Authority
data class AuthorityArgs(val certificateAuthorityId: Output<String>? = null, val config: Output<AuthorityConfigArgs>? = null, val deletionProtection: Output<Boolean>? = null, val desiredState: Output<String>? = null, val gcsBucket: Output<String>? = null, val ignoreActiveCertificatesOnDeletion: Output<Boolean>? = null, val keySpec: Output<AuthorityKeySpecArgs>? = null, val labels: Output<Map<String, String>>? = null, val lifetime: Output<String>? = null, val location: Output<String>? = null, val pemCaCertificate: Output<String>? = null, val pool: Output<String>? = null, val project: Output<String>? = null, val skipGracePeriod: Output<Boolean>? = null, val subordinateConfig: Output<AuthoritySubordinateConfigArgs>? = null, val type: Output<String>? = null) : ConvertibleToJava<AuthorityArgs>
A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates. To get more information about CertificateAuthority, see:
How-to Guides
Warning: On newer versions of the provider, you must explicitly set
deletion_protection=false(and runpulumi upto write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you're ready to destroy.
Example Usage
Privateca Certificate Authority Basic
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new Authority("default", AuthorityArgs.builder()
.certificateAuthorityId("my-certificate-authority")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.commonName("my-certificate-authority")
.organization("HashiCorp")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.contentCommitment(true)
.crlSign(true)
.dataEncipherment(true)
.decipherOnly(true)
.digitalSignature(true)
.keyAgreement(true)
.keyEncipherment(false)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.clientAuth(false)
.codeSigning(true)
.emailProtection(true)
.serverAuth(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.deletionProtection("true")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.lifetime("86400s")
.location("us-central1")
.pool("ca-pool")
.build());
}
}Content copied to clipboard
Privateca Certificate Authority Subordinate
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var root_ca = new Authority("root-ca", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-root")
.location("us-central1")
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-certificate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.build())
.build())
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.deletionProtection(false)
.skipGracePeriod(true)
.ignoreActiveCertificatesOnDeletion(true)
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority-sub")
.location("us-central1")
.deletionProtection("true")
.subordinateConfig(AuthoritySubordinateConfigArgs.builder()
.certificateAuthority(root_ca.name())
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("HashiCorp")
.commonName("my-subordinate-authority")
.build())
.subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
.dnsNames("hashicorp.com")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(0)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(true)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.build())
.build())
.lifetime("86400s")
.keySpec(AuthorityKeySpecArgs.builder()
.algorithm("RSA_PKCS1_4096_SHA256")
.build())
.type("SUBORDINATE")
.build());
}
}Content copied to clipboard
Privateca Certificate Authority Byo Key
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
.service("privateca.googleapis.com")
.build());
var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/cloudkms.signerVerifier")
.members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()
.cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
.role("roles/viewer")
.members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
.build());
var default_ = new Authority("default", AuthorityArgs.builder()
.pool("ca-pool")
.certificateAuthorityId("my-certificate-authority")
.location("us-central1")
.deletionProtection("true")
.keySpec(AuthorityKeySpecArgs.builder()
.cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
.build())
.config(AuthorityConfigArgs.builder()
.subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
.subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
.organization("Example, Org.")
.commonName("Example Authority")
.build())
.build())
.x509Config(AuthorityConfigX509ConfigArgs.builder()
.caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
.baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
.certSign(true)
.crlSign(true)
.build())
.extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(false)
.build())
.build())
.nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames("*.example.com")
.excludedDnsNames("*.deny.example.com")
.permittedIpRanges("10.0.0.0/8")
.excludedIpRanges("10.1.1.0/24")
.permittedEmailAddresses(".example.com")
.excludedEmailAddresses(".deny.example.com")
.permittedUris(".example.com")
.excludedUris(".deny.example.com")
.build())
.build())
.build())
.build(), CustomResourceOptions.builder()
.dependsOn(
privatecaSaKeyuserSignerverifier,
privatecaSaKeyuserViewer)
.build());
}
}Content copied to clipboard
Import
CertificateAuthority can be imported using any of these accepted formats
$ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(certificateAuthorityId: Output<String>? = null, config: Output<AuthorityConfigArgs>? = null, deletionProtection: Output<Boolean>? = null, desiredState: Output<String>? = null, gcsBucket: Output<String>? = null, ignoreActiveCertificatesOnDeletion: Output<Boolean>? = null, keySpec: Output<AuthorityKeySpecArgs>? = null, labels: Output<Map<String, String>>? = null, lifetime: Output<String>? = null, location: Output<String>? = null, pemCaCertificate: Output<String>? = null, pool: Output<String>? = null, project: Output<String>? = null, skipGracePeriod: Output<Boolean>? = null, subordinateConfig: Output<AuthoritySubordinateConfigArgs>? = null, type: Output<String>? = null)
Properties
Link copied to clipboard
The user provided Resource ID for this Certificate Authority.
Link copied to clipboard
The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
Link copied to clipboard
Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.
Link copied to clipboard
Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.
Link copied to clipboard
The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.
Link copied to clipboard
This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.
Link copied to clipboard
Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
Link copied to clipboard
The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
Link copied to clipboard
If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.
Link copied to clipboard
If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.