Ca
data class CaPoolArgs(val issuancePolicy: Output<CaPoolIssuancePolicyArgs>? = null, val labels: Output<Map<String, String>>? = null, val location: Output<String>? = null, val name: Output<String>? = null, val project: Output<String>? = null, val publishingOptions: Output<CaPoolPublishingOptionsArgs>? = null, val tier: Output<String>? = null) : ConvertibleToJava<CaPoolArgs>
A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.
Example Usage
Privateca Capool Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.CaPool("default", {
name: "my-pool",
location: "us-central1",
tier: "ENTERPRISE",
publishingOptions: {
publishCaCert: true,
publishCrl: true,
},
labels: {
foo: "bar",
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.CaPool("default",
name="my-pool",
location="us-central1",
tier="ENTERPRISE",
publishing_options={
"publish_ca_cert": True,
"publish_crl": True,
},
labels={
"foo": "bar",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Name = "my-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = true,
PublishCrl = true,
},
Labels =
{
{ "foo", "bar" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Name: pulumi.String("my-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(true),
PublishCrl: pulumi.Bool(true),
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.name("my-pool")
.location("us-central1")
.tier("ENTERPRISE")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(true)
.publishCrl(true)
.build())
.labels(Map.of("foo", "bar"))
.build());
}
}Content copied to clipboard
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
name: my-pool
location: us-central1
tier: ENTERPRISE
publishingOptions:
publishCaCert: true
publishCrl: true
labels:
foo: barContent copied to clipboard
Privateca Capool All Fields
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const _default = new gcp.certificateauthority.CaPool("default", {
name: "my-pool",
location: "us-central1",
tier: "ENTERPRISE",
publishingOptions: {
publishCaCert: false,
publishCrl: true,
encodingFormat: "PEM",
},
labels: {
foo: "bar",
},
issuancePolicy: {
allowedKeyTypes: [
{
ellipticCurve: {
signatureAlgorithm: "ECDSA_P256",
},
},
{
rsa: {
minModulusSize: "5",
maxModulusSize: "10",
},
},
],
maximumLifetime: "50000s",
allowedIssuanceModes: {
allowCsrBasedIssuance: true,
allowConfigBasedIssuance: true,
},
identityConstraints: {
allowSubjectPassthrough: true,
allowSubjectAltNamesPassthrough: true,
celExpression: {
expression: "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
title: "My title",
},
},
baselineValues: {
aiaOcspServers: ["example.com"],
additionalExtensions: [{
critical: true,
value: "asdf",
objectId: {
objectIdPaths: [
1,
7,
],
},
}],
policyIds: [
{
objectIdPaths: [
1,
5,
],
},
{
objectIdPaths: [
1,
5,
7,
],
},
],
caOptions: {
isCa: true,
maxIssuerPathLength: 10,
},
keyUsage: {
baseKeyUsage: {
digitalSignature: true,
contentCommitment: true,
keyEncipherment: false,
dataEncipherment: true,
keyAgreement: true,
certSign: false,
crlSign: true,
decipherOnly: true,
},
extendedKeyUsage: {
serverAuth: true,
clientAuth: false,
emailProtection: true,
codeSigning: true,
timeStamping: true,
},
},
nameConstraints: {
critical: true,
permittedDnsNames: [
"*.example1.com",
"*.example2.com",
],
excludedDnsNames: [
"*.deny.example1.com",
"*.deny.example2.com",
],
permittedIpRanges: [
"10.0.0.0/8",
"11.0.0.0/8",
],
excludedIpRanges: [
"10.1.1.0/24",
"11.1.1.0/24",
],
permittedEmailAddresses: [
".example1.com",
".example2.com",
],
excludedEmailAddresses: [
".deny.example1.com",
".deny.example2.com",
],
permittedUris: [
".example1.com",
".example2.com",
],
excludedUris: [
".deny.example1.com",
".deny.example2.com",
],
},
},
},
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
default = gcp.certificateauthority.CaPool("default",
name="my-pool",
location="us-central1",
tier="ENTERPRISE",
publishing_options={
"publish_ca_cert": False,
"publish_crl": True,
"encoding_format": "PEM",
},
labels={
"foo": "bar",
},
issuance_policy={
"allowed_key_types": [
{
"elliptic_curve": {
"signature_algorithm": "ECDSA_P256",
},
},
{
"rsa": {
"min_modulus_size": "5",
"max_modulus_size": "10",
},
},
],
"maximum_lifetime": "50000s",
"allowed_issuance_modes": {
"allow_csr_based_issuance": True,
"allow_config_based_issuance": True,
},
"identity_constraints": {
"allow_subject_passthrough": True,
"allow_subject_alt_names_passthrough": True,
"cel_expression": {
"expression": "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
"title": "My title",
},
},
"baseline_values": {
"aia_ocsp_servers": ["example.com"],
"additional_extensions": [{
"critical": True,
"value": "asdf",
"object_id": {
"object_id_paths": [
1,
7,
],
},
}],
"policy_ids": [
{
"object_id_paths": [
1,
5,
],
},
{
"object_id_paths": [
1,
5,
7,
],
},
],
"ca_options": {
"is_ca": True,
"max_issuer_path_length": 10,
},
"key_usage": {
"base_key_usage": {
"digital_signature": True,
"content_commitment": True,
"key_encipherment": False,
"data_encipherment": True,
"key_agreement": True,
"cert_sign": False,
"crl_sign": True,
"decipher_only": True,
},
"extended_key_usage": {
"server_auth": True,
"client_auth": False,
"email_protection": True,
"code_signing": True,
"time_stamping": True,
},
},
"name_constraints": {
"critical": True,
"permitted_dns_names": [
"*.example1.com",
"*.example2.com",
],
"excluded_dns_names": [
"*.deny.example1.com",
"*.deny.example2.com",
],
"permitted_ip_ranges": [
"10.0.0.0/8",
"11.0.0.0/8",
],
"excluded_ip_ranges": [
"10.1.1.0/24",
"11.1.1.0/24",
],
"permitted_email_addresses": [
".example1.com",
".example2.com",
],
"excluded_email_addresses": [
".deny.example1.com",
".deny.example2.com",
],
"permitted_uris": [
".example1.com",
".example2.com",
],
"excluded_uris": [
".deny.example1.com",
".deny.example2.com",
],
},
},
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var @default = new Gcp.CertificateAuthority.CaPool("default", new()
{
Name = "my-pool",
Location = "us-central1",
Tier = "ENTERPRISE",
PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
{
PublishCaCert = false,
PublishCrl = true,
EncodingFormat = "PEM",
},
Labels =
{
{ "foo", "bar" },
},
IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
{
AllowedKeyTypes = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
{
EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
{
SignatureAlgorithm = "ECDSA_P256",
},
},
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
{
Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
{
MinModulusSize = "5",
MaxModulusSize = "10",
},
},
},
MaximumLifetime = "50000s",
AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
{
AllowCsrBasedIssuance = true,
AllowConfigBasedIssuance = true,
},
IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
{
AllowSubjectPassthrough = true,
AllowSubjectAltNamesPassthrough = true,
CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
{
Expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
Title = "My title",
},
},
BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
{
AiaOcspServers = new[]
{
"example.com",
},
AdditionalExtensions = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
{
Critical = true,
Value = "asdf",
ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
{
ObjectIdPaths = new[]
{
1,
7,
},
},
},
},
PolicyIds = new[]
{
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
5,
},
},
new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
{
ObjectIdPaths = new[]
{
1,
5,
7,
},
},
},
CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
{
IsCa = true,
MaxIssuerPathLength = 10,
},
KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
{
BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
{
DigitalSignature = true,
ContentCommitment = true,
KeyEncipherment = false,
DataEncipherment = true,
KeyAgreement = true,
CertSign = false,
CrlSign = true,
DecipherOnly = true,
},
ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
{
ServerAuth = true,
ClientAuth = false,
EmailProtection = true,
CodeSigning = true,
TimeStamping = true,
},
},
NameConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
{
Critical = true,
PermittedDnsNames = new[]
{
"*.example1.com",
"*.example2.com",
},
ExcludedDnsNames = new[]
{
"*.deny.example1.com",
"*.deny.example2.com",
},
PermittedIpRanges = new[]
{
"10.0.0.0/8",
"11.0.0.0/8",
},
ExcludedIpRanges = new[]
{
"10.1.1.0/24",
"11.1.1.0/24",
},
PermittedEmailAddresses = new[]
{
".example1.com",
".example2.com",
},
ExcludedEmailAddresses = new[]
{
".deny.example1.com",
".deny.example2.com",
},
PermittedUris = new[]
{
".example1.com",
".example2.com",
},
ExcludedUris = new[]
{
".deny.example1.com",
".deny.example2.com",
},
},
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
Name: pulumi.String("my-pool"),
Location: pulumi.String("us-central1"),
Tier: pulumi.String("ENTERPRISE"),
PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
PublishCaCert: pulumi.Bool(false),
PublishCrl: pulumi.Bool(true),
EncodingFormat: pulumi.String("PEM"),
},
Labels: pulumi.StringMap{
"foo": pulumi.String("bar"),
},
IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
SignatureAlgorithm: pulumi.String("ECDSA_P256"),
},
},
&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
MinModulusSize: pulumi.String("5"),
MaxModulusSize: pulumi.String("10"),
},
},
},
MaximumLifetime: pulumi.String("50000s"),
AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
AllowCsrBasedIssuance: pulumi.Bool(true),
AllowConfigBasedIssuance: pulumi.Bool(true),
},
IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
AllowSubjectPassthrough: pulumi.Bool(true),
AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
Expression: pulumi.String("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"),
Title: pulumi.String("My title"),
},
},
BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
AiaOcspServers: pulumi.StringArray{
pulumi.String("example.com"),
},
AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
Critical: pulumi.Bool(true),
Value: pulumi.String("asdf"),
ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(7),
},
},
},
},
PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(5),
},
},
&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
ObjectIdPaths: pulumi.IntArray{
pulumi.Int(1),
pulumi.Int(5),
pulumi.Int(7),
},
},
},
CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
IsCa: pulumi.Bool(true),
MaxIssuerPathLength: pulumi.Int(10),
},
KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
DigitalSignature: pulumi.Bool(true),
ContentCommitment: pulumi.Bool(true),
KeyEncipherment: pulumi.Bool(false),
DataEncipherment: pulumi.Bool(true),
KeyAgreement: pulumi.Bool(true),
CertSign: pulumi.Bool(false),
CrlSign: pulumi.Bool(true),
DecipherOnly: pulumi.Bool(true),
},
ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
ServerAuth: pulumi.Bool(true),
ClientAuth: pulumi.Bool(false),
EmailProtection: pulumi.Bool(true),
CodeSigning: pulumi.Bool(true),
TimeStamping: pulumi.Bool(true),
},
},
NameConstraints: &certificateauthority.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs{
Critical: pulumi.Bool(true),
PermittedDnsNames: pulumi.StringArray{
pulumi.String("*.example1.com"),
pulumi.String("*.example2.com"),
},
ExcludedDnsNames: pulumi.StringArray{
pulumi.String("*.deny.example1.com"),
pulumi.String("*.deny.example2.com"),
},
PermittedIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
pulumi.String("11.0.0.0/8"),
},
ExcludedIpRanges: pulumi.StringArray{
pulumi.String("10.1.1.0/24"),
pulumi.String("11.1.1.0/24"),
},
PermittedEmailAddresses: pulumi.StringArray{
pulumi.String(".example1.com"),
pulumi.String(".example2.com"),
},
ExcludedEmailAddresses: pulumi.StringArray{
pulumi.String(".deny.example1.com"),
pulumi.String(".deny.example2.com"),
},
PermittedUris: pulumi.StringArray{
pulumi.String(".example1.com"),
pulumi.String(".example2.com"),
},
ExcludedUris: pulumi.StringArray{
pulumi.String(".deny.example1.com"),
pulumi.String(".deny.example2.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPool;
import com.pulumi.gcp.certificateauthority.CaPoolArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var default_ = new CaPool("default", CaPoolArgs.builder()
.name("my-pool")
.location("us-central1")
.tier("ENTERPRISE")
.publishingOptions(CaPoolPublishingOptionsArgs.builder()
.publishCaCert(false)
.publishCrl(true)
.encodingFormat("PEM")
.build())
.labels(Map.of("foo", "bar"))
.issuancePolicy(CaPoolIssuancePolicyArgs.builder()
.allowedKeyTypes(
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
.signatureAlgorithm("ECDSA_P256")
.build())
.build(),
CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
.rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
.minModulusSize(5)
.maxModulusSize(10)
.build())
.build())
.maximumLifetime("50000s")
.allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
.allowCsrBasedIssuance(true)
.allowConfigBasedIssuance(true)
.build())
.identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
.allowSubjectPassthrough(true)
.allowSubjectAltNamesPassthrough(true)
.celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
.expression("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )")
.title("My title")
.build())
.build())
.baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
.aiaOcspServers("example.com")
.additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
.critical(true)
.value("asdf")
.objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
.objectIdPaths(
1,
7)
.build())
.build())
.policyIds(
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
5)
.build(),
CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
.objectIdPaths(
1,
5,
7)
.build())
.caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
.isCa(true)
.maxIssuerPathLength(10)
.build())
.keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
.baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
.digitalSignature(true)
.contentCommitment(true)
.keyEncipherment(false)
.dataEncipherment(true)
.keyAgreement(true)
.certSign(false)
.crlSign(true)
.decipherOnly(true)
.build())
.extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
.serverAuth(true)
.clientAuth(false)
.emailProtection(true)
.codeSigning(true)
.timeStamping(true)
.build())
.build())
.nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
.critical(true)
.permittedDnsNames(
"*.example1.com",
"*.example2.com")
.excludedDnsNames(
"*.deny.example1.com",
"*.deny.example2.com")
.permittedIpRanges(
"10.0.0.0/8",
"11.0.0.0/8")
.excludedIpRanges(
"10.1.1.0/24",
"11.1.1.0/24")
.permittedEmailAddresses(
".example1.com",
".example2.com")
.excludedEmailAddresses(
".deny.example1.com",
".deny.example2.com")
.permittedUris(
".example1.com",
".example2.com")
.excludedUris(
".deny.example1.com",
".deny.example2.com")
.build())
.build())
.build())
.build());
}
}Content copied to clipboard
resources:
default:
type: gcp:certificateauthority:CaPool
properties:
name: my-pool
location: us-central1
tier: ENTERPRISE
publishingOptions:
publishCaCert: false
publishCrl: true
encodingFormat: PEM
labels:
foo: bar
issuancePolicy:
allowedKeyTypes:
- ellipticCurve:
signatureAlgorithm: ECDSA_P256
- rsa:
minModulusSize: 5
maxModulusSize: 10
maximumLifetime: 50000s
allowedIssuanceModes:
allowCsrBasedIssuance: true
allowConfigBasedIssuance: true
identityConstraints:
allowSubjectPassthrough: true
allowSubjectAltNamesPassthrough: true
celExpression:
expression: subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )
title: My title
baselineValues:
aiaOcspServers:
- example.com
additionalExtensions:
- critical: true
value: asdf
objectId:
objectIdPaths:
- 1
- 7
policyIds:
- objectIdPaths:
- 1
- 5
- objectIdPaths:
- 1
- 5
- 7
caOptions:
isCa: true
maxIssuerPathLength: 10
keyUsage:
baseKeyUsage:
digitalSignature: true
contentCommitment: true
keyEncipherment: false
dataEncipherment: true
keyAgreement: true
certSign: false
crlSign: true
decipherOnly: true
extendedKeyUsage:
serverAuth: true
clientAuth: false
emailProtection: true
codeSigning: true
timeStamping: true
nameConstraints:
critical: true
permittedDnsNames:
- '*.example1.com'
- '*.example2.com'
excludedDnsNames:
- '*.deny.example1.com'
- '*.deny.example2.com'
permittedIpRanges:
- 10.0.0.0/8
- 11.0.0.0/8
excludedIpRanges:
- 10.1.1.0/24
- 11.1.1.0/24
permittedEmailAddresses:
- .example1.com
- .example2.com
excludedEmailAddresses:
- .deny.example1.com
- .deny.example2.com
permittedUris:
- .example1.com
- .example2.com
excludedUris:
- .deny.example1.com
- .deny.example2.comContent copied to clipboard
Import
CaPool can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/caPools/{{name}}{{project}}/{{location}}/{{name}}{{location}}/{{name}}When using thepulumi importcommand, CaPool can be imported using one of the formats above. For example:
$ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}}Content copied to clipboard
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}}Content copied to clipboard
$ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}}Content copied to clipboard
Constructors
Link copied to clipboard
constructor(issuancePolicy: Output<CaPoolIssuancePolicyArgs>? = null, labels: Output<Map<String, String>>? = null, location: Output<String>? = null, name: Output<String>? = null, project: Output<String>? = null, publishingOptions: Output<CaPoolPublishingOptionsArgs>? = null, tier: Output<String>? = null)
Properties
Link copied to clipboard
The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
Link copied to clipboard
Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.
Link copied to clipboard
The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.