Certificate represents a HTTP-reachable backend for a Certificate.
To get more information about CertificateIssuanceConfig, see:
resource "google_certificate_manager_certificate_issuance_config" "default" {
name = "issuance-config"
description = "sample description for the certificate issuanceConfigs"
certificate_authority_config {
certificate_authority_service_config {
ca_pool = google_privateca_ca_pool.pool.id
}
}
lifetime = "1814400s"
rotation_window_percentage = 34
key_algorithm = "ECDSA_P256"
labels = { "name": "wrench", "count": "3" }
depends_on=[google_privateca_certificate_authority.ca_authority]
}
resource "google_privateca_ca_pool" "pool" {
name = "ca-pool"
location = "us-central1"
tier = "ENTERPRISE"
}
resource "google_privateca_certificate_authority" "ca_authority" {
location = "us-central1"
pool = google_privateca_ca_pool.pool.name
certificate_authority_id = "ca-authority"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
The following arguments are supported:
rotation_window_percentage
-
(Required)
It specifies the percentage of elapsed time of the certificate lifetime to wait before renewing the certificate.
Must be a number between 1-99, inclusive.
You must set the rotation window percentage in relation to the certificate lifetime so that certificate renewal occurs at least 7 days after
the certificate has been issued and at least 7 days before it expires.
key_algorithm
-
(Required)
Key algorithm to use when generating the private key.
Possible values are: RSA_2048
, ECDSA_P256
.
lifetime
-
(Required)
Lifetime of issued certificates. A duration in seconds with up to nine fractional digits, ending with 's'.
Example: "1814400s". Valid values are from 21 days (1814400s) to 30 days (2592000s)
certificate_authority_config
-
(Required)
The CA that issues the workload certificate. It includes the CA address, type, authentication to CA service, etc.
Structure is documented below.
name
-
(Required)
A user-defined name of the certificate issuance config.
CertificateIssuanceConfig names must be unique globally.
The certificate_authority_config
block supports:
certificate_authority_service_config
-
(Optional)
Defines a CertificateAuthorityServiceConfig.
Structure is documented below.The certificate_authority_service_config
block supports:
ca_pool
-
(Required)
A CA pool resource used to issue a certificate.
The CA pool string has a relative resource path following the form
"projects/{project}/locations/{location}/caPools/{caPool}".description
-
(Optional)
One or more paragraphs of text description of a CertificateIssuanceConfig.
labels
-
(Optional)
'Set of label tags associated with the CertificateIssuanceConfig resource.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "count": "3" }.
Note: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field effective_labels
for all of the labels present on the resource.
location
-
(Optional)
The Certificate Manager location. If not specified, "global" is used.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}
create_time
-
The creation timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
accurate to nanoseconds with up to nine fractional digits.
Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
update_time
-
The last update timestamp of a CertificateIssuanceConfig. Timestamp is in RFC3339 UTC "Zulu" format,
accurate to nanoseconds with up to nine fractional digits.
Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
terraform_labels
-
The combination of labels configured directly on the resource
and default labels configured on the provider.
effective_labels
-
All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.update
- Default is 20 minutes.delete
- Default is 20 minutes.CertificateIssuanceConfig can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import
block to import CertificateIssuanceConfig using one of the formats above. For example:
import {
id = "projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}"
to = google_certificate_manager_certificate_issuance_config.default
}
When using the terraform import
command, CertificateIssuanceConfig can be imported using one of the formats above. For example:
$ terraform import google_certificate_manager_certificate_issuance_config.default projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}
$ terraform import google_certificate_manager_certificate_issuance_config.default {{project}}/{{location}}/{{name}}
$ terraform import google_certificate_manager_certificate_issuance_config.default {{location}}/{{name}}
This resource supports User Project Overrides.