---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Certificate manager"
description: |-
  TrustConfig is a resource that represents your Public Key Infrastructure (PKI) configuration in Certificate Manager for use in mutual TLS authentication scenarios.
---
# google\_certificate\_manager\_trust\_config

TrustConfig is a resource that represents your Public Key Infrastructure (PKI) configuration in Certificate Manager for use in mutual TLS authentication scenarios.

To get more information about TrustConfig, see:

* [API documentation](https://cloud.google.com/certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.trustConfigs/create)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/certificate-manager/docs)

~> **Warning:** All arguments including the following potentially sensitive
values will be stored in the raw state as plain text: `trust_stores.trust_stores.trust_anchors.trust_anchors.pem_certificate`, `trust_stores.trust_stores.intermediate_cas.intermediate_cas.pem_certificate`.
[Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
## Example Usage - Certificate Manager Trust Config
```hcl
resource "google_certificate_manager_trust_config" "default" {
  name        = "trust-config"
  description = "sample description for the trust config"
  location    = "us-central1"

  trust_stores {
    trust_anchors {
      pem_certificate = file("test-fixtures/cert.pem")
    }
    intermediate_cas {
      pem_certificate = file("test-fixtures/cert.pem")
    }
  }

  labels = {
    foo = "bar"
  }
}
```
## Argument Reference
The following arguments are supported:
* `name` -
  (Required)
  A user-defined name of the trust config. Trust config names must be unique globally.

* `location` -
  (Required)
  The trust config location.

- - -

* `labels` -
  (Optional)
  Set of label tags associated with the trust config.
  **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
  Please refer to the field `effective_labels` for all of the labels present on the resource.

* `description` -
  (Optional)
  One or more paragraphs of text description of a trust config.

* `trust_stores` -
  (Optional)
  Set of trust stores to perform validation against.
  This field is supported when TrustConfig is configured with Load Balancers; it is currently not supported for SPIFFE certificate validation.
  Structure is [documented below](#nested_trust_stores).

* `project` - (Optional) The ID of the project in which the resource belongs.
  If it is not provided, the provider project is used.

<a name="nested_trust_stores"></a>The `trust_stores` block supports:

* `trust_anchors` -
  (Optional)
  List of Trust Anchors to be used while performing validation against a given TrustStore.
  Structure is [documented below](#nested_trust_anchors).

* `intermediate_cas` -
  (Optional)
  Set of intermediate CA certificates used for the path building phase of chain validation.
  The field is currently not supported if trust config is used for the workload certificate feature.
  Structure is [documented below](#nested_intermediate_cas).

<a name="nested_trust_anchors"></a>The `trust_anchors` block supports:

* `pem_certificate` -
  (Optional)
  PEM root certificate of the PKI used for validation.
  Each certificate provided in PEM format may occupy up to 5kB.
  **Note**: This property is sensitive and will not be displayed in the plan.

<a name="nested_intermediate_cas"></a>The `intermediate_cas` block supports:

* `pem_certificate` -
  (Optional)
  PEM intermediate certificate used for building up paths for validation.
  Each certificate provided in PEM format may occupy up to 5kB.
  **Note**: This property is sensitive and will not be displayed in the plan.

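
The following Go program is an added example, not part of the provider documentation or the generated code: it pre-checks PEM values destined for `trust_anchors` and `intermediate_cas`, requiring a CA certificate within the size limit, a self-signed trust anchor, and an intermediate signed by that anchor. The 5000-byte limit is an assumed conservative reading of "5kB", and `checkPEM`, `newCert` and the certificates (generated at run time) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const maxPEMBytes = 5000 // assumption: conservative reading of the documented "5kB" limit

// checkPEM vets one pem_certificate value; a nil parent means a trust anchor, which must be self-signed.
func checkPEM(data []byte, parent *x509.Certificate) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if len(data) > maxPEMBytes || block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("want a CERTIFICATE PEM of at most %d bytes", maxPEMBytes)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || !cert.IsCA {
		return nil, fmt.Errorf("not a CA certificate (parse error: %v)", err)
	}
	if parent == nil {
		parent = cert
	}
	return cert, cert.CheckSignatureFrom(parent) // signature must verify under the parent's key
}

// newCert builds a constructed test certificate (hypothetical helper); a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}

func main() {
	rootPEM, rootKey := newCert("constructed root", true, nil, nil)
	root, err := checkPEM(rootPEM, nil)
	interPEM, _ := newCert("constructed intermediate", true, root, rootKey)
	_, interErr := checkPEM(interPEM, root)
	fmt.Println("trust_anchors:", err, "| intermediate_cas:", interErr)
}
```
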
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/trustConfigs/{{name}}`

* `create_time` -
  The creation timestamp of a TrustConfig.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
  Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `update_time` -
  The last update timestamp of a TrustConfig.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
  Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `terraform_labels` -
  The combination of labels configured directly on the resource
  and default labels configured on the provider.

* `effective_labels` -
  All of the labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.

## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
TrustConfig can be imported using any of these accepted formats:
* `projects/{{project}}/locations/{{location}}/trustConfigs/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import TrustConfig using one of the formats above. For example:
```tf
import {
  id = "projects/{{project}}/locations/{{location}}/trustConfigs/{{name}}"
  to = google_certificate_manager_trust_config.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), TrustConfig can be imported using one of the formats above. For example:
```
$ terraform import google_certificate_manager_trust_config.default projects/{{project}}/locations/{{location}}/trustConfigs/{{name}}
$ terraform import google_certificate_manager_trust_config.default {{project}}/{{location}}/{{name}}
$ terraform import google_certificate_manager_trust_config.default {{location}}/{{name}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).