Google Git
Sign in
third-party-mirror / terraform-provider-google-beta / 7018e2f3f116fdacfd66c03551fbf0c3db62170a / . / v5.18.0 / website / docs / r / privateca_certificate_authority.html.markdown
blob: b680cdbdfce01beb28f1c9f56d2e5d34b451225b [file] [log] [blame]
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Certificate Authority Service"
description: |-
A CertificateAuthority represents an individual Certificate Authority.
---
# google\_privateca\_certificate\_authority
A CertificateAuthority represents an individual Certificate Authority. A
CertificateAuthority can be used to create Certificates.
To get more information about CertificateAuthority, see:
* [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest)
* How-to Guides
* [Official Documentation](https://cloud.google.com/certificate-authority-service)
~> **Warning:** On newer versions of the provider, you must explicitly set `deletion_protection=false`
(and run `terraform apply` to write the field to state) in order to destroy a CertificateAuthority.
It is recommended to not set this field (or set it to true) until you're ready to destroy.
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Basic
```hcl
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_subordinate&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Subordinate
```hcl
resource "google_privateca_certificate_authority" "root-ca" {
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-root"
location = "us-central1"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority-sub"
location = "us-central1"
deletion_protection = "true"
subordinate_config {
certificate_authority = google_privateca_certificate_authority.root-ca.name
}
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-subordinate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
# Force the sub CA to only issue leaf certs
max_issuer_path_length = 0
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
type = "SUBORDINATE"
}
```
## Example Usage - Privateca Certificate Authority Byo Key
```hcl
resource "google_project_service_identity" "privateca_sa" {
service = "privateca.googleapis.com"
}
resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_signerverifier" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/cloudkms.signerVerifier"
member = "serviceAccount:${google_project_service_identity.privateca_sa.email}"
}
resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_viewer" {
crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
role = "roles/viewer"
member = "serviceAccount:${google_project_service_identity.privateca_sa.email}"
}
resource "google_privateca_certificate_authority" "default" {
// This example assumes this pool already exists.
// Pools cannot be deleted in normal test circumstances, so we depend on static pools
pool = "ca-pool"
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
deletion_protection = "true"
key_spec {
cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
}
config {
subject_config {
subject {
organization = "Example, Org."
common_name = "Example Authority"
}
}
x509_config {
ca_options {
# is_ca *MUST* be true for certificate authorities
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
# cert_sign and crl_sign *MUST* be true for certificate authorities
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.example.com"]
excluded_dns_names = ["*.deny.example.com"]
permitted_ip_ranges = ["10.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24"]
permitted_email_addresses = [".example.com"]
excluded_email_addresses = [".deny.example.com"]
permitted_uris = [".example.com"]
excluded_uris = [".deny.example.com"]
}
}
}
depends_on = [
google_kms_crypto_key_iam_member.privateca_sa_keyuser_signerverifier,
google_kms_crypto_key_iam_member.privateca_sa_keyuser_viewer,
]
}
```
## Argument Reference
The following arguments are supported:
* `location` -
(Required)
Location of the CertificateAuthority. A full list of valid locations can be found by
running `gcloud privateca locations list`.
* `certificate_authority_id` -
(Required)
The user provided Resource ID for this Certificate Authority.
* `pool` -
(Required)
The name of the CaPool this Certificate Authority belongs to.
* `config` -
(Required)
The config used to create a self-signed X.509 certificate or CSR.
Structure is [documented below](#nested_config).
* `key_spec` -
(Required)
Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
certificate. Otherwise, it is used to sign a CSR.
Structure is [documented below](#nested_key_spec).
<a name="nested_config"></a>The `config` block supports:
* `x509_config` -
(Required)
Describes how some of the technical X.509 fields in a certificate should be populated.
Structure is [documented below](#nested_x509_config).
* `subject_config` -
(Required)
Specifies some of the values in a certificate that are related to the subject.
Structure is [documented below](#nested_subject_config).
<a name="nested_x509_config"></a>The `x509_config` block supports:
* `additional_extensions` -
(Optional)
Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
Structure is [documented below](#nested_additional_extensions).
* `policy_ids` -
(Optional)
Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
Structure is [documented below](#nested_policy_ids).
* `aia_ocsp_servers` -
(Optional)
Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the
"Authority Information Access" extension in the certificate.
* `ca_options` -
(Required)
Describes values that are relevant in a CA certificate.
Structure is [documented below](#nested_ca_options).
* `key_usage` -
(Required)
Indicates the intended use for keys that correspond to a certificate.
Structure is [documented below](#nested_key_usage).
* `name_constraints` -
(Optional)
Describes the X.509 name constraints extension.
Structure is [documented below](#nested_name_constraints).
<a name="nested_additional_extensions"></a>The `additional_extensions` block supports:
* `critical` -
(Required)
Indicates whether or not this extension is critical (i.e., if the client does not know how to
handle this extension, the client should consider this to be an error).
* `value` -
(Required)
The value of this X.509 extension. A base64-encoded string.
* `object_id` -
(Required)
Describes values that are relevant in a CA certificate.
Structure is [documented below](#nested_object_id).
<a name="nested_object_id"></a>The `object_id` block supports:
* `object_id_path` -
(Required)
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
<a name="nested_policy_ids"></a>The `policy_ids` block supports:
* `object_id_path` -
(Required)
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
<a name="nested_ca_options"></a>The `ca_options` block supports:
* `is_ca` -
(Required)
When true, the "CA" in Basic Constraints extension will be set to true.
* `non_ca` -
(Optional)
When true, the "CA" in Basic Constraints extension will be set to false.
If both `is_ca` and `non_ca` are unset, the extension will be omitted from the CA certificate.
* `max_issuer_path_length` -
(Optional)
Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
requires setting `zero_max_issuer_path_length = true`.
* `zero_max_issuer_path_length` -
(Optional)
When true, the "path length constraint" in Basic Constraints extension will be set to 0.
If both `max_issuer_path_length` and `zero_max_issuer_path_length` are unset,
the max path length will be omitted from the CA certificate.
<a name="nested_key_usage"></a>The `key_usage` block supports:
* `base_key_usage` -
(Required)
Describes high-level ways in which a key may be used.
Structure is [documented below](#nested_base_key_usage).
* `extended_key_usage` -
(Required)
Describes high-level ways in which a key may be used.
Structure is [documented below](#nested_extended_key_usage).
* `unknown_extended_key_usages` -
(Optional)
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
Structure is [documented below](#nested_unknown_extended_key_usages).
<a name="nested_base_key_usage"></a>The `base_key_usage` block supports:
* `digital_signature` -
(Optional)
The key may be used for digital signatures.
* `content_commitment` -
(Optional)
The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
* `key_encipherment` -
(Optional)
The key may be used to encipher other keys.
* `data_encipherment` -
(Optional)
The key may be used to encipher data.
* `key_agreement` -
(Optional)
The key may be used in a key agreement protocol.
* `cert_sign` -
(Optional)
The key may be used to sign certificates.
* `crl_sign` -
(Optional)
The key may be used sign certificate revocation lists.
* `encipher_only` -
(Optional)
The key may be used to encipher only.
* `decipher_only` -
(Optional)
The key may be used to decipher only.
<a name="nested_extended_key_usage"></a>The `extended_key_usage` block supports:
* `server_auth` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
* `client_auth` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
* `code_signing` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
* `email_protection` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
* `time_stamping` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
* `ocsp_signing` -
(Optional)
Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
<a name="nested_unknown_extended_key_usages"></a>The `unknown_extended_key_usages` block supports:
* `object_id_path` -
(Required)
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
<a name="nested_name_constraints"></a>The `name_constraints` block supports:
* `critical` -
(Required)
Indicates whether or not the name constraints are marked critical.
* `permitted_dns_names` -
(Optional)
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
* `excluded_dns_names` -
(Optional)
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
* `permitted_ip_ranges` -
(Optional)
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
* `excluded_ip_ranges` -
(Optional)
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
* `permitted_email_addresses` -
(Optional)
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
* `excluded_email_addresses` -
(Optional)
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
* `permitted_uris` -
(Optional)
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
* `excluded_uris` -
(Optional)
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
<a name="nested_subject_config"></a>The `subject_config` block supports:
* `subject` -
(Required)
Contains distinguished name fields such as the location and organization.
Structure is [documented below](#nested_subject).
* `subject_alt_name` -
(Optional)
The subject alternative name fields.
Structure is [documented below](#nested_subject_alt_name).
<a name="nested_subject"></a>The `subject` block supports:
* `country_code` -
(Optional)
The country code of the subject.
* `organization` -
(Required)
The organization of the subject.
* `organizational_unit` -
(Optional)
The organizational unit of the subject.
* `locality` -
(Optional)
The locality or city of the subject.
* `province` -
(Optional)
The province, territory, or regional state of the subject.
* `street_address` -
(Optional)
The street address of the subject.
* `postal_code` -
(Optional)
The postal code of the subject.
* `common_name` -
(Required)
The common name of the distinguished name.
<a name="nested_subject_alt_name"></a>The `subject_alt_name` block supports:
* `dns_names` -
(Optional)
Contains only valid, fully-qualified host names.
* `uris` -
(Optional)
Contains only valid RFC 3986 URIs.
* `email_addresses` -
(Optional)
Contains only valid RFC 2822 E-mail addresses.
* `ip_addresses` -
(Optional)
Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
<a name="nested_key_spec"></a>The `key_spec` block supports:
* `cloud_kms_key_version` -
(Optional)
The resource name for an existing Cloud KMS CryptoKeyVersion in the format
`projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
* `algorithm` -
(Optional)
The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are: `SIGN_HASH_ALGORITHM_UNSPECIFIED`, `RSA_PSS_2048_SHA256`, `RSA_PSS_3072_SHA256`, `RSA_PSS_4096_SHA256`, `RSA_PKCS1_2048_SHA256`, `RSA_PKCS1_3072_SHA256`, `RSA_PKCS1_4096_SHA256`, `EC_P256_SHA256`, `EC_P384_SHA384`.
- - -
* `pem_ca_certificate` -
(Optional)
The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
* `ignore_active_certificates_on_deletion` -
(Optional)
This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
Use with care. Defaults to `false`.
* `skip_grace_period` -
(Optional)
If this flag is set, the Certificate Authority will be deleted as soon as
possible without a 30-day grace period where undeletion would have been
allowed. If you proceed, there will be no way to recover this CA.
Use with care. Defaults to `false`.
* `type` -
(Optional)
The Type of this CertificateAuthority.
~> **Note:** For `SUBORDINATE` Certificate Authorities, they need to
be activated before they can issue certificates.
Default value is `SELF_SIGNED`.
Possible values are: `SELF_SIGNED`, `SUBORDINATE`.
* `lifetime` -
(Optional)
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
"notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
fractional digits, terminated by 's'. Example: "3.5s".
* `subordinate_config` -
(Optional)
If this is a subordinate CertificateAuthority, this field will be set
with the subordinate configuration, which describes its issuers.
Structure is [documented below](#nested_subordinate_config).
* `gcs_bucket` -
(Optional)
The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named
my-bucket, you would simply specify `my-bucket`. If not specified, a managed bucket will be
created.
* `labels` -
(Optional)
Labels with user-defined metadata.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
"1.3kg", "count": "3" }.
**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field `effective_labels` for all of the labels present on the resource.
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
* `deletion_protection` - (Optional) Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false
in Terraform state, a `terraform destroy` or `terraform apply` that would delete the instance will fail.
* `desired_state` - (Optional) Desired state of the CertificateAuthority. Set this field to `STAGED` to create a `STAGED` root CA.
<a name="nested_subordinate_config"></a>The `subordinate_config` block supports:
* `certificate_authority` -
(Optional)
This can refer to a CertificateAuthority that was used to create a
subordinate CertificateAuthority. This field is used for information
and usability purposes only. The resource name is in the format
`projects/*/locations/*/caPools/*/certificateAuthorities/*`.
* `pem_issuer_chain` -
(Optional)
Contains the PEM certificate chain for the issuers of this CertificateAuthority,
but not pem certificate for this CA itself.
Structure is [documented below](#nested_pem_issuer_chain).
<a name="nested_pem_issuer_chain"></a>The `pem_issuer_chain` block supports:
* `pem_certificates` -
(Optional)
Expected to be in leaf-to-root order according to RFC 5246.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}`
* `name` -
The resource name for this CertificateAuthority in the format
projects/*/locations/*/certificateAuthorities/*.
* `state` -
The State for this CertificateAuthority.
* `pem_ca_certificates` -
This CertificateAuthority's certificate chain, including the current
CertificateAuthority's certificate. Ordered such that the root issuer is the final
element (consistent with RFC 5246). For a self-signed CA, this will only list the current
CertificateAuthority's certificate.
* `access_urls` -
URLs for accessing content published by this CA, such as the CA certificate and CRLs.
Structure is [documented below](#nested_access_urls).
* `create_time` -
The time at which this CertificateAuthority was created.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* `update_time` -
The time at which this CertificateAuthority was updated.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* `terraform_labels` -
The combination of labels configured directly on the resource
and default labels configured on the provider.
* `effective_labels` -
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
<a name="nested_access_urls"></a>The `access_urls` block contains:
* `ca_certificate_access_url` -
(Output)
The URL where this CertificateAuthority's CA certificate is published. This will only be
set for CAs that have been activated.
* `crl_access_urls` -
(Output)
The URL where this CertificateAuthority's CRLs are published. This will only be set for
CAs that have been activated.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
CertificateAuthority can be imported using any of these accepted formats:
* `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}`
* `{{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}`
* `{{location}}/{{pool}}/{{certificate_authority_id}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import CertificateAuthority using one of the formats above. For example:
```tf
import {
id = "projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}"
to = google_privateca_certificate_authority.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), CertificateAuthority can be imported using one of the formats above. For example:
```
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{pool}}/{{certificate_authority_id}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).