pulumi-gcp-kotlin/com.pulumi.gcp.certificateauthority.kotlin/AuthorityArgs

AuthorityArgs

data class AuthorityArgs(val certificateAuthorityId: Output<String>? = null, val config: Output<AuthorityConfigArgs>? = null, val deletionProtection: Output<Boolean>? = null, val desiredState: Output<String>? = null, val gcsBucket: Output<String>? = null, val ignoreActiveCertificatesOnDeletion: Output<Boolean>? = null, val keySpec: Output<AuthorityKeySpecArgs>? = null, val labels: Output<Map<String, String>>? = null, val lifetime: Output<String>? = null, val location: Output<String>? = null, val pemCaCertificate: Output<String>? = null, val pool: Output<String>? = null, val project: Output<String>? = null, val skipGracePeriod: Output<Boolean>? = null, val subordinateConfig: Output<AuthoritySubordinateConfigArgs>? = null, val type: Output<String>? = null) : ConvertibleToJava<AuthorityArgs>

Example Usage

Privateca Certificate Authority Basic

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var default_ = new Authority("default", AuthorityArgs.builder()
            .certificateAuthorityId("my-certificate-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .commonName("my-certificate-authority")
                        .organization("HashiCorp")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .contentCommitment(true)
                            .crlSign(true)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .keyAgreement(true)
                            .keyEncipherment(false)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .clientAuth(false)
                            .codeSigning(true)
                            .emailProtection(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .lifetime("86400s")
            .location("us-central1")
            .pool("ca-pool")
            .build());
    }
}
Content copied to clipboard

Privateca Certificate Authority Subordinate

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var root_ca = new Authority("root-ca", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-root")
            .location("us-central1")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());
        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-sub")
            .location("us-central1")
            .deletionProtection("true")
            .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
                .certificateAuthority(root_ca.name())
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-subordinate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(0)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .contentCommitment(true)
                            .keyEncipherment(false)
                            .dataEncipherment(true)
                            .keyAgreement(true)
                            .certSign(true)
                            .crlSign(true)
                            .decipherOnly(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .clientAuth(false)
                            .emailProtection(true)
                            .codeSigning(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .type("SUBORDINATE")
            .build());
    }
}
Content copied to clipboard

Privateca Certificate Authority Byo Key

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
            .service("privateca.googleapis.com")
            .build());
        var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/cloudkms.signerVerifier")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());
        var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/viewer")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());
        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("Example, Org.")
                        .commonName("Example Authority")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(
                    privatecaSaKeyuserSignerverifier,
                    privatecaSaKeyuserViewer)
                .build());
    }
}
Content copied to clipboard

Import

CertificateAuthority can be imported using any of these accepted formats

$ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
Content copied to clipboard

Constructors

Link copied to clipboard
fun AuthorityArgs(certificateAuthorityId: Output<String>? = null, config: Output<AuthorityConfigArgs>? = null, deletionProtection: Output<Boolean>? = null, desiredState: Output<String>? = null, gcsBucket: Output<String>? = null, ignoreActiveCertificatesOnDeletion: Output<Boolean>? = null, keySpec: Output<AuthorityKeySpecArgs>? = null, labels: Output<Map<String, String>>? = null, lifetime: Output<String>? = null, location: Output<String>? = null, pemCaCertificate: Output<String>? = null, pool: Output<String>? = null, project: Output<String>? = null, skipGracePeriod: Output<Boolean>? = null, subordinateConfig: Output<AuthoritySubordinateConfigArgs>? = null, type: Output<String>? = null)

Functions

Link copied to clipboard
open override fun toJava(): AuthorityArgs

Properties

Link copied to clipboard
val certificateAuthorityId: Output<String>? = null

The user provided Resource ID for this Certificate Authority.

Link copied to clipboard
val config: Output<AuthorityConfigArgs>? = null

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Link copied to clipboard
val deletionProtection: Output<Boolean>? = null

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

Link copied to clipboard
val desiredState: Output<String>? = null

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

Link copied to clipboard
val gcsBucket: Output<String>? = null

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

Link copied to clipboard
val ignoreActiveCertificatesOnDeletion: Output<Boolean>? = null

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Link copied to clipboard
val keySpec: Output<AuthorityKeySpecArgs>? = null

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Link copied to clipboard
val labels: Output<Map<String, String>>? = null

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Link copied to clipboard
val lifetime: Output<String>? = null

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Link copied to clipboard
val location: Output<String>? = null

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Link copied to clipboard
val pemCaCertificate: Output<String>? = null

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

Link copied to clipboard
val pool: Output<String>? = null

The name of the CaPool this Certificate Authority belongs to.

Link copied to clipboard
val project: Output<String>? = null

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Link copied to clipboard
val skipGracePeriod: Output<Boolean>? = null

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

Link copied to clipboard
val subordinateConfig: Output<AuthoritySubordinateConfigArgs>? = null

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Link copied to clipboard
val type: Output<String>? = null

The Type of this CertificateAuthority.