Certificate represents a HTTP-reachable backend for a Certificate.
resource "google_certificate_manager_certificate" "default" {
name = "dns-cert"
description = "The default cert"
scope = "EDGE_CACHE"
labels = {
env = "test"
}
managed {
domains = [
google_certificate_manager_dns_authorization.instance.domain,
google_certificate_manager_dns_authorization.instance2.domain,
]
dns_authorizations = [
google_certificate_manager_dns_authorization.instance.id,
google_certificate_manager_dns_authorization.instance2.id,
]
}
}
resource "google_certificate_manager_dns_authorization" "instance" {
name = "dns-auth"
description = "The default dnss"
domain = "subdomain.hashicorptest.com"
}
resource "google_certificate_manager_dns_authorization" "instance2" {
name = "dns-auth2"
description = "The default dnss"
domain = "subdomain2.hashicorptest.com"
}
resource "google_certificate_manager_certificate" "default" {
name = "issuance-config-cert"
description = "The default cert"
scope = "EDGE_CACHE"
managed {
domains = [
"terraform.subdomain1.com"
]
issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
}
}
# creating certificate_issuance_config to use it in the managed certificate
resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
name = "issuance-config"
description = "sample description for the certificate issuanceConfigs"
certificate_authority_config {
certificate_authority_service_config {
ca_pool = google_privateca_ca_pool.pool.id
}
}
lifetime = "1814400s"
rotation_window_percentage = 34
key_algorithm = "ECDSA_P256"
depends_on=[google_privateca_certificate_authority.ca_authority]
}
resource "google_privateca_ca_pool" "pool" {
name = "ca-pool"
location = "us-central1"
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "ca_authority" {
location = "us-central1"
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "ca-authority"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
resource "google_certificate_manager_certificate" "default" {
name = "self-managed-cert"
description = "Global cert"
scope = "ALL_REGIONS"
self_managed {
pem_certificate = file("test-fixtures/cert.pem")
pem_private_key = file("test-fixtures/private-key.pem")
}
}
resource "google_certificate_manager_certificate" "default" {
name = "self-managed-cert"
description = "Regional cert"
location = "us-central1"
self_managed {
pem_certificate = file("test-fixtures/cert.pem")
pem_private_key = file("test-fixtures/private-key.pem")
}
}
resource "google_certificate_manager_certificate" "default" {
name = "issuance-config-cert"
description = "sample google managed all_regions certificate with issuance config for terraform"
scope = "ALL_REGIONS"
managed {
domains = [
"terraform.subdomain1.com"
]
issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
}
}
# creating certificate_issuance_config to use it in the managed certificate
resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
name = "issuance-config"
description = "sample description for the certificate issuanceConfigs"
certificate_authority_config {
certificate_authority_service_config {
ca_pool = google_privateca_ca_pool.pool.id
}
}
lifetime = "1814400s"
rotation_window_percentage = 34
key_algorithm = "ECDSA_P256"
depends_on=[google_privateca_certificate_authority.ca_authority]
}
resource "google_privateca_ca_pool" "pool" {
name = "ca-pool"
location = "us-central1"
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "ca_authority" {
location = "us-central1"
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "ca-authority"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
resource "google_certificate_manager_certificate" "default" {
name = "dns-cert"
description = "The default cert"
scope = "ALL_REGIONS"
managed {
domains = [
google_certificate_manager_dns_authorization.instance.domain,
google_certificate_manager_dns_authorization.instance2.domain,
]
dns_authorizations = [
google_certificate_manager_dns_authorization.instance.id,
google_certificate_manager_dns_authorization.instance2.id,
]
}
}
resource "google_certificate_manager_dns_authorization" "instance" {
name = "dns-auth"
description = "The default dnss"
domain = "subdomain.hashicorptest.com"
}
resource "google_certificate_manager_dns_authorization" "instance2" {
name = "dns-auth2"
description = "The default dnss"
domain = "subdomain2.hashicorptest.com"
}
resource "google_certificate_manager_certificate" "default" {
name = "dns-cert"
description = "regional managed certs"
location = "us-central1"
managed {
domains = [
google_certificate_manager_dns_authorization.instance.domain,
]
dns_authorizations = [
google_certificate_manager_dns_authorization.instance.id,
]
}
}
resource "google_certificate_manager_dns_authorization" "instance" {
name = "dns-auth"
location = "us-central1"
description = "The default dnss"
domain = "subdomain.hashicorptest.com"
}
The following arguments are supported:
name
-
(Required)
A user-defined name of the certificate. Certificate names must be unique
The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter,
and all following characters must be a dash, underscore, letter or digit.description
-
(Optional)
A human-readable description of the resource.
labels
-
(Optional)
Set of label tags associated with the Certificate resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
scope
-
(Optional)
The scope of the certificate.
DEFAULT: Certificates with default scope are served from core Google data centers.
If unsure, choose this option.
EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence.
See https://cloud.google.com/vpc/docs/edge-locations.
ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs).
See https://cloud.google.com/compute/docs/regions-zones
self_managed
-
(Optional)
Certificate data for a SelfManaged Certificate.
SelfManaged Certificates are uploaded by the user. Updating such
certificates before they expire remains the user's responsibility.
Structure is documented below.
managed
-
(Optional)
Configuration and state of a Managed Certificate.
Certificate Manager provisions and renews Managed Certificates
automatically, for as long as it's authorized to do so.
Structure is documented below.
location
-
(Optional)
The Certificate Manager location. If not specified, "global" is used.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
The self_managed
block supports:
certificate_pem
-
(Optional, Deprecated)
The certificate chain in PEM-encoded form.
Leaf certificate comes first, followed by intermediate ones if any.
Note: This property is sensitive and will not be displayed in the plan.
~> Warning: certificate_pem
is deprecated and will be removed in a future major release. Use pem_certificate
instead.
private_key_pem
-
(Optional, Deprecated)
The private key of the leaf certificate in PEM-encoded form.
Note: This property is sensitive and will not be displayed in the plan.
~> Warning: private_key_pem
is deprecated and will be removed in a future major release. Use pem_private_key
instead.
pem_certificate
-
(Optional)
The certificate chain in PEM-encoded form.
Leaf certificate comes first, followed by intermediate ones if any.
pem_private_key
-
(Optional)
The private key of the leaf certificate in PEM-encoded form.
Note: This property is sensitive and will not be displayed in the plan.
domains
-
(Optional)
The domains for which a managed SSL certificate will be generated.
Wildcard domains are only supported with DNS challenge resolution
dns_authorizations
-
(Optional)
Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specificed, but not both.
issuance_config
-
(Optional)
The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects//locations//certificateIssuanceConfigs/*.
If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
Either issuanceConfig or dnsAuthorizations should be specificed, but not both.
state
-
(Output)
A state of this Managed Certificate.
provisioning_issue
-
(Output)
Information about issues with provisioning this Managed Certificate.
Structure is documented below.
authorization_attempt_info
-
(Output)
Detailed state of the latest authorization attempt for each domain
specified for this Managed Certificate.
Structure is documented below.
The provisioning_issue
block contains:
reason
-
(Output)
Reason for provisioning failures.
details
-
(Output)
Human readable explanation about the issue. Provided to help address
the configuration issues.
Not guaranteed to be stable. For programmatic access use reason
field.
The authorization_attempt_info
block contains:
domain
-
(Output)
Domain name of the authorization attempt.
state
-
(Output)
State of the domain for managed certificate issuance.
failure_reason
-
(Output)
Reason for failure of the authorization attempt for the domain.
details
-
(Output)
Human readable explanation for reaching the state. Provided to help
address the configuration issues.
Not guaranteed to be stable. For programmatic access use failure_reason
field.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/locations/{{location}}/certificates/{{name}}
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.Certificate can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/certificates/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import Certificate using one of the formats above. For example:
import {
id = "projects/{{project}}/locations/{{location}}/certificates/{{name}}"
to = google_certificate_manager_certificate.default
}
When using the terraform import
command, Certificate can be imported using one of the formats above. For example:
$ terraform import google_certificate_manager_certificate.default projects/{{project}}/locations/{{location}}/certificates/{{name}}
$ terraform import google_certificate_manager_certificate.default {{project}}/{{location}}/{{name}}
$ terraform import google_certificate_manager_certificate.default {{location}}/{{name}}
This resource supports User Project Overrides.