| --- |
| # ---------------------------------------------------------------------------- |
| # |
| # *** AUTO GENERATED CODE *** Type: MMv1 *** |
| # |
| # ---------------------------------------------------------------------------- |
| # |
| # This file is automatically generated by Magic Modules and manual |
| # changes will be clobbered when the file is regenerated. |
| # |
| # Please read more about how to change this file in |
| # .github/CONTRIBUTING.md. |
| # |
| # ---------------------------------------------------------------------------- |
| subcategory: "Certificate Authority Service" |
| description: |- |
| A Certificate corresponds to a signed X.509 certificate issued by a Certificate Authority. |
| --- |
| |
| # google_privateca_certificate |
| |
| A Certificate corresponds to a signed X.509 certificate issued by a Certificate Authority. |
| |
| |
| ~> **Note:** The Certificate Authority that is referenced by this resource **must** belong to a CA pool with |
| `tier = "ENTERPRISE"` |
| |
| |
| |
| ## Example Usage - Privateca Certificate Generated Key |
| |
| |
| ```hcl |
| resource "google_privateca_ca_pool" "default" { |
| location = "us-central1" |
| name = "default" |
| # The pool tier must be ENTERPRISE for a CA that google_privateca_certificate references (see the note above). |
| tier = "ENTERPRISE" |
| } |
| |
| resource "google_privateca_certificate_authority" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority_id = "my-authority" |
| config { |
| subject_config { |
| subject { |
| organization = "HashiCorp" |
| common_name = "my-certificate-authority" |
| } |
| subject_alt_name { |
| dns_names = ["hashicorp.com"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # is_ca must be true for a certificate authority (Basic Constraints CA=true). |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| # cert_sign and crl_sign must be true for a certificate authority. |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| # NOTE(review): serverAuth EKU on a CA certificate is unusual; the other examples on this page set it to false. |
| server_auth = true |
| } |
| } |
| } |
| } |
| key_spec { |
| # Only an algorithm is given, so the CA key is generated by the service (no customer-managed key is referenced here). |
| algorithm = "RSA_PKCS1_4096_SHA256" |
| } |
| |
| // Disable CA deletion related safe checks for easier cleanup. |
| // These three settings are for disposable test setups only; outside of tests keep deletion_protection enabled. |
| deletion_protection = false |
| skip_grace_period = true |
| ignore_active_certificates_on_deletion = true |
| } |
| |
| resource "tls_private_key" "cert_key" { |
| # Key generated by the tls provider; only its public half is sent to the CA below. |
| # NOTE(review): the private key material ends up in Terraform state - treat the state backend as sensitive. |
| # rsa_bits is left at the provider default; set it explicitly if policy requires a specific key size. |
| algorithm = "RSA" |
| } |
| |
| resource "google_privateca_certificate" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| # Pins the issuing CA explicitly; the "No Authority" example below shows the form without it. |
| certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id |
| # Validity period as a duration string: 86000s is just under 24 hours. |
| lifetime = "86000s" |
| name = "cert-1" |
| config { |
| subject_config { |
| subject { |
| common_name = "san1.example.com" |
| country_code = "us" |
| organization = "google" |
| organizational_unit = "enterprise" |
| locality = "mountain view" |
| province = "california" |
| street_address = "1600 amphitheatre parkway" |
| } |
| subject_alt_name { |
| email_addresses = ["email@example.com"] |
| ip_addresses = ["127.0.0.1"] |
| uris = ["http://www.ietf.org/rfc/rfc3986.txt"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # NOTE(review): is_ca = true together with cert_sign/crl_sign below makes this a |
| # CA-capable (subordinate) certificate, not a TLS end-entity certificate. The name_constraints |
| # block further down is what bounds the names it may sign. For a plain leaf certificate use |
| # is_ca = false and omit cert_sign/crl_sign. |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| server_auth = false |
| } |
| } |
| name_constraints { |
| # critical = true: a relying party that does not understand name constraints must reject the certificate. |
| critical = true |
| # Excluded entries carve holes out of the permitted ones (see the name_constraints argument docs). |
| permitted_dns_names = ["*.example.com"] |
| excluded_dns_names = ["*.deny.example.com"] |
| permitted_ip_ranges = ["10.0.0.0/8"] |
| excluded_ip_ranges = ["10.1.1.0/24"] |
| permitted_email_addresses = [".example.com"] |
| excluded_email_addresses = [".deny.example.com"] |
| permitted_uris = [".example.com"] |
| excluded_uris = [".deny.example.com"] |
| } |
| } |
| public_key { |
| format = "PEM" |
| # The key argument takes the base64 of the PEM text; only the public key leaves Terraform here. |
| key = base64encode(tls_private_key.cert_key.public_key_pem) |
| } |
| } |
| } |
| ``` |
| ## Example Usage - Privateca Certificate With Template |
| |
| |
| ```hcl |
| resource "google_privateca_ca_pool" "default" { |
| location = "us-central1" |
| name = "my-pool" |
| # ENTERPRISE tier is required for the CA referenced by google_privateca_certificate (see the note above). |
| tier = "ENTERPRISE" |
| } |
| |
| resource "google_privateca_certificate_template" "default" { |
| location = "us-central1" |
| name = "my-certificate-template" |
| description = "An updated sample certificate template" |
| |
| identity_constraints { |
| # Both passthrough flags plus a CEL expression that is always "true" mean any subject and |
| # SAN in the request are accepted as-is. |
| # NOTE(review): example values only - in production restrict the CEL expression to the |
| # names this template is allowed to issue for. |
| allow_subject_alt_names_passthrough = true |
| allow_subject_passthrough = true |
| |
| cel_expression { |
| description = "Always true" |
| expression = "true" |
| location = "any.file.anywhere" |
| title = "Sample expression" |
| } |
| } |
| |
| passthrough_extensions { |
| # Extensions the requester may supply and have copied into the issued certificate: |
| # the custom OID 1.6 and the Extended Key Usage extension. |
| additional_extensions { |
| object_id_path = [1, 6] |
| } |
| |
| known_extensions = ["EXTENDED_KEY_USAGE"] |
| } |
| |
| predefined_values { |
| # Values forced onto every certificate issued through this template. |
| additional_extensions { |
| object_id { |
| object_id_path = [1, 6] |
| } |
| |
| # Base64 of the extension DER/value ("c3RyaW5nCg==" decodes to "string\n" - a placeholder). |
| value = "c3RyaW5nCg==" |
| critical = true |
| } |
| |
| # Placeholder OCSP URL; replace with the real responder address. |
| aia_ocsp_servers = ["string"] |
| |
| ca_options { |
| # is_ca = false keeps every certificate issued with this template an end-entity certificate. |
| is_ca = false |
| # max_issuer_path_length is meaningless for a non-CA certificate; presumably here only to exercise the field. |
| max_issuer_path_length = 6 |
| } |
| |
| key_usage { |
| # NOTE(review): nearly every key usage and EKU is enabled here; narrow these to the actual |
| # purpose of the certificates when adapting this example. |
| base_key_usage { |
| cert_sign = false |
| content_commitment = true |
| crl_sign = false |
| data_encipherment = true |
| decipher_only = true |
| digital_signature = true |
| encipher_only = true |
| key_agreement = true |
| key_encipherment = true |
| } |
| |
| extended_key_usage { |
| client_auth = true |
| code_signing = true |
| email_protection = true |
| ocsp_signing = true |
| server_auth = true |
| time_stamping = true |
| } |
| |
| unknown_extended_key_usages { |
| object_id_path = [1, 6] |
| } |
| } |
| |
| policy_ids { |
| object_id_path = [1, 6] |
| } |
| } |
| } |
| |
| resource "google_privateca_certificate_authority" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority_id = "my-authority" |
| config { |
| subject_config { |
| subject { |
| organization = "HashiCorp" |
| common_name = "my-certificate-authority" |
| } |
| subject_alt_name { |
| dns_names = ["hashicorp.com"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # is_ca *MUST* be true for certificate authorities |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| # cert_sign and crl_sign *MUST* be true for certificate authorities |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| # No serverAuth EKU on the CA certificate itself; it only signs. |
| server_auth = false |
| } |
| } |
| } |
| } |
| key_spec { |
| # Only an algorithm is given, so the CA key is generated by the service. |
| algorithm = "RSA_PKCS1_4096_SHA256" |
| } |
| |
| // Disable CA deletion related safe checks for easier cleanup. |
| // For disposable test setups only; outside of tests keep deletion_protection enabled. |
| deletion_protection = false |
| skip_grace_period = true |
| ignore_active_certificates_on_deletion = true |
| } |
| |
| |
| resource "google_privateca_certificate" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id |
| name = "my-certificate" |
| # Very short validity (860s, about 14 minutes) - an example value. |
| lifetime = "860s" |
| # Issuance from a CSR: the requester keeps its private key and the CSR carries its proof of possession. |
| # The CSR is read from a fixture file; config {} is not used in this form. |
| pem_csr = file("test-fixtures/rsa_csr.pem") |
| # The template's identity_constraints and predefined_values govern what from the CSR is honoured. |
| certificate_template = google_privateca_certificate_template.default.id |
| } |
| ``` |
| ## Example Usage - Privateca Certificate Csr |
| |
| |
| ```hcl |
| resource "google_privateca_ca_pool" "default" { |
| location = "us-central1" |
| name = "my-pool" |
| # ENTERPRISE tier is required for the CA referenced by google_privateca_certificate (see the note above). |
| tier = "ENTERPRISE" |
| } |
| |
| resource "google_privateca_certificate_authority" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority_id = "my-authority" |
| config { |
| subject_config { |
| subject { |
| organization = "HashiCorp" |
| common_name = "my-certificate-authority" |
| } |
| subject_alt_name { |
| dns_names = ["hashicorp.com"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # is_ca *MUST* be true for certificate authorities |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| # cert_sign and crl_sign *MUST* be true for certificate authorities |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| # No serverAuth EKU on the CA certificate itself; it only signs. |
| server_auth = false |
| } |
| } |
| } |
| } |
| key_spec { |
| # Only an algorithm is given, so the CA key is generated by the service. |
| algorithm = "RSA_PKCS1_4096_SHA256" |
| } |
| |
| // Disable CA deletion related safe checks for easier cleanup. |
| // For disposable test setups only; outside of tests keep deletion_protection enabled. |
| deletion_protection = false |
| skip_grace_period = true |
| ignore_active_certificates_on_deletion = true |
| } |
| |
| |
| resource "google_privateca_certificate" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id |
| name = "my-certificate" |
| # Very short validity (860s, about 14 minutes) - an example value. |
| lifetime = "860s" |
| # Issuance from a CSR: the requester keeps its private key; subject and public key come from the CSR. |
| # Without a template, nothing on this side constrains which names the CSR may ask for - review CSR contents before applying. |
| pem_csr = file("test-fixtures/rsa_csr.pem") |
| } |
| ``` |
| ## Example Usage - Privateca Certificate No Authority |
| |
| |
| ```hcl |
| resource "google_privateca_ca_pool" "default" { |
| location = "us-central1" |
| name = "my-pool" |
| # ENTERPRISE tier is required for the CA referenced by google_privateca_certificate (see the note above). |
| tier = "ENTERPRISE" |
| } |
| |
| resource "google_privateca_certificate_authority" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority_id = "my-authority" |
| config { |
| subject_config { |
| subject { |
| organization = "HashiCorp" |
| common_name = "my-certificate-authority" |
| } |
| subject_alt_name { |
| dns_names = ["hashicorp.com"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # is_ca must be true for a certificate authority. |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| digital_signature = true |
| # cert_sign and crl_sign must be true for a certificate authority. |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| # NOTE(review): serverAuth EKU on a CA certificate is unusual; the template/CSR examples set it to false. |
| server_auth = true |
| } |
| } |
| } |
| } |
| # CA certificate validity: 86400s = 24 hours (an example value). |
| lifetime = "86400s" |
| key_spec { |
| # Only an algorithm is given, so the CA key is generated by the service. |
| algorithm = "RSA_PKCS1_4096_SHA256" |
| } |
| |
| // Disable CA deletion related safe checks for easier cleanup. |
| // For disposable test setups only; outside of tests keep deletion_protection enabled. |
| deletion_protection = false |
| skip_grace_period = true |
| ignore_active_certificates_on_deletion = true |
| } |
| |
| |
| resource "google_privateca_certificate" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| # certificate_authority is omitted, so the service selects the issuing CA from the pool; |
| # the issuer_certificate_authority attribute reports which one was used. |
| name = "my-certificate" |
| # Very short validity (860s, about 14 minutes) - an example value. |
| lifetime = "860s" |
| config { |
| subject_config { |
| subject { |
| common_name = "san1.example.com" |
| country_code = "us" |
| organization = "google" |
| organizational_unit = "enterprise" |
| locality = "mountain view" |
| province = "california" |
| street_address = "1600 amphitheatre parkway" |
| postal_code = "94109" |
| } |
| } |
| x509_config { |
| ca_options { |
| # End-entity certificate: cannot sign further certificates. |
| is_ca = false |
| } |
| key_usage { |
| base_key_usage { |
| # NOTE(review): crl_sign on a non-CA certificate is unusual - confirm it is intended rather than digital_signature. |
| crl_sign = true |
| } |
| extended_key_usage { |
| server_auth = true |
| } |
| } |
| } |
| public_key { |
| format = "PEM" |
| # Public key read from a fixture file and base64-encoded; the matching private key never enters this config. |
| key = filebase64("test-fixtures/rsa_public.pem") |
| } |
| } |
| // Certificates require an authority to exist in the pool, though they don't |
| // need to be explicitly connected to it |
| depends_on = [google_privateca_certificate_authority.default] |
| } |
| ``` |
| ## Example Usage - Privateca Certificate Custom Ski |
| |
| |
| ```hcl |
| resource "google_privateca_ca_pool" "default" { |
| location = "us-central1" |
| name = "my-pool" |
| # ENTERPRISE tier is required for the CA referenced by google_privateca_certificate (see the note above). |
| tier = "ENTERPRISE" |
| } |
| |
| resource "google_privateca_certificate_authority" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| certificate_authority_id = "my-authority" |
| config { |
| subject_config { |
| subject { |
| organization = "HashiCorp" |
| common_name = "my-certificate-authority" |
| } |
| subject_alt_name { |
| dns_names = ["hashicorp.com"] |
| } |
| } |
| x509_config { |
| ca_options { |
| # is_ca must be true for a certificate authority. |
| is_ca = true |
| } |
| key_usage { |
| base_key_usage { |
| digital_signature = true |
| # cert_sign and crl_sign must be true for a certificate authority. |
| cert_sign = true |
| crl_sign = true |
| } |
| extended_key_usage { |
| # NOTE(review): serverAuth EKU on a CA certificate is unusual; the template/CSR examples set it to false. |
| server_auth = true |
| } |
| } |
| } |
| } |
| # CA certificate validity: 86400s = 24 hours (an example value). |
| lifetime = "86400s" |
| key_spec { |
| # Only an algorithm is given, so the CA key is generated by the service. |
| algorithm = "RSA_PKCS1_4096_SHA256" |
| } |
| |
| // Disable CA deletion related safe checks for easier cleanup. |
| // For disposable test setups only; outside of tests keep deletion_protection enabled. |
| deletion_protection = false |
| skip_grace_period = true |
| ignore_active_certificates_on_deletion = true |
| } |
| |
| |
| resource "google_privateca_certificate" "default" { |
| location = "us-central1" |
| pool = google_privateca_ca_pool.default.name |
| # certificate_authority is omitted, so the service selects the issuing CA from the pool; |
| # the issuer_certificate_authority attribute reports which one was used. |
| name = "my-certificate" |
| # Very short validity (860s, about 14 minutes) - an example value. |
| lifetime = "860s" |
| config { |
| subject_config { |
| subject { |
| common_name = "san1.example.com" |
| country_code = "us" |
| organization = "google" |
| organizational_unit = "enterprise" |
| locality = "mountain view" |
| province = "california" |
| street_address = "1600 amphitheatre parkway" |
| postal_code = "94109" |
| } |
| } |
| subject_key_id { |
| # Custom Subject Key Identifier (lowercase hex). Per the subject_key_id argument docs this is meant only |
| # for preserving the SKI of a CA created outside CA Service; normally let the service derive it. |
| key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca" |
| } |
| x509_config { |
| ca_options { |
| # End-entity certificate: cannot sign further certificates. |
| is_ca = false |
| } |
| key_usage { |
| base_key_usage { |
| # NOTE(review): crl_sign on a non-CA certificate is unusual - confirm it is intended rather than digital_signature. |
| crl_sign = true |
| } |
| extended_key_usage { |
| server_auth = true |
| } |
| } |
| } |
| public_key { |
| format = "PEM" |
| # Public key read from a fixture file and base64-encoded; the matching private key never enters this config. |
| key = filebase64("test-fixtures/rsa_public.pem") |
| } |
| } |
| // Certificates require an authority to exist in the pool, though they don't |
| // need to be explicitly connected to it |
| depends_on = [google_privateca_certificate_authority.default] |
| } |
| ``` |
| |
| ## Argument Reference |
| |
| The following arguments are supported: |
| |
| |
| * `pool` - |
| (Required) |
| The name of the CaPool this Certificate belongs to. |
| |
| * `name` - |
| (Required) |
| The name for this Certificate. |
| |
| * `location` - |
| (Required) |
| Location of the Certificate. A full list of valid locations can be found by |
| running `gcloud privateca locations list`. |
| |
| |
| - - - |
| |
| |
| * `lifetime` - |
| (Optional) |
| The desired lifetime of the certificate. Used to create the "notBeforeTime" and |
| "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine |
| fractional digits, terminated by 's'. Example: "3.5s". |
| |
| * `certificate_template` - |
| (Optional) |
| The resource name for a CertificateTemplate used to issue this certificate, |
| in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, |
| the caller must have the necessary permission to use this template. If this is |
| omitted, no template will be used. This template must be in the same location |
| as the Certificate. |
| |
| * `labels` - |
| (Optional) |
| Labels with user-defined metadata to apply to this resource. |
| |
| **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. |
| Please refer to the field `effective_labels` for all of the labels present on the resource. |
| |
| * `pem_csr` - |
| (Optional) |
| Immutable. A pem-encoded X.509 certificate signing request (CSR). |
| |
| * `config` - |
| (Optional) |
| The config used to create a self-signed X.509 certificate or CSR. |
| Structure is [documented below](#nested_config). |
| |
| * `certificate_authority` - |
| (Optional) |
| The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from |
| a Certificate Authority with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, |
| argument `pool` should be set to `projects/my-project/locations/us-central1/caPools/my-pool`, argument `certificate_authority` |
| should be set to `my-ca`. |
| |
| * `project` - (Optional) The ID of the project in which the resource belongs. |
| If it is not provided, the provider project is used. |
| |
| |
| <a name="nested_config"></a>The `config` block supports: |
| |
| * `x509_config` - |
| (Required) |
| Describes how some of the technical X.509 fields in a certificate should be populated. |
| Structure is [documented below](#nested_x509_config). |
| |
| * `subject_config` - |
| (Required) |
| Specifies some of the values in a certificate that are related to the subject. |
| Structure is [documented below](#nested_subject_config). |
| |
| * `subject_key_id` - |
| (Optional) |
| When specified, this provides a custom SKI to be used in the certificate. This should only be used to maintain the SKI of an existing CA originally created outside CA Service, whose SKI was not generated using method (1) described in RFC 5280 section 4.2.1.2. |
| Structure is [documented below](#nested_subject_key_id). |
| |
| * `public_key` - |
| (Required) |
| A PublicKey describes a public key. |
| Structure is [documented below](#nested_public_key). |
| |
| |
| <a name="nested_x509_config"></a>The `x509_config` block supports: |
| |
| * `additional_extensions` - |
| (Optional) |
| Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. |
| Structure is [documented below](#nested_additional_extensions). |
| |
| * `policy_ids` - |
| (Optional) |
| Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. |
| Structure is [documented below](#nested_policy_ids). |
| |
| * `aia_ocsp_servers` - |
| (Optional) |
| Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the |
| "Authority Information Access" extension in the certificate. |
| |
| * `ca_options` - |
| (Optional) |
| Describes values that are relevant in a CA certificate. |
| Structure is [documented below](#nested_ca_options). |
| |
| * `key_usage` - |
| (Required) |
| Indicates the intended use for keys that correspond to a certificate. |
| Structure is [documented below](#nested_key_usage). |
| |
| * `name_constraints` - |
| (Optional) |
| Describes the X.509 name constraints extension. |
| Structure is [documented below](#nested_name_constraints). |
| |
| |
| <a name="nested_additional_extensions"></a>The `additional_extensions` block supports: |
| |
| * `critical` - |
| (Required) |
| Indicates whether or not this extension is critical (i.e., if the client does not know how to |
| handle this extension, the client should consider this to be an error). |
| |
| * `value` - |
| (Required) |
| The value of this X.509 extension. A base64-encoded string. |
| |
| * `object_id` - |
| (Required) |
| The object identifier (OID) of this X.509 extension. |
| Structure is [documented below](#nested_object_id). |
| |
| |
| <a name="nested_object_id"></a>The `object_id` block supports: |
| |
| * `object_id_path` - |
| (Required) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_policy_ids"></a>The `policy_ids` block supports: |
| |
| * `object_id_path` - |
| (Required) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_ca_options"></a>The `ca_options` block supports: |
| |
| * `is_ca` - |
| (Optional) |
| When true, the "CA" in Basic Constraints extension will be set to true. |
| |
| * `non_ca` - |
| (Optional) |
| When true, the "CA" in Basic Constraints extension will be set to false. |
| If both `is_ca` and `non_ca` are unset, the extension will be omitted from the CA certificate. |
| |
| * `max_issuer_path_length` - |
| (Optional) |
| Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of |
| subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. |
| |
| * `zero_max_issuer_path_length` - |
| (Optional) |
| When true, the "path length constraint" in Basic Constraints extension will be set to 0. |
| if both `max_issuer_path_length` and `zero_max_issuer_path_length` are unset, |
| the max path length will be omitted from the CA certificate. |
| |
| <a name="nested_key_usage"></a>The `key_usage` block supports: |
| |
| * `base_key_usage` - |
| (Required) |
| Describes high-level ways in which a key may be used. |
| Structure is [documented below](#nested_base_key_usage). |
| |
| * `extended_key_usage` - |
| (Required) |
| Describes high-level ways in which a key may be used. |
| Structure is [documented below](#nested_extended_key_usage). |
| |
| * `unknown_extended_key_usages` - |
| (Optional) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| Structure is [documented below](#nested_unknown_extended_key_usages). |
| |
| |
| <a name="nested_base_key_usage"></a>The `base_key_usage` block supports: |
| |
| * `digital_signature` - |
| (Optional) |
| The key may be used for digital signatures. |
| |
| * `content_commitment` - |
| (Optional) |
| The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". |
| |
| * `key_encipherment` - |
| (Optional) |
| The key may be used to encipher other keys. |
| |
| * `data_encipherment` - |
| (Optional) |
| The key may be used to encipher data. |
| |
| * `key_agreement` - |
| (Optional) |
| The key may be used in a key agreement protocol. |
| |
| * `cert_sign` - |
| (Optional) |
| The key may be used to sign certificates. |
| |
| * `crl_sign` - |
| (Optional) |
| The key may be used to sign certificate revocation lists. |
| |
| * `encipher_only` - |
| (Optional) |
| The key may be used to encipher only. |
| |
| * `decipher_only` - |
| (Optional) |
| The key may be used to decipher only. |
| |
| <a name="nested_extended_key_usage"></a>The `extended_key_usage` block supports: |
| |
| * `server_auth` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. |
| |
| * `client_auth` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. |
| |
| * `code_signing` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". |
| |
| * `email_protection` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". |
| |
| * `time_stamping` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". |
| |
| * `ocsp_signing` - |
| (Optional) |
| Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". |
| |
| <a name="nested_unknown_extended_key_usages"></a>The `unknown_extended_key_usages` block supports: |
| |
| * `object_id_path` - |
| (Required) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_name_constraints"></a>The `name_constraints` block supports: |
| |
| * `critical` - |
| (Required) |
| Indicates whether or not the name constraints are marked critical. |
| |
| * `permitted_dns_names` - |
| (Optional) |
| Contains permitted DNS names. Any DNS name that can be |
| constructed by simply adding zero or more labels to |
| the left-hand side of the name satisfies the name constraint. |
| For example, `example.com`, `www.example.com`, `www.sub.example.com` |
| would satisfy `example.com` while `example1.com` does not. |
| |
| * `excluded_dns_names` - |
| (Optional) |
| Contains excluded DNS names. Any DNS name that can be |
| constructed by simply adding zero or more labels to |
| the left-hand side of the name satisfies the name constraint. |
| For example, `example.com`, `www.example.com`, `www.sub.example.com` |
| would satisfy `example.com` while `example1.com` does not. |
| |
| * `permitted_ip_ranges` - |
| (Optional) |
| Contains the permitted IP ranges. For IPv4 addresses, the ranges |
| are expressed using CIDR notation as specified in RFC 4632. |
| For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 |
| addresses. |
| |
| * `excluded_ip_ranges` - |
| (Optional) |
| Contains the excluded IP ranges. For IPv4 addresses, the ranges |
| are expressed using CIDR notation as specified in RFC 4632. |
| For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 |
| addresses. |
| |
| * `permitted_email_addresses` - |
| (Optional) |
| Contains the permitted email addresses. The value can be a particular |
| email address, a hostname to indicate all email addresses on that host or |
| a domain with a leading period (e.g. `.example.com`) to indicate |
| all email addresses in that domain. |
| |
| * `excluded_email_addresses` - |
| (Optional) |
| Contains the excluded email addresses. The value can be a particular |
| email address, a hostname to indicate all email addresses on that host or |
| a domain with a leading period (e.g. `.example.com`) to indicate |
| all email addresses in that domain. |
| |
| * `permitted_uris` - |
| (Optional) |
| Contains the permitted URIs that apply to the host part of the name. |
| The value can be a hostname or a domain with a |
| leading period (like `.example.com`) |
| |
| * `excluded_uris` - |
| (Optional) |
| Contains the excluded URIs that apply to the host part of the name. |
| The value can be a hostname or a domain with a |
| leading period (like `.example.com`) |
| |
| <a name="nested_subject_config"></a>The `subject_config` block supports: |
| |
| * `subject` - |
| (Required) |
| Contains distinguished name fields such as the location and organization. |
| Structure is [documented below](#nested_subject). |
| |
| * `subject_alt_name` - |
| (Optional) |
| The subject alternative name fields. |
| Structure is [documented below](#nested_subject_alt_name). |
| |
| |
| <a name="nested_subject"></a>The `subject` block supports: |
| |
| * `country_code` - |
| (Optional) |
| The country code of the subject. |
| |
| * `organization` - |
| (Required) |
| The organization of the subject. |
| |
| * `organizational_unit` - |
| (Optional) |
| The organizational unit of the subject. |
| |
| * `locality` - |
| (Optional) |
| The locality or city of the subject. |
| |
| * `province` - |
| (Optional) |
| The province, territory, or regional state of the subject. |
| |
| * `street_address` - |
| (Optional) |
| The street address of the subject. |
| |
| * `postal_code` - |
| (Optional) |
| The postal code of the subject. |
| |
| * `common_name` - |
| (Required) |
| The common name of the distinguished name. |
| |
| <a name="nested_subject_alt_name"></a>The `subject_alt_name` block supports: |
| |
| * `dns_names` - |
| (Optional) |
| Contains only valid, fully-qualified host names. |
| |
| * `uris` - |
| (Optional) |
| Contains only valid RFC 3986 URIs. |
| |
| * `email_addresses` - |
| (Optional) |
| Contains only valid RFC 2822 E-mail addresses. |
| |
| * `ip_addresses` - |
| (Optional) |
| Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. |
| |
| <a name="nested_subject_key_id"></a>The `subject_key_id` block supports: |
| |
| * `key_id` - |
| (Optional) |
| The value of the KeyId in lowercase hexadecimal. |
| |
| <a name="nested_public_key"></a>The `public_key` block supports: |
| |
| * `key` - |
| (Optional) |
| Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. |
| |
| * `format` - |
| (Required) |
| The format of the public key. Currently, only PEM format is supported. |
| Possible values are: `KEY_TYPE_UNSPECIFIED`, `PEM`. |
| |
| ## Attributes Reference |
| |
| In addition to the arguments listed above, the following computed attributes are exported: |
| |
| * `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}` |
| |
| * `issuer_certificate_authority` - |
| The resource name of the issuing CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. |
| |
| * `revocation_details` - |
| Output only. Details regarding the revocation of this Certificate. This Certificate is |
| considered revoked if and only if this field is present. |
| Structure is [documented below](#nested_revocation_details). |
| |
| * `pem_certificate` - |
| Output only. The pem-encoded, signed X.509 certificate. |
| |
| * `certificate_description` - |
| Output only. A structured description of the issued X.509 certificate. |
| Structure is [documented below](#nested_certificate_description). |
| |
| * `pem_certificate_chain` - |
| The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. |
| |
| * `create_time` - |
| The time that this resource was created on the server. |
| This is in RFC3339 text format. |
| |
| * `update_time` - |
| Output only. The time at which this Certificate was updated. |
| This is in RFC3339 text format. |
| |
| * `terraform_labels` - |
| The combination of labels configured directly on the resource |
| and default labels configured on the provider. |
| |
| * `effective_labels` - |
| All labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services. |
| |
| |
| <a name="nested_revocation_details"></a>The `revocation_details` block contains: |
| |
| * `revocation_state` - |
| (Output) |
| Indicates why a Certificate was revoked. |
| |
| * `revocation_time` - |
| (Output) |
| The time at which this Certificate was revoked. |
| |
| <a name="nested_certificate_description"></a>The `certificate_description` block contains: |
| |
| * `subject_description` - |
| (Output) |
| Describes some of the values in a certificate that are related to the subject and lifetime. |
| Structure is [documented below](#nested_subject_description). |
| |
| * `x509_description` - |
| (Output) |
| A structured description of the issued X.509 certificate. |
| Structure is [documented below](#nested_x509_description). |
| |
| * `public_key` - |
| (Output) |
| A PublicKey describes a public key. |
| Structure is [documented below](#nested_public_key). |
| |
| * `subject_key_id` - |
| (Output) |
| Provides a means of identifying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. |
| Structure is [documented below](#nested_subject_key_id). |
| |
| * `authority_key_id` - |
| (Output) |
| Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 |
| Structure is [documented below](#nested_authority_key_id). |
| |
| * `crl_distribution_points` - |
| (Output) |
| Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 |
| |
| * `aia_issuing_certificate_urls` - |
| (Output) |
| Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. |
| |
| * `cert_fingerprint` - |
| (Output) |
| The hash of the x.509 certificate. |
| Structure is [documented below](#nested_cert_fingerprint). |
| |
| |
| <a name="nested_subject_description"></a>The `subject_description` block contains: |
| |
| * `subject` - |
| (Output) |
| Contains distinguished name fields such as the location and organization. |
| Structure is [documented below](#nested_subject). |
| |
| * `subject_alt_name` - |
| (Output) |
| The subject alternative name fields. |
| Structure is [documented below](#nested_subject_alt_name). |
| |
| * `hex_serial_number` - |
| (Output) |
| The serial number encoded in lowercase hexadecimal. |
| |
| * `lifetime` - |
| (Output) |
| For convenience, the actual lifetime of an issued certificate. Corresponds to 'notAfterTime' - 'notBeforeTime'. |
| |
| * `not_before_time` - |
| (Output) |
| The time at which the certificate becomes valid. |
| |
| * `not_after_time` - |
| (Output) |
| The time at which the certificate expires. |
| |
| |
| <a name="nested_subject"></a>The `subject` block contains: |
| |
| * `country_code` - |
| (Output) |
| The country code of the subject. |
| |
| * `organization` - |
| (Output) |
| The organization of the subject. |
| |
| * `organizational_unit` - |
| (Output) |
| The organizationalUnit of the subject. |
| |
| * `locality` - |
| (Output) |
| The locality or city of the subject. |
| |
| * `province` - |
| (Output) |
| The province of the subject. |
| |
| * `street_address` - |
| (Output) |
| The street address of the subject. |
| |
| * `postal_code` - |
| (Output) |
| The postalCode of the subject. |
| |
| * `common_name` - |
| (Output) |
| The "common name" of the distinguished name. |
| |
| <a name="nested_subject_alt_name"></a>The `subject_alt_name` block contains: |
| |
| * `dns_names` - |
| (Output) |
| Contains only valid, fully-qualified host names. |
| |
| * `uris` - |
| (Output) |
| Contains only valid RFC 3986 URIs. |
| |
| * `email_addresses` - |
| (Output) |
| Contains only valid RFC 2822 E-mail addresses. |
| |
| * `ip_addresses` - |
| (Output) |
| Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. |
| |
| * `custom_sans` - |
| (Output) |
| Contains additional subject alternative name values. |
| Structure is [documented below](#nested_custom_sans). |
| |
| |
| <a name="nested_custom_sans"></a>The `custom_sans` block contains: |
| |
| * `obect_id` - |
| (Output) |
| The object identifier (OID) of this custom subject alternative name extension. |
| Structure is [documented below](#nested_obect_id). |
| |
| * `critical` - |
| (Output) |
| Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). |
| |
| * `value` - |
| (Output) |
| The value of this X.509 extension. |
| |
| |
| <a name="nested_obect_id"></a>The `obect_id` block contains: |
| |
| * `object_id_path` - |
| (Output) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_x509_description"></a>The `x509_description` block contains: |
| |
| * `additional_extensions` - |
| (Output) |
| Describes custom X.509 extensions. |
| Structure is [documented below](#nested_additional_extensions). |
| |
| * `policy_ids` - |
| (Output) |
| Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. |
| Structure is [documented below](#nested_policy_ids). |
| |
| * `aia_ocsp_servers` - |
| (Output) |
| Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the |
| "Authority Information Access" extension in the certificate. |
| |
| * `ca_options` - |
| (Output) |
| Describes values that are relevant in a CA certificate. |
| Structure is [documented below](#nested_ca_options). |
| |
| * `key_usage` - |
| (Output) |
| Indicates the intended use for keys that correspond to a certificate. |
| Structure is [documented below](#nested_key_usage). |
| |
| * `name_constraints` - |
| (Output) |
| Describes the X.509 name constraints extension. |
| Structure is [documented below](#nested_name_constraints). |
| |
| |
| <a name="nested_additional_extensions"></a>The `additional_extensions` block contains: |
| |
| * `critical` - |
| (Output) |
| Indicates whether or not this extension is critical (i.e., if the client does not know how to |
| handle this extension, the client should consider this to be an error). |
| |
| * `value` - |
| (Optional) |
| The value of this X.509 extension. A base64-encoded string. |
| |
| * `object_id` - |
| (Output) |
| The object identifier (OID) of this X.509 extension. |
| Structure is [documented below](#nested_object_id). |
| |
| |
| <a name="nested_object_id"></a>The `object_id` block contains: |
| |
| * `object_id_path` - |
| (Output) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_policy_ids"></a>The `policy_ids` block contains: |
| |
| * `object_id_path` - |
| (Output) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_ca_options"></a>The `ca_options` block contains: |
| |
| * `is_ca` - |
| (Output) |
| When true, the "CA" in Basic Constraints extension will be set to true. |
| |
| * `max_issuer_path_length` - |
| (Output) |
| Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of |
| subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. |
| |
| <a name="nested_key_usage"></a>The `key_usage` block contains: |
| |
| * `base_key_usage` - |
| (Output) |
| Describes high-level ways in which a key may be used. |
| Structure is [documented below](#nested_base_key_usage). |
| |
| * `extended_key_usage` - |
| (Output) |
| Describes the extended key usage purposes for which a key may be used. |
| Structure is [documented below](#nested_extended_key_usage). |
| |
| * `unknown_extended_key_usages` - |
| (Output) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| Structure is [documented below](#nested_unknown_extended_key_usages). |
| |
| |
| <a name="nested_base_key_usage"></a>The `base_key_usage` block contains: |
| |
| * `digital_signature` - |
| (Output) |
| The key may be used for digital signatures. |
| |
| * `content_commitment` - |
| (Output) |
| The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". |
| |
| * `key_encipherment` - |
| (Output) |
| The key may be used to encipher other keys. |
| |
| * `data_encipherment` - |
| (Output) |
| The key may be used to encipher data. |
| |
| * `key_agreement` - |
| (Output) |
| The key may be used in a key agreement protocol. |
| |
| * `cert_sign` - |
| (Output) |
| The key may be used to sign certificates. |
| |
| * `crl_sign` - |
| (Output) |
| The key may be used to sign certificate revocation lists. |
| |
| * `encipher_only` - |
| (Output) |
| The key may be used to encipher only. |
| |
| * `decipher_only` - |
| (Output) |
| The key may be used to decipher only. |
| |
| <a name="nested_extended_key_usage"></a>The `extended_key_usage` block contains: |
| |
| * `server_auth` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. |
| |
| * `client_auth` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. |
| |
| * `code_signing` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code". |
| |
| * `email_protection` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". |
| |
| * `time_stamping` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". |
| |
| * `ocsp_signing` - |
| (Output) |
| Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". |
| |
| <a name="nested_unknown_extended_key_usages"></a>The `unknown_extended_key_usages` block contains: |
| |
| * `object_id_path` - |
| (Output) |
| An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. |
| |
| <a name="nested_name_constraints"></a>The `name_constraints` block contains: |
| |
| * `critical` - |
| (Output) |
| Indicates whether or not the name constraints are marked critical. |
| |
| * `permitted_dns_names` - |
| (Output) |
| Contains permitted DNS names. Any DNS name that can be |
| constructed by simply adding zero or more labels to |
| the left-hand side of the name satisfies the name constraint. |
| For example, `example.com`, `www.example.com`, `www.sub.example.com` |
| would satisfy `example.com` while `example1.com` does not. |
| |
| * `excluded_dns_names` - |
| (Output) |
| Contains excluded DNS names. Any DNS name that can be |
| constructed by simply adding zero or more labels to |
| the left-hand side of the name satisfies the name constraint. |
| For example, `example.com`, `www.example.com`, `www.sub.example.com` |
| would satisfy `example.com` while `example1.com` does not. |
| |
| * `permitted_ip_ranges` - |
| (Output) |
| Contains the permitted IP ranges. For IPv4 addresses, the ranges |
| are expressed using CIDR notation as specified in RFC 4632. |
| For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 |
| addresses. |
| |
| * `excluded_ip_ranges` - |
| (Output) |
| Contains the excluded IP ranges. For IPv4 addresses, the ranges |
| are expressed using CIDR notation as specified in RFC 4632. |
| For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 |
| addresses. |
| |
| * `permitted_email_addresses` - |
| (Output) |
| Contains the permitted email addresses. The value can be a particular |
| email address, a hostname to indicate all email addresses on that host or |
| a domain with a leading period (e.g. `.example.com`) to indicate |
| all email addresses in that domain. |
| |
| * `excluded_email_addresses` - |
| (Output) |
| Contains the excluded email addresses. The value can be a particular |
| email address, a hostname to indicate all email addresses on that host or |
| a domain with a leading period (e.g. `.example.com`) to indicate |
| all email addresses in that domain. |
| |
| * `permitted_uris` - |
| (Output) |
| Contains the permitted URIs that apply to the host part of the name. |
| The value can be a hostname or a domain with a |
| leading period (like `.example.com`). |
| |
| * `excluded_uris` - |
| (Output) |
| Contains the excluded URIs that apply to the host part of the name. |
| The value can be a hostname or a domain with a |
| leading period (like `.example.com`). |
| |
| <a name="nested_public_key"></a>The `public_key` block contains: |
| |
| * `key` - |
| (Output) |
| Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. |
| |
| * `format` - |
| (Output) |
| The format of the public key. Currently, only PEM format is supported. |
| |
| <a name="nested_subject_key_id"></a>The `subject_key_id` block contains: |
| |
| * `key_id` - |
| (Output) |
| Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the public key; the hash serves only as a key identifier for matching certificates, not as a security property. |
| |
| <a name="nested_authority_key_id"></a>The `authority_key_id` block contains: |
| |
| * `key_id` - |
| (Output) |
| Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160-bit SHA-1 hash of the issuer's public key; the hash serves only as a key identifier for matching a certificate to its issuer, not as a security property. |
| |
| <a name="nested_cert_fingerprint"></a>The `cert_fingerprint` block contains: |
| |
| * `sha256_hash` - |
| (Output) |
| The SHA-256 hash, encoded in hexadecimal, of the DER-encoded X.509 certificate. |
| |
| ## Timeouts |
| |
| This resource provides the following |
| [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options: |
| |
| - `create` - Default is 20 minutes. |
| - `update` - Default is 20 minutes. |
| - `delete` - Default is 20 minutes. |
| |
| ## Import |
| |
| |
| Certificate can be imported using any of these accepted formats: |
| |
| * `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}` |
| * `{{project}}/{{location}}/{{pool}}/{{name}}` |
| * `{{location}}/{{pool}}/{{name}}` |
| |
| |
| In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Certificate using one of the formats above. For example: |
| |
| ```tf |
| import { |
| id = "projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}" |
| to = google_privateca_certificate.default |
| } |
| ``` |
| |
| When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Certificate can be imported using one of the formats above. For example: |
| |
| ``` |
| $ terraform import google_privateca_certificate.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}} |
| $ terraform import google_privateca_certificate.default {{project}}/{{location}}/{{pool}}/{{name}} |
| $ terraform import google_privateca_certificate.default {{location}}/{{pool}}/{{name}} |
| ``` |
| |
| ## User Project Overrides |
| |
| This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override). |