import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage * issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the * trust anchor. * * To get more information about CaPool, see: * * * [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools) * * How-to Guides * * [Certificate Authority Service Overview](https://cloud.google.com/certificate-authority-service/docs/overview) * * ## Example Usage * * ### Privateca Capool Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.certificateauthority.CaPool("default", { * name: "my-pool", * location: "us-central1", * tier: "ENTERPRISE", * publishingOptions: { * publishCaCert: true, * publishCrl: true, * }, * labels: { * foo: "bar", * }, * }); * ``` * ### Privateca Capool All Fields * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const privatecaSa = new gcp.projects.ServiceIdentity("privateca_sa", {service: "privateca.googleapis.com"}); * const privatecaSaKeyuserEncrypterdecrypter = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_encrypterdecrypter", { * cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key", * role: "roles/cloudkms.cryptoKeyEncrypterDecrypter", * member: privatecaSa.member, * }); * const _default = new gcp.certificateauthority.CaPool("default", { * name: "my-pool", * location: "us-central1", * tier: "ENTERPRISE", * publishingOptions: { * publishCaCert: false, * publishCrl: true, * encodingFormat: "PEM", * }, * labels: { * foo: "bar", * }, * encryptionSpec: { * cloudKmsKey: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key", * }, * issuancePolicy: { * allowedKeyTypes: [ * { * ellipticCurve: { * signatureAlgorithm: "ECDSA_P256", * }, * }, * { * rsa: { * minModulusSize: "5", * maxModulusSize: "10", * }, * }, * ], * backdateDuration: "3600s", * maximumLifetime: "50000s", * allowedIssuanceModes: { * allowCsrBasedIssuance: true, * allowConfigBasedIssuance: true, * }, * identityConstraints: { * allowSubjectPassthrough: true, * allowSubjectAltNamesPassthrough: true, * celExpression: { * expression: "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )", * title: "My title", * }, * }, * baselineValues: { * aiaOcspServers: ["example.com"], * additionalExtensions: [{ * critical: true, * value: "asdf", * objectId: { * objectIdPaths: [ * 1, * 7, * ], * }, * }], * policyIds: [ * { * objectIdPaths: [ * 1, * 5, * ], * }, * { * objectIdPaths: [ * 1, * 5, * 7, * ], * }, * ], * caOptions: { * isCa: true, * maxIssuerPathLength: 10, * }, * keyUsage: { * baseKeyUsage: { * digitalSignature: true, * contentCommitment: true, * keyEncipherment: false, * dataEncipherment: true, * keyAgreement: true, * certSign: false, * crlSign: true, * decipherOnly: true, * }, * extendedKeyUsage: { * serverAuth: true, * clientAuth: false, * emailProtection: true, * codeSigning: true, * timeStamping: true, * }, * }, * nameConstraints: { * critical: true, * permittedDnsNames: [ * "*.example1.com", * "*.example2.com", * ], * excludedDnsNames: [ * "*.deny.example1.com", * "*.deny.example2.com", * ], * permittedIpRanges: [ * "10.0.0.0/8", * "11.0.0.0/8", * ], * excludedIpRanges: [ * "10.1.1.0/24", * "11.1.1.0/24", * ], * permittedEmailAddresses: [ * ".example1.com", * ".example2.com", * ], * excludedEmailAddresses: [ * ".deny.example1.com", * ".deny.example2.com", * ], * permittedUris: [ * ".example1.com", * ".example2.com", * ], * excludedUris: [ * ".deny.example1.com", * ".deny.example2.com", * ], * }, * }, * }, * }, { * dependsOn: [privatecaSaKeyuserEncrypterdecrypter], * }); * ``` * * ## Import * * CaPool can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/caPools/{{name}}` * * `{{project}}/{{location}}/{{name}}` * * `{{location}}/{{name}}` * * When using the `pulumi import` command, CaPool can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}} * $ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}} * $ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}} * ``` */ export declare class CaPool extends pulumi.CustomResource { /** * Get an existing CaPool resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: CaPoolState, opts?: pulumi.CustomResourceOptions): CaPool; /** * Returns true if the given object is an instance of CaPool. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is CaPool; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Used when customer would like to encrypt data at rest. The customer-provided key will be used * to encrypt the Subject, SubjectAltNames and PEM-encoded certificate fields. When unspecified, * customer data will remain unencrypted. * Structure is documented below. */ readonly encryptionSpec: pulumi.Output; /** * The IssuancePolicy to control how Certificates will be issued from this CaPool. * Structure is documented below. */ readonly issuancePolicy: pulumi.Output; /** * Labels with user-defined metadata. * An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": * "1.3kg", "count": "3" }. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * Location of the CaPool. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ readonly location: pulumi.Output; /** * The name for this CaPool. */ readonly name: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. * Structure is documented below. */ readonly publishingOptions: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * The Tier of this CaPool. * Possible values are: `ENTERPRISE`, `DEVOPS`. */ readonly tier: pulumi.Output; /** * Create a CaPool resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: CaPoolArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering CaPool resources. */ export interface CaPoolState { /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Used when customer would like to encrypt data at rest. The customer-provided key will be used * to encrypt the Subject, SubjectAltNames and PEM-encoded certificate fields. When unspecified, * customer data will remain unencrypted. * Structure is documented below. */ encryptionSpec?: pulumi.Input; /** * The IssuancePolicy to control how Certificates will be issued from this CaPool. * Structure is documented below. */ issuancePolicy?: pulumi.Input; /** * Labels with user-defined metadata. * An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": * "1.3kg", "count": "3" }. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Location of the CaPool. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location?: pulumi.Input; /** * The name for this CaPool. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. * Structure is documented below. */ publishingOptions?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The Tier of this CaPool. * Possible values are: `ENTERPRISE`, `DEVOPS`. */ tier?: pulumi.Input; } /** * The set of arguments for constructing a CaPool resource. */ export interface CaPoolArgs { /** * Used when customer would like to encrypt data at rest. The customer-provided key will be used * to encrypt the Subject, SubjectAltNames and PEM-encoded certificate fields. When unspecified, * customer data will remain unencrypted. * Structure is documented below. */ encryptionSpec?: pulumi.Input; /** * The IssuancePolicy to control how Certificates will be issued from this CaPool. * Structure is documented below. */ issuancePolicy?: pulumi.Input; /** * Labels with user-defined metadata. * An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": * "1.3kg", "count": "3" }. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Location of the CaPool. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location: pulumi.Input; /** * The name for this CaPool. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. * Structure is documented below. */ publishingOptions?: pulumi.Input; /** * The Tier of this CaPool. * Possible values are: `ENTERPRISE`, `DEVOPS`. */ tier: pulumi.Input; }