Add Certificate Authority Resource (Certificate Authority Service) #8233

Merged
3 changes: 3 additions & 0 deletions .changelog/4382.txt
@@ -0,0 +1,3 @@
```release-note:new-resource
`google_privateca_certificate_authority`
```
359 changes: 359 additions & 0 deletions website/docs/r/privateca_certificate_authority.html.markdown
@@ -0,0 +1,359 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Certificate Authority"
layout: "google"
page_title: "Google: google_privateca_certificate_authority"
sidebar_current: "docs-google-privateca-certificate-authority"
description: |-
A CertificateAuthority represents an individual Certificate Authority.
---

# google\_privateca\_certificate\_authority

A CertificateAuthority represents an individual Certificate Authority. A
CertificateAuthority can be used to create Certificates.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.

To get more information about CertificateAuthority, see:

* [API documentation](https://https://cloud.google.com/certificate-authority-service/docs/reference/rest)
* How-to Guides
* [Official Documentation](https://cloud.google.com/certificate-authority-service)

<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Basic


```hcl
resource "google_privateca_certificate_authority" "default" {
provider = google-beta
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
config {
subject_config {
subject {
organization = "HashiCorp"
}
common_name = "my-certificate-authority"
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
reusable_config {
reusable_config = "projects/568668481468/locations/us-central1/reusableConfigs/root-unconstrained"
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_full&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Full


```hcl
resource "google_privateca_certificate_authority" "default" {
provider = google-beta
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
tier = "DEVOPS"
config {
subject_config {
subject {
country_code = "US"
organization = "HashiCorp"
organizational_unit = "Terraform"
locality = "San Francisco"
province = "CA"
street_address = "101 2nd St #700"
postal_code = "94105"
}
common_name = "my-certificate-authority"
subject_alt_name {
dns_names = ["hashicorp.com"]
email_addresses = ["email@example.com"]
ip_addresses = ["127.0.0.1"]
uris = ["http://www.ietf.org/rfc/rfc3986.txt"]
}
}
reusable_config {
reusable_config = "projects/568668481468/locations/us-central1/reusableConfigs/root-unconstrained"
}
}
lifetime = "86400s"
issuing_options {
include_ca_cert_url = true
include_crl_access_url = false
}
key_spec {
algorithm = "EC_P256_SHA256"
}
}
```

## Argument Reference

The following arguments are supported:


* `location` -
(Required)
Location of the Certificate Authority.

* `certificate_authority_id` -
(Required)
GCP region of the Realm.

* `config` -
(Required)
The config used to create a self-signed X.509 certificate or CSR.
Structure is documented below.

* `key_spec` -
(Required)
Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
certificate. Otherwise, it is used to sign a CSR.
Structure is documented below.


The `config` block supports:

* `subject_config` -
(Required)
Specifies some of the values in a certificate that are related to the subject.
Structure is documented below.

* `reusable_config` -
(Required)
Specifies some of the values in a certificate that are related to the subject.
Structure is documented below.


The `subject_config` block supports:

* `subject` -
(Required)
Contains distinguished name fields such as the location and organization.
Structure is documented below.

* `common_name` -
(Optional)
The common name of the distinguished name.

* `subject_alt_name` -
(Optional)
The subject alternative name fields.
Structure is documented below.


The `subject` block supports:

* `country_code` -
(Optional)
The country code of the subject.

* `organization` -
(Optional)
The organization of the subject.

* `organizational_unit` -
(Optional)
The organizational unit of the subject.

* `locality` -
(Optional)
The locality or city of the subject.

* `province` -
(Optional)
The province, territory, or regional state of the subject.

* `street_address` -
(Optional)
The street address of the subject.

* `postal_code` -
(Optional)
The postal code of the subject.

The `subject_alt_name` block supports:

* `dns_names` -
(Optional)
Contains only valid, fully-qualified host names.

* `uris` -
(Optional)
Contains only valid RFC 3986 URIs.

* `email_addresses` -
(Optional)
Contains only valid RFC 2822 E-mail addresses.

* `ip_addresses` -
(Optional)
Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

The `reusable_config` block supports:

* `reusable_config` -
(Required)
A resource path to a ReusableConfig in the format
projects/*/locations/*/reusableConfigs/*.

The `key_spec` block supports:

* `algorithm` -
(Required)
The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are `SIGN_HASH_ALGORITHM_UNSPECIFIED`, `RSA_PSS_2048_SHA256`, `RSA_PSS_3072_SHA256`, `RSA_PSS_4096_SHA256`, `RSA_PKCS1_2048_SHA256`, `RSA_PKCS1_3072_SHA256`, `RSA_PKCS1_4096_SHA256`, `EC_P256_SHA256`, and `EC_P384_SHA384`.

- - -


* `type` -
(Optional)
The Type of this CertificateAuthority.
Default value is `SELF_SIGNED`.
Possible values are `SELF_SIGNED`.

* `tier` -
(Optional)
The Tier of this CertificateAuthority.
Default value is `ENTERPRISE`.
Possible values are `ENTERPRISE` and `DEVOPS`.

* `lifetime` -
(Optional)
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
"notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
fractional digits, terminated by 's'. Example: "3.5s".

* `issuing_options` -
(Optional)
Options that affect all certificates issued by a CertificateAuthority.
Structure is documented below.

* `gcs_bucket` -
(Optional)
The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named
my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be
created.

* `labels` -
(Optional)
Labels with user-defined metadata.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
"1.3kg", "count": "3" }.

* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.


The `issuing_options` block supports:

* `include_ca_cert_url` -
(Optional)
When true, includes a URL to the issuing CA certificate in the "authority
information access" X.509 extension.

* `include_crl_access_url` -
(Optional)
When true, includes a URL to the CRL corresponding to certificates issued from a
CertificateAuthority. CRLs will expire 7 days from their creation. However, we will
rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificateAuthorities/{{certificate_authority_id}}`

* `name` -
The resource name for this CertificateAuthority in the format
projects/*/locations/*/certificateAuthorities/*.

* `state` -
The State for this CertificateAuthority.

* `pem_ca_certificates` -
This CertificateAuthority's certificate chain, including the current
CertificateAuthority's certificate. Ordered such that the root issuer is the final
element (consistent with RFC 5246). For a self-signed CA, this will only list the current
CertificateAuthority's certificate.

* `access_urls` -
URLs for accessing content published by this CA, such as the CA certificate and CRLs.
Structure is documented below.

* `create_time` -
The time at which this CertificateAuthority was created.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `update_time` -
The time at which this CertificateAuthority was updated.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".


The `access_urls` block contains:

* `ca_certificate_access_url` -
The URL where this CertificateAuthority's CA certificate is published. This will only be
set for CAs that have been activated.

* `crl_access_url` -
The URL where this CertificateAuthority's CRLs are published. This will only be set for
CAs that have been activated.

## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 4 minutes.
- `update` - Default is 4 minutes.
- `delete` - Default is 4 minutes.

## Import


CertificateAuthority can be imported using any of these accepted formats:

```
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{certificate_authority_id}}
```

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
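Review bot: the argument reference for `certificate_authority_id` is wrong: "GCP region of the Realm" is a copy-paste from another resource, and it is the user-chosen last segment of the CA's resource name (`projects/*/locations/*/certificateAuthorities/*`, as the `id`, `name` and import formats in this same file show). Since the header says the file is generated by Magic Modules, the fix belongs in the upstream field description rather than here. A few more things in the same hunk: the `reusable_config` block reuses the `subject_config` text "Specifies some of the values in a certificate that are related to the subject" verbatim; it should instead say what the referenced ReusableConfig supplies, which is what `root-unconstrained` in both examples points at. The API documentation link has a doubled scheme (`https://https://cloud.google.com/...`). Both examples hard-code `projects/568668481468/locations/us-central1/reusableConfigs/root-unconstrained`; readers will copy that path verbatim, so the doc should state whose project that is and flag that a config named `root-unconstrained` is the permissive choice for a root CA. The `lifetime` example `"3.5s"` is the generic Duration comment and is meaningless for a CA certificate; a realistic value in seconds plus a note on the default when `lifetime` is omitted would help. The full example sets `include_crl_access_url = false`, which by the block's own description means issued certificates carry no CRL URL, so relying parties have no pointer for revocation checking; a one-line caveat there would avoid that being copied as a default. Smaller points: the `type` field only allows `SELF_SIGNED`, so the "Otherwise, it is used to sign a CSR" branch in `key_spec` cannot apply yet and should say so; `tier` lists `ENTERPRISE` and `DEVOPS` without saying how they differ; the `include_crl_access_url` text "we will rebuild daily" should read "the service rebuilds the CRL daily"; and the full example puts `127.0.0.1` and an e-mail address in the SAN of a CA certificate, which is unusual enough to mislead if presented without comment.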
16 changes: 16 additions & 0 deletions website/google.erb
@@ -355,6 +355,22 @@
</ul>
</li>

<li>
<a href="#">Certificate Authority</a>
<ul class="nav">
<li>
<a href="#">Resources</a>
<ul class="nav nav-auto-expand">

<li>
<a href="/docs/providers/google/r/privateca_certificate_authority.html">google_privateca_certificate_authority</a>
</li>

</ul>
</li>
</ul>
</li>

<li>
<a href="#">Cloud (Stackdriver) Logging</a>
<ul class="nav">