googlePrivatecaCertificateAuthority
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
- API documentation
- How-to Guides
- Official Documentation
\~> Warning: On newer versions of the provider, you must explicitly set deletionProtection=false
(and run terraformApply
to write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you're ready to destroy.
Example Usage - Privateca Certificate Authority Basic
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
this,
"default",
{
certificate_authority_id: "my-certificate-authority",
config: [
{
subject_config: [
{
subject: [
{
common_name: "my-certificate-authority",
organization: "HashiCorp",
},
],
subject_alt_name: [
{
dns_names: ["hashicorp.com"],
},
],
},
],
x509_config: [
{
ca_options: [
{
is_ca: true,
max_issuer_path_length: 10,
},
],
key_usage: [
{
base_key_usage: [
{
cert_sign: true,
content_commitment: true,
crl_sign: true,
data_encipherment: true,
decipher_only: true,
digital_signature: true,
key_agreement: true,
key_encipherment: false,
},
],
extended_key_usage: [
{
client_auth: false,
code_signing: true,
email_protection: true,
server_auth: true,
time_stamping: true,
},
],
},
],
},
],
},
],
deletion_protection: "true",
key_spec: [
{
algorithm: "RSA_PKCS1_4096_SHA256",
},
],
lifetime: "86400s",
location: "us-central1",
pool: "ca-pool",
}
);
Example Usage - Privateca Certificate Authority Subordinate
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googlePrivatecaCertificateAuthorityRootCa =
new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
this,
"root-ca",
{
certificate_authority_id: "my-certificate-authority-root",
config: [
{
subject_config: [
{
subject: [
{
common_name: "my-certificate-authority",
organization: "HashiCorp",
},
],
subject_alt_name: [
{
dns_names: ["hashicorp.com"],
},
],
},
],
x509_config: [
{
ca_options: [
{
is_ca: true,
},
],
key_usage: [
{
base_key_usage: [
{
cert_sign: true,
crl_sign: true,
},
],
extended_key_usage: [
{
server_auth: false,
},
],
},
],
},
],
},
],
deletion_protection: false,
ignore_active_certificates_on_deletion: true,
key_spec: [
{
algorithm: "RSA_PKCS1_4096_SHA256",
},
],
location: "us-central1",
pool: "ca-pool",
skip_grace_period: true,
}
);
new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
this,
"default",
{
certificate_authority_id: "my-certificate-authority-sub",
config: [
{
subject_config: [
{
subject: [
{
common_name: "my-subordinate-authority",
organization: "HashiCorp",
},
],
subject_alt_name: [
{
dns_names: ["hashicorp.com"],
},
],
},
],
x509_config: [
{
ca_options: [
{
is_ca: true,
max_issuer_path_length: 0,
},
],
key_usage: [
{
base_key_usage: [
{
cert_sign: true,
content_commitment: true,
crl_sign: true,
data_encipherment: true,
decipher_only: true,
digital_signature: true,
key_agreement: true,
key_encipherment: false,
},
],
extended_key_usage: [
{
client_auth: false,
code_signing: true,
email_protection: true,
server_auth: true,
time_stamping: true,
},
],
},
],
},
],
},
],
deletion_protection: "true",
key_spec: [
{
algorithm: "RSA_PKCS1_4096_SHA256",
},
],
lifetime: "86400s",
location: "us-central1",
pool: "ca-pool",
subordinate_config: [
{
certificate_authority: googlePrivatecaCertificateAuthorityRootCa.name,
},
],
type: "SUBORDINATE",
}
);
Example Usage - Privateca Certificate Authority Byo Key
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleProjectServiceIdentityPrivatecaSa =
new google.projectServiceIdentity.ProjectServiceIdentity(
this,
"privateca_sa",
{
service: "privateca.googleapis.com",
}
);
const googleKmsCryptoKeyIamBindingPrivatecaSaKeyuserSignerverifier =
new google.kmsCryptoKeyIamBinding.KmsCryptoKeyIamBinding(
this,
"privateca_sa_keyuser_signerverifier",
{
crypto_key_id:
"projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
members: [
`serviceAccount:\${${googleProjectServiceIdentityPrivatecaSa.email}}`,
],
role: "roles/cloudkms.signerVerifier",
}
);
const googleKmsCryptoKeyIamBindingPrivatecaSaKeyuserViewer =
new google.kmsCryptoKeyIamBinding.KmsCryptoKeyIamBinding(
this,
"privateca_sa_keyuser_viewer",
{
crypto_key_id:
"projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
members: [
`serviceAccount:\${${googleProjectServiceIdentityPrivatecaSa.email}}`,
],
role: "roles/viewer",
}
);
new google.privatecaCertificateAuthority.PrivatecaCertificateAuthority(
this,
"default",
{
certificate_authority_id: "my-certificate-authority",
config: [
{
subject_config: [
{
subject: [
{
common_name: "Example Authority",
organization: "Example, Org.",
},
],
},
],
x509_config: [
{
ca_options: [
{
is_ca: true,
max_issuer_path_length: 10,
},
],
key_usage: [
{
base_key_usage: [
{
cert_sign: true,
crl_sign: true,
},
],
extended_key_usage: [
{
server_auth: false,
},
],
},
],
name_constraints: [
{
critical: true,
excluded_dns_names: ["*.deny.example.com"],
excluded_email_addresses: [".deny.example.com"],
excluded_ip_ranges: ["10.1.1.0/24"],
excluded_uris: [".deny.example.com"],
permitted_dns_names: ["*.example.com"],
permitted_email_addresses: [".example.com"],
permitted_ip_ranges: ["10.0.0.0/8"],
permitted_uris: [".example.com"],
},
],
},
],
},
],
deletion_protection: "true",
depends_on: [
`\${${googleKmsCryptoKeyIamBindingPrivatecaSaKeyuserSignerverifier.fqn}}`,
`\${${googleKmsCryptoKeyIamBindingPrivatecaSaKeyuserViewer.fqn}}`,
],
key_spec: [
{
cloud_kms_key_version:
"projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
},
],
location: "us-central1",
pool: "ca-pool",
}
);
Argument Reference
The following arguments are supported:
-
location
- (Required) Location of the CertificateAuthority. A full list of valid locations can be found by runninggcloudPrivatecaLocationsList
. -
certificateAuthorityId
- (Required) The user provided Resource ID for this Certificate Authority. -
pool
- (Required) The name of the CaPool this Certificate Authority belongs to. -
config
- (Required) The config used to create a self-signed X.509 certificate or CSR. Structure is documented below. -
keySpec
- (Required) Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
-
x509Config
- (Required) Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below. -
subjectConfig
- (Required) Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
The x509Config
block supports:
-
additionalExtensions
- (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below. -
policyIds
- (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below. -
aiaOcspServers
- (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. -
caOptions
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below. -
keyUsage
- (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below. -
nameConstraints
- (Optional) Describes the X.509 name constraints extension. Structure is documented below.
The additionalExtensions
block supports:
-
critical
- (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). -
value
- (Required) The value of this X.509 extension. A base64-encoded string. -
objectId
- (Required) Describes values that are relevant in a CA certificate. Structure is documented below.
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
-
isCa
- (Required) When true, the "CA" in Basic Constraints extension will be set to true. -
nonCa
- (Optional) When true, the "CA" in Basic Constraints extension will be set to false. If bothisCa
andnonCa
are unset, the extension will be omitted from the CA certificate. -
maxIssuerPathLength
- (Optional) Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires settingzeroMaxIssuerPathLength =True
. -
zeroMaxIssuerPathLength
- (Optional) When true, the "path length constraint" in Basic Constraints extension will be set to 0. If bothmaxIssuerPathLength
andzeroMaxIssuerPathLength
are unset, the max path length will be omitted from the CA certificate.
-
baseKeyUsage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
extendedKeyUsage
- (Required) Describes high-level ways in which a key may be used. Structure is documented below. -
unknownExtendedKeyUsages
- (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
The baseKeyUsage
block supports:
-
digitalSignature
- (Optional) The key may be used for digital signatures. -
contentCommitment
- (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". -
keyEncipherment
- (Optional) The key may be used to encipher other keys. -
dataEncipherment
- (Optional) The key may be used to encipher data. -
keyAgreement
- (Optional) The key may be used in a key agreement protocol. -
certSign
- (Optional) The key may be used to sign certificates. -
crlSign
- (Optional) The key may be used sign certificate revocation lists. -
encipherOnly
- (Optional) The key may be used to encipher only. -
decipherOnly
- (Optional) The key may be used to decipher only.
The extendedKeyUsage
block supports:
-
serverAuth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. -
clientAuth
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. -
codeSigning
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". -
emailProtection
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". -
timeStamping
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". -
ocspSigning
- (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
The unknownExtendedKeyUsages
block supports:
objectIdPath
- (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
The nameConstraints
block supports:
-
critical
- (Required) Indicates whether or not the name constraints are marked critical. -
permittedDnsNames
- (Optional) Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,exampleCom
,wwwExampleCom
,wwwSubExampleCom
would satisfyexampleCom
whileexample1Com
does not. -
excludedDnsNames
- (Optional) Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example,exampleCom
,wwwExampleCom
,wwwSubExampleCom
would satisfyexampleCom
whileexample1Com
does not. -
permittedIpRanges
- (Optional) Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
excludedIpRanges
- (Optional) Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses. -
permittedEmailAddresses
- (Optional) Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.exampleCom
) to indicate all email addresses in that domain. -
excludedEmailAddresses
- (Optional) Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g.exampleCom
) to indicate all email addresses in that domain. -
permittedUris
- (Optional) Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (likeexampleCom
) -
excludedUris
- (Optional) Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (likeexampleCom
)
The subjectConfig
block supports:
-
subject
- (Required) Contains distinguished name fields such as the location and organization. Structure is documented below. -
subjectAltName
- (Optional) The subject alternative name fields. Structure is documented below.
-
countryCode
- (Optional) The country code of the subject. -
organization
- (Required) The organization of the subject. -
organizationalUnit
- (Optional) The organizational unit of the subject. -
locality
- (Optional) The locality or city of the subject. -
province
- (Optional) The province, territory, or regional state of the subject. -
streetAddress
- (Optional) The street address of the subject. -
postalCode
- (Optional) The postal code of the subject. -
commonName
- (Required) The common name of the distinguished name.
The subjectAltName
block supports:
-
dnsNames
- (Optional) Contains only valid, fully-qualified host names. -
uris
- (Optional) Contains only valid RFC 3986 URIs. -
emailAddresses
- (Optional) Contains only valid RFC 2822 E-mail addresses. -
ipAddresses
- (Optional) Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
-
cloudKmsKeyVersion
- (Optional) The resource name for an existing Cloud KMS CryptoKeyVersion in the formatprojects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*
. -
algorithm
- (Optional) The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values aresignHashAlgorithmUnspecified
,rsaPss2048Sha256
,rsaPss3072Sha256
,rsaPss4096Sha256
,rsaPkcs12048Sha256
,rsaPkcs13072Sha256
,rsaPkcs14096Sha256
,ecP256Sha256
, andecP384Sha384
.
-
pemCaCertificate
- (Optional) The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer. -
ignoreActiveCertificatesOnDeletion
- (Optional) This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults tofalse
. -
skipGracePeriod
- (Optional) If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults tofalse
. -
type
- (Optional) The Type of this CertificateAuthority. \~> Note: Forsubordinate
Certificate Authorities, they need to be activated before they can issue certificates. Default value isselfSigned
. Possible values areselfSigned
andsubordinate
. -
lifetime
- (Optional) The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". -
subordinateConfig
- (Optional) If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below. -
gcsBucket
- (Optional) The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such asgs://
) or suffixes (such asgoogleapisCom
). For example, to use a bucket named my-bucket, you would simply specifymyBucket
. If not specified, a managed bucket will be created. -
labels
- (Optional) Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. -
project
- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used. -
deletionProtection
- (Optional) Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, aterraformDestroy
orterraformApply
that would delete the instance will fail. -
desiredState
- (Optional) Desired state of the CertificateAuthority. Set this field tostaged
to create astaged
root CA.
The subordinateConfig
block supports:
-
certificateAuthority
- (Optional) This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the formatprojects/*/locations/*/caPools/*/certificateAuthorities/*
. -
pemIssuerChain
- (Optional) Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
The pemIssuerChain
block supports:
pemCertificates
- (Optional) Expected to be in leaf-to-root order according to RFC 5246.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
-
id
- an identifier for the resource with formatprojects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificateAuthorityId}}
-
name
- The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*. -
state
- The State for this CertificateAuthority. -
pemCaCertificates
- This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate. -
accessUrls
- URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below. -
createTime
- The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". -
updateTime
- The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
The accessUrls
block contains:
-
caCertificateAccessUrl
- (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated. -
crlAccessUrls
- (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
Timeouts
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.
Import
CertificateAuthority can be imported using any of these accepted formats:
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{pool}}/{{certificate_authority_id}}
User Project Overrides
This resource supports User Project Overrides.