Google Cloud (GCP) Classic

Pulumi Official
Package maintained by Pulumi
v6.24.0 published on Tuesday, May 17, 2022 by Pulumi

CaPool

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

Example Usage

Privateca Capool Basic

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Minimal stack: a single ENTERPRISE-tier CA pool in us-central1 that
/// publishes both its CA certificates and its CRLs.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Publishing the CRL gives relying parties a place to check revocation
        // for certificates issued through this pool.
        var publishing = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
        {
            PublishCrl = true,
            PublishCaCert = true,
        };

        // No IssuancePolicy is set in this basic example, so the pool adds no
        // restrictions of its own on key types, lifetimes or requested identities.
        var poolArgs = new Gcp.CertificateAuthority.CaPoolArgs
        {
            Location = "us-central1",
            Tier = "ENTERPRISE",
            PublishingOptions = publishing,
            Labels =
            {
                { "foo", "bar" },
            },
        };

        var pool = new Gcp.CertificateAuthority.CaPool("default", poolArgs);
    }

}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares a single ENTERPRISE-tier CA pool in us-central1 that publishes
// both its CA certificates and its CRLs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Publishing the CRL gives relying parties a place to check revocation
		// for certificates issued through this pool.
		publishing := &certificateauthority.CaPoolPublishingOptionsArgs{
			PublishCrl:    pulumi.Bool(true),
			PublishCaCert: pulumi.Bool(true),
		}

		// No IssuancePolicy is set in this basic example, so the pool adds no
		// restrictions of its own on key types, lifetimes or requested identities.
		poolArgs := &certificateauthority.CaPoolArgs{
			Location:          pulumi.String("us-central1"),
			Tier:              pulumi.String("ENTERPRISE"),
			PublishingOptions: publishing,
			Labels: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
		}

		if _, err := certificateauthority.NewCaPool(ctx, "default", poolArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

/**
 * Minimal program: a single ENTERPRISE-tier CA pool in us-central1 that
 * publishes both its CA certificates and its CRLs.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the CA pool resource.
     *
     * @param ctx the Pulumi program context handed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Publishing the CRL gives relying parties a place to check revocation
        // for certificates issued through this pool.
        var publishing = CaPoolPublishingOptions.builder()
            .publishCrl(true)
            .publishCaCert(true)
            .build();

        // No issuance policy is set in this basic example, so the pool adds no
        // restrictions of its own on key types, lifetimes or requested identities.
        var poolArgs = CaPoolArgs.builder()
            .location("us-central1")
            .tier("ENTERPRISE")
            .publishingOptions(publishing)
            .labels(Map.of("foo", "bar"))
            .build();

        var caPool = new CaPool("default", poolArgs);
    }
}
import pulumi
import pulumi_gcp as gcp

# Minimal program: a single ENTERPRISE-tier CA pool in us-central1.
# Publishing the CRL gives relying parties a place to check revocation for
# certificates issued through this pool. No issuance_policy is set here, so the
# pool adds no restrictions of its own on key types, lifetimes or identities.
_publishing = gcp.certificateauthority.CaPoolPublishingOptionsArgs(
    publish_crl=True,
    publish_ca_cert=True,
)

default = gcp.certificateauthority.CaPool(
    "default",
    tier="ENTERPRISE",
    location="us-central1",
    publishing_options=_publishing,
    labels={"foo": "bar"},
)
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Minimal program: a single ENTERPRISE-tier CA pool in us-central1.
// Publishing the CRL gives relying parties a place to check revocation for
// certificates issued through this pool. No issuancePolicy is set here, so the
// pool adds no restrictions of its own on key types, lifetimes or identities.
const publishingOptions = {
    publishCrl: true,
    publishCaCert: true,
};

const defaultCaPool = new gcp.certificateauthority.CaPool("default", {
    tier: "ENTERPRISE",
    location: "us-central1",
    publishingOptions,
    labels: { foo: "bar" },
});
# Minimal program: a single ENTERPRISE-tier CA pool in us-central1.
resources:
  default:
    type: gcp:certificateauthority:CaPool
    properties:
      labels:
        foo: bar
      location: us-central1
      # Publishing the CRL gives relying parties a place to check revocation
      # for certificates issued through this pool.
      publishingOptions:
        publishCaCert: true
        publishCrl: true
      # No issuancePolicy is set in this basic example, so the pool adds no
      # restrictions of its own on key types, lifetimes or requested identities.
      tier: ENTERPRISE

Privateca Capool All Fields

using Pulumi;
using Gcp = Pulumi.Gcp;

/// <summary>
/// Declares a CA pool with a fully populated issuance policy. Several values
/// below are illustrative placeholders and are flagged where they would not
/// make a usable policy if copied as-is.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new Gcp.CertificateAuthority.CaPoolArgs
        {
            IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
            {
                // Both request styles are enabled: certificates described by a
                // config and certificates requested with a CSR.
                AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
                {
                    AllowConfigBasedIssuance = true,
                    AllowCsrBasedIssuance = true,
                },
                // Key types a request may use: ECDSA P-256, or RSA within the bounds below.
                AllowedKeyTypes = 
                {
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
                    {
                        EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
                        {
                            SignatureAlgorithm = "ECDSA_P256",
                        },
                    },
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
                    {
                        // NOTE(review): "10" and "5" look like placeholders. The upstream API
                        // describes these bounds in bits, so a real policy would set a
                        // minimum such as 2048 or higher - confirm before copying.
                        Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
                        {
                            MaxModulusSize = "10",
                            MinModulusSize = "5",
                        },
                    },
                },
                // Baseline X.509 values for certificates issued through this pool.
                BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
                {
                    // Placeholder custom extension (OID 1.7, value "asdf"). It is marked
                    // critical, and RFC 5280 requires a relying party that does not
                    // recognise a critical extension to reject the certificate.
                    AdditionalExtensions = 
                    {
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
                        {
                            Critical = true,
                            ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
                            {
                                ObjectIdPath = 
                                {
                                    1,
                                    7,
                                },
                            },
                            Value = "asdf",
                        },
                    },
                    // Placeholder OCSP responder address.
                    AiaOcspServers = 
                    {
                        "example.com",
                    },
                    // NOTE(review): IsCa = true marks issued certificates as CA certificates
                    // (path length up to 10) while CertSign below is false; that pairing is
                    // inconsistent for a working CA certificate. A pool meant for
                    // end-entity certificates would set IsCa = false.
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 10,
                    },
                    // Key usages: CertSign, KeyEncipherment and ClientAuth are off; the rest are on.
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = false,
                            ContentCommitment = true,
                            CrlSign = true,
                            DataEncipherment = true,
                            DecipherOnly = true,
                            DigitalSignature = true,
                            KeyAgreement = true,
                            KeyEncipherment = false,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
                        {
                            ClientAuth = false,
                            CodeSigning = true,
                            EmailProtection = true,
                            ServerAuth = true,
                            TimeStamping = true,
                        },
                    },
                    // Placeholder certificate policy OIDs (1.5 and 1.5.7).
                    PolicyIds = 
                    {
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
                        {
                            ObjectIdPath = 
                            {
                                1,
                                5,
                            },
                        },
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
                        {
                            ObjectIdPath = 
                            {
                                1,
                                5,
                                7,
                            },
                        },
                    },
                },
                // Subject and SANs are passed through from the request. The CEL expression
                // restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
                // names themselves, so name ownership has to be enforced elsewhere or by
                // a stricter expression.
                IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
                {
                    AllowSubjectAltNamesPassthrough = true,
                    AllowSubjectPassthrough = true,
                    CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
                    {
                        Expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                        Title = "My title",
                    },
                },
                // Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
                MaximumLifetime = "50000s",
            },
            Labels = 
            {
                { "foo", "bar" },
            },
            Location = "us-central1",
            // CRLs are published for revocation checking; the CA certificate is not published.
            PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
            {
                PublishCaCert = false,
                PublishCrl = true,
            },
            Tier = "ENTERPRISE",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main declares a CA pool with a fully populated issuance policy. Several
// values below are illustrative placeholders and are flagged where they would
// not make a usable policy if copied as-is.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
			IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
				// Both request styles are enabled: certificates described by a
				// config and certificates requested with a CSR.
				AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
					AllowConfigBasedIssuance: pulumi.Bool(true),
					AllowCsrBasedIssuance:    pulumi.Bool(true),
				},
				// Key types a request may use: ECDSA P-256, or RSA within the bounds below.
				AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
					&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
						EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
							SignatureAlgorithm: pulumi.String("ECDSA_P256"),
						},
					},
					&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
						// NOTE(review): "10" and "5" look like placeholders. The upstream API
						// describes these bounds in bits, so a real policy would set a
						// minimum such as 2048 or higher - confirm before copying.
						Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
							MaxModulusSize: pulumi.String("10"),
							MinModulusSize: pulumi.String("5"),
						},
					},
				},
				// Baseline X.509 values for certificates issued through this pool.
				BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
					// Placeholder custom extension (OID 1.7, value "asdf"). It is marked
					// critical, and RFC 5280 requires a relying party that does not
					// recognise a critical extension to reject the certificate.
					AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
						&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
							Critical: pulumi.Bool(true),
							ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
								ObjectIdPath: []float64{
									1,
									7,
								},
							},
							Value: pulumi.String("asdf"),
						},
					},
					// Placeholder OCSP responder address.
					AiaOcspServers: pulumi.StringArray{
						pulumi.String("example.com"),
					},
					// NOTE(review): IsCa true marks issued certificates as CA certificates
					// (path length up to 10) while CertSign below is false; that pairing is
					// inconsistent for a working CA certificate. A pool meant for
					// end-entity certificates would set IsCa to false.
					CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
						IsCa:                pulumi.Bool(true),
						MaxIssuerPathLength: pulumi.Int(10),
					},
					// Key usages: CertSign, KeyEncipherment and ClientAuth are off; the rest are on.
					KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
							CertSign:          pulumi.Bool(false),
							ContentCommitment: pulumi.Bool(true),
							CrlSign:           pulumi.Bool(true),
							DataEncipherment:  pulumi.Bool(true),
							DecipherOnly:      pulumi.Bool(true),
							DigitalSignature:  pulumi.Bool(true),
							KeyAgreement:      pulumi.Bool(true),
							KeyEncipherment:   pulumi.Bool(false),
						},
						ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
							ClientAuth:      pulumi.Bool(false),
							CodeSigning:     pulumi.Bool(true),
							EmailProtection: pulumi.Bool(true),
							ServerAuth:      pulumi.Bool(true),
							TimeStamping:    pulumi.Bool(true),
						},
					},
					// Placeholder certificate policy OIDs (1.5 and 1.5.7).
					PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
						&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
							ObjectIdPath: []float64{
								1,
								5,
							},
						},
						&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
							ObjectIdPath: []float64{
								1,
								5,
								7,
							},
						},
					},
				},
				// Subject and SANs are passed through from the request. The CEL expression
				// restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
				// names themselves, so name ownership has to be enforced elsewhere or by
				// a stricter expression.
				IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
					AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
					AllowSubjectPassthrough:         pulumi.Bool(true),
					CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
						Expression: pulumi.String("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"),
						Title:      pulumi.String("My title"),
					},
				},
				// Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
				MaximumLifetime: pulumi.String("50000s"),
			},
			Labels: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
			Location: pulumi.String("us-central1"),
			// CRLs are published for revocation checking; the CA certificate is not published.
			PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
				PublishCaCert: pulumi.Bool(false),
				PublishCrl:    pulumi.Bool(true),
			},
			Tier: pulumi.String("ENTERPRISE"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

/**
 * Declares a CA pool with a fully populated issuance policy. Several values
 * below are illustrative placeholders and are flagged where they would not
 * make a usable policy if copied as-is.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the CA pool resource.
     *
     * @param ctx the Pulumi program context handed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var default_ = new CaPool("default", CaPoolArgs.builder()        
            .issuancePolicy(CaPoolIssuancePolicy.builder()
                // Both request styles are enabled: certificates described by a
                // config and certificates requested with a CSR.
                .allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModes.builder()
                    .allowConfigBasedIssuance(true)
                    .allowCsrBasedIssuance(true)
                    .build())
                // Key types a request may use: ECDSA P-256, or RSA within the bounds below.
                .allowedKeyTypes(                
                    CaPoolIssuancePolicyAllowedKeyType.builder()
                        .ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve.builder()
                            .signatureAlgorithm("ECDSA_P256")
                            .build())
                        .build(),
                    // NOTE(review): 10 and 5 look like placeholders. The upstream API
                    // describes these bounds in bits, so a real policy would set a
                    // minimum such as 2048 or higher - confirm before copying.
                    CaPoolIssuancePolicyAllowedKeyType.builder()
                        .rsa(CaPoolIssuancePolicyAllowedKeyTypeRsa.builder()
                            .maxModulusSize(10)
                            .minModulusSize(5)
                            .build())
                        .build())
                // Baseline X.509 values for certificates issued through this pool.
                .baselineValues(CaPoolIssuancePolicyBaselineValues.builder()
                    // Placeholder custom extension (OID 1.7, value "asdf"). It is marked
                    // critical, and RFC 5280 requires a relying party that does not
                    // recognise a critical extension to reject the certificate.
                    .additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtension.builder()
                        .critical(true)
                        .objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId.builder()
                            .objectIdPath(                            
                                1,
                                7)
                            .build())
                        .value("asdf")
                        .build())
                    // Placeholder OCSP responder address.
                    .aiaOcspServers("example.com")
                    // NOTE(review): isCa(true) marks issued certificates as CA certificates
                    // (path length up to 10) while certSign below is false; that pairing is
                    // inconsistent for a working CA certificate. A pool meant for
                    // end-entity certificates would set isCa(false).
                    .caOptions(CaPoolIssuancePolicyBaselineValuesCaOptions.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    // Key usages: certSign, keyEncipherment and clientAuth are off; the rest are on.
                    .keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsage.builder()
                        .baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage.builder()
                            .certSign(false)
                            .contentCommitment(true)
                            .crlSign(true)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .keyAgreement(true)
                            .keyEncipherment(false)
                            .build())
                        .extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage.builder()
                            .clientAuth(false)
                            .codeSigning(true)
                            .emailProtection(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    // Placeholder certificate policy OIDs (1.5 and 1.5.7).
                    .policyIds(                    
                        CaPoolIssuancePolicyBaselineValuesPolicyId.builder()
                            .objectIdPath(                            
                                1,
                                5)
                            .build(),
                        CaPoolIssuancePolicyBaselineValuesPolicyId.builder()
                            .objectIdPath(                            
                                1,
                                5,
                                7)
                            .build())
                    .build())
                // Subject and SANs are passed through from the request. The CEL expression
                // restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
                // names themselves, so name ownership has to be enforced elsewhere or by
                // a stricter expression.
                .identityConstraints(CaPoolIssuancePolicyIdentityConstraints.builder()
                    .allowSubjectAltNamesPassthrough(true)
                    .allowSubjectPassthrough(true)
                    .celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpression.builder()
                        .expression("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )")
                        .title("My title")
                        .build())
                    .build())
                // Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
                .maximumLifetime("50000s")
                .build())
            .labels(Map.of("foo", "bar"))
            .location("us-central1")
            // CRLs are published for revocation checking; the CA certificate is not published.
            .publishingOptions(CaPoolPublishingOptions.builder()
                .publishCaCert(false)
                .publishCrl(true)
                .build())
            .tier("ENTERPRISE")
            .build());

        }
}
import pulumi
import pulumi_gcp as gcp

# Declares a CA pool with a fully populated issuance policy. Several values
# below are illustrative placeholders and are flagged where they would not make
# a usable policy if copied as-is.
default = gcp.certificateauthority.CaPool("default",
    issuance_policy=gcp.certificateauthority.CaPoolIssuancePolicyArgs(
        # Both request styles are enabled: certificates described by a config
        # and certificates requested with a CSR.
        allowed_issuance_modes=gcp.certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs(
            allow_config_based_issuance=True,
            allow_csr_based_issuance=True,
        ),
        # Key types a request may use: ECDSA P-256, or RSA within the bounds below.
        allowed_key_types=[
            gcp.certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs(
                elliptic_curve=gcp.certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs(
                    signature_algorithm="ECDSA_P256",
                ),
            ),
            gcp.certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs(
                # NOTE(review): "10" and "5" look like placeholders. The upstream API
                # describes these bounds in bits, so a real policy would set a
                # minimum such as 2048 or higher - confirm before copying.
                rsa=gcp.certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs(
                    max_modulus_size="10",
                    min_modulus_size="5",
                ),
            ),
        ],
        # Baseline X.509 values for certificates issued through this pool.
        baseline_values=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs(
            # Placeholder custom extension (OID 1.7, value "asdf"). It is marked
            # critical, and RFC 5280 requires a relying party that does not
            # recognise a critical extension to reject the certificate.
            additional_extensions=[gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs(
                critical=True,
                object_id=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs(
                    object_id_path=[
                        1,
                        7,
                    ],
                ),
                value="asdf",
            )],
            # Placeholder OCSP responder address.
            aia_ocsp_servers=["example.com"],
            # NOTE(review): is_ca=True marks issued certificates as CA certificates
            # (path length up to 10) while cert_sign below is False; that pairing is
            # inconsistent for a working CA certificate. A pool meant for
            # end-entity certificates would set is_ca=False.
            ca_options=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs(
                is_ca=True,
                max_issuer_path_length=10,
            ),
            # Key usages: cert_sign, key_encipherment and client_auth are off; the rest are on.
            key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs(
                    cert_sign=False,
                    content_commitment=True,
                    crl_sign=True,
                    data_encipherment=True,
                    decipher_only=True,
                    digital_signature=True,
                    key_agreement=True,
                    key_encipherment=False,
                ),
                extended_key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs(
                    client_auth=False,
                    code_signing=True,
                    email_protection=True,
                    server_auth=True,
                    time_stamping=True,
                ),
            ),
            # Placeholder certificate policy OIDs (1.5 and 1.5.7).
            policy_ids=[
                gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs(
                    object_id_path=[
                        1,
                        5,
                    ],
                ),
                gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs(
                    object_id_path=[
                        1,
                        5,
                        7,
                    ],
                ),
            ],
        ),
        # Subject and SANs are passed through from the request. The CEL expression
        # restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
        # names themselves, so name ownership has to be enforced elsewhere or by
        # a stricter expression.
        identity_constraints=gcp.certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs(
            allow_subject_alt_names_passthrough=True,
            allow_subject_passthrough=True,
            cel_expression=gcp.certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs(
                expression="subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                title="My title",
            ),
        ),
        # Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
        maximum_lifetime="50000s",
    ),
    labels={
        "foo": "bar",
    },
    location="us-central1",
    # CRLs are published for revocation checking; the CA certificate is not published.
    publishing_options=gcp.certificateauthority.CaPoolPublishingOptionsArgs(
        publish_ca_cert=False,
        publish_crl=True,
    ),
    tier="ENTERPRISE")
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Declares a CA pool with a fully populated issuance policy. Several values
// below are illustrative placeholders and are flagged where they would not make
// a usable policy if copied as-is.
const defaultCaPool = new gcp.certificateauthority.CaPool("default", {
    issuancePolicy: {
        // Both request styles are enabled: certificates described by a config
        // and certificates requested with a CSR.
        allowedIssuanceModes: {
            allowConfigBasedIssuance: true,
            allowCsrBasedIssuance: true,
        },
        // Key types a request may use: ECDSA P-256, or RSA within the bounds below.
        allowedKeyTypes: [
            {
                ellipticCurve: {
                    signatureAlgorithm: "ECDSA_P256",
                },
            },
            {
                // NOTE(review): "10" and "5" look like placeholders. The upstream API
                // describes these bounds in bits, so a real policy would set a
                // minimum such as 2048 or higher - confirm before copying.
                rsa: {
                    maxModulusSize: "10",
                    minModulusSize: "5",
                },
            },
        ],
        // Baseline X.509 values for certificates issued through this pool.
        baselineValues: {
            // Placeholder custom extension (OID 1.7, value "asdf"). It is marked
            // critical, and RFC 5280 requires a relying party that does not
            // recognise a critical extension to reject the certificate.
            additionalExtensions: [{
                critical: true,
                objectId: {
                    objectIdPaths: [
                        1,
                        7,
                    ],
                },
                value: "asdf",
            }],
            // Placeholder OCSP responder address.
            aiaOcspServers: ["example.com"],
            // NOTE(review): isCa: true marks issued certificates as CA certificates
            // (path length up to 10) while certSign below is false; that pairing is
            // inconsistent for a working CA certificate. A pool meant for
            // end-entity certificates would set isCa: false.
            caOptions: {
                isCa: true,
                maxIssuerPathLength: 10,
            },
            // Key usages: certSign, keyEncipherment and clientAuth are off; the rest are on.
            keyUsage: {
                baseKeyUsage: {
                    certSign: false,
                    contentCommitment: true,
                    crlSign: true,
                    dataEncipherment: true,
                    decipherOnly: true,
                    digitalSignature: true,
                    keyAgreement: true,
                    keyEncipherment: false,
                },
                extendedKeyUsage: {
                    clientAuth: false,
                    codeSigning: true,
                    emailProtection: true,
                    serverAuth: true,
                    timeStamping: true,
                },
            },
            // Placeholder certificate policy OIDs (1.5 and 1.5.7).
            policyIds: [
                {
                    objectIdPaths: [
                        1,
                        5,
                    ],
                },
                {
                    objectIdPaths: [
                        1,
                        5,
                        7,
                    ],
                },
            ],
        },
        // Subject and SANs are passed through from the request. The CEL expression
        // restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
        // names themselves, so name ownership has to be enforced elsewhere or by
        // a stricter expression.
        identityConstraints: {
            allowSubjectAltNamesPassthrough: true,
            allowSubjectPassthrough: true,
            celExpression: {
                expression: "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                title: "My title",
            },
        },
        // Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
        maximumLifetime: "50000s",
    },
    labels: {
        foo: "bar",
    },
    location: "us-central1",
    // CRLs are published for revocation checking; the CA certificate is not published.
    publishingOptions: {
        publishCaCert: false,
        publishCrl: true,
    },
    tier: "ENTERPRISE",
});
# Declares a CA pool with a fully populated issuance policy. Several values
# below are illustrative placeholders and are flagged where they would not make
# a usable policy if copied as-is.
resources:
  default:
    type: gcp:certificateauthority:CaPool
    properties:
      issuancePolicy:
        # Both request styles are enabled: certificates described by a config
        # and certificates requested with a CSR.
        allowedIssuanceModes:
          allowConfigBasedIssuance: true
          allowCsrBasedIssuance: true
        # Key types a request may use: ECDSA P-256, or RSA within the bounds below.
        allowedKeyTypes:
          - ellipticCurve:
              signatureAlgorithm: ECDSA_P256
          # NOTE(review): 10 and 5 look like placeholders. The upstream API
          # describes these bounds in bits, so a real policy would set a
          # minimum such as 2048 or higher - confirm before copying.
          - rsa:
              maxModulusSize: 10
              minModulusSize: 5
        # Baseline X.509 values for certificates issued through this pool.
        baselineValues:
          # Placeholder custom extension (OID 1.7, value "asdf"). It is marked
          # critical, and RFC 5280 requires a relying party that does not
          # recognise a critical extension to reject the certificate.
          additionalExtensions:
            - critical: true
              objectId:
                objectIdPath:
                  - 1
                  - 7
              value: asdf
          # Placeholder OCSP responder address.
          aiaOcspServers:
            - example.com
          # NOTE(review): isCa: true marks issued certificates as CA certificates
          # (path length up to 10) while certSign below is false; that pairing is
          # inconsistent for a working CA certificate. A pool meant for
          # end-entity certificates would set isCa: false.
          caOptions:
            isCa: true
            maxIssuerPathLength: 10
          # Key usages: certSign, keyEncipherment and clientAuth are off; the rest are on.
          keyUsage:
            baseKeyUsage:
              certSign: false
              contentCommitment: true
              crlSign: true
              dataEncipherment: true
              decipherOnly: true
              digitalSignature: true
              keyAgreement: true
              keyEncipherment: false
            extendedKeyUsage:
              clientAuth: false
              codeSigning: true
              emailProtection: true
              serverAuth: true
              timeStamping: true
          # Placeholder certificate policy OIDs (1.5 and 1.5.7).
          policyIds:
            - objectIdPath:
                - 1
                - 5
            - objectIdPath:
                - 1
                - 5
                - 7
        # Subject and SANs are passed through from the request. The CEL expression
        # restricts only the SAN *type* (DNS or EMAIL); it places no limit on the
        # names themselves, so name ownership has to be enforced elsewhere or by
        # a stricter expression.
        identityConstraints:
          allowSubjectAltNamesPassthrough: true
          allowSubjectPassthrough: true
          celExpression:
            expression: subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )
            title: My title
        # Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
        maximumLifetime: 50000s
      labels:
        foo: bar
      location: us-central1
      # CRLs are published for revocation checking; the CA certificate is not published.
      publishingOptions:
        publishCaCert: false
        publishCrl: true
      tier: ENTERPRISE

Privateca Quickstart

using Pulumi;
using Gcp = Pulumi.Gcp;
using Tls = Pulumi.Tls;

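/// <summary>
/// Quickstart stack: generates an RSA key and CSR, creates a CA pool, a
/// self-signed root CA inside that pool, and issues one short-lived
/// certificate from the CSR.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // The generated private key is a resource output and is therefore
        // recorded in the stack's state; protect the state backend accordingly.
        var examplePrivateKey = new Tls.PrivateKey("examplePrivateKey", new Tls.PrivateKeyArgs
        {
            Algorithm = "RSA",
        });
        // CSR for example.com, signed with the key generated above.
        var exampleCertRequest = new Tls.CertRequest("exampleCertRequest", new Tls.CertRequestArgs
        {
            KeyAlgorithm = "RSA",
            PrivateKeyPem = examplePrivateKey.PrivateKeyPem,
            Subjects = 
            {
                new Tls.Inputs.CertRequestSubjectArgs
                {
                    CommonName = "example.com",
                    Organization = "ACME Examples, Inc",
                },
            },
        });
        // Pool policy for issued certificates: end-entity only (IsCa = false),
        // limited to digital signature / key encipherment and TLS server auth.
        var defaultCaPool = new Gcp.CertificateAuthority.CaPool("defaultCaPool", new Gcp.CertificateAuthority.CaPoolArgs
        {
            Location = "us-central1",
            Tier = "ENTERPRISE",
            Project = "project-id",
            // Publish both the CA certificate and the CRL so relying parties
            // can build the chain and check revocation.
            PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
            {
                PublishCaCert = true,
                PublishCrl = true,
            },
            Labels = 
            {
                { "foo", "bar" },
            },
            IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
            {
                BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
                    {
                        IsCa = false,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            KeyEncipherment = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
        });
        // Self-signed root CA with a 4096-bit RSA key; its own key usage is
        // limited to certificate and CRL signing.
        var test_ca = new Gcp.CertificateAuthority.Authority("test-ca", new Gcp.CertificateAuthority.AuthorityArgs
        {
            CertificateAuthorityId = "my-authority",
            Location = "us-central1",
            Project = "project-id",
            // Fix: the original referenced `google_privateca_ca_pool.Pool.Name`,
            // an identifier that is never declared in this program. Point at the
            // pool created above so the CA lands in it and is ordered after it.
            Pool = defaultCaPool.Name,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        CountryCode = "us",
                        Organization = "google",
                        OrganizationalUnit = "enterprise",
                        Locality = "mountain view",
                        Province = "california",
                        StreetAddress = "1600 amphitheatre parkway",
                        PostalCode = "94109",
                        CommonName = "my-certificate-authority",
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                        },
                    },
                },
            },
            Type = "SELF_SIGNED",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });
        // Certificate issued from the CSR by the CA above; the lifetime is
        // 860 seconds (a little over 14 minutes).
        var defaultCertificate = new Gcp.CertificateAuthority.Certificate("defaultCertificate", new Gcp.CertificateAuthority.CertificateArgs
        {
            // Same fix as on the CA: use the pool declared in this program.
            Pool = defaultCaPool.Name,
            CertificateAuthority = test_ca.CertificateAuthorityId,
            Project = "project-id",
            Location = "us-central1",
            Lifetime = "860s",
            PemCsr = exampleCertRequest.CertRequestPem,
        });
    }

}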
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/certificateauthority"
	"github.com/pulumi/pulumi-tls/sdk/v4/go/tls"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

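// main registers a Pulumi program that builds a small private PKI: a TLS key
// pair and CSR, a CA pool, a self-signed CA in that pool, and one certificate
// issued from the CSR.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The generated private key is an output of this resource, so it is
		// recorded in the stack state; protect the state backend accordingly.
		examplePrivateKey, err := tls.NewPrivateKey(ctx, "examplePrivateKey", &tls.PrivateKeyArgs{
			Algorithm: pulumi.String("RSA"),
		})
		if err != nil {
			return err
		}
		// The subject types live in the tls package and must be qualified.
		exampleCertRequest, err := tls.NewCertRequest(ctx, "exampleCertRequest", &tls.CertRequestArgs{
			KeyAlgorithm:  pulumi.String("RSA"),
			PrivateKeyPem: examplePrivateKey.PrivateKeyPem,
			Subjects: tls.CertRequestSubjectArray{
				&tls.CertRequestSubjectArgs{
					CommonName:   pulumi.String("example.com"),
					Organization: pulumi.String("ACME Examples, Inc"),
				},
			},
		})
		if err != nil {
			return err
		}
		// Keep a handle on the pool: the CA and the certificate below refer to
		// it by name, which also orders their creation after the pool.
		defaultCaPool, err := certificateauthority.NewCaPool(ctx, "defaultCaPool", &certificateauthority.CaPoolArgs{
			Location: pulumi.String("us-central1"),
			Tier:     pulumi.String("ENTERPRISE"),
			Project:  pulumi.String("project-id"),
			PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
				PublishCaCert: pulumi.Bool(true),
				PublishCrl:    pulumi.Bool(true),
			},
			Labels: pulumi.StringMap{
				"foo": pulumi.String("bar"),
			},
			// Baseline values are applied to every certificate issued through
			// the pool and override conflicting values in the request, so
			// IsCa=false keeps a CSR from obtaining a CA certificate.
			IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
				BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
					CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
						IsCa: pulumi.Bool(false),
					},
					KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
						BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
							DigitalSignature: pulumi.Bool(true),
							KeyEncipherment:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(true),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		// Self-signed CA placed in the pool created above. The original
		// listing discarded this result and read the pool name from an
		// undeclared google_privateca_ca_pool identifier.
		testCa, err := certificateauthority.NewAuthority(ctx, "test-ca", &certificateauthority.AuthorityArgs{
			CertificateAuthorityId: pulumi.String("my-authority"),
			Location:               pulumi.String("us-central1"),
			Project:                pulumi.String("project-id"),
			Pool:                   defaultCaPool.Name,
			Config: &certificateauthority.AuthorityConfigArgs{
				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
						CountryCode:        pulumi.String("us"),
						Organization:       pulumi.String("google"),
						OrganizationalUnit: pulumi.String("enterprise"),
						Locality:           pulumi.String("mountain view"),
						Province:           pulumi.String("california"),
						StreetAddress:      pulumi.String("1600 amphitheatre parkway"),
						PostalCode:         pulumi.String("94109"),
						CommonName:         pulumi.String("my-certificate-authority"),
					},
				},
				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
						IsCa: pulumi.Bool(true),
					},
					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
						// CertSign and CrlSign are the usages a CA key needs to
						// sign certificates and revocation lists.
						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
							CertSign: pulumi.Bool(true),
							CrlSign:  pulumi.Bool(true),
						},
						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
							ServerAuth: pulumi.Bool(true),
						},
					},
				},
			},
			Type: pulumi.String("SELF_SIGNED"),
			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
			},
		})
		if err != nil {
			return err
		}
		// Issue a certificate for the CSR from the CA above; the requested
		// lifetime is 860 seconds.
		_, err = certificateauthority.NewCertificate(ctx, "defaultCertificate", &certificateauthority.CertificateArgs{
			Pool:                 defaultCaPool.Name,
			CertificateAuthority: testCa.CertificateAuthorityId,
			Project:              pulumi.String("project-id"),
			Location:             pulumi.String("us-central1"),
			Lifetime:             pulumi.String("860s"),
			PemCsr:               exampleCertRequest.CertRequestPem,
		})
		if err != nil {
			return err
		}
		return nil
	})
}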
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

/**
 * Pulumi program that declares a TLS key pair and CSR, a CA pool, a
 * self-signed CA, and one certificate issued from the CSR.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the Pulumi context passed in by the runtime (not read here)
     */
    public static void stack(Context ctx) {
        // The generated private key is an output of this resource, so it ends
        // up in the stack state; protect the state backend accordingly.
        var examplePrivateKey = new PrivateKey("examplePrivateKey", PrivateKeyArgs.builder()        
            .algorithm("RSA")
            .build());

        // CSR for the leaf certificate, signed with the key above.
        var exampleCertRequest = new CertRequest("exampleCertRequest", CertRequestArgs.builder()        
            .keyAlgorithm("RSA")
            .privateKeyPem(examplePrivateKey.getPrivateKeyPem())
            .subjects(CertRequestSubject.builder()
                .commonName("example.com")
                .organization("ACME Examples, Inc")
                .build())
            .build());

        // Pool with an issuance policy. Per this page's description of
        // BaselineValues, these values override conflicting values in a
        // request, so isCa(false) keeps a CSR from obtaining a CA certificate.
        var defaultCaPool = new CaPool("defaultCaPool", CaPoolArgs.builder()        
            .location("us-central1")
            .tier("ENTERPRISE")
            .project("project-id")
            .publishingOptions(CaPoolPublishingOptions.builder()
                .publishCaCert(true)
                .publishCrl(true)
                .build())
            .labels(Map.of("foo", "bar"))
            .issuancePolicy(CaPoolIssuancePolicy.builder()
                .baselineValues(CaPoolIssuancePolicyBaselineValues.builder()
                    .caOptions(CaPoolIssuancePolicyBaselineValuesCaOptions.builder()
                        .isCa(false)
                        .build())
                    .keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsage.builder()
                        .baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage.builder()
                            .digitalSignature(true)
                            .keyEncipherment(true)
                            .build())
                        .extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            .build());

        // Self-signed CA with certSign/crlSign key usage.
        // NOTE(review): google_privateca_ca_pool is not declared anywhere in
        // this listing; presumably the pool created above (defaultCaPool) is
        // meant - confirm and replace before use.
        var test_ca = new Authority("test-ca", AuthorityArgs.builder()        
            .certificateAuthorityId("my-authority")
            .location("us-central1")
            .project("project-id")
            .pool(google_privateca_ca_pool.getPool().getName())
            .config(AuthorityConfig.builder()
                .subjectConfig(AuthorityConfigSubjectConfig.builder()
                    .subject(AuthorityConfigSubjectConfigSubject.builder()
                        .countryCode("us")
                        .organization("google")
                        .organizationalUnit("enterprise")
                        .locality("mountain view")
                        .province("california")
                        .streetAddress("1600 amphitheatre parkway")
                        .postalCode("94109")
                        .commonName("my-certificate-authority")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509Config.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptions.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsage.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsage.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage.builder()
                            .serverAuth(true)
                            .build())
                        .build())
                    .build())
                .build())
            .type("SELF_SIGNED")
            .keySpec(AuthorityKeySpec.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .build());

        // Certificate for the CSR, issued by test_ca with a requested lifetime
        // of 860 seconds.
        // NOTE(review): same undeclared google_privateca_ca_pool reference as
        // in the Authority above.
        var defaultCertificate = new Certificate("defaultCertificate", CertificateArgs.builder()        
            .pool(google_privateca_ca_pool.getPool().getName())
            .certificateAuthority(test_ca.getCertificateAuthorityId())
            .project("project-id")
            .location("us-central1")
            .lifetime("860s")
            .pemCsr(exampleCertRequest.getCertRequestPem())
            .build());

        }
}
import pulumi
import pulumi_gcp as gcp
import pulumi_tls as tls

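# Key pair and CSR for the leaf certificate. The generated private key is an
# output of the resource, so it is recorded in the stack state; protect the
# state backend accordingly.
example_private_key = tls.PrivateKey("examplePrivateKey", algorithm="RSA")
example_cert_request = tls.CertRequest("exampleCertRequest",
    key_algorithm="RSA",
    private_key_pem=example_private_key.private_key_pem,
    subjects=[tls.CertRequestSubjectArgs(
        common_name="example.com",
        organization="ACME Examples, Inc",
    )])

# CA pool with an issuance policy. Baseline values are applied to every
# certificate issued through the pool and override conflicting values in the
# request, so is_ca=False keeps a CSR from obtaining a CA certificate.
default_ca_pool = gcp.certificateauthority.CaPool("defaultCaPool",
    location="us-central1",
    tier="ENTERPRISE",
    project="project-id",
    publishing_options=gcp.certificateauthority.CaPoolPublishingOptionsArgs(
        publish_ca_cert=True,
        publish_crl=True,
    ),
    labels={
        "foo": "bar",
    },
    issuance_policy=gcp.certificateauthority.CaPoolIssuancePolicyArgs(
        baseline_values=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs(
            ca_options=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs(
                is_ca=False,
            ),
            key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs(
                base_key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs(
                    digital_signature=True,
                    key_encipherment=True,
                ),
                extended_key_usage=gcp.certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ))

# Self-signed CA in the pool created above. The original listing read the pool
# name from an undeclared google_privateca_ca_pool object; using the pool's own
# output also orders creation of the CA after the pool.
test_ca = gcp.certificateauthority.Authority("test-ca",
    certificate_authority_id="my-authority",
    location="us-central1",
    project="project-id",
    pool=default_ca_pool.name,
    config=gcp.certificateauthority.AuthorityConfigArgs(
        subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
            subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                country_code="us",
                organization="google",
                organizational_unit="enterprise",
                locality="mountain view",
                province="california",
                street_address="1600 amphitheatre parkway",
                postal_code="94109",
                common_name="my-certificate-authority",
            ),
        ),
        x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
            ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                is_ca=True,
            ),
            key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                # cert_sign and crl_sign are the usages a CA key needs to sign
                # certificates and revocation lists.
                base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                    cert_sign=True,
                    crl_sign=True,
                ),
                extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                    server_auth=True,
                ),
            ),
        ),
    ),
    type="SELF_SIGNED",
    key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
        algorithm="RSA_PKCS1_4096_SHA256",
    ))

# Certificate for the CSR, issued by test_ca; the requested lifetime is
# 860 seconds.
default_certificate = gcp.certificateauthority.Certificate("defaultCertificate",
    pool=default_ca_pool.name,
    certificate_authority=test_ca.certificate_authority_id,
    project="project-id",
    location="us-central1",
    lifetime="860s",
    pem_csr=example_cert_request.cert_request_pem)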
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as tls from "@pulumi/tls";

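// Key pair and CSR for the leaf certificate. The generated private key is an
// output of the resource, so it is recorded in the stack state; protect the
// state backend accordingly.
const examplePrivateKey = new tls.PrivateKey("examplePrivateKey", {algorithm: "RSA"});
const exampleCertRequest = new tls.CertRequest("exampleCertRequest", {
    keyAlgorithm: "RSA",
    privateKeyPem: examplePrivateKey.privateKeyPem,
    subjects: [{
        commonName: "example.com",
        organization: "ACME Examples, Inc",
    }],
});

// CA pool with an issuance policy. Baseline values are applied to every
// certificate issued through the pool and override conflicting values in the
// request, so isCa: false keeps a CSR from obtaining a CA certificate.
const defaultCaPool = new gcp.certificateauthority.CaPool("defaultCaPool", {
    location: "us-central1",
    tier: "ENTERPRISE",
    project: "project-id",
    publishingOptions: {
        publishCaCert: true,
        publishCrl: true,
    },
    labels: {
        foo: "bar",
    },
    issuancePolicy: {
        baselineValues: {
            caOptions: {
                isCa: false,
            },
            keyUsage: {
                baseKeyUsage: {
                    digitalSignature: true,
                    keyEncipherment: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
});

// Self-signed CA in the pool created above. The original listing read the pool
// name from an undeclared google_privateca_ca_pool object; using the pool's own
// output also orders creation of the CA after the pool.
const test_ca = new gcp.certificateauthority.Authority("test-ca", {
    certificateAuthorityId: "my-authority",
    location: "us-central1",
    project: "project-id",
    pool: defaultCaPool.name,
    config: {
        subjectConfig: {
            subject: {
                countryCode: "us",
                organization: "google",
                organizationalUnit: "enterprise",
                locality: "mountain view",
                province: "california",
                streetAddress: "1600 amphitheatre parkway",
                postalCode: "94109",
                commonName: "my-certificate-authority",
            },
        },
        x509Config: {
            caOptions: {
                isCa: true,
            },
            keyUsage: {
                // certSign and crlSign are the usages a CA key needs to sign
                // certificates and revocation lists.
                baseKeyUsage: {
                    certSign: true,
                    crlSign: true,
                },
                extendedKeyUsage: {
                    serverAuth: true,
                },
            },
        },
    },
    type: "SELF_SIGNED",
    keySpec: {
        algorithm: "RSA_PKCS1_4096_SHA256",
    },
});

// Certificate for the CSR, issued by test_ca; the requested lifetime is
// 860 seconds.
const defaultCertificate = new gcp.certificateauthority.Certificate("defaultCertificate", {
    pool: defaultCaPool.name,
    certificateAuthority: test_ca.certificateAuthorityId,
    project: "project-id",
    location: "us-central1",
    lifetime: "860s",
    pemCsr: exampleCertRequest.certRequestPem,
});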
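# Private PKI example: TLS key pair and CSR, a CA pool, a self-signed CA in
# that pool, and one certificate issued from the CSR.
resources:
  # The generated private key is an output of this resource, so it is recorded
  # in the stack state; protect the state backend accordingly.
  examplePrivateKey:
    type: tls:PrivateKey
    properties:
      algorithm: RSA
  exampleCertRequest:
    type: tls:CertRequest
    properties:
      keyAlgorithm: RSA
      privateKeyPem: ${examplePrivateKey.privateKeyPem}
      subjects:
        - commonName: example.com
          organization: ACME Examples, Inc
  defaultCaPool:
    type: gcp:certificateauthority:CaPool
    properties:
      location: us-central1
      tier: ENTERPRISE
      project: project-id
      publishingOptions:
        publishCaCert: true
        publishCrl: true
      labels:
        foo: bar
      # Baseline values are applied to every certificate issued through the
      # pool and override conflicting values in the request, so isCa: false
      # keeps a CSR from obtaining a CA certificate.
      issuancePolicy:
        baselineValues:
          caOptions:
            isCa: false
          keyUsage:
            baseKeyUsage:
              digitalSignature: true
              keyEncipherment: true
            extendedKeyUsage:
              serverAuth: true
  test-ca:
    type: gcp:certificateauthority:Authority
    properties:
      certificateAuthorityId: my-authority
      location: us-central1
      project: project-id
      # Refers to the pool declared above; the original listing pointed at a
      # google_privateca_ca_pool resource that this program never declares.
      pool: ${defaultCaPool.name}
      config:
        subjectConfig:
          subject:
            countryCode: us
            organization: google
            organizationalUnit: enterprise
            locality: mountain view
            province: california
            streetAddress: 1600 amphitheatre parkway
            postalCode: 94109
            commonName: my-certificate-authority
        x509Config:
          caOptions:
            isCa: true
          keyUsage:
            # certSign and crlSign are the usages a CA key needs to sign
            # certificates and revocation lists.
            baseKeyUsage:
              certSign: true
              crlSign: true
            extendedKeyUsage:
              serverAuth: true
      type: SELF_SIGNED
      keySpec:
        algorithm: RSA_PKCS1_4096_SHA256
  defaultCertificate:
    type: gcp:certificateauthority:Certificate
    properties:
      pool: ${defaultCaPool.name}
      certificateAuthority: ${["test-ca"].certificateAuthorityId}
      project: project-id
      location: us-central1
      # Requested lifetime of 860 seconds.
      lifetime: 860s
      pemCsr: ${exampleCertRequest.certRequestPem}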

Create a CaPool Resource

new CaPool(name: string, args: CaPoolArgs, opts?: CustomResourceOptions);
@overload
def CaPool(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
           labels: Optional[Mapping[str, str]] = None,
           location: Optional[str] = None,
           name: Optional[str] = None,
           project: Optional[str] = None,
           publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
           tier: Optional[str] = None)
@overload
def CaPool(resource_name: str,
           args: CaPoolArgs,
           opts: Optional[ResourceOptions] = None)
func NewCaPool(ctx *Context, name string, args CaPoolArgs, opts ...ResourceOption) (*CaPool, error)
public CaPool(string name, CaPoolArgs args, CustomResourceOptions? opts = null)
public CaPool(String name, CaPoolArgs args)
public CaPool(String name, CaPoolArgs args, CustomResourceOptions options)
type: gcp:certificateauthority:CaPool
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args CaPoolArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args CaPoolArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args CaPoolArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args CaPoolArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args CaPoolArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

CaPool Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The CaPool resource accepts the following input properties:

Location string

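String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. (The examples on this page pass a region such as "us-central1" for this property, so this description appears to have been carried over from a different field.)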

Tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

IssuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Name string

The name for this CaPool.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

PublishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

IssuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Name string

The name for this CaPool.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

PublishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

tier String

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Map

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

name String

The name for this CaPool.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

name string

The name for this CaPool.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

location str

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

tier str

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuance_policy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

name str

The name for this CaPool.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishing_options CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

tier String

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy Property Map

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Map

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

name String

The name for this CaPool.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions Property Map

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Outputs

All input properties are implicitly available as output properties. Additionally, the CaPool resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing CaPool Resource

Get an existing CaPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: CaPoolState, opts?: CustomResourceOptions): CaPool
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
        labels: Optional[Mapping[str, str]] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        project: Optional[str] = None,
        publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
        tier: Optional[str] = None) -> CaPool
func GetCaPool(ctx *Context, name string, id IDInput, state *CaPoolState, opts ...ResourceOption) (*CaPool, error)
public static CaPool Get(string name, Input<string> id, CaPoolState? state, CustomResourceOptions? opts = null)
public static CaPool get(String name, Output<String> id, CaPoolState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
IssuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels Dictionary<string, string>

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Name string

The name for this CaPool.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

PublishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

IssuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

Labels map[string]string

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Name string

The name for this CaPool.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

PublishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

Tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Map

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

name String

The name for this CaPool.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

tier String

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels {[key: string]: string}

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

name string

The name for this CaPool.

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

tier string

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuance_policy CaPoolIssuancePolicyArgs

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Mapping[str, str]

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

location str

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

name str

The name for this CaPool.

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishing_options CaPoolPublishingOptionsArgs

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

tier str

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

issuancePolicy Property Map

The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

labels Map

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

name String

The name for this CaPool.

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

publishingOptions Property Map

The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

tier String

The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

Supporting Types

CaPoolIssuancePolicy

AllowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

AllowedKeyTypes List<CaPoolIssuancePolicyAllowedKeyType>

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. If no AllowedKeyType is specified, any key may be used, so the CaPool itself places no restriction on the key type. Structure is documented below.

BaselineValues CaPoolIssuancePolicyBaselineValues

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

IdentityConstraints CaPoolIssuancePolicyIdentityConstraints

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

MaximumLifetime string

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

AllowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

AllowedKeyTypes []CaPoolIssuancePolicyAllowedKeyType

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

BaselineValues CaPoolIssuancePolicyBaselineValues

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

IdentityConstraints CaPoolIssuancePolicyIdentityConstraints

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

MaximumLifetime string

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

allowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

allowedKeyTypes List<CaPoolIssuancePolicyAllowedKeyType>

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

baselineValues CaPoolIssuancePolicyBaselineValues

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

identityConstraints CaPoolIssuancePolicyIdentityConstraints

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

maximumLifetime String

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

allowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

allowedKeyTypes CaPoolIssuancePolicyAllowedKeyType[]

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

baselineValues CaPoolIssuancePolicyBaselineValues

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

identityConstraints CaPoolIssuancePolicyIdentityConstraints

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

maximumLifetime string

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

allowed_issuance_modes CaPoolIssuancePolicyAllowedIssuanceModes

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

allowed_key_types Sequence[CaPoolIssuancePolicyAllowedKeyType]

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

baseline_values CaPoolIssuancePolicyBaselineValues

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

identity_constraints CaPoolIssuancePolicyIdentityConstraints

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

maximum_lifetime str

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

allowedIssuanceModes Property Map

IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

allowedKeyTypes List

If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

baselineValues Property Map

A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

identityConstraints Property Map

Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

maximumLifetime String

The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

CaPoolIssuancePolicyAllowedIssuanceModes

AllowConfigBasedIssuance bool

When true, allows callers to create Certificates by specifying a CertificateConfig.

AllowCsrBasedIssuance bool

When true, allows callers to create Certificates by specifying a CSR.

AllowConfigBasedIssuance bool

When true, allows callers to create Certificates by specifying a CertificateConfig.

AllowCsrBasedIssuance bool

When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean

When true, allows callers to create Certificates by specifying a CertificateConfig.

allowCsrBasedIssuance Boolean

When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance boolean

When true, allows callers to create Certificates by specifying a CertificateConfig.

allowCsrBasedIssuance boolean

When true, allows callers to create Certificates by specifying a CSR.

allow_config_based_issuance bool

When true, allows callers to create Certificates by specifying a CertificateConfig.

allow_csr_based_issuance bool

When true, allows callers to create Certificates by specifying a CSR.

allowConfigBasedIssuance Boolean

When true, allows callers to create Certificates by specifying a CertificateConfig.

allowCsrBasedIssuance Boolean

When true, allows callers to create Certificates by specifying a CSR.

CaPoolIssuancePolicyAllowedKeyType

EllipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

Represents an allowed Elliptic Curve key type. Structure is documented below.

Rsa CaPoolIssuancePolicyAllowedKeyTypeRsa

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

EllipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

Represents an allowed Elliptic Curve key type. Structure is documented below.

Rsa CaPoolIssuancePolicyAllowedKeyTypeRsa

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

ellipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

Represents an allowed Elliptic Curve key type. Structure is documented below.

rsa CaPoolIssuancePolicyAllowedKeyTypeRsa

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

ellipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

Represents an allowed Elliptic Curve key type. Structure is documented below.

rsa CaPoolIssuancePolicyAllowedKeyTypeRsa

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

elliptic_curve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

Represents an allowed Elliptic Curve key type. Structure is documented below.

rsa CaPoolIssuancePolicyAllowedKeyTypeRsa

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

ellipticCurve Property Map

Represents an allowed Elliptic Curve key type. Structure is documented below.

rsa Property Map

Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve

SignatureAlgorithm string

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

SignatureAlgorithm string

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

signatureAlgorithm String

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

signatureAlgorithm string

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

signature_algorithm str

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

signatureAlgorithm String

The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

CaPoolIssuancePolicyAllowedKeyTypeRsa

MaxModulusSize string

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

MinModulusSize string

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

MaxModulusSize string

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

MinModulusSize string

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

minModulusSize String

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize string

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

minModulusSize string

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

max_modulus_size str

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

min_modulus_size str

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

maxModulusSize String

The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

minModulusSize String

The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

CaPoolIssuancePolicyBaselineValues

CaOptions CaPoolIssuancePolicyBaselineValuesCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions List<CaPoolIssuancePolicyBaselineValuesAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers List<string>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

PolicyIds List<CaPoolIssuancePolicyBaselineValuesPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CaOptions CaPoolIssuancePolicyBaselineValuesCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

KeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

AdditionalExtensions []CaPoolIssuancePolicyBaselineValuesAdditionalExtension

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

AiaOcspServers []string

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

PolicyIds []CaPoolIssuancePolicyBaselineValuesPolicyId

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions CaPoolIssuancePolicyBaselineValuesCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List<CaPoolIssuancePolicyBaselineValuesAdditionalExtension>

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List<String>

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds List<CaPoolIssuancePolicyBaselineValuesPolicyId>

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions CaPoolIssuancePolicyBaselineValuesCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions CaPoolIssuancePolicyBaselineValuesAdditionalExtension[]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers string[]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds CaPoolIssuancePolicyBaselineValuesPolicyId[]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

ca_options CaPoolIssuancePolicyBaselineValuesCaOptions

Describes values that are relevant in a CA certificate. Structure is documented below.

key_usage CaPoolIssuancePolicyBaselineValuesKeyUsage

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additional_extensions Sequence[CaPoolIssuancePolicyBaselineValuesAdditionalExtension]

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aia_ocsp_servers Sequence[str]

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policy_ids Sequence[CaPoolIssuancePolicyBaselineValuesPolicyId]

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

caOptions Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

keyUsage Property Map

Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

additionalExtensions List

Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

aiaOcspServers List

Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

policyIds List

Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

CaPoolIssuancePolicyBaselineValuesAdditionalExtension

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

Critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

ObjectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

Value string

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

critical boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value string

The value of this X.509 extension. A base64-encoded string.

critical bool

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

object_id CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

Describes values that are relevant in a CA certificate. Structure is documented below.

value str

The value of this X.509 extension. A base64-encoded string.

critical Boolean

Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

objectId Property Map

Describes values that are relevant in a CA certificate. Structure is documented below.

value String

The value of this X.509 extension. A base64-encoded string.

CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List<Integer>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CaPoolIssuancePolicyBaselineValuesCaOptions

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

IsCa bool

When true, the "CA" in Basic Constraints extension will be set to true.

MaxIssuerPathLength int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

NonCa bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

ZeroMaxIssuerPathLength bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Integer

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

is_ca bool

When true, the "CA" in Basic Constraints extension will be set to true.

max_issuer_path_length int

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

non_ca bool

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zero_max_issuer_path_length bool

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

isCa Boolean

When true, the "CA" in Basic Constraints extension will be set to true.

maxIssuerPathLength Number

Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.

nonCa Boolean

When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.

zeroMaxIssuerPathLength Boolean

When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

CaPoolIssuancePolicyBaselineValuesKeyUsage

BaseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages List<CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

BaseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

ExtendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

UnknownExtendedKeyUsages []CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List<CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

base_key_usage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

extended_key_usage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

Describes high-level ways in which a key may be used. Structure is documented below.

unknown_extended_key_usages Sequence[CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

baseKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

extendedKeyUsage Property Map

Describes high-level ways in which a key may be used. Structure is documented below.

unknownExtendedKeyUsages List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

CertSign bool

The key may be used to sign certificates.

ContentCommitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

CrlSign bool

The key may be used to sign certificate revocation lists.

DataEncipherment bool

The key may be used to encipher data.

DecipherOnly bool

The key may be used to decipher only.

DigitalSignature bool

The key may be used for digital signatures.

EncipherOnly bool

The key may be used to encipher only.

KeyAgreement bool

The key may be used in a key agreement protocol.

KeyEncipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

certSign boolean

The key may be used to sign certificates.

contentCommitment boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign boolean

The key may be used to sign certificate revocation lists.

dataEncipherment boolean

The key may be used to encipher data.

decipherOnly boolean

The key may be used to decipher only.

digitalSignature boolean

The key may be used for digital signatures.

encipherOnly boolean

The key may be used to encipher only.

keyAgreement boolean

The key may be used in a key agreement protocol.

keyEncipherment boolean

The key may be used to encipher other keys.

cert_sign bool

The key may be used to sign certificates.

content_commitment bool

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crl_sign bool

The key may be used to sign certificate revocation lists.

data_encipherment bool

The key may be used to encipher data.

decipher_only bool

The key may be used to decipher only.

digital_signature bool

The key may be used for digital signatures.

encipher_only bool

The key may be used to encipher only.

key_agreement bool

The key may be used in a key agreement protocol.

key_encipherment bool

The key may be used to encipher other keys.

certSign Boolean

The key may be used to sign certificates.

contentCommitment Boolean

The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

crlSign Boolean

The key may be used to sign certificate revocation lists.

dataEncipherment Boolean

The key may be used to encipher data.

decipherOnly Boolean

The key may be used to decipher only.

digitalSignature Boolean

The key may be used for digital signatures.

encipherOnly Boolean

The key may be used to encipher only.

keyAgreement Boolean

The key may be used in a key agreement protocol.

keyEncipherment Boolean

The key may be used to encipher other keys.

CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

ClientAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

CodeSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

EmailProtection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

OcspSigning bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

ServerAuth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

TimeStamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

client_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

code_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

email_protection bool

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocsp_signing bool

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

server_auth bool

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

time_stamping bool

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

clientAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

codeSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".

emailProtection Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

ocspSigning Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

serverAuth Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

timeStamping Boolean

Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CaPoolIssuancePolicyBaselineValuesPolicyId

ObjectIdPaths List<int>

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

ObjectIdPaths []int

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths number[]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

object_id_paths Sequence[int]

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

objectIdPaths List

An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

CaPoolIssuancePolicyIdentityConstraints

AllowSubjectAltNamesPassthrough bool

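If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with CelExpression.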

AllowSubjectPassthrough bool

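If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with CelExpression.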

CelExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

AllowSubjectAltNamesPassthrough bool

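If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with CelExpression.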

AllowSubjectPassthrough bool

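If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with CelExpression.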

CelExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

allowSubjectAltNamesPassthrough Boolean

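If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with celExpression.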

allowSubjectPassthrough Boolean

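If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with celExpression.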

celExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

allowSubjectAltNamesPassthrough boolean

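If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with celExpression.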

allowSubjectPassthrough boolean

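If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with celExpression.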

celExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

allow_subject_alt_names_passthrough bool

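If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with cel_expression.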

allow_subject_passthrough bool

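If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with cel_expression.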

cel_expression CaPoolIssuancePolicyIdentityConstraintsCelExpression

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

allowSubjectAltNamesPassthrough Boolean

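If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names that are signed, so constrain them with celExpression.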

allowSubjectPassthrough Boolean

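If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. With passthrough enabled the requester chooses the Subject that is signed, so constrain it with celExpression.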

celExpression Property Map

A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

CaPoolIssuancePolicyIdentityConstraintsCelExpression

Expression string

Textual representation of an expression in Common Expression Language syntax.

Description string

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

Location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title string

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

Expression string

Textual representation of an expression in Common Expression Language syntax.

Description string

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

Location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

Title string

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

expression String

Textual representation of an expression in Common Expression Language syntax.

description String

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title String

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

expression string

Textual representation of an expression in Common Expression Language syntax.

description string

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

location string

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title string

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

expression str

Textual representation of an expression in Common Expression Language syntax.

description str

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

location str

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title str

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

expression String

Textual representation of an expression in Common Expression Language syntax.

description String

Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

location String

String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

title String

Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

CaPoolPublishingOptions

PublishCaCert bool

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

PublishCrl bool

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

PublishCaCert bool

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

PublishCrl bool

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

publishCaCert Boolean

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publishCrl Boolean

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

publishCaCert boolean

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publishCrl boolean

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

publish_ca_cert bool

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publish_crl bool

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

publishCaCert Boolean

When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

publishCrl Boolean

When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates, so relying parties get no CRL location from the certificate to check revocation against. CRLs expire 7 days after they are created, but they are rebuilt daily and also shortly after a certificate is revoked.

Import

CaPool can be imported using any of these accepted formats:

 $ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}}
 $ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}}
 $ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}}

Package Details

Repository
https://github.com/pulumi/pulumi-gcp
License
Apache-2.0
Notes

This Pulumi package is based on the google-beta Terraform Provider.