import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A Certificate corresponds to a signed X.509 certificate issued by a Certificate. * * > **Note:** The Certificate Authority that is referenced by this resource **must** be * `tier = "ENTERPRISE"` * * ## Example Usage * * ### Privateca Certificate Generated Key * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * import * as tls from "@pulumi/tls"; * * const _default = new gcp.certificateauthority.CaPool("default", { * location: "us-central1", * name: "default", * tier: "ENTERPRISE", * }); * const defaultAuthority = new gcp.certificateauthority.Authority("default", { * location: "us-central1", * pool: _default.name, * certificateAuthorityId: "my-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const certKey = new tls.PrivateKey("cert_key", {algorithm: "RSA"}); * const defaultCertificate = new gcp.certificateauthority.Certificate("default", { * location: "us-central1", * pool: _default.name, * certificateAuthority: defaultAuthority.certificateAuthorityId, * lifetime: "86000s", * name: "cert-1", * config: { * subjectConfig: { * subject: { * commonName: "san1.example.com", * countryCode: "us", * organization: "google", * organizationalUnit: "enterprise", * locality: "mountain view", * province: "california", * streetAddress: "1600 amphitheatre parkway", * }, * subjectAltName: { * emailAddresses: ["email@example.com"], * ipAddresses: ["127.0.0.1"], * uris: ["http://www.ietf.org/rfc/rfc3986.txt"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: false, * }, * }, * nameConstraints: { * critical: true, * permittedDnsNames: ["*.example.com"], * excludedDnsNames: ["*.deny.example.com"], * permittedIpRanges: ["10.0.0.0/8"], * excludedIpRanges: ["10.1.1.0/24"], * permittedEmailAddresses: [".example.com"], * excludedEmailAddresses: [".deny.example.com"], * permittedUris: [".example.com"], * excludedUris: [".deny.example.com"], * }, * }, * publicKey: { * format: "PEM", * key: std.base64encodeOutput({ * input: certKey.publicKeyPem, * }).apply(invoke => invoke.result), * }, * }, * }); * ``` * ### Privateca Certificate With Template * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificateauthority.CaPool("default", { * location: "us-central1", * name: "my-pool", * tier: "ENTERPRISE", * }); * const defaultCertificateTemplate = new gcp.certificateauthority.CertificateTemplate("default", { * location: "us-central1", * name: "my-certificate-template", * description: "An updated sample certificate template", * identityConstraints: { * allowSubjectAltNamesPassthrough: true, * allowSubjectPassthrough: true, * celExpression: { * description: "Always true", * expression: "true", * location: "any.file.anywhere", * title: "Sample expression", * }, * }, * passthroughExtensions: { * additionalExtensions: [{ * objectIdPaths: [ * 1, * 6, * ], * }], * knownExtensions: ["EXTENDED_KEY_USAGE"], * }, * predefinedValues: { * additionalExtensions: [{ * objectId: { * objectIdPaths: [ * 1, * 6, * ], * }, * value: "c3RyaW5nCg==", * critical: true, * }], * aiaOcspServers: ["string"], * caOptions: { * isCa: false, * maxIssuerPathLength: 6, * }, * keyUsage: { * baseKeyUsage: { * certSign: false, * contentCommitment: true, * crlSign: false, * dataEncipherment: true, * decipherOnly: true, * digitalSignature: true, * encipherOnly: true, * keyAgreement: true, * keyEncipherment: true, * }, * extendedKeyUsage: { * clientAuth: true, * codeSigning: true, * emailProtection: true, * ocspSigning: true, * serverAuth: true, * timeStamping: true, * }, * unknownExtendedKeyUsages: [{ * objectIdPaths: [ * 1, * 6, * ], * }], * }, * policyIds: [{ * objectIdPaths: [ * 1, * 6, * ], * }], * }, * }); * const defaultAuthority = new gcp.certificateauthority.Authority("default", { * location: "us-central1", * pool: _default.name, * certificateAuthorityId: "my-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: false, * }, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const defaultCertificate = new gcp.certificateauthority.Certificate("default", { * location: "us-central1", * pool: _default.name, * certificateAuthority: defaultAuthority.certificateAuthorityId, * name: "my-certificate", * lifetime: "860s", * pemCsr: std.file({ * input: "test-fixtures/rsa_csr.pem", * }).then(invoke => invoke.result), * certificateTemplate: defaultCertificateTemplate.id, * }); * ``` * ### Privateca Certificate Csr * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificateauthority.CaPool("default", { * location: "us-central1", * name: "my-pool", * tier: "ENTERPRISE", * }); * const defaultAuthority = new gcp.certificateauthority.Authority("default", { * location: "us-central1", * pool: _default.name, * certificateAuthorityId: "my-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: false, * }, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const defaultCertificate = new gcp.certificateauthority.Certificate("default", { * location: "us-central1", * pool: _default.name, * certificateAuthority: defaultAuthority.certificateAuthorityId, * name: "my-certificate", * lifetime: "860s", * pemCsr: std.file({ * input: "test-fixtures/rsa_csr.pem", * }).then(invoke => invoke.result), * }); * ``` * ### Privateca Certificate No Authority * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificateauthority.CaPool("default", { * location: "us-central1", * name: "my-pool", * tier: "ENTERPRISE", * }); * const defaultAuthority = new gcp.certificateauthority.Authority("default", { * location: "us-central1", * pool: _default.name, * certificateAuthorityId: "my-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * digitalSignature: true, * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * }, * lifetime: "86400s", * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const defaultCertificate = new gcp.certificateauthority.Certificate("default", { * location: "us-central1", * pool: _default.name, * name: "my-certificate", * lifetime: "860s", * config: { * subjectConfig: { * subject: { * commonName: "san1.example.com", * countryCode: "us", * organization: "google", * organizationalUnit: "enterprise", * locality: "mountain view", * province: "california", * streetAddress: "1600 amphitheatre parkway", * postalCode: "94109", * }, * }, * x509Config: { * caOptions: { * isCa: false, * }, * keyUsage: { * baseKeyUsage: { * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * publicKey: { * format: "PEM", * key: std.filebase64({ * input: "test-fixtures/rsa_public.pem", * }).then(invoke => invoke.result), * }, * }, * }, { * dependsOn: [defaultAuthority], * }); * ``` * ### Privateca Certificate Custom Ski * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificateauthority.CaPool("default", { * location: "us-central1", * name: "my-pool", * tier: "ENTERPRISE", * }); * const defaultAuthority = new gcp.certificateauthority.Authority("default", { * location: "us-central1", * pool: _default.name, * certificateAuthorityId: "my-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * digitalSignature: true, * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * }, * lifetime: "86400s", * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * const defaultCertificate = new gcp.certificateauthority.Certificate("default", { * location: "us-central1", * pool: _default.name, * name: "my-certificate", * lifetime: "860s", * config: { * subjectConfig: { * subject: { * commonName: "san1.example.com", * countryCode: "us", * organization: "google", * organizationalUnit: "enterprise", * locality: "mountain view", * province: "california", * streetAddress: "1600 amphitheatre parkway", * postalCode: "94109", * }, * }, * subjectKeyId: { * keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca", * }, * x509Config: { * caOptions: { * isCa: false, * }, * keyUsage: { * baseKeyUsage: { * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * publicKey: { * format: "PEM", * key: std.filebase64({ * input: "test-fixtures/rsa_public.pem", * }).then(invoke => invoke.result), * }, * }, * }, { * dependsOn: [defaultAuthority], * }); * ``` * * ## Import * * Certificate can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}}` * * `{{project}}/{{location}}/{{pool}}/{{name}}` * * `{{location}}/{{pool}}/{{name}}` * * When using the `pulumi import` command, Certificate can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:certificateauthority/certificate:Certificate default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificates/{{name}} * $ pulumi import gcp:certificateauthority/certificate:Certificate default {{project}}/{{location}}/{{pool}}/{{name}} * $ pulumi import gcp:certificateauthority/certificate:Certificate default {{location}}/{{pool}}/{{name}} * ``` */ export declare class Certificate extends pulumi.CustomResource { /** * Get an existing Certificate resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: CertificateState, opts?: pulumi.CustomResourceOptions): Certificate; /** * Returns true if the given object is an instance of Certificate. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Certificate; /** * The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from * a Certificate Authority with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, * argument `pool` should be set to `projects/my-project/locations/us-central1/caPools/my-pool`, argument `certificateAuthority` * should be set to `my-ca`. */ readonly certificateAuthority: pulumi.Output; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. * Structure is documented below. */ readonly certificateDescriptions: pulumi.Output; /** * The resource name for a CertificateTemplate used to issue this certificate, * in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, * the caller must have the necessary permission to use this template. If this is * omitted, no template will be used. This template must be in the same location * as the Certificate. */ readonly certificateTemplate: pulumi.Output; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ readonly config: pulumi.Output; /** * The time that this resource was created on the server. * This is in RFC3339 text format. */ readonly createTime: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * The resource name of the issuing CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. */ readonly issuerCertificateAuthority: pulumi.Output; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and * "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine * fractional digits, terminated by 's'. Example: "3.5s". */ readonly lifetime: pulumi.Output; /** * Location of the Certificate. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ readonly location: pulumi.Output; /** * The name for this Certificate. */ readonly name: pulumi.Output; /** * Output only. The pem-encoded, signed X.509 certificate. */ readonly pemCertificate: pulumi.Output; /** * The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. */ readonly pemCertificateChains: pulumi.Output; /** * Immutable. A pem-encoded X.509 certificate signing request (CSR). */ readonly pemCsr: pulumi.Output; /** * The name of the CaPool this Certificate belongs to. */ readonly pool: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is * considered revoked if and only if this field is present. * Structure is documented below. */ readonly revocationDetails: pulumi.Output; /** * Output only. The time at which this CertificateAuthority was updated. * This is in RFC3339 text format. */ readonly updateTime: pulumi.Output; /** * Create a Certificate resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: CertificateArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Certificate resources. */ export interface CertificateState { /** * The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from * a Certificate Authority with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, * argument `pool` should be set to `projects/my-project/locations/us-central1/caPools/my-pool`, argument `certificateAuthority` * should be set to `my-ca`. */ certificateAuthority?: pulumi.Input; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present. * Structure is documented below. */ certificateDescriptions?: pulumi.Input[]>; /** * The resource name for a CertificateTemplate used to issue this certificate, * in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, * the caller must have the necessary permission to use this template. If this is * omitted, no template will be used. This template must be in the same location * as the Certificate. */ certificateTemplate?: pulumi.Input; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ config?: pulumi.Input; /** * The time that this resource was created on the server. * This is in RFC3339 text format. */ createTime?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The resource name of the issuing CertificateAuthority in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`. */ issuerCertificateAuthority?: pulumi.Input; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and * "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine * fractional digits, terminated by 's'. Example: "3.5s". */ lifetime?: pulumi.Input; /** * Location of the Certificate. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location?: pulumi.Input; /** * The name for this Certificate. */ name?: pulumi.Input; /** * Output only. The pem-encoded, signed X.509 certificate. */ pemCertificate?: pulumi.Input; /** * The chain that may be used to verify the X.509 certificate. Expected to be in issuer-to-root order according to RFC 5246. */ pemCertificateChains?: pulumi.Input[]>; /** * Immutable. A pem-encoded X.509 certificate signing request (CSR). */ pemCsr?: pulumi.Input; /** * The name of the CaPool this Certificate belongs to. */ pool?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Output only. Details regarding the revocation of this Certificate. This Certificate is * considered revoked if and only if this field is present. * Structure is documented below. */ revocationDetails?: pulumi.Input[]>; /** * Output only. The time at which this CertificateAuthority was updated. * This is in RFC3339 text format. */ updateTime?: pulumi.Input; } /** * The set of arguments for constructing a Certificate resource. */ export interface CertificateArgs { /** * The Certificate Authority ID that should issue the certificate. For example, to issue a Certificate from * a Certificate Authority with resource name `projects/my-project/locations/us-central1/caPools/my-pool/certificateAuthorities/my-ca`, * argument `pool` should be set to `projects/my-project/locations/us-central1/caPools/my-pool`, argument `certificateAuthority` * should be set to `my-ca`. */ certificateAuthority?: pulumi.Input; /** * The resource name for a CertificateTemplate used to issue this certificate, * in the format `projects/*/locations/*/certificateTemplates/*`. If this is specified, * the caller must have the necessary permission to use this template. If this is * omitted, no template will be used. This template must be in the same location * as the Certificate. */ certificateTemplate?: pulumi.Input; /** * The config used to create a self-signed X.509 certificate or CSR. * Structure is documented below. */ config?: pulumi.Input; /** * Labels with user-defined metadata to apply to this resource. * * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and * "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine * fractional digits, terminated by 's'. Example: "3.5s". */ lifetime?: pulumi.Input; /** * Location of the Certificate. A full list of valid locations can be found by * running `gcloud privateca locations list`. */ location: pulumi.Input; /** * The name for this Certificate. */ name?: pulumi.Input; /** * Immutable. A pem-encoded X.509 certificate signing request (CSR). */ pemCsr?: pulumi.Input; /** * The name of the CaPool this Certificate belongs to. */ pool: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; }