google_privateca_ca_pool

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.


Example Usage - Privateca Capool Basic

resource "google_privateca_ca_pool" "default" {
  name = "my-pool"
  location = "us-central1"
  tier = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = true
    publish_crl = true
  }
  labels = {
    foo = "bar"
  }
}

Example Usage - Privateca Capool All Fields

# Every field of the resource exercised once. The values are placeholders that
# show the schema, not a policy to copy; the comments call out where a real
# policy would differ.
resource "google_privateca_ca_pool" "default" {
  name     = "my-pool"
  location = "us-central1"
  # ENTERPRISE retains issued certificates and supports revocation and CRLs.
  tier = "ENTERPRISE"
  publishing_options {
    publish_ca_cert = false
    publish_crl     = true
    encoding_format = "PEM"
  }
  labels = {
    foo = "bar"
  }
  # The issuance policy is enforced on every certificate request that names
  # this pool, whichever CA in the pool ends up signing.
  issuance_policy {
    # Each allowed_key_types block whitelists one key type; a request with a
    # key outside this list is rejected.
    allowed_key_types {
      elliptic_curve {
        signature_algorithm = "ECDSA_P256"
      }
    }
    allowed_key_types {
      rsa {
        # Modulus sizes are in bits. 5 and 10 are schema placeholders only; a
        # real policy would use something like 2048 and 4096.
        min_modulus_size = 5
        max_modulus_size = 10
      }
    }
    # Upper bound on the validity period of any certificate issued from the
    # pool (here about 14 hours).
    maximum_lifetime = "50000s"
    allowed_issuance_modes {
      allow_csr_based_issuance    = true
      allow_config_based_issuance = true
    }
    # Passthrough controls whether the requested Subject / SANs are copied into
    # the certificate; the CEL expression must evaluate to true for a request
    # to be accepted.
    identity_constraints {
      allow_subject_passthrough           = true
      allow_subject_alt_names_passthrough = true
      cel_expression {
        expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"
        title      = "My title"
      }
    }
    # baseline_values are merged into every certificate the pool issues and
    # cannot be overridden by the request.
    baseline_values {
      # Placeholder; a real policy would use an OCSP responder URL.
      aia_ocsp_servers = ["example.com"]
      additional_extensions {
        critical = true
        # Base64-encoded DER value of the extension.
        value = "asdf"
        object_id {
          object_id_path = [1, 7]
        }
      }
      policy_ids {
        object_id_path = [1, 5]
      }
      policy_ids {
        object_id_path = [1, 5, 7]
      }
      # With is_ca = true every certificate from this pool is itself a CA
      # certificate; use is_ca = false for a pool that issues leaf certificates.
      ca_options {
        is_ca                  = true
        max_issuer_path_length = 10
      }
      key_usage {
        base_key_usage {
          digital_signature  = true
          content_commitment = true
          key_encipherment   = false
          data_encipherment  = true
          key_agreement      = true
          cert_sign          = false
          crl_sign           = true
          decipher_only      = true
        }
        extended_key_usage {
          server_auth      = true
          client_auth      = false
          email_protection = true
          code_signing     = true
          time_stamping    = true
        }
      }
      # Name constraints limit what the *holder* of the issued certificate may
      # certify, so they are meaningful only when is_ca is true.
      name_constraints {
        critical                  = true
        permitted_dns_names       = ["*.example1.com", "*.example2.com"]
        excluded_dns_names        = ["*.deny.example1.com", "*.deny.example2.com"]
        permitted_ip_ranges       = ["10.0.0.0/8", "11.0.0.0/8"]
        excluded_ip_ranges        = ["10.1.1.0/24", "11.1.1.0/24"]
        permitted_email_addresses = [".example1.com", ".example2.com"]
        excluded_email_addresses  = [".deny.example1.com", ".deny.example2.com"]
        permitted_uris            = [".example1.com", ".example2.com"]
        excluded_uris             = [".deny.example1.com", ".deny.example2.com"]
      }
    }
  }
}
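The All Fields example above exercises the schema but is deliberately permissive: it allows tiny RSA keys, both issuance modes, any DNS or email SAN, and marks every issued certificate as a CA. The following is an added example, not part of the provider documentation, of the same resource configured the way a pool that issues TLS server certificates for a single domain would normally be locked down. The pool name, location, the `example.com` domain and the 30-day lifetime are assumptions; the CEL expression uses the `san.value` field and `endsWith` function of the CA Service CEL policy syntax, which the page's own example does not show.

```hcl
# Added example: a pool restricted to short-lived TLS server leaf certificates
# for names under example.com. Names and domain are assumptions.
resource "google_privateca_ca_pool" "tls_server" {
  name     = "tls-server-pool"
  location = "us-central1"
  # ENTERPRISE keeps a record of issued certificates and supports revocation,
  # which a server-certificate pool needs.
  tier = "ENTERPRISE"

  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
    encoding_format = "PEM"
  }

  issuance_policy {
    # Only modern key types. Modulus sizes are in bits.
    allowed_key_types {
      rsa {
        min_modulus_size = 2048
        max_modulus_size = 4096
      }
    }
    allowed_key_types {
      elliptic_curve {
        signature_algorithm = "ECDSA_P256"
      }
    }
    allowed_key_types {
      elliptic_curve {
        signature_algorithm = "ECDSA_P384"
      }
    }

    # 30 days. Short-lived leaf certificates bound the window in which a
    # stolen key is useful and keep CRLs small.
    maximum_lifetime = "2592000s"

    # Require a CSR so the requester proves possession of the private key.
    # Config-based issuance accepts a bare public key and subject from the
    # caller and is disabled here.
    allowed_issuance_modes {
      allow_csr_based_issuance    = true
      allow_config_based_issuance = false
    }

    identity_constraints {
      allow_subject_passthrough           = true
      allow_subject_alt_names_passthrough = true
      # Reject any request carrying a SAN that is not a DNS name under
      # example.com (no IP, email or URI SANs, no other domains).
      cel_expression {
        title      = "DNS SANs under example.com only"
        expression = "subject_alt_names.all(san, san.type == DNS && san.value.endsWith('.example.com'))"
      }
    }

    # Baked into every certificate; the request cannot widen these.
    baseline_values {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
        }
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
}
```

Two points of design. The policy constrains names with a CEL expression rather than `name_constraints`, because the Name Constraints extension limits what the holder of the certificate may in turn certify; on a leaf certificate with `is_ca = false` it has no effect, so it belongs in a pool that issues subordinate CA certificates, not here. And the issuance policy is the only control in this resource that is evaluated per request; the pool's IAM bindings decide who may request at all, so `roles/privateca.certificateRequester` on the pool should be granted to the workload identities that need server certificates and nothing broader.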

Argument Reference

The following arguments are supported:


The issuance_policy block supports:

The allowed_key_types block supports:

The rsa block supports:

The elliptic_curve block supports:

The allowed_issuance_modes block supports:

The identity_constraints block supports:

The cel_expression block supports:

The baseline_values block supports:

The additional_extensions block supports:

The object_id block supports:

The policy_ids block supports:

The ca_options block supports:

The key_usage block supports:

The base_key_usage block supports:

The extended_key_usage block supports:

The unknown_extended_key_usages block supports:

The name_constraints block supports:

The publishing_options block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

CaPool can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import CaPool using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/caPools/{{name}}"
  to = google_privateca_ca_pool.default
}

When using the terraform import command, CaPool can be imported using one of the formats above. For example:

$ terraform import google_privateca_ca_pool.default projects/{{project}}/locations/{{location}}/caPools/{{name}}
$ terraform import google_privateca_ca_pool.default {{project}}/{{location}}/{{name}}
$ terraform import google_privateca_ca_pool.default {{location}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.