google_privateca_certificate_authority

A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

To get more information about CertificateAuthority, see:


Example Usage - Privateca Certificate Authority Basic

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location = "us-central1"
  deletion_protection = "true"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          content_commitment = true
          key_encipherment = false
          data_encipherment = true
          key_agreement = true
          cert_sign = true
          crl_sign = true
          decipher_only = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = false
          email_protection = true
          code_signing = true
          time_stamping = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

Example Usage - Privateca Certificate Authority Subordinate

resource "google_privateca_certificate_authority" "root-ca" {
  pool = "ca-pool"
  certificate_authority_id = "my-certificate-authority-root"
  location = "us-central1"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  // Disable CA deletion related safe checks for easier cleanup.
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool = "ca-pool"
  certificate_authority_id = "my-certificate-authority-sub"
  location = "us-central1"
  deletion_protection = "true"
  subordinate_config {
    certificate_authority = google_privateca_certificate_authority.root-ca.name
  }
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-subordinate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    x509_config {
      ca_options {
        is_ca = true
        # Force the sub CA to only issue leaf certs
        max_issuer_path_length = 0
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          content_commitment = true
          key_encipherment = false
          data_encipherment = true
          key_agreement = true
          cert_sign = true
          crl_sign = true
          decipher_only = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = false
          email_protection = true
          code_signing = true
          time_stamping = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
  type = "SUBORDINATE"
}

Example Usage - Privateca Certificate Authority Byo Key

resource "google_project_service_identity" "privateca_sa" {
  service = "privateca.googleapis.com"
}

resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_signerverifier" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/cloudkms.signerVerifier"

  member = "serviceAccount:${google_project_service_identity.privateca_sa.email}"
}

resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_viewer" {
  crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"
  role          = "roles/viewer"
  member = "serviceAccount:${google_project_service_identity.privateca_sa.email}"
}

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location = "us-central1"
  deletion_protection = "true"
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }

  config  {
    subject_config  {
      subject {
        organization = "Example, Org."
        common_name  = "Example Authority"
      }
    }
    x509_config {
      ca_options {
        # is_ca *MUST* be true for certificate authorities
        is_ca = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          # cert_sign and crl_sign *MUST* be true for certificate authorities
          cert_sign = true
          crl_sign = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
      name_constraints {
        critical                  = true
        permitted_dns_names       = ["*.example.com"]
        excluded_dns_names        = ["*.deny.example.com"]
        permitted_ip_ranges       = ["10.0.0.0/8"]
        excluded_ip_ranges        = ["10.1.1.0/24"]
        permitted_email_addresses = [".example.com"]
        excluded_email_addresses  = [".deny.example.com"]
        permitted_uris            = [".example.com"]
        excluded_uris             = [".deny.example.com"]
      }
    }
  }

  depends_on = [
    google_kms_crypto_key_iam_member.privateca_sa_keyuser_signerverifier,
    google_kms_crypto_key_iam_member.privateca_sa_keyuser_viewer,
  ]
}

Example Usage - Privateca Certificate Authority Custom Ski

resource "google_privateca_certificate_authority" "default" {
  // This example assumes this pool already exists.
  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
  pool = "ca-pool"
  certificate_authority_id = "my-certificate-authority"
  location = "us-central1"
  deletion_protection = "true"
  config {
    subject_config {
      subject {
        organization = "HashiCorp"
        common_name = "my-certificate-authority"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }
    subject_key_id {
        key_id = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca"
    }
    x509_config {
      ca_options {
        is_ca = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          content_commitment = true
          key_encipherment = false
          data_encipherment = true
          key_agreement = true
          cert_sign = true
          crl_sign = true
          decipher_only = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = false
          email_protection = true
          code_signing = true
          time_stamping = true
        }
      }
    }
  }
  lifetime = "86400s"
  key_spec {
    cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
  }
}
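The subordinate example's max_issuer_path_length = 0 and the Byo Key example's name_constraints are not just recorded in the CA certificate; relying parties enforce them when they build a chain. The Go program below is an added example, not code from the provider or its documentation: it builds a self-signed CA carrying the same extensions with Go's standard library, then shows a verifier accepting a leaf for a permitted name and rejecting leaves in the excluded subtree or outside the permitted one. The key seeds, names and serial numbers are constructed for the demonstration, and Go spells a DNS constraint "example.com" where the resource takes "*.example.com".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Fixed seeds keep the example deterministic (constructed test keys); a real CA key lives in Cloud KMS, never in source.
var caKey, leafKey = ed25519.NewKeyFromSeed(make([]byte, 32)), ed25519.NewKeyFromSeed(append(make([]byte, 31), 1))
// mustCert signs tmpl under parent and parses the result; inputs are constructed, so a failure is a bug in the example.
func mustCert(tmpl, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public().(ed25519.PublicKey), signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}
// newConstrainedCA mirrors the page's examples: is_ca, cert_sign + crl_sign, path length 0 and DNS name constraints.
func newConstrainedCA() *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example, Org."}, CommonName: "Example Authority"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // lifetime = "86400s"
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // max_issuer_path_length = 0: leaf certificates only, no sub-CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:   []string{"example.com"},      // permitted_dns_names = ["*.example.com"]
		ExcludedDNSDomains:    []string{"deny.example.com"}, // excluded_dns_names = ["*.deny.example.com"]
	}
	return mustCert(tmpl, tmpl, caKey, caKey)
}
// issueAndVerify has ca sign a server certificate for dnsName and validates it with only ca trusted; Verify applies the CA's name constraints, so a name outside the permitted subtree or inside the excluded one fails despite a valid signature.
func issueAndVerify(ca *x509.Certificate, dnsName string) error {
	leaf := mustCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}, ca, leafKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}
```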

Argument Reference

The following arguments are supported:

The config block supports:

The subject_key_id block supports:

The x509_config block supports:

The additional_extensions block supports:

The object_id block supports:

The policy_ids block supports:

The ca_options block supports:

The key_usage block supports:

The base_key_usage block supports:

The extended_key_usage block supports:

The unknown_extended_key_usages block supports:

The name_constraints block supports:

The subject_config block supports:

The subject block supports:

The subject_alt_name block supports:

The key_spec block supports:

The subordinate_config block supports:

The pem_issuer_chain block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

The access_urls block contains:

Timeouts

This resource provides the following Timeouts configuration options:

Import

CertificateAuthority can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import CertificateAuthority using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}"
  to = google_privateca_certificate_authority.default
}

When using the terraform import command, CertificateAuthority can be imported using one of the formats above. For example:

$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{pool}}/{{certificate_authority_id}}

User Project Overrides

This resource supports User Project Overrides.