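import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

// NOTE(review): the generic type arguments on pulumi.Input / pulumi.Output were missing from this
// listing (both are generic and need one). They are restored here from the field documentation and
// the otherwise unused `inputs` / `outputs` imports; confirm against the installed @pulumi/gcp version.

/**
 * Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. A certificate template can essentially become a full-fledged vertical certificate issuance framework.
 *
 * To get more information about CertificateTemplate, see:
 *
 * * [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest)
 * * How-to Guides
 *     * [Common configurations and Certificate Profiles](https://cloud.google.com/certificate-authority-service/docs/certificate-profile)
 *     * [Official Documentation](https://cloud.google.com/certificate-authority-service)
 *     * [Understanding Certificate Templates](https://cloud.google.com/certificate-authority-service/docs/certificate-template)
 *
 * ## Security notes on the examples
 *
 * The examples below show the shape of every field and are deliberately permissive:
 *
 * * `identityConstraints` sets both passthrough flags to `true` and uses the CEL expression `"true"`,
 *   so this template accepts whatever subject and subject alternative names a request carries.
 *   A template used for real issuance normally narrows the CEL expression to the names the
 *   requester is entitled to.
 * * `keyUsage` switches on almost every base and extended key usage. `predefinedValues` overwrite
 *   conflicting values in the request, so list only the usages the issued certificates need.
 * * `caOptions.isCa: false` together with `certSign: false` and `crlSign: false` keeps certificates
 *   issued through the template end-entity only. Keep those pinned unless the template is meant to
 *   issue subordinate CA certificates.
 * * `maximumLifetime: "86400s"` caps issued certificates at 24 hours.
 * * `value: "c3RyaW5nCg=="` and `aiaOcspServers: ["string"]` are placeholders, not usable values.
 *
 * ## Example Usage
 *
 * ### Privateca Template Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const _default = new gcp.certificateauthority.CertificateTemplate("default", {
 *     name: "my-template",
 *     location: "us-central1",
 *     description: "A sample certificate template",
 *     identityConstraints: {
 *         allowSubjectAltNamesPassthrough: true,
 *         allowSubjectPassthrough: true,
 *         celExpression: {
 *             description: "Always true",
 *             expression: "true",
 *             location: "any.file.anywhere",
 *             title: "Sample expression",
 *         },
 *     },
 *     maximumLifetime: "86400s",
 *     passthroughExtensions: {
 *         additionalExtensions: [{
 *             objectIdPaths: [
 *                 1,
 *                 6,
 *             ],
 *         }],
 *         knownExtensions: ["EXTENDED_KEY_USAGE"],
 *     },
 *     predefinedValues: {
 *         additionalExtensions: [{
 *             objectId: {
 *                 objectIdPaths: [
 *                     1,
 *                     6,
 *                 ],
 *             },
 *             value: "c3RyaW5nCg==",
 *             critical: true,
 *         }],
 *         aiaOcspServers: ["string"],
 *         caOptions: {
 *             isCa: false,
 *             maxIssuerPathLength: 6,
 *         },
 *         keyUsage: {
 *             baseKeyUsage: {
 *                 certSign: false,
 *                 contentCommitment: true,
 *                 crlSign: false,
 *                 dataEncipherment: true,
 *                 decipherOnly: true,
 *                 digitalSignature: true,
 *                 encipherOnly: true,
 *                 keyAgreement: true,
 *                 keyEncipherment: true,
 *             },
 *             extendedKeyUsage: {
 *                 clientAuth: true,
 *                 codeSigning: true,
 *                 emailProtection: true,
 *                 ocspSigning: true,
 *                 serverAuth: true,
 *                 timeStamping: true,
 *             },
 *             unknownExtendedKeyUsages: [{
 *                 objectIdPaths: [
 *                     1,
 *                     6,
 *                 ],
 *             }],
 *         },
 *         policyIds: [{
 *             objectIdPaths: [
 *                 1,
 *                 6,
 *             ],
 *         }],
 *     },
 *     labels: {
 *         "label-one": "value-one",
 *     },
 * });
 * ```
 * ### Privateca Template Zero Max Issuer Path Length Null Ca
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const _default = new gcp.certificateauthority.CertificateTemplate("default", {
 *     name: "my-template",
 *     location: "us-central1",
 *     description: "A sample certificate template",
 *     identityConstraints: {
 *         allowSubjectAltNamesPassthrough: true,
 *         allowSubjectPassthrough: true,
 *         celExpression: {
 *             description: "Always true",
 *             expression: "true",
 *             location: "any.file.anywhere",
 *             title: "Sample expression",
 *         },
 *     },
 *     maximumLifetime: "86400s",
 *     passthroughExtensions: {
 *         additionalExtensions: [{
 *             objectIdPaths: [
 *                 1,
 *                 6,
 *             ],
 *         }],
 *         knownExtensions: ["EXTENDED_KEY_USAGE"],
 *     },
 *     predefinedValues: {
 *         additionalExtensions: [{
 *             objectId: {
 *                 objectIdPaths: [
 *                     1,
 *                     6,
 *                 ],
 *             },
 *             value: "c3RyaW5nCg==",
 *             critical: true,
 *         }],
 *         aiaOcspServers: ["string"],
 *         caOptions: {
 *             isCa: false,
 *             nullCa: true,
 *             zeroMaxIssuerPathLength: true,
 *             maxIssuerPathLength: 0,
 *         },
 *         keyUsage: {
 *             baseKeyUsage: {
 *                 certSign: false,
 *                 contentCommitment: true,
 *                 crlSign: false,
 *                 dataEncipherment: true,
 *                 decipherOnly: true,
 *                 digitalSignature: true,
 *                 encipherOnly: true,
 *                 keyAgreement: true,
 *                 keyEncipherment: true,
 *             },
 *             extendedKeyUsage: {
 *                 clientAuth: true,
 *                 codeSigning: true,
 *                 emailProtection: true,
 *                 ocspSigning: true,
 *                 serverAuth: true,
 *                 timeStamping: true,
 *             },
 *             unknownExtendedKeyUsages: [{
 *                 objectIdPaths: [
 *                     1,
 *                     6,
 *                 ],
 *             }],
 *         },
 *         policyIds: [{
 *             objectIdPaths: [
 *                 1,
 *                 6,
 *             ],
 *         }],
 *         nameConstraints: {
 *             critical: true,
 *             permittedDnsNames: [
 *                 "*.example1.com",
 *                 "*.example2.com",
 *             ],
 *             excludedDnsNames: [
 *                 "*.deny.example1.com",
 *                 "*.deny.example2.com",
 *             ],
 *             permittedIpRanges: [
 *                 "10.0.0.0/8",
 *                 "11.0.0.0/8",
 *             ],
 *             excludedIpRanges: [
 *                 "10.1.1.0/24",
 *                 "11.1.1.0/24",
 *             ],
 *             permittedEmailAddresses: [
 *                 ".example1.com",
 *                 ".example2.com",
 *             ],
 *             excludedEmailAddresses: [
 *                 ".deny.example1.com",
 *                 ".deny.example2.com",
 *             ],
 *             permittedUris: [
 *                 ".example1.com",
 *                 ".example2.com",
 *             ],
 *             excludedUris: [
 *                 ".deny.example1.com",
 *                 ".deny.example2.com",
 *             ],
 *         },
 *     },
 *     labels: {
 *         "label-one": "value-one",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * CertificateTemplate can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}`
 * * `{{project}}/{{location}}/{{name}}`
 * * `{{location}}/{{name}}`
 *
 * When using the `pulumi import` command, CertificateTemplate can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:certificateauthority/certificateTemplate:CertificateTemplate default projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}
 * $ pulumi import gcp:certificateauthority/certificateTemplate:CertificateTemplate default {{project}}/{{location}}/{{name}}
 * $ pulumi import gcp:certificateauthority/certificateTemplate:CertificateTemplate default {{location}}/{{name}}
 * ```
 */
export declare class CertificateTemplate extends pulumi.CustomResource {
    /**
     * Get an existing CertificateTemplate resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: CertificateTemplateState, opts?: pulumi.CustomResourceOptions): CertificateTemplate;
    /**
     * Returns true if the given object is an instance of CertificateTemplate. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is CertificateTemplate;
    /**
     * Output only. The time at which this CertificateTemplate was created.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * Optional. A human-readable description of scenarios this template is intended for.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    readonly effectiveLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Optional. Describes constraints on identities that may appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.
     * In that case any limit on requested subjects and subject alternative names has to come from elsewhere,
     * for example the issuing CaPool's IssuancePolicy.
     * Structure is documented below.
     */
    readonly identityConstraints: pulumi.Output<outputs.certificateauthority.CertificateTemplateIdentityConstraints | undefined>;
    /**
     * Optional. Labels with user-defined metadata.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    readonly labels: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * The location for the resource
     */
    readonly location: pulumi.Output<string>;
    /**
     * Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
     * The examples pass a duration in seconds with an `s` suffix, e.g. `"86400s"`.
     */
    readonly maximumLifetime: pulumi.Output<string | undefined>;
    /**
     * The resource name for this CertificateTemplate in the format `projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}`.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baselineValues that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.
     * Structure is documented below.
     */
    readonly passthroughExtensions: pulumi.Output<outputs.certificateauthority.CertificateTemplatePassthroughExtensions | undefined>;
    /**
     * Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baselineValues for the same properties, the certificate issuance request will fail.
     * Because these values win over the request, this is where CA options and key usages are pinned for
     * every certificate issued through the template.
     * Structure is documented below.
     */
    readonly predefinedValues: pulumi.Output<outputs.certificateauthority.CertificateTemplatePredefinedValues | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    readonly pulumiLabels: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Output only. The time at which this CertificateTemplate was updated.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create a CertificateTemplate resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: CertificateTemplateArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering CertificateTemplate resources.
 */
export interface CertificateTemplateState {
    /**
     * Output only. The time at which this CertificateTemplate was created.
     */
    createTime?: pulumi.Input<string>;
    /**
     * Optional. A human-readable description of scenarios this template is intended for.
     */
    description?: pulumi.Input<string>;
    /**
     * All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
     */
    effectiveLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Optional. Describes constraints on identities that may appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.
     * Structure is documented below.
     */
    identityConstraints?: pulumi.Input<inputs.certificateauthority.CertificateTemplateIdentityConstraints>;
    /**
     * Optional. Labels with user-defined metadata.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the resource
     */
    location?: pulumi.Input<string>;
    /**
     * Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
     */
    maximumLifetime?: pulumi.Input<string>;
    /**
     * The resource name for this CertificateTemplate in the format `projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}`.
     */
    name?: pulumi.Input<string>;
    /**
     * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baselineValues that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.
     * Structure is documented below.
     */
    passthroughExtensions?: pulumi.Input<inputs.certificateauthority.CertificateTemplatePassthroughExtensions>;
    /**
     * Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baselineValues for the same properties, the certificate issuance request will fail.
     * Structure is documented below.
     */
    predefinedValues?: pulumi.Input<inputs.certificateauthority.CertificateTemplatePredefinedValues>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The combination of labels configured directly on the resource
     * and default labels configured on the provider.
     */
    pulumiLabels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * Output only. The time at which this CertificateTemplate was updated.
     */
    updateTime?: pulumi.Input<string>;
}

/**
 * The set of arguments for constructing a CertificateTemplate resource.
 */
export interface CertificateTemplateArgs {
    /**
     * Optional. A human-readable description of scenarios this template is intended for.
     */
    description?: pulumi.Input<string>;
    /**
     * Optional. Describes constraints on identities that may appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.
     * In that case any limit on requested subjects and subject alternative names has to come from elsewhere,
     * for example the issuing CaPool's IssuancePolicy.
     * Structure is documented below.
     */
    identityConstraints?: pulumi.Input<inputs.certificateauthority.CertificateTemplateIdentityConstraints>;
    /**
     * Optional. Labels with user-defined metadata.
     * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
     * Please refer to the field `effectiveLabels` for all of the labels present on the resource.
     */
    labels?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The location for the resource
     */
    location: pulumi.Input<string>;
    /**
     * Optional. The maximum lifetime allowed for all issued certificates that use this template. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for issued certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
     * The examples pass a duration in seconds with an `s` suffix, e.g. `"86400s"`.
     */
    maximumLifetime?: pulumi.Input<string>;
    /**
     * The resource name for this CertificateTemplate in the format `projects/{{project}}/locations/{{location}}/certificateTemplates/{{name}}`.
     */
    name?: pulumi.Input<string>;
    /**
     * Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baselineValues that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.
     * Structure is documented below.
     */
    passthroughExtensions?: pulumi.Input<inputs.certificateauthority.CertificateTemplatePassthroughExtensions>;
    /**
     * Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baselineValues for the same properties, the certificate issuance request will fail.
     * Because these values win over the request, this is where CA options and key usages are pinned for
     * every certificate issued through the template.
     * Structure is documented below.
     */
    predefinedValues?: pulumi.Input<inputs.certificateauthority.CertificateTemplatePredefinedValues>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
}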