import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A CertificateAuthority represents an individual Certificate Authority. A * CertificateAuthority can be used to create Certificates. * * To get more information about CertificateAuthority, see: * * * [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest) * * How-to Guides * * [Official Documentation](https://cloud.google.com/certificate-authority-service) * * > **Warning:** On newer versions of the provider, you must explicitly set `deletion_protection=false` * (and run `pulumi up` to write the field to state) in order to destroy a CertificateAuthority. * It is recommended to not set this field (or set it to true) until you're ready to destroy. * * ## Example Usage * * ### Privateca Certificate Authority Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.certificateauthority.Authority("default", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority", * location: "us-central1", * deletionProtection: true, * config: { * subjectConfig: { * subject: { * organization: "ACME", * commonName: "my-certificate-authority", * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * }, * }, * lifetime: `${10 * 365 * 24 * 3600}s`, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * }); * ``` * ### Privateca Certificate Authority Subordinate * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const root_ca = new gcp.certificateauthority.Authority("root-ca", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority-root", * location: "us-central1", * config: { * subjectConfig: { * subject: { * organization: "ACME", * commonName: "my-certificate-authority", * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const _default = new gcp.certificateauthority.Authority("default", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority-sub", * location: "us-central1", * deletionProtection: true, * subordinateConfig: { * certificateAuthority: root_ca.name, * }, * config: { * subjectConfig: { * subject: { * organization: "ACME", * commonName: "my-subordinate-authority", * }, * }, * x509Config: { * caOptions: { * isCa: true, * zeroMaxIssuerPathLength: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * }, * }, * lifetime: `${5 * 365 * 24 * 3600}s`, * keySpec: { * algorithm: "RSA_PKCS1_2048_SHA256", * }, * type: "SUBORDINATE", * }); * ``` * ### Privateca Certificate Authority Byo Key * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const privatecaSa = new gcp.projects.ServiceIdentity("privateca_sa", {service: "privateca.googleapis.com"}); * const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", { * cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key", * role: "roles/cloudkms.signerVerifier", * member: privatecaSa.member, * }); * const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", { * cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key", * role: "roles/viewer", * member: privatecaSa.member, * }); * const _default = new gcp.certificateauthority.Authority("default", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority", * location: "us-central1", * deletionProtection: true, * keySpec: { * cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1", * }, * config: { * subjectConfig: { * subject: { * organization: "Example, Org.", * commonName: "Example Authority", * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * nameConstraints: { * critical: true, * permittedDnsNames: ["*.example.com"], * excludedDnsNames: ["*.deny.example.com"], * permittedIpRanges: ["10.0.0.0/8"], * excludedIpRanges: ["10.1.1.0/24"], * permittedEmailAddresses: [".example.com"], * excludedEmailAddresses: [".deny.example.com"], * permittedUris: [".example.com"], * excludedUris: [".deny.example.com"], * }, * }, * }, * }, { * dependsOn: [ * privatecaSaKeyuserSignerverifier, * privatecaSaKeyuserViewer, * ], * }); * ``` * ### Privateca Certificate Authority Custom Ski * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.certificateauthority.Authority("default", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority", * location: "us-central1", * deletionProtection: true, * config: { * subjectConfig: { * subject: { * organization: "ACME", * commonName: "my-certificate-authority", * }, * }, * subjectKeyId: { * keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca", * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * }, * }, * lifetime: `${10 * 365 * 24 * 3600}s`, * keySpec: { * cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1", * }, * }); * ``` * ### Privateca Certificate Authority Basic With Custom Cdp Aia Urls * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.certificateauthority.Authority("default", { * pool: "ca-pool", * certificateAuthorityId: "my-certificate-authority", * location: "us-central1", * deletionProtection: true, * config: { * subjectConfig: { * subject: { * organization: "ACME", * commonName: "my-certificate-authority", * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: {}, * }, * }, * }, * lifetime: `${10 * 365 * 24 * 3600}s`, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * userDefinedAccessUrls: { * aiaIssuingCertificateUrls: [ * "http://example.com/ca.crt", * "http://example.com/anotherca.crt", * ], * crlAccessUrls: [ * "http://example.com/crl1.crt", * "http://example.com/crl2.crt", * ], * }, * }); * ``` * * ## Import * * CertificateAuthority can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}` * * * `{{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}` * * * `{{location}}/{{pool}}/{{certificate_authority_id}}` * * When using the `pulumi import` command, CertificateAuthority can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}} * ``` * * ```sh * $ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}} * ``` * * ```sh * $ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}} * ``` */ export declare class Authority extends pulumi.CustomResource { /** * Get an existing Authority resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: AuthorityState, opts?: pulumi.CustomResourceOptions): Authority; /** * Returns true if the given object is an instance of Authority. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Authority; /** * URLs for accessing content published by this CA, such as the CA certificate and CRLs. * Structure is documented below. */ readonly accessUrls: pulumi.Output; /** * The user provided Resource ID for this Certificate Authority. */ readonly certificateAuthorityId: pulumi.Output; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ readonly config: pulumi.Output; /** * The time at which this CertificateAuthority was created. * A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine * fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". */ readonly createTime: pulumi.Output; readonly deletionProtection: pulumi.Output; /** * Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values: * ENABLED, DISABLED, STAGED. */ readonly desiredState: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and * CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For * example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will * be created. */ readonly gcsBucket: pulumi.Output; /** * This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and * unexpired certs. Use with care. Defaults to 'false'. */ readonly ignoreActiveCertificatesOnDeletion: pulumi.Output; /** * Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority * is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA * certificate. Otherwise, it is used to sign a CSR. * Structure is documented below. */ readonly keySpec: pulumi.Output; /** * Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", * "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in * your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 * certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". */ readonly lifetime: pulumi.Output; /** * Location of the CertificateAuthority. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ readonly location: pulumi.Output; /** * The resource name for this CertificateAuthority in the format * projects/*/locations/*/certificateAuthorities/*. */ readonly name: pulumi.Output; /** * The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with * a third party issuer. */ readonly pemCaCertificate: pulumi.Output; /** * This CertificateAuthority's certificate chain, including the current * CertificateAuthority's certificate. Ordered such that the root issuer is the final * element (consistent with RFC 5246). For a self-signed CA, this will only list the current * CertificateAuthority's certificate. */ readonly pemCaCertificates: pulumi.Output; /** * The name of the CaPool this Certificate Authority belongs to. */ readonly pool: pulumi.Output; readonly project: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where * undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to * 'false'. */ readonly skipGracePeriod: pulumi.Output; /** * The State for this CertificateAuthority. */ readonly state: pulumi.Output; /** * If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which * describes its issuers. */ readonly subordinateConfig: pulumi.Output; /** * The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated * before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"] */ readonly type: pulumi.Output; /** * The time at which this CertificateAuthority was updated. * A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine * fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". */ readonly updateTime: pulumi.Output; /** * Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by * users. */ readonly userDefinedAccessUrls: pulumi.Output; /** * Create a Authority resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: AuthorityArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Authority resources. */ export interface AuthorityState { /** * URLs for accessing content published by this CA, such as the CA certificate and CRLs. * Structure is documented below. */ accessUrls?: pulumi.Input[]>; /** * The user provided Resource ID for this Certificate Authority. */ certificateAuthorityId?: pulumi.Input; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ config?: pulumi.Input; /** * The time at which this CertificateAuthority was created. * A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine * fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". */ createTime?: pulumi.Input; deletionProtection?: pulumi.Input; /** * Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values: * ENABLED, DISABLED, STAGED. */ desiredState?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and * CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For * example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will * be created. */ gcsBucket?: pulumi.Input; /** * This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and * unexpired certs. Use with care. Defaults to 'false'. */ ignoreActiveCertificatesOnDeletion?: pulumi.Input; /** * Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority * is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA * certificate. Otherwise, it is used to sign a CSR. * Structure is documented below. */ keySpec?: pulumi.Input; /** * Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", * "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in * your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 * certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". */ lifetime?: pulumi.Input; /** * Location of the CertificateAuthority. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location?: pulumi.Input; /** * The resource name for this CertificateAuthority in the format * projects/*/locations/*/certificateAuthorities/*. */ name?: pulumi.Input; /** * The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with * a third party issuer. */ pemCaCertificate?: pulumi.Input; /** * This CertificateAuthority's certificate chain, including the current * CertificateAuthority's certificate. Ordered such that the root issuer is the final * element (consistent with RFC 5246). For a self-signed CA, this will only list the current * CertificateAuthority's certificate. */ pemCaCertificates?: pulumi.Input[]>; /** * The name of the CaPool this Certificate Authority belongs to. */ pool?: pulumi.Input; project?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where * undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to * 'false'. */ skipGracePeriod?: pulumi.Input; /** * The State for this CertificateAuthority. */ state?: pulumi.Input; /** * If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which * describes its issuers. */ subordinateConfig?: pulumi.Input; /** * The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated * before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"] */ type?: pulumi.Input; /** * The time at which this CertificateAuthority was updated. * A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine * fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". */ updateTime?: pulumi.Input; /** * Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by * users. */ userDefinedAccessUrls?: pulumi.Input; } /** * The set of arguments for constructing a Authority resource. */ export interface AuthorityArgs { /** * The user provided Resource ID for this Certificate Authority. */ certificateAuthorityId: pulumi.Input; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ config: pulumi.Input; deletionProtection?: pulumi.Input; /** * Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values: * ENABLED, DISABLED, STAGED. */ desiredState?: pulumi.Input; /** * The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and * CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For * example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will * be created. */ gcsBucket?: pulumi.Input; /** * This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and * unexpired certs. Use with care. Defaults to 'false'. */ ignoreActiveCertificatesOnDeletion?: pulumi.Input; /** * Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority * is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA * certificate. Otherwise, it is used to sign a CSR. * Structure is documented below. */ keySpec: pulumi.Input; /** * Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", * "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in * your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 * certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". */ lifetime?: pulumi.Input; /** * Location of the CertificateAuthority. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location: pulumi.Input; /** * The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with * a third party issuer. */ pemCaCertificate?: pulumi.Input; /** * The name of the CaPool this Certificate Authority belongs to. */ pool: pulumi.Input; project?: pulumi.Input; /** * If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where * undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to * 'false'. */ skipGracePeriod?: pulumi.Input; /** * If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which * describes its issuers. */ subordinateConfig?: pulumi.Input; /** * The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated * before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"] */ type?: pulumi.Input; /** * Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by * users. */ userDefinedAccessUrls?: pulumi.Input; }