pulumi-gcp-kotlin/com.pulumi.gcp.certificateauthority.kotlin/Authority

Authority

class Authority : KotlinCustomResource

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates. To get more information about CertificateAuthority, see:

Warning: On newer versions of the provider, you must explicitly set deletion_protection=false (and run pulumi up to write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you're ready to destroy.

Example Usage

Privateca Certificate Authority Basic

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var default_ = new Authority("default", AuthorityArgs.builder()
            .certificateAuthorityId("my-certificate-authority")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .commonName("my-certificate-authority")
                        .organization("HashiCorp")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .contentCommitment(true)
                            .crlSign(true)
                            .dataEncipherment(true)
                            .decipherOnly(true)
                            .digitalSignature(true)
                            .keyAgreement(true)
                            .keyEncipherment(false)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .clientAuth(false)
                            .codeSigning(true)
                            .emailProtection(true)
                            .serverAuth(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .lifetime("86400s")
            .location("us-central1")
            .pool("ca-pool")
            .build());
    }
}
Content copied to clipboard

Privateca Certificate Authority Subordinate

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var root_ca = new Authority("root-ca", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-root")
            .location("us-central1")
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-certificate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .build())
                .build())
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .deletionProtection(false)
            .skipGracePeriod(true)
            .ignoreActiveCertificatesOnDeletion(true)
            .build());
        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority-sub")
            .location("us-central1")
            .deletionProtection("true")
            .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
                .certificateAuthority(root_ca.name())
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("HashiCorp")
                        .commonName("my-subordinate-authority")
                        .build())
                    .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                        .dnsNames("hashicorp.com")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(0)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .digitalSignature(true)
                            .contentCommitment(true)
                            .keyEncipherment(false)
                            .dataEncipherment(true)
                            .keyAgreement(true)
                            .certSign(true)
                            .crlSign(true)
                            .decipherOnly(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(true)
                            .clientAuth(false)
                            .emailProtection(true)
                            .codeSigning(true)
                            .timeStamping(true)
                            .build())
                        .build())
                    .build())
                .build())
            .lifetime("86400s")
            .keySpec(AuthorityKeySpecArgs.builder()
                .algorithm("RSA_PKCS1_4096_SHA256")
                .build())
            .type("SUBORDINATE")
            .build());
    }
}
Content copied to clipboard

Privateca Certificate Authority Byo Key

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.projects.ServiceIdentity;
import com.pulumi.gcp.projects.ServiceIdentityArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMBinding;
import com.pulumi.gcp.kms.CryptoKeyIAMBindingArgs;
import com.pulumi.gcp.certificateauthority.Authority;
import com.pulumi.gcp.certificateauthority.AuthorityArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
            .service("privateca.googleapis.com")
            .build());
        var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMBinding("privatecaSaKeyuserSignerverifier", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/cloudkms.signerVerifier")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());
        var privatecaSaKeyuserViewer = new CryptoKeyIAMBinding("privatecaSaKeyuserViewer", CryptoKeyIAMBindingArgs.builder()
            .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
            .role("roles/viewer")
            .members(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
            .build());
        var default_ = new Authority("default", AuthorityArgs.builder()
            .pool("ca-pool")
            .certificateAuthorityId("my-certificate-authority")
            .location("us-central1")
            .deletionProtection("true")
            .keySpec(AuthorityKeySpecArgs.builder()
                .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                .build())
            .config(AuthorityConfigArgs.builder()
                .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                    .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                        .organization("Example, Org.")
                        .commonName("Example Authority")
                        .build())
                    .build())
                .x509Config(AuthorityConfigX509ConfigArgs.builder()
                    .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                        .isCa(true)
                        .maxIssuerPathLength(10)
                        .build())
                    .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                        .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                            .certSign(true)
                            .crlSign(true)
                            .build())
                        .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                            .serverAuth(false)
                            .build())
                        .build())
                    .nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
                        .critical(true)
                        .permittedDnsNames("*.example.com")
                        .excludedDnsNames("*.deny.example.com")
                        .permittedIpRanges("10.0.0.0/8")
                        .excludedIpRanges("10.1.1.0/24")
                        .permittedEmailAddresses(".example.com")
                        .excludedEmailAddresses(".deny.example.com")
                        .permittedUris(".example.com")
                        .excludedUris(".deny.example.com")
                        .build())
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .dependsOn(
                    privatecaSaKeyuserSignerverifier,
                    privatecaSaKeyuserViewer)
                .build());
    }
}
Content copied to clipboard

Import

CertificateAuthority can be imported using any of these accepted formats

$ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
Content copied to clipboard
$ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
Content copied to clipboard

Properties

Link copied to clipboard
val accessUrls: Output<List<AuthorityAccessUrl>>

URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.

Link copied to clipboard
val certificateAuthorityId: Output<String>

The user provided Resource ID for this Certificate Authority.

Link copied to clipboard
val config: Output<AuthorityConfig>

The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.

Link copied to clipboard
val createTime: Output<String>

The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Link copied to clipboard
val deletionProtection: Output<Boolean>?

Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false in Terraform state, a 'terraform destroy' or 'terraform apply' that would delete the instance will fail.

Link copied to clipboard
val desiredState: Output<String>?

Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.

Link copied to clipboard
val gcsBucket: Output<String>?

The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val ignoreActiveCertificatesOnDeletion: Output<Boolean>?

This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to false.

Link copied to clipboard
val keySpec: Output<AuthorityKeySpec>

Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.

Link copied to clipboard
val labels: Output<Map<String, String>>?

Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Link copied to clipboard
val lifetime: Output<String>?

The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

Link copied to clipboard
val location: Output<String>

Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.

Link copied to clipboard
val name: Output<String>

The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/. ///

Link copied to clipboard
val pemCaCertificate: Output<String>?

The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.

Link copied to clipboard
val pemCaCertificates: Output<List<String>>

This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.

Link copied to clipboard
val pool: Output<String>

The name of the CaPool this Certificate Authority belongs to.

Link copied to clipboard
val project: Output<String>

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val skipGracePeriod: Output<Boolean>?

If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to false.

Link copied to clipboard
val state: Output<String>

The State for this CertificateAuthority.

Link copied to clipboard
val subordinateConfig: Output<AuthoritySubordinateConfig>?

If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. Structure is documented below.

Link copied to clipboard
val type: Output<String>?

The Type of this CertificateAuthority.

Link copied to clipboard
val updateTime: Output<String>

The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Link copied to clipboard
val urn: Output<String>