v6.2.0/website/docs/r/certificate_manager_certificate.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Certificate manager"
 description: |-
   Certificate represents a HTTP-reachable backend for a Certificate.
 ---

 # google_certificate_manager_certificate

 Certificate represents a HTTP-reachable backend for a Certificate.


 ~> **Warning:** All arguments including the following potentially sensitive
 values will be stored in the raw state as plain text: `self_managed.certificate_pem`, `self_managed.private_key_pem`, `self_managed.pem_private_key`.
 [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).

 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_dns&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Google Managed Certificate Dns


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "dns-cert"
   description = "The default cert"
   scope       = "EDGE_CACHE"
   labels = {
     env = "test"
   }
   managed {
     domains = [
       google_certificate_manager_dns_authorization.instance.domain,
       google_certificate_manager_dns_authorization.instance2.domain,
       ]
     dns_authorizations = [
       google_certificate_manager_dns_authorization.instance.id,
       google_certificate_manager_dns_authorization.instance2.id,
       ]
   }
 }


 resource "google_certificate_manager_dns_authorization" "instance" {
   name        = "dns-auth"
   description = "The default dnss"
   domain      = "subdomain.hashicorptest.com"
 }

 resource "google_certificate_manager_dns_authorization" "instance2" {
   name        = "dns-auth2"
   description = "The default dnss"
   domain      = "subdomain2.hashicorptest.com"
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_issuance_config&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Google Managed Certificate Issuance Config


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "issuance-config-cert"
   description = "The default cert"
   scope       = "EDGE_CACHE"
   managed {
     domains = [
         "terraform.subdomain1.com"
       ]
     issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
   }
 }


 # creating certificate_issuance_config to use it in the managed certificate
 resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
   name    = "issuance-config"
   description = "sample description for the certificate issuanceConfigs"
   certificate_authority_config {
     certificate_authority_service_config {
         ca_pool = google_privateca_ca_pool.pool.id
     }
   }
   lifetime = "1814400s"
   rotation_window_percentage = 34
   key_algorithm = "ECDSA_P256"
   depends_on=[google_privateca_certificate_authority.ca_authority]
 }

 resource "google_privateca_ca_pool" "pool" {
   name     = "ca-pool"
   location = "us-central1"
   tier     = "ENTERPRISE"
 }

 resource "google_privateca_certificate_authority" "ca_authority" {
   location = "us-central1"
   pool = google_privateca_ca_pool.pool.name
   certificate_authority_id = "ca-authority"
   config {
     subject_config {
       subject {
         organization = "HashiCorp"
         common_name = "my-certificate-authority"
       }
       subject_alt_name {
         dns_names = ["hashicorp.com"]
       }
     }
     x509_config {
       ca_options {
         is_ca = true
       }
       key_usage {
         base_key_usage {
           cert_sign = true
           crl_sign = true
         }
         extended_key_usage {
           server_auth = true
         }
       }
     }
   }
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }

   // Disable CA deletion related safe checks for easier cleanup.
   deletion_protection                    = false
   skip_grace_period                      = true
   ignore_active_certificates_on_deletion = true
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_self_managed_certificate&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Self Managed Certificate


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "self-managed-cert"
   description = "Global cert"
   scope       = "ALL_REGIONS"
   self_managed {
     pem_certificate = file("test-fixtures/cert.pem")
     pem_private_key = file("test-fixtures/private-key.pem")
   }
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_self_managed_certificate_regional&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Self Managed Certificate Regional


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "self-managed-cert"
   description = "Regional cert"
   location    = "us-central1"
   self_managed {
     pem_certificate = file("test-fixtures/cert.pem")
     pem_private_key = file("test-fixtures/private-key.pem")
   }
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_issuance_config_all_regions&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Google Managed Certificate Issuance Config All Regions


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "issuance-config-cert"
   description = "sample google managed all_regions certificate with issuance config for terraform"
   scope       = "ALL_REGIONS"
   managed {
     domains = [
         "terraform.subdomain1.com"
       ]
     issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
   }
 }


 # creating certificate_issuance_config to use it in the managed certificate
 resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
   name    = "issuance-config"
   description = "sample description for the certificate issuanceConfigs"
   certificate_authority_config {
     certificate_authority_service_config {
         ca_pool = google_privateca_ca_pool.pool.id
     }
   }
   lifetime = "1814400s"
   rotation_window_percentage = 34
   key_algorithm = "ECDSA_P256"
   depends_on=[google_privateca_certificate_authority.ca_authority]
 }

 resource "google_privateca_ca_pool" "pool" {
   name     = "ca-pool"
   location = "us-central1"
   tier     = "ENTERPRISE"
 }

 resource "google_privateca_certificate_authority" "ca_authority" {
   location = "us-central1"
   pool = google_privateca_ca_pool.pool.name
   certificate_authority_id = "ca-authority"
   config {
     subject_config {
       subject {
         organization = "HashiCorp"
         common_name = "my-certificate-authority"
       }
       subject_alt_name {
         dns_names = ["hashicorp.com"]
       }
     }
     x509_config {
       ca_options {
         is_ca = true
       }
       key_usage {
         base_key_usage {
           cert_sign = true
           crl_sign = true
         }
         extended_key_usage {
           server_auth = true
         }
       }
     }
   }
   key_spec {
     algorithm = "RSA_PKCS1_4096_SHA256"
   }

   // Disable CA deletion related safe checks for easier cleanup.
   deletion_protection                    = false
   skip_grace_period                      = true
   ignore_active_certificates_on_deletion = true
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_dns_all_regions&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Google Managed Certificate Dns All Regions


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "dns-cert"
   description = "The default cert"
   scope       = "ALL_REGIONS"
   managed {
     domains = [
       google_certificate_manager_dns_authorization.instance.domain,
       google_certificate_manager_dns_authorization.instance2.domain,
       ]
     dns_authorizations = [
       google_certificate_manager_dns_authorization.instance.id,
       google_certificate_manager_dns_authorization.instance2.id,
       ]
   }
 }


 resource "google_certificate_manager_dns_authorization" "instance" {
   name        = "dns-auth"
   description = "The default dnss"
   domain      = "subdomain.hashicorptest.com"
 }

 resource "google_certificate_manager_dns_authorization" "instance2" {
   name        = "dns-auth2"
   description = "The default dnss"
   domain      = "subdomain2.hashicorptest.com"
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_regional_certificate_dns_auth&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Certificate Manager Google Managed Regional Certificate Dns Auth


 ```hcl
 resource "google_certificate_manager_certificate" "default" {
   name        = "dns-cert"
   description = "regional managed certs"
   location = "us-central1"
   managed {
     domains = [
       google_certificate_manager_dns_authorization.instance.domain,
       ]
     dns_authorizations = [
       google_certificate_manager_dns_authorization.instance.id,
       ]
   }
 }
 resource "google_certificate_manager_dns_authorization" "instance" {
   name        = "dns-auth"
   location    = "us-central1"
   description = "The default dnss"
   domain      = "subdomain.hashicorptest.com"
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `name` -
   (Required)
   A user-defined name of the certificate. Certificate names must be unique
   The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter,
   and all following characters must be a dash, underscore, letter or digit.


 - - -


 * `description` -
   (Optional)
   A human-readable description of the resource.

 * `labels` -
   (Optional)
   Set of label tags associated with the Certificate resource.
   **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
   Please refer to the field `effective_labels` for all of the labels present on the resource.

 * `scope` -
   (Optional)
   The scope of the certificate.
   DEFAULT: Certificates with default scope are served from core Google data centers.
   If unsure, choose this option.
   EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence.
   See https://cloud.google.com/vpc/docs/edge-locations.
   ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs).
   See https://cloud.google.com/compute/docs/regions-zones

 * `self_managed` -
   (Optional)
   Certificate data for a SelfManaged Certificate.
   SelfManaged Certificates are uploaded by the user. Updating such
   certificates before they expire remains the user's responsibility.
   Structure is [documented below](#nested_self_managed).

 * `managed` -
   (Optional)
   Configuration and state of a Managed Certificate.
   Certificate Manager provisions and renews Managed Certificates
   automatically, for as long as it's authorized to do so.
   Structure is [documented below](#nested_managed).

 * `location` -
   (Optional)
   The Certificate Manager location. If not specified, "global" is used.

 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.


 <a name="nested_self_managed"></a>The `self_managed` block supports:

 * `certificate_pem` -
   (Optional, Deprecated)
   The certificate chain in PEM-encoded form.
   Leaf certificate comes first, followed by intermediate ones if any.
   **Note**: This property is sensitive and will not be displayed in the plan.

   ~> **Warning:** `certificate_pem` is deprecated and will be removed in a future major release. Use `pem_certificate` instead.

 * `private_key_pem` -
   (Optional, Deprecated)
   The private key of the leaf certificate in PEM-encoded form.
   **Note**: This property is sensitive and will not be displayed in the plan.

   ~> **Warning:** `private_key_pem` is deprecated and will be removed in a future major release. Use `pem_private_key` instead.

 * `pem_certificate` -
   (Optional)
   The certificate chain in PEM-encoded form.
   Leaf certificate comes first, followed by intermediate ones if any.

 * `pem_private_key` -
   (Optional)
   The private key of the leaf certificate in PEM-encoded form.
   **Note**: This property is sensitive and will not be displayed in the plan.

 <a name="nested_managed"></a>The `managed` block supports:

 * `domains` -
   (Optional)
   The domains for which a managed SSL certificate will be generated.
   Wildcard domains are only supported with DNS challenge resolution

 * `dns_authorizations` -
   (Optional)
   Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specificed, but not both.

 * `issuance_config` -
   (Optional)
   The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects/*/locations/*/certificateIssuanceConfigs/*.
   If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
   Either issuanceConfig or dnsAuthorizations should be specificed, but not both.

 * `state` -
   (Output)
   A state of this Managed Certificate.

 * `provisioning_issue` -
   (Output)
   Information about issues with provisioning this Managed Certificate.
   Structure is [documented below](#nested_provisioning_issue).

 * `authorization_attempt_info` -
   (Output)
   Detailed state of the latest authorization attempt for each domain
   specified for this Managed Certificate.
   Structure is [documented below](#nested_authorization_attempt_info).


 <a name="nested_provisioning_issue"></a>The `provisioning_issue` block contains:

 * `reason` -
   (Output)
   Reason for provisioning failures.

 * `details` -
   (Output)
   Human readable explanation about the issue. Provided to help address
   the configuration issues.
   Not guaranteed to be stable. For programmatic access use `reason` field.

 <a name="nested_authorization_attempt_info"></a>The `authorization_attempt_info` block contains:

 * `domain` -
   (Output)
   Domain name of the authorization attempt.

 * `state` -
   (Output)
   State of the domain for managed certificate issuance.

 * `failure_reason` -
   (Output)
   Reason for failure of the authorization attempt for the domain.

 * `details` -
   (Output)
   Human readable explanation for reaching the state. Provided to help
   address the configuration issues.
   Not guaranteed to be stable. For programmatic access use `failure_reason` field.

 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificates/{{name}}`

 * `san_dnsnames` -
   The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6)

 * `terraform_labels` -
   The combination of labels configured directly on the resource
    and default labels configured on the provider.

 * `effective_labels` -
   All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 Certificate can be imported using any of these accepted formats:

 * `projects/{{project}}/locations/{{location}}/certificates/{{name}}`
 * `{{project}}/{{location}}/{{name}}`
 * `{{location}}/{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Certificate using one of the formats above. For example:

 ```tf
 import {
   id = "projects/{{project}}/locations/{{location}}/certificates/{{name}}"
   to = google_certificate_manager_certificate.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Certificate can be imported using one of the formats above. For example:

 ```
 $ terraform import google_certificate_manager_certificate.default projects/{{project}}/locations/{{location}}/certificates/{{name}}
 $ terraform import google_certificate_manager_certificate.default {{project}}/{{location}}/{{name}}
 $ terraform import google_certificate_manager_certificate.default {{location}}/{{name}}
 ```

 ## User Project Overrides

 This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Certificate manager"
	description: \|-
	Certificate represents a HTTP-reachable backend for a Certificate.
	---

	# google_certificate_manager_certificate

	Certificate represents a HTTP-reachable backend for a Certificate.



	~> Warning: All arguments including the following potentially sensitive
	values will be stored in the raw state as plain text: `self_managed.certificate_pem`, `self_managed.private_key_pem`, `self_managed.pem_private_key`.
	[Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).

	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_dns&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Google Managed Certificate Dns


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "dns-cert"
	description = "The default cert"
	scope = "EDGE_CACHE"
	labels = {
	env = "test"
	}
	managed {
	domains = [
	google_certificate_manager_dns_authorization.instance.domain,
	google_certificate_manager_dns_authorization.instance2.domain,
	]
	dns_authorizations = [
	google_certificate_manager_dns_authorization.instance.id,
	google_certificate_manager_dns_authorization.instance2.id,
	]
	}
	}


	resource "google_certificate_manager_dns_authorization" "instance" {
	name = "dns-auth"
	description = "The default dnss"
	domain = "subdomain.hashicorptest.com"
	}

	resource "google_certificate_manager_dns_authorization" "instance2" {
	name = "dns-auth2"
	description = "The default dnss"
	domain = "subdomain2.hashicorptest.com"
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_issuance_config&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Google Managed Certificate Issuance Config


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "issuance-config-cert"
	description = "The default cert"
	scope = "EDGE_CACHE"
	managed {
	domains = [
	"terraform.subdomain1.com"
	]
	issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
	}
	}



	# creating certificate_issuance_config to use it in the managed certificate
	resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
	name = "issuance-config"
	description = "sample description for the certificate issuanceConfigs"
	certificate_authority_config {
	certificate_authority_service_config {
	ca_pool = google_privateca_ca_pool.pool.id
	}
	}
	lifetime = "1814400s"
	rotation_window_percentage = 34
	key_algorithm = "ECDSA_P256"
	depends_on=[google_privateca_certificate_authority.ca_authority]
	}

	resource "google_privateca_ca_pool" "pool" {
	name = "ca-pool"
	location = "us-central1"
	tier = "ENTERPRISE"
	}

	resource "google_privateca_certificate_authority" "ca_authority" {
	location = "us-central1"
	pool = google_privateca_ca_pool.pool.name
	certificate_authority_id = "ca-authority"
	config {
	subject_config {
	subject {
	organization = "HashiCorp"
	common_name = "my-certificate-authority"
	}
	subject_alt_name {
	dns_names = ["hashicorp.com"]
	}
	}
	x509_config {
	ca_options {
	is_ca = true
	}
	key_usage {
	base_key_usage {
	cert_sign = true
	crl_sign = true
	}
	extended_key_usage {
	server_auth = true
	}
	}
	}
	}
	key_spec {
	algorithm = "RSA_PKCS1_4096_SHA256"
	}

	// Disable CA deletion related safe checks for easier cleanup.
	deletion_protection = false
	skip_grace_period = true
	ignore_active_certificates_on_deletion = true
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_self_managed_certificate&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Self Managed Certificate


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "self-managed-cert"
	description = "Global cert"
	scope = "ALL_REGIONS"
	self_managed {
	pem_certificate = file("test-fixtures/cert.pem")
	pem_private_key = file("test-fixtures/private-key.pem")
	}
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_self_managed_certificate_regional&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Self Managed Certificate Regional


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "self-managed-cert"
	description = "Regional cert"
	location = "us-central1"
	self_managed {
	pem_certificate = file("test-fixtures/cert.pem")
	pem_private_key = file("test-fixtures/private-key.pem")
	}
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_issuance_config_all_regions&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Google Managed Certificate Issuance Config All Regions


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "issuance-config-cert"
	description = "sample google managed all_regions certificate with issuance config for terraform"
	scope = "ALL_REGIONS"
	managed {
	domains = [
	"terraform.subdomain1.com"
	]
	issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
	}
	}



	# creating certificate_issuance_config to use it in the managed certificate
	resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
	name = "issuance-config"
	description = "sample description for the certificate issuanceConfigs"
	certificate_authority_config {
	certificate_authority_service_config {
	ca_pool = google_privateca_ca_pool.pool.id
	}
	}
	lifetime = "1814400s"
	rotation_window_percentage = 34
	key_algorithm = "ECDSA_P256"
	depends_on=[google_privateca_certificate_authority.ca_authority]
	}

	resource "google_privateca_ca_pool" "pool" {
	name = "ca-pool"
	location = "us-central1"
	tier = "ENTERPRISE"
	}

	resource "google_privateca_certificate_authority" "ca_authority" {
	location = "us-central1"
	pool = google_privateca_ca_pool.pool.name
	certificate_authority_id = "ca-authority"
	config {
	subject_config {
	subject {
	organization = "HashiCorp"
	common_name = "my-certificate-authority"
	}
	subject_alt_name {
	dns_names = ["hashicorp.com"]
	}
	}
	x509_config {
	ca_options {
	is_ca = true
	}
	key_usage {
	base_key_usage {
	cert_sign = true
	crl_sign = true
	}
	extended_key_usage {
	server_auth = true
	}
	}
	}
	}
	key_spec {
	algorithm = "RSA_PKCS1_4096_SHA256"
	}

	// Disable CA deletion related safe checks for easier cleanup.
	deletion_protection = false
	skip_grace_period = true
	ignore_active_certificates_on_deletion = true
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_certificate_dns_all_regions&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Google Managed Certificate Dns All Regions


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "dns-cert"
	description = "The default cert"
	scope = "ALL_REGIONS"
	managed {
	domains = [
	google_certificate_manager_dns_authorization.instance.domain,
	google_certificate_manager_dns_authorization.instance2.domain,
	]
	dns_authorizations = [
	google_certificate_manager_dns_authorization.instance.id,
	google_certificate_manager_dns_authorization.instance2.id,
	]
	}
	}


	resource "google_certificate_manager_dns_authorization" "instance" {
	name = "dns-auth"
	description = "The default dnss"
	domain = "subdomain.hashicorptest.com"
	}

	resource "google_certificate_manager_dns_authorization" "instance2" {
	name = "dns-auth2"
	description = "The default dnss"
	domain = "subdomain2.hashicorptest.com"
	}
	```
	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=certificate_manager_google_managed_regional_certificate_dns_auth&open_in_editor=main.tf" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Certificate Manager Google Managed Regional Certificate Dns Auth


	```hcl
	resource "google_certificate_manager_certificate" "default" {
	name = "dns-cert"
	description = "regional managed certs"
	location = "us-central1"
	managed {
	domains = [
	google_certificate_manager_dns_authorization.instance.domain,
	]
	dns_authorizations = [
	google_certificate_manager_dns_authorization.instance.id,
	]
	}
	}
	resource "google_certificate_manager_dns_authorization" "instance" {
	name = "dns-auth"
	location = "us-central1"
	description = "The default dnss"
	domain = "subdomain.hashicorptest.com"
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `name` -
	(Required)
	A user-defined name of the certificate. Certificate names must be unique
	The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter,
	and all following characters must be a dash, underscore, letter or digit.


	- - -


	* `description` -
	(Optional)
	A human-readable description of the resource.

	* `labels` -
	(Optional)
	Set of label tags associated with the Certificate resource.
	Note: This field is non-authoritative, and will only manage the labels present in your configuration.
	Please refer to the field `effective_labels` for all of the labels present on the resource.

	* `scope` -
	(Optional)
	The scope of the certificate.
	DEFAULT: Certificates with default scope are served from core Google data centers.
	If unsure, choose this option.
	EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence.
	See https://cloud.google.com/vpc/docs/edge-locations.
	ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs).
	See https://cloud.google.com/compute/docs/regions-zones

	* `self_managed` -
	(Optional)
	Certificate data for a SelfManaged Certificate.
	SelfManaged Certificates are uploaded by the user. Updating such
	certificates before they expire remains the user's responsibility.
	Structure is [documented below](#nested_self_managed).

	* `managed` -
	(Optional)
	Configuration and state of a Managed Certificate.
	Certificate Manager provisions and renews Managed Certificates
	automatically, for as long as it's authorized to do so.
	Structure is [documented below](#nested_managed).

	* `location` -
	(Optional)
	The Certificate Manager location. If not specified, "global" is used.

	* `project` - (Optional) The ID of the project in which the resource belongs.
	If it is not provided, the provider project is used.


	<a name="nested_self_managed"></a>The `self_managed` block supports:

	* `certificate_pem` -
	(Optional, Deprecated)
	The certificate chain in PEM-encoded form.
	Leaf certificate comes first, followed by intermediate ones if any.
	Note: This property is sensitive and will not be displayed in the plan.

	~> Warning: `certificate_pem` is deprecated and will be removed in a future major release. Use `pem_certificate` instead.

	* `private_key_pem` -
	(Optional, Deprecated)
	The private key of the leaf certificate in PEM-encoded form.
	Note: This property is sensitive and will not be displayed in the plan.

	~> Warning: `private_key_pem` is deprecated and will be removed in a future major release. Use `pem_private_key` instead.

	* `pem_certificate` -
	(Optional)
	The certificate chain in PEM-encoded form.
	Leaf certificate comes first, followed by intermediate ones if any.

	* `pem_private_key` -
	(Optional)
	The private key of the leaf certificate in PEM-encoded form.
	Note: This property is sensitive and will not be displayed in the plan.

	<a name="nested_managed"></a>The `managed` block supports:

	* `domains` -
	(Optional)
	The domains for which a managed SSL certificate will be generated.
	Wildcard domains are only supported with DNS challenge resolution

	* `dns_authorizations` -
	(Optional)
	Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specificed, but not both.

	* `issuance_config` -
	(Optional)
	The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects//locations//certificateIssuanceConfigs/*.
	If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
	Either issuanceConfig or dnsAuthorizations should be specificed, but not both.

	* `state` -
	(Output)
	A state of this Managed Certificate.

	* `provisioning_issue` -
	(Output)
	Information about issues with provisioning this Managed Certificate.
	Structure is [documented below](#nested_provisioning_issue).

	* `authorization_attempt_info` -
	(Output)
	Detailed state of the latest authorization attempt for each domain
	specified for this Managed Certificate.
	Structure is [documented below](#nested_authorization_attempt_info).


	<a name="nested_provisioning_issue"></a>The `provisioning_issue` block contains:

	* `reason` -
	(Output)
	Reason for provisioning failures.

	* `details` -
	(Output)
	Human readable explanation about the issue. Provided to help address
	the configuration issues.
	Not guaranteed to be stable. For programmatic access use `reason` field.

	<a name="nested_authorization_attempt_info"></a>The `authorization_attempt_info` block contains:

	* `domain` -
	(Output)
	Domain name of the authorization attempt.

	* `state` -
	(Output)
	State of the domain for managed certificate issuance.

	* `failure_reason` -
	(Output)
	Reason for failure of the authorization attempt for the domain.

	* `details` -
	(Output)
	Human readable explanation for reaching the state. Provided to help
	address the configuration issues.
	Not guaranteed to be stable. For programmatic access use `failure_reason` field.

	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificates/{{name}}`

	* `san_dnsnames` -
	The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6)

	* `terraform_labels` -
	The combination of labels configured directly on the resource
	and default labels configured on the provider.

	* `effective_labels` -
	All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.


	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	Certificate can be imported using any of these accepted formats:

	* `projects/{{project}}/locations/{{location}}/certificates/{{name}}`
	* `{{project}}/{{location}}/{{name}}`
	* `{{location}}/{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Certificate using one of the formats above. For example:

	```tf
	import {
	id = "projects/{{project}}/locations/{{location}}/certificates/{{name}}"
	to = google_certificate_manager_certificate.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Certificate can be imported using one of the formats above. For example:

	```
	$ terraform import google_certificate_manager_certificate.default projects/{{project}}/locations/{{location}}/certificates/{{name}}
	$ terraform import google_certificate_manager_certificate.default {{project}}/{{location}}/{{name}}
	$ terraform import google_certificate_manager_certificate.default {{location}}/{{name}}
	```

	## User Project Overrides

	This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).