import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Certificate represents a HTTP-reachable backend for a Certificate. * * To get more information about Certificate, see: * * * [API documentation](https://docs.cloud.google.com/certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.certificates) * * How-to Guides * * [Official Documentation](https://docs.cloud.google.com/certificate-manager/docs/certificates) * * ## Example Usage * * ### Certificate Manager Google Managed Certificate Dns * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.certificatemanager.DnsAuthorization("instance", { * name: "dns-auth", * description: "The default dnss", * domain: "subdomain.hashicorptest.com", * }); * const instance2 = new gcp.certificatemanager.DnsAuthorization("instance2", { * name: "dns-auth2", * description: "The default dnss", * domain: "subdomain2.hashicorptest.com", * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "dns-cert", * description: "The default cert", * scope: "EDGE_CACHE", * labels: { * env: "test", * }, * managed: { * domains: [ * instance.domain, * instance2.domain, * ], * dnsAuthorizations: [ * instance.id, * instance2.id, * ], * }, * }); * ``` * ### Certificate Manager Google Managed Certificate Issuance Config * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const pool = new gcp.certificateauthority.CaPool("pool", { * name: "ca-pool", * location: "us-central1", * tier: "ENTERPRISE", * }); * const caAuthority = new gcp.certificateauthority.Authority("ca_authority", { * location: "us-central1", * pool: pool.name, * certificateAuthorityId: "ca-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * // creating certificate_issuance_config to use it in the managed certificate * const issuanceconfig = new gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig", { * name: "issuance-config", * description: "sample description for the certificate issuanceConfigs", * certificateAuthorityConfig: { * certificateAuthorityServiceConfig: { * caPool: pool.id, * }, * }, * lifetime: "1814400s", * rotationWindowPercentage: 34, * keyAlgorithm: "ECDSA_P256", * }, { * dependsOn: [caAuthority], * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "issuance-config-cert", * description: "The default cert", * scope: "EDGE_CACHE", * managed: { * domains: ["terraform.subdomain1.com"], * issuanceConfig: issuanceconfig.id, * }, * }); * ``` * ### Certificate Manager Certificate Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.certificatemanager.DnsAuthorization("instance", { * name: "dns-auth", * description: "The default dnss", * domain: "subdomain.hashicorptest.com", * }); * const instance2 = new gcp.certificatemanager.DnsAuthorization("instance2", { * name: "dns-auth2", * description: "The default dnss", * domain: "subdomain2.hashicorptest.com", * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "self-managed-cert", * description: "Global cert", * scope: "EDGE_CACHE", * managed: { * domains: [ * instance.domain, * instance2.domain, * ], * dnsAuthorizations: [ * instance.id, * instance2.id, * ], * }, * }); * ``` * ### Certificate Manager Self Managed Certificate Regional * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificatemanager.Certificate("default", { * name: "self-managed-cert", * description: "Regional cert", * location: "us-central1", * selfManaged: { * pemCertificate: std.file({ * input: "test-fixtures/cert.pem", * }).then(invoke => invoke.result), * pemPrivateKey: std.file({ * input: "test-fixtures/private-key.pem", * }).then(invoke => invoke.result), * }, * }); * ``` * ### Certificate Manager Google Managed Certificate Issuance Config All Regions * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const pool = new gcp.certificateauthority.CaPool("pool", { * name: "ca-pool", * location: "us-central1", * tier: "ENTERPRISE", * }); * const caAuthority = new gcp.certificateauthority.Authority("ca_authority", { * location: "us-central1", * pool: pool.name, * certificateAuthorityId: "ca-authority", * config: { * subjectConfig: { * subject: { * organization: "HashiCorp", * commonName: "my-certificate-authority", * }, * subjectAltName: { * dnsNames: ["hashicorp.com"], * }, * }, * x509Config: { * caOptions: { * isCa: true, * }, * keyUsage: { * baseKeyUsage: { * certSign: true, * crlSign: true, * }, * extendedKeyUsage: { * serverAuth: true, * }, * }, * }, * }, * keySpec: { * algorithm: "RSA_PKCS1_4096_SHA256", * }, * deletionProtection: false, * skipGracePeriod: true, * ignoreActiveCertificatesOnDeletion: true, * }); * // creating certificate_issuance_config to use it in the managed certificate * const issuanceconfig = new gcp.certificatemanager.CertificateIssuanceConfig("issuanceconfig", { * name: "issuance-config", * description: "sample description for the certificate issuanceConfigs", * certificateAuthorityConfig: { * certificateAuthorityServiceConfig: { * caPool: pool.id, * }, * }, * lifetime: "1814400s", * rotationWindowPercentage: 34, * keyAlgorithm: "ECDSA_P256", * }, { * dependsOn: [caAuthority], * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "issuance-config-cert", * description: "sample google managed all_regions certificate with issuance config for terraform", * scope: "ALL_REGIONS", * managed: { * domains: ["terraform.subdomain1.com"], * issuanceConfig: issuanceconfig.id, * }, * }); * ``` * ### Certificate Manager Google Managed Certificate Dns All Regions * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.certificatemanager.DnsAuthorization("instance", { * name: "dns-auth", * description: "The default dnss", * domain: "subdomain.hashicorptest.com", * }); * const instance2 = new gcp.certificatemanager.DnsAuthorization("instance2", { * name: "dns-auth2", * description: "The default dnss", * domain: "subdomain2.hashicorptest.com", * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "dns-cert", * description: "The default cert", * scope: "ALL_REGIONS", * managed: { * domains: [ * instance.domain, * instance2.domain, * ], * dnsAuthorizations: [ * instance.id, * instance2.id, * ], * }, * }); * ``` * ### Certificate Manager Google Managed Regional Certificate Dns Auth * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const instance = new gcp.certificatemanager.DnsAuthorization("instance", { * name: "dns-auth", * location: "us-central1", * description: "The default dnss", * domain: "subdomain.hashicorptest.com", * }); * const _default = new gcp.certificatemanager.Certificate("default", { * name: "dns-cert", * description: "regional managed certs", * location: "us-central1", * managed: { * domains: [instance.domain], * dnsAuthorizations: [instance.id], * }, * }); * ``` * ### Certificate Manager Client Auth Certificate * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const _default = new gcp.certificatemanager.Certificate("default", { * name: "client-auth-cert", * description: "Global cert", * scope: "CLIENT_AUTH", * selfManaged: { * pemCertificate: std.file({ * input: "test-fixtures/cert.pem", * }).then(invoke => invoke.result), * pemPrivateKey: std.file({ * input: "test-fixtures/private-key.pem", * }).then(invoke => invoke.result), * }, * }); * ``` * * ## Import * * Certificate can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/certificates/{{name}}` * * `{{project}}/{{location}}/{{name}}` * * `{{location}}/{{name}}` * * When using the `pulumi import` command, Certificate can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:certificatemanager/certificate:Certificate default projects/{{project}}/locations/{{location}}/certificates/{{name}} * $ pulumi import gcp:certificatemanager/certificate:Certificate default {{project}}/{{location}}/{{name}} * $ pulumi import gcp:certificatemanager/certificate:Certificate default {{location}}/{{name}} * ``` */ export declare class Certificate extends pulumi.CustomResource { /** * Get an existing Certificate resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: CertificateState, opts?: pulumi.CustomResourceOptions): Certificate; /** * Returns true if the given object is an instance of Certificate. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Certificate; /** * A human-readable description of the resource. */ readonly description: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Set of label tags associated with the Certificate resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The Certificate Manager location. If not specified, "global" is used. */ readonly location: pulumi.Output; /** * Configuration and state of a Managed Certificate. * Certificate Manager provisions and renews Managed Certificates * automatically, for as long as it's authorized to do so. * Structure is documented below. */ readonly managed: pulumi.Output; /** * A user-defined name of the certificate. Certificate names must be unique * The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter, * and all following characters must be a dash, underscore, letter or digit. */ readonly name: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6) */ readonly sanDnsnames: pulumi.Output; /** * The scope of the certificate. * DEFAULT: Certificates with default scope are served from core Google data centers. * If unsure, choose this option. * EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence. * See https://cloud.google.com/vpc/docs/edge-locations. * ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs). * See https://cloud.google.com/compute/docs/regions-zones. * CLIENT_AUTH: Certificates with CLIENT_AUTH scope are used by a load balancer (TLS client) to be presented to the backend (TLS server) when backend mTLS is configured. * See https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#client-certificate. */ readonly scope: pulumi.Output; /** * Certificate data for a SelfManaged Certificate. * SelfManaged Certificates are uploaded by the user. Updating such * certificates before they expire remains the user's responsibility. * Structure is documented below. */ readonly selfManaged: pulumi.Output; /** * Create a Certificate resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args?: CertificateArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Certificate resources. */ export interface CertificateState { /** * A human-readable description of the resource. */ description?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Set of label tags associated with the Certificate resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The Certificate Manager location. If not specified, "global" is used. */ location?: pulumi.Input; /** * Configuration and state of a Managed Certificate. * Certificate Manager provisions and renews Managed Certificates * automatically, for as long as it's authorized to do so. * Structure is documented below. */ managed?: pulumi.Input; /** * A user-defined name of the certificate. Certificate names must be unique * The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter, * and all following characters must be a dash, underscore, letter or digit. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The list of Subject Alternative Names of dnsName type defined in the certificate (see RFC 5280 4.2.1.6) */ sanDnsnames?: pulumi.Input[]>; /** * The scope of the certificate. * DEFAULT: Certificates with default scope are served from core Google data centers. * If unsure, choose this option. * EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence. * See https://cloud.google.com/vpc/docs/edge-locations. * ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs). * See https://cloud.google.com/compute/docs/regions-zones. * CLIENT_AUTH: Certificates with CLIENT_AUTH scope are used by a load balancer (TLS client) to be presented to the backend (TLS server) when backend mTLS is configured. * See https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#client-certificate. */ scope?: pulumi.Input; /** * Certificate data for a SelfManaged Certificate. * SelfManaged Certificates are uploaded by the user. Updating such * certificates before they expire remains the user's responsibility. * Structure is documented below. */ selfManaged?: pulumi.Input; } /** * The set of arguments for constructing a Certificate resource. */ export interface CertificateArgs { /** * A human-readable description of the resource. */ description?: pulumi.Input; /** * Set of label tags associated with the Certificate resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The Certificate Manager location. If not specified, "global" is used. */ location?: pulumi.Input; /** * Configuration and state of a Managed Certificate. * Certificate Manager provisions and renews Managed Certificates * automatically, for as long as it's authorized to do so. * Structure is documented below. */ managed?: pulumi.Input; /** * A user-defined name of the certificate. Certificate names must be unique * The name must be 1-64 characters long, and match the regular expression [a-zA-Z][a-zA-Z0-9_-]* which means the first character must be a letter, * and all following characters must be a dash, underscore, letter or digit. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The scope of the certificate. * DEFAULT: Certificates with default scope are served from core Google data centers. * If unsure, choose this option. * EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from Edge Points of Presence. * See https://cloud.google.com/vpc/docs/edge-locations. * ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs). * See https://cloud.google.com/compute/docs/regions-zones. * CLIENT_AUTH: Certificates with CLIENT_AUTH scope are used by a load balancer (TLS client) to be presented to the backend (TLS server) when backend mTLS is configured. * See https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#client-certificate. */ scope?: pulumi.Input; /** * Certificate data for a SelfManaged Certificate. * SelfManaged Certificates are uploaded by the user. Updating such * certificates before they expire remains the user's responsibility. * Structure is documented below. */ selfManaged?: pulumi.Input; }