeyTypes(
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
.signatureAlgorithm("ECDSA_P256")
.build())
.build(),
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
.minModulusSize("5")
.maxModulusSize("10")
.build())
.build())
.backdateDuration("3600s")
.maximumLifetime("50000s")
.allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
.allowCsrBasedIssuance(true)
.allowConfigBasedIssuance(true)
.build())
.identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
.allowSubjectPassthrough(true)
.allowSubjectAltNamesPassthrough(true)
.celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
.expression("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )")
.title("My title")
.build())
.build())
.baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
.aiaOcspServers("example.com")
.additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
.critical(true)
.value("asdf")
.objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(
1,
7)
.build())
.build())
.policyIds(
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
5)
.build(),
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
5,
7)
.build())
.caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
.baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(false)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames(
"*.example1.com",
"*.example2.com")
.excludedDnsNames(
"*.deny.example1.com",
"*.deny.example2.com")
.permittedIpRanges(
"10.0.0.0/8",
"11.0.0.0/8")
.excludedIpRanges(
"10.1.1.0/24",
"11.1.1.0/24")
.permittedEmailAddresses(
".example1.com",
".example2.com")
.excludedEmailAddresses(
".deny.example1.com",
".deny.example2.com")
.permittedUris(
".example1.com",
".example2.com")
.excludedUris(
".deny.example1.com",
".deny.example2.com")
.build())
.build())
.build())
.build());
}
}
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
name: my-pool
location: us-central1
tier: ENTERPRISE
publishingOptions:
publishCaCert: false
publishCrl: true
encodingFormat: PEM
labels:
foo: bar
issuancePolicy:
allowedKeyTypes:
- ellipticCurve:
signatureAlgorithm: ECDSA_P256
- rsa:
minModulusSize: 5
maxModulusSize: 10
backdateDuration: 3600s
maximumLifetime: 50000s
allowedIssuanceModes:
allowCsrBasedIssuance: true
allowConfigBasedIssuance: true
identityConstraints:
allowSubjectPassthrough: true
allowSubjectAltNamesPassthrough: true
celExpression:
expression: subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )
title: My title
baselineValues:
aiaOcspServers:
- example.com
additionalExtensions:
- critical: true
value: asdf
objectId:
objectIdPaths:
- 1
- 7
policyIds:
- objectIdPaths:
- 1
- 5
- objectIdPaths:
- 1
- 5
- 7
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
digitalSignature: true
contentCommitment: true
keyEncipherment: false
dataEncipherment: true
keyAgreement: true
certSign: false
crlSign: true
decipherOnly: true
extendedKeyUsage:
serverAuth: true
clientAuth: false
emailProtection: true
codeSigning: true
timeStamping: true
nameConstraints:
critical: true
permittedDnsNames:
- '*.example1.com'
- '*.example2.com'
excludedDnsNames:
- '*.deny.example1.com'
- '*.deny.example2.com'
permittedIpRanges:
- 10.0.0.0/8
- 11.0.0.0/8
excludedIpRanges:
- 10.1.1.0/24
- 11.1.1.0/24
permittedEmailAddresses:
- .example1.com
- .example2.com
excludedEmailAddresses:
- .deny.example1.com
- .deny.example2.com
permittedUris:
- .example1.com
- .example2.com
excludedUris:
- .deny.example1.com
- .deny.example2.com
Create CaPool Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new CaPool(name: string, args: CaPoolArgs, opts?: CustomResourceOptions);@overload
def CaPool(resource_name: str,
args: CaPoolArgs,
opts: Optional[ResourceOptions] = None)
@overload
def CaPool(resource_name: str,
opts: Optional[ResourceOptions] = None,
location: Optional[str] = None,
tier: Optional[str] = None,
issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
labels: Optional[Mapping[str, str]] = None,
name: Optional[str] = None,
project: Optional[str] = None,
publishing_options: Optional[CaPoolPublishingOptionsArgs] = None)func NewCaPool(ctx *Context, name string, args CaPoolArgs, opts ...ResourceOption) (*CaPool, error)public CaPool(string name, CaPoolArgs args, CustomResourceOptions? opts = null)
public CaPool(String name, CaPoolArgs args)
public CaPool(String name, CaPoolArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:CaPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args CaPoolArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var caPoolResource = new Gcp.CertificateAuthority.CaPool("caPoolResource", new()
{
Location = "string",
Tier = "string",
IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
{
AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
{
AllowConfigBasedIssuance = false,
AllowCsrBasedIssuance = false,
},
AllowedKeyTypes = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
{
EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
{
SignatureAlgorithm = "string",
},
Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
{
MaxModulusSize = "string",
MinModulusSize = "string",
},
},
},
BackdateDuration = "string",
BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
{
CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
{
IsCa = false,
MaxIssuerPathLength = 0,
NonCa = false,
ZeroMaxIssuerPathLength = false,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
{
CertSign = false,
ContentCommitment = false,
CrlSign = false,
DataEncipherment = false,
DecipherOnly = false,
DigitalSignature = false,
EncipherOnly = false,
KeyAgreement = false,
KeyEncipherment = false,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
{
ClientAuth = false,
CodeSigning = false,
EmailProtection = false,
OcspSigning = false,
ServerAuth = false,
TimeStamping = false,
},
UnknownExtendedKeyUsages = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
{
Critical = false,
ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
Value = "string",
},
},
AiaOcspServers = new[]
{
"string",
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
{
Critical = false,
ExcludedDnsNames = new[]
{
"string",
},
ExcludedEmailAddresses = new[]
{
"string",
},
ExcludedIpRanges = new[]
{
"string",
},
ExcludedUris = new[]
{
"string",
},
PermittedDnsNames = new[]
{
"string",
},
PermittedEmailAddresses = new[]
{
"string",
},
PermittedIpRanges = new[]
{
"string",
},
PermittedUris = new[]
{
"string",
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
0,
},
},
},
},
IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
{
AllowSubjectAltNamesPassthrough = false,
AllowSubjectPassthrough = false,
CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
{
Expression = "string",
Description = "string",
Location = "string",
Title = "string",
},
},
MaximumLifetime = "string",
},
Labels =
{
{ "string", "string" },
},
Name = "string",
Project = "string",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = false,
PublishCrl = false,
EncodingFormat = "string",
},
});
example, err := certificateauthority.NewCaPool(ctx, "caPoolResource", &certificateauthority.CaPoolArgs{
Location: pulumi.String("string"),
Tier: pulumi.String("string"),
IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
AllowConfigBasedIssuance: pulumi.Bool(false),
AllowCsrBasedIssuance: pulumi.Bool(false),
},
AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
SignatureAlgorithm: pulumi.String("string"),
},
Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
MaxModulusSize: pulumi.String("string"),
MinModulusSize: pulumi.String("string"),
},
},
},
BackdateDuration: pulumi.String("string"),
BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
IsCa: pulumi.Bool(false),
MaxIssuerPathLength: pulumi.Int(0),
NonCa: pulumi.Bool(false),
ZeroMaxIssuerPathLength: pulumi.Bool(false),
},
KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
CertSign: pulumi.Bool(false),
ContentCommitment: pulumi.Bool(false),
CrlSign: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(false),
DecipherOnly: pulumi.Bool(false),
DigitalSignature: pulumi.Bool(false),
EncipherOnly: pulumi.Bool(false),
KeyAgreement: pulumi.Bool(false),
KeyEncipherment: pulumi.Bool(false),
},
ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
ClientAuth: pulumi.Bool(false),
CodeSigning: pulumi.Bool(false),
EmailProtection: pulumi.Bool(false),
OcspSigning: pulumi.Bool(false),
ServerAuth: pulumi.Bool(false),
TimeStamping: pulumi.Bool(false),
},
UnknownExtendedKeyUsages: certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
Critical: pulumi.Bool(false),
ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
Value: pulumi.String("string"),
},
},
AiaOcspServers: pulumi.StringArray{
pulumi.String("string"),
},
NameConstraints: &certificateauthority.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs{
Critical: pulumi.Bool(false),
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String("string"),
},
PermittedDnsNames: pulumi.StringArray{
pulumi.String("string"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
PermittedUris: pulumi.StringArray{
pulumi.String("string"),
},
},
PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(0),
},
},
},
},
IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
AllowSubjectAltNamesPassthrough: pulumi.Bool(false),
AllowSubjectPassthrough: pulumi.Bool(false),
CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
Expression: pulumi.String("string"),
Description: pulumi.String("string"),
Location: pulumi.String("string"),
Title: pulumi.String("string"),
},
},
MaximumLifetime: pulumi.String("string"),
},
Labels: pulumi.StringMap{
"string": pulumi.String("string"),
},
Name: pulumi.String("string"),
Project: pulumi.String("string"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(false),
PublishCrl: pulumi.Bool(false),
EncodingFormat: pulumi.String("string"),
},
})
var caPoolResource = new CaPool("caPoolResource", CaPoolArgs.builder()
.location("string")
.tier("string")
.issuancePolicy(CaPoolIssuancePolicyArgs.builder()
.allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
.allowConfigBasedIssuance(false)
.allowCsrBasedIssuance(false)
.build())
.allowedKeyTypes(CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
.signatureAlgorithm("string")
.build())
.rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
.maxModulusSize("string")
.minModulusSize("string")
.build())
.build())
.backdateDuration("string")
.baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
.caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
.isCa(false)
.maxIssuerPathLength(0)
.nonCa(false)
.zeroMaxIssuerPathLength(false)
.build())
.keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
.baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
.certSign(false)
.contentCommitment(false)
.crlSign(false)
.dataEncipherment(false)
.decipherOnly(false)
.digitalSignature(false)
.encipherOnly(false)
.keyAgreement(false)
.keyEncipherment(false)
.build())
.extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(false)
.emailProtection(false)
.ocspSigning(false)
.serverAuth(false)
.timeStamping(false)
.build())
.unknownExtendedKeyUsages(CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
.objectIdPaths(0)
.build())
.build())
.additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
.critical(false)
.objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(0)
.build())
.value("string")
.build())
.aiaOcspServers("string")
.nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
.critical(false)
.excludedDnsNames("string")
.excludedEmailAddresses("string")
.excludedIpRanges("string")
.excludedUris("string")
.permittedDnsNames("string")
.permittedEmailAddresses("string")
.permittedIpRanges("string")
.permittedUris("string")
.build())
.policyIds(CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPaths(0)
.build())
.build())
.identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
.allowSubjectAltNamesPassthrough(false)
.allowSubjectPassthrough(false)
.celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
.expression("string")
.description("string")
.location("string")
.title("string")
.build())
.build())
.maximumLifetime("string")
.build())
.labels(Map.of("string", "string"))
.name("string")
.project("string")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(false)
.publishCrl(false)
.encodingFormat("string")
.build())
.build());
ca_pool_resource = gcp.certificateauthority.CaPool("caPoolResource",
location="string",
tier="string",
issuance_policy={
"allowed_issuance_modes": {
"allow_config_based_issuance": False,
"allow_csr_based_issuance": False,
},
"allowed_key_types": [{
"elliptic_curve": {
"signature_algorithm": "string",
},
"rsa": {
"max_modulus_size": "string",
"min_modulus_size": "string",
},
}],
"backdate_duration": "string",
"baseline_values": {
"ca_options": {
"is_ca": False,
"max_issuer_path_length": 0,
"non_ca": False,
"zero_max_issuer_path_length": False,
},
"key_usage": {
"base_key_usage": {
"cert_sign": False,
"content_commitment": False,
"crl_sign": False,
"data_encipherment": False,
"decipher_only": False,
"digital_signature": False,
"encipher_only": False,
"key_agreement": False,
"key_encipherment": False,
},
"extended_key_usage": {
"client_auth": False,
"code_signing": False,
"email_protection": False,
"ocsp_signing": False,
"server_auth": False,
"time_stamping": False,
},
"unknown_extended_key_usages": [{
"object_id_paths": [0],
}],
},
"additional_extensions": [{
"critical": False,
"object_id": {
"object_id_paths": [0],
},
"value": "string",
}],
"aia_ocsp_servers": ["string"],
"name_constraints": {
"critical": False,
"excluded_dns_names": ["string"],
"excluded_email_addresses": ["string"],
"excluded_ip_ranges": ["string"],
"excluded_uris": ["string"],
"permitted_dns_names": ["string"],
"permitted_email_addresses": ["string"],
"permitted_ip_ranges": ["string"],
"permitted_uris": ["string"],
},
"policy_ids": [{
"object_id_paths": [0],
}],
},
"identity_constraints": {
"allow_subject_alt_names_passthrough": False,
"allow_subject_passthrough": False,
"cel_expression": {
"expression": "string",
"description": "string",
"location": "string",
"title": "string",
},
},
"maximum_lifetime": "string",
},
labels={
"string": "string",
},
name="string",
project="string",
publishing_options={
"publish_ca_cert": False,
"publish_crl": False,
"encoding_format": "string",
})
const caPoolResource = new gcp.certificateauthority.CaPool("caPoolResource", {
location: "string",
tier: "string",
issuancePolicy: {
allowedIssuanceModes: {
allowConfigBasedIssuance: false,
allowCsrBasedIssuance: false,
},
allowedKeyTypes: [{
ellipticCurve: {
signatureAlgorithm: "string",
},
rsa: {
maxModulusSize: "string",
minModulusSize: "string",
},
}],
backdateDuration: "string",
baselineValues: {
caOptions: {
isCa: false,
maxIssuerPathLength: 0,
nonCa: false,
zeroMaxIssuerPathLength: false,
},
keyUsage: {
baseKeyUsage: {
certSign: false,
contentCommitment: false,
crlSign: false,
dataEncipherment: false,
decipherOnly: false,
digitalSignature: false,
encipherOnly: false,
keyAgreement: false,
keyEncipherment: false,
},
extendedKeyUsage: {
clientAuth: false,
codeSigning: false,
emailProtection: false,
ocspSigning: false,
serverAuth: false,
timeStamping: false,
},
unknownExtendedKeyUsages: [{
objectIdPaths: [0],
}],
},
additionalExtensions: [{
critical: false,
objectId: {
objectIdPaths: [0],
},
value: "string",
}],
aiaOcspServers: ["string"],
nameConstraints: {
critical: false,
excludedDnsNames: ["string"],
excludedEmailAddresses: ["string"],
excludedIpRanges: ["string"],
excludedUris: ["string"],
permittedDnsNames: ["string"],
permittedEmailAddresses: ["string"],
permittedIpRanges: ["string"],
permittedUris: ["string"],
},
policyIds: [{
objectIdPaths: [0],
}],
},
identityConstraints: {
allowSubjectAltNamesPassthrough: false,
allowSubjectPassthrough: false,
celExpression: {
expression: "string",
description: "string",
location: "string",
title: "string",
},
},
maximumLifetime: "string",
},
labels: {
string: "string",
},
name: "string",
project: "string",
publishingOptions: {
publishCaCert: false,
publishCrl: false,
encodingFormat: "string",
},
});
type: gcp:certificateauthority:CaPool
properties:
issuancePolicy:
allowedIssuanceModes:
allowConfigBasedIssuance: false
allowCsrBasedIssuance: false
allowedKeyTypes:
- ellipticCurve:
signatureAlgorithm: string
rsa:
maxModulusSize: string
minModulusSize: string
backdateDuration: string
baselineValues:
additionalExtensions:
- critical: false
objectId:
objectIdPaths:
- 0
value: string
aiaOcspServers:
- string
caOptions:
isCa: false
maxIssuerPathLength: 0
nonCa: false
zeroMaxIssuerPathLength: false
keyUsage:
baseKeyUsage:
certSign: false
contentCommitment: false
crlSign: false
dataEncipherment: false
decipherOnly: false
digitalSignature: false
encipherOnly: false
keyAgreement: false
keyEncipherment: false
extendedKeyUsage:
clientAuth: false
codeSigning: false
emailProtection: false
ocspSigning: false
serverAuth: false
timeStamping: false
unknownExtendedKeyUsages:
- objectIdPaths:
- 0
nameConstraints:
critical: false
excludedDnsNames:
- string
excludedEmailAddresses:
- string
excludedIpRanges:
- string
excludedUris:
- string
permittedDnsNames:
- string
permittedEmailAddresses:
- string
permittedIpRanges:
- string
permittedUris:
- string
policyIds:
- objectIdPaths:
- 0
identityConstraints:
allowSubjectAltNamesPassthrough: false
allowSubjectPassthrough: false
celExpression:
description: string
expression: string
location: string
title: string
maximumLifetime: string
labels:
string: string
location: string
name: string
project: string
publishingOptions:
encodingFormat: string
publishCaCert: false
publishCrl: false
tier: string
CaPool Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The CaPool resource accepts the following input properties:
- Location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - Tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - Issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Name string
- The name for this CaPool.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - Tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - Issuance
Policy CaPool Issuance Policy Args - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Name string
- The name for this CaPool.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location String
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - tier String
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- name String
- The name for this CaPool.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- name string
- The name for this CaPool.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location str
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - tier str
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - issuance_
policy CaPool Issuance Policy Args - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- name str
- The name for this CaPool.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing_
options CaPool Publishing Options Args - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- location String
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - tier String
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS. - issuance
Policy Property Map - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- name String
- The name for this CaPool.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options Property Map - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
Outputs
All input properties are implicitly available as output properties. Additionally, the CaPool resource produces the following output properties:
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Id string
- The provider-assigned unique ID for this managed resource.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id string
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id str
- The provider-assigned unique ID for this managed resource.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- id String
- The provider-assigned unique ID for this managed resource.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
Look up Existing CaPool Resource
Get an existing CaPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: CaPoolState, opts?: CustomResourceOptions): CaPool@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
effective_labels: Optional[Mapping[str, str]] = None,
issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
labels: Optional[Mapping[str, str]] = None,
location: Optional[str] = None,
name: Optional[str] = None,
project: Optional[str] = None,
publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
pulumi_labels: Optional[Mapping[str, str]] = None,
tier: Optional[str] = None) -> CaPoolfunc GetCaPool(ctx *Context, name string, id IDInput, state *CaPoolState, opts ...ResourceOption) (*CaPool, error)public static CaPool Get(string name, Input<string> id, CaPoolState? state, CustomResourceOptions? opts = null)public static CaPool get(String name, Output<String> id, CaPoolState state, CustomResourceOptions options)resources: _: type: gcp:certificateauthority:CaPool get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Effective
Labels Dictionary<string, string> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels Dictionary<string, string>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name string
- The name for this CaPool.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Pulumi
Labels Dictionary<string, string> - The combination of labels configured directly on the resource and default labels configured on the provider.
- Tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
- Effective
Labels map[string]string - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- Issuance
Policy CaPool Issuance Policy Args - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- Labels map[string]string
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- Location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - Name string
- The name for this CaPool.
- Project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- Publishing
Options CaPool Publishing Options Args - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- Pulumi
Labels map[string]string - The combination of labels configured directly on the resource and default labels configured on the provider.
- Tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
- effective
Labels Map<String,String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String,String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- location String
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - name String
- The name for this CaPool.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- pulumi
Labels Map<String,String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- tier String
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
- effective
Labels {[key: string]: string} - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- issuance
Policy CaPool Issuance Policy - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels {[key: string]: string}
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- location string
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - name string
- The name for this CaPool.
- project string
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options CaPool Publishing Options - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- pulumi
Labels {[key: string]: string} - The combination of labels configured directly on the resource and default labels configured on the provider.
- tier string
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
- effective_
labels Mapping[str, str] - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- issuance_
policy CaPool Issuance Policy Args - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Mapping[str, str]
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- location str
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - name str
- The name for this CaPool.
- project str
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing_
options CaPool Publishing Options Args - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- pulumi_
labels Mapping[str, str] - The combination of labels configured directly on the resource and default labels configured on the provider.
- tier str
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
- effective
Labels Map<String> - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
- issuance
Policy Property Map - The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
- labels Map<String>
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field
effective_labelsfor all of the labels present on the resource.- location String
- Location of the CaPool. A full list of valid locations can be found by
running
gcloud privateca locations list. - name String
- The name for this CaPool.
- project String
- The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- publishing
Options Property Map - The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
- pulumi
Labels Map<String> - The combination of labels configured directly on the resource and default labels configured on the provider.
- tier String
- The Tier of this CaPool.
Possible values are:
ENTERPRISE,DEVOPS.
Supporting Types
CaPoolIssuancePolicy, CaPoolIssuancePolicyArgs
- Allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- Allowed
Key List<CaTypes Pool Issuance Policy Allowed Key Type> - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- Backdate
Duration string - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- Baseline
Values CaPool Issuance Policy Baseline Values - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- Identity
Constraints CaPool Issuance Policy Identity Constraints - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- Maximum
Lifetime string - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- Allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- Allowed
Key []CaTypes Pool Issuance Policy Allowed Key Type - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- Backdate
Duration string - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- Baseline
Values CaPool Issuance Policy Baseline Values - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- Identity
Constraints CaPool Issuance Policy Identity Constraints - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- Maximum
Lifetime string - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key List<CaTypes Pool Issuance Policy Allowed Key Type> - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- backdate
Duration String - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- baseline
Values CaPool Issuance Policy Baseline Values - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints CaPool Issuance Policy Identity Constraints - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime String - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance CaModes Pool Issuance Policy Allowed Issuance Modes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key CaTypes Pool Issuance Policy Allowed Key Type[] - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- backdate
Duration string - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- baseline
Values CaPool Issuance Policy Baseline Values - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints CaPool Issuance Policy Identity Constraints - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime string - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed_
issuance_ Camodes Pool Issuance Policy Allowed Issuance Modes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed_
key_ Sequence[Catypes Pool Issuance Policy Allowed Key Type] - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- backdate_
duration str - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- baseline_
values CaPool Issuance Policy Baseline Values - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity_
constraints CaPool Issuance Policy Identity Constraints - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum_
lifetime str - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
- allowed
Issuance Property MapModes - IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
- allowed
Key List<Property Map>Types - If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
- backdate
Duration String - The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- baseline
Values Property Map - A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
- identity
Constraints Property Map - Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
- maximum
Lifetime String - The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
CaPoolIssuancePolicyAllowedIssuanceModes, CaPoolIssuancePolicyAllowedIssuanceModesArgs
- Allow
Config boolBased Issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- Allow
Csr boolBased Issuance - When true, allows callers to create Certificates by specifying a CSR.
- Allow
Config boolBased Issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- Allow
Csr boolBased Issuance - When true, allows callers to create Certificates by specifying a CSR.
- allow
Config BooleanBased Issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr BooleanBased Issuance - When true, allows callers to create Certificates by specifying a CSR.
- allow
Config booleanBased Issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr booleanBased Issuance - When true, allows callers to create Certificates by specifying a CSR.
- allow_
config_ boolbased_ issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow_
csr_ boolbased_ issuance - When true, allows callers to create Certificates by specifying a CSR.
- allow
Config BooleanBased Issuance - When true, allows callers to create Certificates by specifying a CertificateConfig.
- allow
Csr BooleanBased Issuance - When true, allows callers to create Certificates by specifying a CSR.
CaPoolIssuancePolicyAllowedKeyType, CaPoolIssuancePolicyAllowedKeyTypeArgs
- Elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve - Represents an allowed Elliptic Curve key type. Structure is documented below.
- Rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa - Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- Elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve - Represents an allowed Elliptic Curve key type. Structure is documented below.
- Rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa - Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve - Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa - Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve CaPool Issuance Policy Allowed Key Type Elliptic Curve - Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa - Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic_
curve CaPool Issuance Policy Allowed Key Type Elliptic Curve - Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa
Ca
Pool Issuance Policy Allowed Key Type Rsa - Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
- elliptic
Curve Property Map - Represents an allowed Elliptic Curve key type. Structure is documented below.
- rsa Property Map
- Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve, CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
- Signature
Algorithm string - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
- Signature
Algorithm string - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
- signature
Algorithm String - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
- signature
Algorithm string - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
- signature_
algorithm str - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
- signature
Algorithm String - The algorithm used.
Possible values are:
ECDSA_P256,ECDSA_P384,EDDSA_25519.
CaPoolIssuancePolicyAllowedKeyTypeRsa, CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
- Max
Modulus stringSize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- Min
Modulus stringSize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- Max
Modulus stringSize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- Min
Modulus stringSize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus StringSize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus StringSize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus stringSize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus stringSize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max_
modulus_ strsize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min_
modulus_ strsize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- max
Modulus StringSize - The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
- min
Modulus StringSize - The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
CaPoolIssuancePolicyBaselineValues, CaPoolIssuancePolicyBaselineValuesArgs
- Ca
Options CaPool Issuance Policy Baseline Values Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage CaPool Issuance Policy Baseline Values Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions List<CaPool Issuance Policy Baseline Values Additional Extension> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp List<string>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints CaPool Issuance Policy Baseline Values Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids List<CaPool Issuance Policy Baseline Values Policy Id> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- Ca
Options CaPool Issuance Policy Baseline Values Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- Key
Usage CaPool Issuance Policy Baseline Values Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- Additional
Extensions []CaPool Issuance Policy Baseline Values Additional Extension - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- Aia
Ocsp []stringServers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- Name
Constraints CaPool Issuance Policy Baseline Values Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- Policy
Ids []CaPool Issuance Policy Baseline Values Policy Id - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options CaPool Issuance Policy Baseline Values Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage CaPool Issuance Policy Baseline Values Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<CaPool Issuance Policy Baseline Values Additional Extension> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints CaPool Issuance Policy Baseline Values Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<CaPool Issuance Policy Baseline Values Policy Id> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options CaPool Issuance Policy Baseline Values Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage CaPool Issuance Policy Baseline Values Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions CaPool Issuance Policy Baseline Values Additional Extension[] - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp string[]Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints CaPool Issuance Policy Baseline Values Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids CaPool Issuance Policy Baseline Values Policy Id[] - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca_
options CaPool Issuance Policy Baseline Values Ca Options - Describes values that are relevant in a CA certificate. Structure is documented below.
- key_
usage CaPool Issuance Policy Baseline Values Key Usage - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional_
extensions Sequence[CaPool Issuance Policy Baseline Values Additional Extension] - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia_
ocsp_ Sequence[str]servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name_
constraints CaPool Issuance Policy Baseline Values Name Constraints - Describes the X.509 name constraints extension. Structure is documented below.
- policy_
ids Sequence[CaPool Issuance Policy Baseline Values Policy Id] - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
- ca
Options Property Map - Describes values that are relevant in a CA certificate. Structure is documented below.
- key
Usage Property Map - Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
- additional
Extensions List<Property Map> - Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
- aia
Ocsp List<String>Servers - Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
- name
Constraints Property Map - Describes the X.509 name constraints extension. Structure is documented below.
- policy
Ids List<Property Map> - Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
CaPoolIssuancePolicyBaselineValuesAdditionalExtension, CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- Critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- Object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- Value string
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
- critical boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id CaPool Issuance Policy Baseline Values Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value string
- The value of this X.509 extension. A base64-encoded string.
- critical bool
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object_
id CaPool Issuance Policy Baseline Values Additional Extension Object Id - Describes values that are relevant in a CA certificate. Structure is documented below.
- value str
- The value of this X.509 extension. A base64-encoded string.
- critical Boolean
- Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
- object
Id Property Map - Describes values that are relevant in a CA certificate. Structure is documented below.
- value String
- The value of this X.509 extension. A base64-encoded string.
CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId, CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyBaselineValuesCaOptions, CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max boolIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- Is
Ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- Max
Issuer intPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- Non
Ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - Zero
Max boolIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer IntegerPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max BooleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer numberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max booleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is_
ca bool - When true, the "CA" in Basic Constraints extension will be set to true.
- max_
issuer_ intpath_ length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non_
ca bool - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero_
max_ boolissuer_ path_ length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
- is
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to true.
- max
Issuer NumberPath Length - Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
- non
Ca Boolean - When true, the "CA" in Basic Constraints extension will be set to false.
If both
is_caandnon_caare unset, the extension will be omitted from the CA certificate. - zero
Max BooleanIssuer Path Length - When true, the "path length constraint" in Basic Constraints extension will be set to 0.
if both
max_issuer_path_lengthandzero_max_issuer_path_lengthare unset, the max path length will be omitted from the CA certificate.
CaPoolIssuancePolicyBaselineValuesKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
- Base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended List<CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- Base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- Unknown
Extended []CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage> - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key CaUsage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended CaKey Usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage[] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base_
key_ Causage Pool Issuance Policy Baseline Values Key Usage Base Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended_
key_ Causage Pool Issuance Policy Baseline Values Key Usage Extended Key Usage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown_
extended_ Sequence[Cakey_ usages Pool Issuance Policy Baseline Values Key Usage Unknown Extended Key Usage] - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
- base
Key Property MapUsage - Describes high-level ways in which a key may be used. Structure is documented below.
- extended
Key Property MapUsage - Describes high-level ways in which a key may be used. Structure is documented below.
- unknown
Extended List<Property Map>Key Usages - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- Cert
Sign bool - The key may be used to sign certificates.
- Content
Commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- Crl
Sign bool - The key may be used sign certificate revocation lists.
- Data
Encipherment bool - The key may be used to encipher data.
- Decipher
Only bool - The key may be used to decipher only.
- Digital
Signature bool - The key may be used for digital signatures.
- Encipher
Only bool - The key may be used to encipher only.
- Key
Agreement bool - The key may be used in a key agreement protocol.
- Key
Encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
- cert
Sign boolean - The key may be used to sign certificates.
- content
Commitment boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign boolean - The key may be used sign certificate revocation lists.
- data
Encipherment boolean - The key may be used to encipher data.
- decipher
Only boolean - The key may be used to decipher only.
- digital
Signature boolean - The key may be used for digital signatures.
- encipher
Only boolean - The key may be used to encipher only.
- key
Agreement boolean - The key may be used in a key agreement protocol.
- key
Encipherment boolean - The key may be used to encipher other keys.
- cert_
sign bool - The key may be used to sign certificates.
- content_
commitment bool - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl_
sign bool - The key may be used sign certificate revocation lists.
- data_
encipherment bool - The key may be used to encipher data.
- decipher_
only bool - The key may be used to decipher only.
- digital_
signature bool - The key may be used for digital signatures.
- encipher_
only bool - The key may be used to encipher only.
- key_
agreement bool - The key may be used in a key agreement protocol.
- key_
encipherment bool - The key may be used to encipher other keys.
- cert
Sign Boolean - The key may be used to sign certificates.
- content
Commitment Boolean - The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
- crl
Sign Boolean - The key may be used sign certificate revocation lists.
- data
Encipherment Boolean - The key may be used to encipher data.
- decipher
Only Boolean - The key may be used to decipher only.
- digital
Signature Boolean - The key may be used for digital signatures.
- encipher
Only Boolean - The key may be used to encipher only.
- key
Agreement Boolean - The key may be used in a key agreement protocol.
- key
Encipherment Boolean - The key may be used to encipher other keys.
CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- Client
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- Code
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- Email
Protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- Ocsp
Signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- Server
Auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- Time
Stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email_
protection bool - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp_
signing bool - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server_
auth bool - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time_
stamping bool - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
- client
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
- code
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
- email
Protection Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
- ocsp
Signing Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
- server
Auth Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
- time
Stamping Boolean - Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyBaselineValuesNameConstraints, CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns List<string>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email List<string>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip List<string>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris List<string> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns List<string>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email List<string>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip List<string>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris List<string> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- Critical bool
- Indicates whether or not the name constraints are marked critical.
- Excluded
Dns []stringNames - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Excluded
Email []stringAddresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Excluded
Ip []stringRanges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Excluded
Uris []string - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - Permitted
Dns []stringNames - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - Permitted
Email []stringAddresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - Permitted
Ip []stringRanges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- Permitted
Uris []string - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns string[]Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email string[]Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip string[]Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris string[] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns string[]Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email string[]Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip string[]Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris string[] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical bool
- Indicates whether or not the name constraints are marked critical.
- excluded_
dns_ Sequence[str]names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded_
email_ Sequence[str]addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded_
ip_ Sequence[str]ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded_
uris Sequence[str] - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted_
dns_ Sequence[str]names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted_
email_ Sequence[str]addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted_
ip_ Sequence[str]ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted_
uris Sequence[str] - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
- critical Boolean
- Indicates whether or not the name constraints are marked critical.
- excluded
Dns List<String>Names - Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - excluded
Email List<String>Addresses - Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - excluded
Ip List<String>Ranges - Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- excluded
Uris List<String> - Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com) - permitted
Dns List<String>Names - Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example,
example.com,www.example.com,www.sub.example.comwould satisfyexample.comwhileexample1.comdoes not. - permitted
Email List<String>Addresses - Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g.
.example.com) to indicate all email addresses in that domain. - permitted
Ip List<String>Ranges - Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
- permitted
Uris List<String> - Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like
.example.com)
CaPoolIssuancePolicyBaselineValuesPolicyId, CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
- Object
Id List<int>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- Object
Id []intPaths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Integer>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id number[]Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object_
id_ Sequence[int]paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- object
Id List<Number>Paths - An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
CaPoolIssuancePolicyIdentityConstraints, CaPoolIssuancePolicyIdentityConstraintsArgs
- Allow
Subject boolAlt Names Passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- Allow
Subject boolPassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- Cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- Allow
Subject boolAlt Names Passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- Allow
Subject boolPassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- Cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject BooleanAlt Names Passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject BooleanPassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject booleanAlt Names Passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject booleanPassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression CaPool Issuance Policy Identity Constraints Cel Expression - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow_
subject_ boolalt_ names_ passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow_
subject_ boolpassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel_
expression CaPool Issuance Policy Identity Constraints Cel Expression - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
- allow
Subject BooleanAlt Names Passthrough - If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
- allow
Subject BooleanPassthrough - If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
- cel
Expression Property Map - A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
CaPoolIssuancePolicyIdentityConstraintsCelExpression, CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- Expression string
- Textual representation of an expression in Common Expression Language syntax.
- Description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- Location string
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- Title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- description String
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression string
- Textual representation of an expression in Common Expression Language syntax.
- description string
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location string
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title string
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression str
- Textual representation of an expression in Common Expression Language syntax.
- description str
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location str
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title str
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
- expression String
- Textual representation of an expression in Common Expression Language syntax.
- description String
- Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
- location String
- String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
- title String
- Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
CaPoolPublishingOptions, CaPoolPublishingOptionsArgs
- Publish
Ca boolCert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- Publish
Crl bool - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- Encoding
Format string - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
- Publish
Ca boolCert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- Publish
Crl bool - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- Encoding
Format string - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
- publish
Ca BooleanCert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl Boolean - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format String - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
- publish
Ca booleanCert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl boolean - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format string - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
- publish_
ca_ boolcert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish_
crl bool - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding_
format str - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
- publish
Ca BooleanCert - When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- publish
Crl Boolean - When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
- encoding
Format String - Specifies the encoding format of each CertificateAuthority's CA
certificate and CRLs. If this is omitted, CA certificates and CRLs
will be published in PEM.
Possible values are:
PEM,DER.
Import
CaPool can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/caPools/{{name}}{{project}}/{{location}}/{{name}}{{location}}/{{name}}
When using the pulumi import command, CaPool can be imported using one of the formats above. For example:
$ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}}
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}}
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-betaTerraform Provider.