google_certificate_manager_certificate

Certificate represents an HTTP-reachable backend for a Certificate.


Example Usage - Certificate Manager Google Managed Certificate Dns

resource "google_certificate_manager_certificate" "default" {
  # Google-managed certificate for two domains. Domain control is presumably
  # established through the two DNS authorization resources referenced below.
  description = "The default cert"
  name        = "dns-cert"
  scope       = "EDGE_CACHE"

  labels = {
    env = "test"
  }

  managed {
    # Both lists are read from the authorization resources rather than typed
    # again, so the domain set and the authorizations cannot drift apart.
    dns_authorizations = [
      google_certificate_manager_dns_authorization.instance.id,
      google_certificate_manager_dns_authorization.instance2.id,
    ]
    domains = [
      google_certificate_manager_dns_authorization.instance.domain,
      google_certificate_manager_dns_authorization.instance2.domain,
    ]
  }
}


resource "google_certificate_manager_dns_authorization" "instance" {
  # DNS authorization for the first domain. NOTE(review): creating this
  # resource presumably only defines the challenge; the DNS record it exports
  # still has to be published in the zone before the certificate can be
  # provisioned — that step is not shown in this example.
  domain      = "subdomain.hashicorptest.com"
  name        = "dns-auth"
  description = "The default dnss"
}

resource "google_certificate_manager_dns_authorization" "instance2" {
  # DNS authorization for the second domain; same shape as "instance".
  domain      = "subdomain2.hashicorptest.com"
  name        = "dns-auth2"
  description = "The default dnss"
}

Example Usage - Certificate Manager Google Managed Certificate Issuance Config

resource "google_certificate_manager_certificate" "default" {
  # Google-managed certificate issued from a private CA instead of a public
  # one: the managed block points at an issuance config rather than at DNS
  # authorizations.
  description = "The default cert"
  name        = "issuance-config-cert"
  scope       = "EDGE_CACHE"

  managed {
    issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
    domains         = ["terraform.subdomain1.com"]
  }
}



# creating certificate_issuance_config to use it in the managed certificate
resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
  # Issuance config that binds Certificate Manager to the private CA pool
  # declared below; the managed certificate above references it by id.
  description = "sample description for the certificate issuanceConfigs"
  name        = "issuance-config"

  certificate_authority_config {
    certificate_authority_service_config {
      ca_pool = google_privateca_ca_pool.pool.id
    }
  }

  # 1814400 s is exactly 21 days. rotation_window_percentage = 34 ties renewal
  # to roughly a third of that lifetime (~7 days); confirm in the provider docs
  # whether the percentage counts elapsed or remaining lifetime.
  key_algorithm              = "ECDSA_P256"
  lifetime                   = "1814400s"
  rotation_window_percentage = 34

  # Referencing the pool only orders creation after the pool, not after the
  # CA inside it, so the authority is listed as an explicit dependency.
  depends_on = [google_privateca_certificate_authority.ca_authority]
}

resource "google_privateca_ca_pool" "pool" {
  # Regional CA pool that holds the certificate authority declared below.
  location = "us-central1"
  name     = "ca-pool"
  tier     = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "ca_authority" {
  # Private CA placed in the pool declared above. It signs with a 4096-bit RSA
  # key (SHA-256) and is marked as a CA in its own x509 options.
  certificate_authority_id = "ca-authority"
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.pool.name

  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  config {
    subject_config {
      subject {
        common_name  = "my-certificate-authority"
        organization = "HashiCorp"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }

    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        # cert_sign and crl_sign are the usages a CA certificate needs to issue
        # and revoke; server_auth is additionally listed as an extended usage.
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }

  # These three settings switch off the safeguards around destroying a CA so
  # the example can be torn down quickly. NOTE(review): leave them at their
  # defaults for any CA that issues certificates you rely on — a CA removed
  # this way takes its ability to issue and revoke with it.
  deletion_protection                    = false
  ignore_active_certificates_on_deletion = true
  skip_grace_period                      = true
}

Example Usage - Certificate Manager Self Managed Certificate

resource "google_certificate_manager_certificate" "default" {
  # Self-managed certificate: the PEM certificate and private key are supplied
  # from local files rather than issued by Google.
  description = "Global cert"
  name        = "self-managed-cert"
  scope       = "ALL_REGIONS"

  self_managed {
    # NOTE(review): the private key read here becomes a resource argument and
    # is therefore recorded in Terraform state. Restrict access to that state
    # and keep the key file out of version control outside of test fixtures.
    pem_private_key = file("test-fixtures/private-key.pem")
    pem_certificate = file("test-fixtures/cert.pem")
  }
}

Example Usage - Certificate Manager Self Managed Certificate Regional

resource "google_certificate_manager_certificate" "default" {
  # Regional variant of the self-managed certificate: a location is given
  # instead of a scope.
  description = "Regional cert"
  location    = "us-central1"
  name        = "self-managed-cert"

  self_managed {
    # NOTE(review): the private key read here becomes a resource argument and
    # is therefore recorded in Terraform state. Restrict access to that state
    # and keep the key file out of version control outside of test fixtures.
    pem_private_key = file("test-fixtures/private-key.pem")
    pem_certificate = file("test-fixtures/cert.pem")
  }
}

Example Usage - Certificate Manager Google Managed Certificate Issuance Config All Regions

resource "google_certificate_manager_certificate" "default" {
  # Same issuance-config-backed certificate as the EDGE_CACHE example, but
  # with the ALL_REGIONS scope.
  description = "sample google managed all_regions certificate with issuance config for terraform"
  name        = "issuance-config-cert"
  scope       = "ALL_REGIONS"

  managed {
    issuance_config = google_certificate_manager_certificate_issuance_config.issuanceconfig.id
    domains         = ["terraform.subdomain1.com"]
  }
}



# creating certificate_issuance_config to use it in the managed certificate
resource "google_certificate_manager_certificate_issuance_config" "issuanceconfig" {
  # Issuance config that binds Certificate Manager to the private CA pool
  # declared below; the managed certificate above references it by id.
  description = "sample description for the certificate issuanceConfigs"
  name        = "issuance-config"

  certificate_authority_config {
    certificate_authority_service_config {
      ca_pool = google_privateca_ca_pool.pool.id
    }
  }

  # 1814400 s is exactly 21 days. rotation_window_percentage = 34 ties renewal
  # to roughly a third of that lifetime (~7 days); confirm in the provider docs
  # whether the percentage counts elapsed or remaining lifetime.
  key_algorithm              = "ECDSA_P256"
  lifetime                   = "1814400s"
  rotation_window_percentage = 34

  # Referencing the pool only orders creation after the pool, not after the
  # CA inside it, so the authority is listed as an explicit dependency.
  depends_on = [google_privateca_certificate_authority.ca_authority]
}

resource "google_privateca_ca_pool" "pool" {
  # Regional CA pool that holds the certificate authority declared below.
  location = "us-central1"
  name     = "ca-pool"
  tier     = "ENTERPRISE"
}

resource "google_privateca_certificate_authority" "ca_authority" {
  # Private CA placed in the pool declared above. It signs with a 4096-bit RSA
  # key (SHA-256) and is marked as a CA in its own x509 options.
  certificate_authority_id = "ca-authority"
  location                 = "us-central1"
  pool                     = google_privateca_ca_pool.pool.name

  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }

  config {
    subject_config {
      subject {
        common_name  = "my-certificate-authority"
        organization = "HashiCorp"
      }
      subject_alt_name {
        dns_names = ["hashicorp.com"]
      }
    }

    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        # cert_sign and crl_sign are the usages a CA certificate needs to issue
        # and revoke; server_auth is additionally listed as an extended usage.
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }

  # These three settings switch off the safeguards around destroying a CA so
  # the example can be torn down quickly. NOTE(review): leave them at their
  # defaults for any CA that issues certificates you rely on — a CA removed
  # this way takes its ability to issue and revoke with it.
  deletion_protection                    = false
  ignore_active_certificates_on_deletion = true
  skip_grace_period                      = true
}

Example Usage - Certificate Manager Google Managed Certificate Dns All Regions

resource "google_certificate_manager_certificate" "default" {
  # Google-managed certificate for two domains with the ALL_REGIONS scope;
  # domain control is presumably established through the DNS authorizations
  # referenced below.
  description = "The default cert"
  name        = "dns-cert"
  scope       = "ALL_REGIONS"

  managed {
    # Both lists are read from the authorization resources rather than typed
    # again, so the domain set and the authorizations cannot drift apart.
    dns_authorizations = [
      google_certificate_manager_dns_authorization.instance.id,
      google_certificate_manager_dns_authorization.instance2.id,
    ]
    domains = [
      google_certificate_manager_dns_authorization.instance.domain,
      google_certificate_manager_dns_authorization.instance2.domain,
    ]
  }
}


resource "google_certificate_manager_dns_authorization" "instance" {
  # DNS authorization for the first domain. NOTE(review): creating this
  # resource presumably only defines the challenge; the DNS record it exports
  # still has to be published in the zone before the certificate can be
  # provisioned — that step is not shown in this example.
  domain      = "subdomain.hashicorptest.com"
  name        = "dns-auth"
  description = "The default dnss"
}

resource "google_certificate_manager_dns_authorization" "instance2" {
  # DNS authorization for the second domain; same shape as "instance".
  domain      = "subdomain2.hashicorptest.com"
  name        = "dns-auth2"
  description = "The default dnss"
}

Example Usage - Certificate Manager Google Managed Regional Certificate Dns Auth

resource "google_certificate_manager_certificate" "default" {
  # Regional Google-managed certificate: a location replaces the scope, and
  # the single DNS authorization it uses is declared in the same location.
  description = "regional managed certs"
  location    = "us-central1"
  name        = "dns-cert"

  managed {
    dns_authorizations = [google_certificate_manager_dns_authorization.instance.id]
    domains            = [google_certificate_manager_dns_authorization.instance.domain]
  }
}
resource "google_certificate_manager_dns_authorization" "instance" {
  # Regional DNS authorization; its location matches the certificate that
  # references it. NOTE(review): the DNS record this resource exports still
  # has to be published in the zone — presumably a prerequisite for
  # provisioning that this example does not show.
  domain      = "subdomain.hashicorptest.com"
  location    = "us-central1"
  name        = "dns-auth"
  description = "The default dnss"
}

Argument Reference

The following arguments are supported:


The self_managed block supports:

The managed block supports:

The provisioning_issue block contains:

The authorization_attempt_info block contains:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Certificate can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an `import` block to import a Certificate using one of the formats above. For example:

import {
  # Address the imported certificate will have in this configuration.
  to = google_certificate_manager_certificate.default

  # Full resource name of the existing certificate; {{project}}, {{location}}
  # and {{name}} are placeholders to be replaced with the real values.
  id = "projects/{{project}}/locations/{{location}}/certificates/{{name}}"
}

When using the `terraform import` command, a Certificate can be imported using one of the formats above. For example:

# Full resource name
$ terraform import google_certificate_manager_certificate.default projects/{{project}}/locations/{{location}}/certificates/{{name}}
# Short form: project/location/name
$ terraform import google_certificate_manager_certificate.default {{project}}/{{location}}/{{name}}
# Shortest form: location/name (project presumably taken from the provider configuration — confirm)
$ terraform import google_certificate_manager_certificate.default {{location}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.