v5.18.0/website/docs/r/certificate_manager_certificate_issuance_config.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Certificate manager"
 description: |-
   Certificate represents a HTTP-reachable backend for a Certificate.
 ---

 # google\_certificate\_manager\_certificate\_issuance\_config

 Certificate represents a HTTP-reachable backend for a Certificate.


 To get more information about CertificateIssuanceConfig, see:

 * [API documentation](https://cloud.google.com/certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.certificateIssuanceConfigs)
 * How-to Guides
     * [Manage certificate issuance configs](https://cloud.google.com/certificate-manager/docs/issuance-configs)

 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_certificate_issuance_config&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Certificate Issuance Config


 ```hcl
 resource "google_certificate_manager_certificate_issuance_config" "default" {
   name    = "issuance-config"
   description = "sample description for the certificate issuanceConfigs"
   certificate_authority_config {
     certificate_authority_service_config {
         ca_pool = google_privateca_ca_pool.pool.id
     }
   }
   lifetime = "1814400s"
   rotation_window_percentage = 34
   key_algorithm = "ECDSA_P256"
   labels = { "name": "wrench", "count": "3" }

   depends_on=[google_privateca_certificate_authority.ca_authority]
 }

 resource "google_privateca_ca_pool" "pool" {
   name     = "ca-pool"
   location = "us-central1"
   tier     = "ENTERPRISE"
 }

 resource "google_privateca_certificate_authority" "ca_authority" {
   location = "us-central1"
   pool = google_privateca_ca_pool.pool.name
   certificate_authority_id = "ca-authority"
   config {
     subject_config {
       subject {
         organization = "HashiCorp"
         common_name = "my-certificate-authority"
       }
       subject_alt_name {
         dns_names = ["hashicorp.com"]
       }
     }
     x509_config {
       ca_options {
         is_ca = true
       }
       key_usage {
         base_key_usage {
           cert_sign = true
           crl_sign = true
         }
         extended_key_usage {
           server_auth = true
         }
       }
     }
   }
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }

   // Disable CA deletion related safe checks for easier cleanup.
   deletion_protection                    = false
   skip_grace_period                      = true
   ignore_active_certificates_on_deletion = true
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `rotation_window_percentage` -
   (Required)
   It specifies the percentage of elapsed time of the certificate lifetime to wait before renewing the certificate.
   Must be a number between 1-99, inclusive.
   You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after
   the certificate has been issued and at least 7 days before it expires.

 * `key_algorithm` -
   (Required)
   Key algorithm to use when generating the private key.
   Possible values are: `RSA_2048`, `ECDSA_P256`.

 * `lifetime` -
   (Required)
   Lifetime of issued certificates. A duration in seconds with up to nine fractional digits, ending with 's'.
   Example: "1814400s". Valid values are from 21 days (1814400s) to 30 days (2592000s)

 * `certificate_authority_config` -
   (Required)
   The CA that issues the workload certificate. It includes the CA address, type, authentication to CA service, etc.
   Structure is [documented below](#nested_certificate_authority_config).

 * `name` -
   (Required)
   A user-defined name of the certificate issuance config.
   CertificateIssuanceConfig names must be unique globally.


 <a name="nested_certificate_authority_config"></a>The `certificate_authority_config` block supports:

 * `certificate_authority_service_config` -
   (Optional)
   Defines a CertificateAuthorityServiceConfig.
   Structure is [documented below](#nested_certificate_authority_service_config).


 <a name="nested_certificate_authority_service_config"></a>The `certificate_authority_service_config` block supports:

 * `ca_pool` -
   (Required)
   A CA pool resource used to issue a certificate.
   The CA pool string has a relative resource path following the form
   "projects/{project}/locations/{location}/caPools/{caPool}".

 - - -


 * `description` -
   (Optional)
   One or more paragraphs of text description of a CertificateIssuanceConfig.

 * `labels` -
   (Optional)
   'Set of label tags associated with the CertificateIssuanceConfig resource.
    An object containing a list of "key": value pairs. Example: { "name": "wrench", "count": "3" }.

   **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
   Please refer to the field `effective_labels` for all of the labels present on the resource.

 * `location` -
   (Optional)
   The Certificate Manager location. If not specified, "global" is used.

 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.


 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}`

 * `create_time` -
   The creation timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
   accurate to nanoseconds with up to nine fractional digits.
   Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

 * `update_time` -
   The last update timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
   accurate to nanoseconds with up to nine fractional digits.
   Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

 * `terraform_labels` -
   The combination of labels configured directly on the resource
    and default labels configured on the provider.

 * `effective_labels` -
   All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 CertificateIssuanceConfig can be imported using any of these accepted formats:

 * `projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}`
 * `{{project}}/{{location}}/{{name}}`
 * `{{location}}/{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CertificateIssuanceConfig using one of the formats above. For example:

 ```tf
 import {
   id = "projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}"
   to = google_certificate_manager_certificate_issuance_config.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CertificateIssuanceConfig can be imported using one of the formats above. For example:

 ```
 $ terraform import google_certificate_manager_certificate_issuance_config.default projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}
 $ terraform import google_certificate_manager_certificate_issuance_config.default {{project}}/{{location}}/{{name}}
 $ terraform import google_certificate_manager_certificate_issuance_config.default {{location}}/{{name}}
 ```

 ## User Project Overrides

 This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Certificate manager"
	description: \|-
	Certificate represents a HTTP-reachable backend for a Certificate.
	---

	# google\_certificate\_manager\_certificate\_issuance\_config

	Certificate represents a HTTP-reachable backend for a Certificate.


	To get more information about CertificateIssuanceConfig, see:

	* [API documentation](https://cloud.google.com/certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.certificateIssuanceConfigs)
	* How-to Guides
	* [Manage certificate issuance configs](https://cloud.google.com/certificate-manager/docs/issuance-configs)

	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=certificate_manager_certificate_issuance_config&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Certificate Issuance Config


	```hcl
	resource "google_certificate_manager_certificate_issuance_config" "default" {
	name = "issuance-config"
	description = "sample description for the certificate issuanceConfigs"
	certificate_authority_config {
	certificate_authority_service_config {
	ca_pool = google_privateca_ca_pool.pool.id
	}
	}
	lifetime = "1814400s"
	rotation_window_percentage = 34
	key_algorithm = "ECDSA_P256"
	labels = { "name": "wrench", "count": "3" }

	depends_on=[google_privateca_certificate_authority.ca_authority]
	}

	resource "google_privateca_ca_pool" "pool" {
	name = "ca-pool"
	location = "us-central1"
	tier = "ENTERPRISE"
	}

	resource "google_privateca_certificate_authority" "ca_authority" {
	location = "us-central1"
	pool = google_privateca_ca_pool.pool.name
	certificate_authority_id = "ca-authority"
	config {
	subject_config {
	subject {
	organization = "HashiCorp"
	common_name = "my-certificate-authority"
	}
	subject_alt_name {
	dns_names = ["hashicorp.com"]
	}
	}
	x509_config {
	ca_options {
	is_ca = true
	}
	key_usage {
	base_key_usage {
	cert_sign = true
	crl_sign = true
	}
	extended_key_usage {
	server_auth = true
	}
	}
	}
	}
	key_spec {
	algorithm = "RSA_PKCS1_4096_SHA256"
	}

	// Disable CA deletion related safe checks for easier cleanup.
	deletion_protection = false
	skip_grace_period = true
	ignore_active_certificates_on_deletion = true
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `rotation_window_percentage` -
	(Required)
	It specifies the percentage of elapsed time of the certificate lifetime to wait before renewing the certificate.
	Must be a number between 1-99, inclusive.
	You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after
	the certificate has been issued and at least 7 days before it expires.

	* `key_algorithm` -
	(Required)
	Key algorithm to use when generating the private key.
	Possible values are: `RSA_2048`, `ECDSA_P256`.

	* `lifetime` -
	(Required)
	Lifetime of issued certificates. A duration in seconds with up to nine fractional digits, ending with 's'.
	Example: "1814400s". Valid values are from 21 days (1814400s) to 30 days (2592000s)

	* `certificate_authority_config` -
	(Required)
	The CA that issues the workload certificate. It includes the CA address, type, authentication to CA service, etc.
	Structure is [documented below](#nested_certificate_authority_config).

	* `name` -
	(Required)
	A user-defined name of the certificate issuance config.
	CertificateIssuanceConfig names must be unique globally.


	<a name="nested_certificate_authority_config"></a>The `certificate_authority_config` block supports:

	* `certificate_authority_service_config` -
	(Optional)
	Defines a CertificateAuthorityServiceConfig.
	Structure is [documented below](#nested_certificate_authority_service_config).


	<a name="nested_certificate_authority_service_config"></a>The `certificate_authority_service_config` block supports:

	* `ca_pool` -
	(Required)
	A CA pool resource used to issue a certificate.
	The CA pool string has a relative resource path following the form
	"projects/{project}/locations/{location}/caPools/{caPool}".

	- - -


	* `description` -
	(Optional)
	One or more paragraphs of text description of a CertificateIssuanceConfig.

	* `labels` -
	(Optional)
	'Set of label tags associated with the CertificateIssuanceConfig resource.
	An object containing a list of "key": value pairs. Example: { "name": "wrench", "count": "3" }.

	Note: This field is non-authoritative, and will only manage the labels present in your configuration.
	Please refer to the field `effective_labels` for all of the labels present on the resource.

	* `location` -
	(Optional)
	The Certificate Manager location. If not specified, "global" is used.

	* `project` - (Optional) The ID of the project in which the resource belongs.
	If it is not provided, the provider project is used.


	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}`

	* `create_time` -
	The creation timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
	accurate to nanoseconds with up to nine fractional digits.
	Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

	* `update_time` -
	The last update timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
	accurate to nanoseconds with up to nine fractional digits.
	Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

	* `terraform_labels` -
	The combination of labels configured directly on the resource
	and default labels configured on the provider.

	* `effective_labels` -
	All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	CertificateIssuanceConfig can be imported using any of these accepted formats:

	* `projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}`
	* `{{project}}/{{location}}/{{name}}`
	* `{{location}}/{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CertificateIssuanceConfig using one of the formats above. For example:

	```tf
	import {
	id = "projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}"
	to = google_certificate_manager_certificate_issuance_config.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CertificateIssuanceConfig can be imported using one of the formats above. For example:

	```
	$ terraform import google_certificate_manager_certificate_issuance_config.default projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}
	$ terraform import google_certificate_manager_certificate_issuance_config.default {{project}}/{{location}}/{{name}}
	$ terraform import google_certificate_manager_certificate_issuance_config.default {{location}}/{{name}}
	```

	## User Project Overrides

	This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).