1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. certificateauthority
  5. Authority
Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi

gcp.certificateauthority.Authority

Explore with Pulumi AI

gcp logo
Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi

    A CertificateAuthority represents an individual Certificate Authority. A CertificateAuthority can be used to create Certificates.

    To get more information about CertificateAuthority, see:

    Warning: On newer versions of the provider, you must explicitly set deletion_protection=false (and run pulumi up to write the field to state) in order to destroy a CertificateAuthority. It is recommended to not set this field (or set it to true) until you’re ready to destroy.

    Example Usage

    Privateca Certificate Authority Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const _default = new gcp.certificateauthority.Authority("default", {
        pool: "ca-pool",
        certificateAuthorityId: "my-certificate-authority",
        location: "us-central1",
        deletionProtection: true,
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                    maxIssuerPathLength: 10,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        contentCommitment: true,
                        keyEncipherment: false,
                        dataEncipherment: true,
                        keyAgreement: true,
                        certSign: true,
                        crlSign: true,
                        decipherOnly: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                        clientAuth: false,
                        emailProtection: true,
                        codeSigning: true,
                        timeStamping: true,
                    },
                },
            },
        },
        lifetime: "86400s",
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    default = gcp.certificateauthority.Authority("default",
        pool="ca-pool",
        certificate_authority_id="my-certificate-authority",
        location="us-central1",
        deletion_protection=True,
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    organization="HashiCorp",
                    common_name="my-certificate-authority",
                ),
                subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                    dns_names=["hashicorp.com"],
                ),
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=True,
                    max_issuer_path_length=10,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        digital_signature=True,
                        content_commitment=True,
                        key_encipherment=False,
                        data_encipherment=True,
                        key_agreement=True,
                        cert_sign=True,
                        crl_sign=True,
                        decipher_only=True,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        server_auth=True,
                        client_auth=False,
                        email_protection=True,
                        code_signing=True,
                        time_stamping=True,
                    ),
                ),
            ),
        ),
        lifetime="86400s",
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            algorithm="RSA_PKCS1_4096_SHA256",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Pool:                   pulumi.String("ca-pool"),
    			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
    			Location:               pulumi.String("us-central1"),
    			DeletionProtection:     pulumi.Bool(true),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa:                pulumi.Bool(true),
    						MaxIssuerPathLength: pulumi.Int(10),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							DigitalSignature:  pulumi.Bool(true),
    							ContentCommitment: pulumi.Bool(true),
    							KeyEncipherment:   pulumi.Bool(false),
    							DataEncipherment:  pulumi.Bool(true),
    							KeyAgreement:      pulumi.Bool(true),
    							CertSign:          pulumi.Bool(true),
    							CrlSign:           pulumi.Bool(true),
    							DecipherOnly:      pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth:      pulumi.Bool(true),
    							ClientAuth:      pulumi.Bool(false),
    							EmailProtection: pulumi.Bool(true),
    							CodeSigning:     pulumi.Bool(true),
    							TimeStamping:    pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			Lifetime: pulumi.String("86400s"),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            DeletionProtection = true,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 10,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            ContentCommitment = true,
                            KeyEncipherment = false,
                            DataEncipherment = true,
                            KeyAgreement = true,
                            CertSign = true,
                            CrlSign = true,
                            DecipherOnly = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                            ClientAuth = false,
                            EmailProtection = true,
                            CodeSigning = true,
                            TimeStamping = true,
                        },
                    },
                },
            },
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new Authority("default", AuthorityArgs.builder()
                .pool("ca-pool")
                .certificateAuthorityId("my-certificate-authority")
                .location("us-central1")
                .deletionProtection("true")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .maxIssuerPathLength(10)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .contentCommitment(true)
                                .keyEncipherment(false)
                                .dataEncipherment(true)
                                .keyAgreement(true)
                                .certSign(true)
                                .crlSign(true)
                                .decipherOnly(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .clientAuth(false)
                                .emailProtection(true)
                                .codeSigning(true)
                                .timeStamping(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .lifetime("86400s")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:Authority
        properties:
          pool: ca-pool
          certificateAuthorityId: my-certificate-authority
          location: us-central1
          deletionProtection: 'true'
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
                maxIssuerPathLength: 10
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  contentCommitment: true
                  keyEncipherment: false
                  dataEncipherment: true
                  keyAgreement: true
                  certSign: true
                  crlSign: true
                  decipherOnly: true
                extendedKeyUsage:
                  serverAuth: true
                  clientAuth: false
                  emailProtection: true
                  codeSigning: true
                  timeStamping: true
          lifetime: 86400s
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
    

    Privateca Certificate Authority Subordinate

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const root_ca = new gcp.certificateauthority.Authority("root-ca", {
        pool: "ca-pool",
        certificateAuthorityId: "my-certificate-authority-root",
        location: "us-central1",
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: false,
                    },
                },
            },
        },
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        deletionProtection: false,
        skipGracePeriod: true,
        ignoreActiveCertificatesOnDeletion: true,
    });
    const _default = new gcp.certificateauthority.Authority("default", {
        pool: "ca-pool",
        certificateAuthorityId: "my-certificate-authority-sub",
        location: "us-central1",
        deletionProtection: true,
        subordinateConfig: {
            certificateAuthority: root_ca.name,
        },
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-subordinate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                    maxIssuerPathLength: 0,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        contentCommitment: true,
                        keyEncipherment: false,
                        dataEncipherment: true,
                        keyAgreement: true,
                        certSign: true,
                        crlSign: true,
                        decipherOnly: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                        clientAuth: false,
                        emailProtection: true,
                        codeSigning: true,
                        timeStamping: true,
                    },
                },
            },
        },
        lifetime: "86400s",
        keySpec: {
            algorithm: "RSA_PKCS1_4096_SHA256",
        },
        type: "SUBORDINATE",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    root_ca = gcp.certificateauthority.Authority("root-ca",
        pool="ca-pool",
        certificate_authority_id="my-certificate-authority-root",
        location="us-central1",
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    organization="HashiCorp",
                    common_name="my-certificate-authority",
                ),
                subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                    dns_names=["hashicorp.com"],
                ),
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=True,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        cert_sign=True,
                        crl_sign=True,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        server_auth=False,
                    ),
                ),
            ),
        ),
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            algorithm="RSA_PKCS1_4096_SHA256",
        ),
        deletion_protection=False,
        skip_grace_period=True,
        ignore_active_certificates_on_deletion=True)
    default = gcp.certificateauthority.Authority("default",
        pool="ca-pool",
        certificate_authority_id="my-certificate-authority-sub",
        location="us-central1",
        deletion_protection=True,
        subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
            certificate_authority=root_ca.name,
        ),
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    organization="HashiCorp",
                    common_name="my-subordinate-authority",
                ),
                subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                    dns_names=["hashicorp.com"],
                ),
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=True,
                    max_issuer_path_length=0,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        digital_signature=True,
                        content_commitment=True,
                        key_encipherment=False,
                        data_encipherment=True,
                        key_agreement=True,
                        cert_sign=True,
                        crl_sign=True,
                        decipher_only=True,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        server_auth=True,
                        client_auth=False,
                        email_protection=True,
                        code_signing=True,
                        time_stamping=True,
                    ),
                ),
            ),
        ),
        lifetime="86400s",
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            algorithm="RSA_PKCS1_4096_SHA256",
        ),
        type="SUBORDINATE")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewAuthority(ctx, "root-ca", &certificateauthority.AuthorityArgs{
    			Pool:                   pulumi.String("ca-pool"),
    			CertificateAuthorityId: pulumi.String("my-certificate-authority-root"),
    			Location:               pulumi.String("us-central1"),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa: pulumi.Bool(true),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(false),
    						},
    					},
    				},
    			},
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			DeletionProtection:                 pulumi.Bool(false),
    			SkipGracePeriod:                    pulumi.Bool(true),
    			IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Pool:                   pulumi.String("ca-pool"),
    			CertificateAuthorityId: pulumi.String("my-certificate-authority-sub"),
    			Location:               pulumi.String("us-central1"),
    			DeletionProtection:     pulumi.Bool(true),
    			SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
    				CertificateAuthority: root_ca.Name,
    			},
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-subordinate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa:                pulumi.Bool(true),
    						MaxIssuerPathLength: pulumi.Int(0),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							DigitalSignature:  pulumi.Bool(true),
    							ContentCommitment: pulumi.Bool(true),
    							KeyEncipherment:   pulumi.Bool(false),
    							DataEncipherment:  pulumi.Bool(true),
    							KeyAgreement:      pulumi.Bool(true),
    							CertSign:          pulumi.Bool(true),
    							CrlSign:           pulumi.Bool(true),
    							DecipherOnly:      pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth:      pulumi.Bool(true),
    							ClientAuth:      pulumi.Bool(false),
    							EmailProtection: pulumi.Bool(true),
    							CodeSigning:     pulumi.Bool(true),
    							TimeStamping:    pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			Lifetime: pulumi.String("86400s"),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
    			},
    			Type: pulumi.String("SUBORDINATE"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var root_ca = new Gcp.CertificateAuthority.Authority("root-ca", new()
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority-root",
            Location = "us-central1",
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                },
            },
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            DeletionProtection = false,
            SkipGracePeriod = true,
            IgnoreActiveCertificatesOnDeletion = true,
        });
    
        var @default = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority-sub",
            Location = "us-central1",
            DeletionProtection = true,
            SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
            {
                CertificateAuthority = root_ca.Name,
            },
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-subordinate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 0,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            ContentCommitment = true,
                            KeyEncipherment = false,
                            DataEncipherment = true,
                            KeyAgreement = true,
                            CertSign = true,
                            CrlSign = true,
                            DecipherOnly = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                            ClientAuth = false,
                            EmailProtection = true,
                            CodeSigning = true,
                            TimeStamping = true,
                        },
                    },
                },
            },
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                Algorithm = "RSA_PKCS1_4096_SHA256",
            },
            Type = "SUBORDINATE",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthoritySubordinateConfigArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var root_ca = new Authority("root-ca", AuthorityArgs.builder()
                .pool("ca-pool")
                .certificateAuthorityId("my-certificate-authority-root")
                .location("us-central1")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(false)
                                .build())
                            .build())
                        .build())
                    .build())
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .deletionProtection(false)
                .skipGracePeriod(true)
                .ignoreActiveCertificatesOnDeletion(true)
                .build());
    
            var default_ = new Authority("default", AuthorityArgs.builder()
                .pool("ca-pool")
                .certificateAuthorityId("my-certificate-authority-sub")
                .location("us-central1")
                .deletionProtection("true")
                .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
                    .certificateAuthority(root_ca.name())
                    .build())
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-subordinate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .maxIssuerPathLength(0)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .contentCommitment(true)
                                .keyEncipherment(false)
                                .dataEncipherment(true)
                                .keyAgreement(true)
                                .certSign(true)
                                .crlSign(true)
                                .decipherOnly(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .clientAuth(false)
                                .emailProtection(true)
                                .codeSigning(true)
                                .timeStamping(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .lifetime("86400s")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .algorithm("RSA_PKCS1_4096_SHA256")
                    .build())
                .type("SUBORDINATE")
                .build());
    
        }
    }
    
    resources:
      root-ca:
        type: gcp:certificateauthority:Authority
        properties:
          pool: ca-pool
          certificateAuthorityId: my-certificate-authority-root
          location: us-central1
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: false
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          deletionProtection: false
          skipGracePeriod: true
          ignoreActiveCertificatesOnDeletion: true
      default:
        type: gcp:certificateauthority:Authority
        properties:
          pool: ca-pool
          certificateAuthorityId: my-certificate-authority-sub
          location: us-central1
          deletionProtection: 'true'
          subordinateConfig:
            certificateAuthority: ${["root-ca"].name}
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-subordinate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            x509Config:
              caOptions:
                isCa: true
                maxIssuerPathLength: 0
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  contentCommitment: true
                  keyEncipherment: false
                  dataEncipherment: true
                  keyAgreement: true
                  certSign: true
                  crlSign: true
                  decipherOnly: true
                extendedKeyUsage:
                  serverAuth: true
                  clientAuth: false
                  emailProtection: true
                  codeSigning: true
                  timeStamping: true
          lifetime: 86400s
          keySpec:
            algorithm: RSA_PKCS1_4096_SHA256
          type: SUBORDINATE
    

    Privateca Certificate Authority Byo Key

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const privatecaSa = new gcp.projects.ServiceIdentity("privateca_sa", {service: "privateca.googleapis.com"});
    const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", {
        cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        role: "roles/cloudkms.signerVerifier",
        member: pulumi.interpolate`serviceAccount:${privatecaSa.email}`,
    });
    const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", {
        cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        role: "roles/viewer",
        member: pulumi.interpolate`serviceAccount:${privatecaSa.email}`,
    });
    const _default = new gcp.certificateauthority.Authority("default", {
        pool: "ca-pool",
        certificateAuthorityId: "my-certificate-authority",
        location: "us-central1",
        deletionProtection: true,
        keySpec: {
            cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
        },
        config: {
            subjectConfig: {
                subject: {
                    organization: "Example, Org.",
                    commonName: "Example Authority",
                },
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                    maxIssuerPathLength: 10,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: true,
                        crlSign: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: false,
                    },
                },
                nameConstraints: {
                    critical: true,
                    permittedDnsNames: ["*.example.com"],
                    excludedDnsNames: ["*.deny.example.com"],
                    permittedIpRanges: ["10.0.0.0/8"],
                    excludedIpRanges: ["10.1.1.0/24"],
                    permittedEmailAddresses: [".example.com"],
                    excludedEmailAddresses: [".deny.example.com"],
                    permittedUris: [".example.com"],
                    excludedUris: [".deny.example.com"],
                },
            },
        },
    }, {
        dependsOn: [
            privatecaSaKeyuserSignerverifier,
            privatecaSaKeyuserViewer,
        ],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    privateca_sa = gcp.projects.ServiceIdentity("privateca_sa", service="privateca.googleapis.com")
    privateca_sa_keyuser_signerverifier = gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier",
        crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        role="roles/cloudkms.signerVerifier",
        member=privateca_sa.email.apply(lambda email: f"serviceAccount:{email}"))
    privateca_sa_keyuser_viewer = gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer",
        crypto_key_id="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
        role="roles/viewer",
        member=privateca_sa.email.apply(lambda email: f"serviceAccount:{email}"))
    default = gcp.certificateauthority.Authority("default",
        pool="ca-pool",
        certificate_authority_id="my-certificate-authority",
        location="us-central1",
        deletion_protection=True,
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            cloud_kms_key_version="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
        ),
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    organization="Example, Org.",
                    common_name="Example Authority",
                ),
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=True,
                    max_issuer_path_length=10,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        cert_sign=True,
                        crl_sign=True,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        server_auth=False,
                    ),
                ),
                name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
                    critical=True,
                    permitted_dns_names=["*.example.com"],
                    excluded_dns_names=["*.deny.example.com"],
                    permitted_ip_ranges=["10.0.0.0/8"],
                    excluded_ip_ranges=["10.1.1.0/24"],
                    permitted_email_addresses=[".example.com"],
                    excluded_email_addresses=[".deny.example.com"],
                    permitted_uris=[".example.com"],
                    excluded_uris=[".deny.example.com"],
                ),
            ),
        ),
        opts = pulumi.ResourceOptions(depends_on=[
                privateca_sa_keyuser_signerverifier,
                privateca_sa_keyuser_viewer,
            ]))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/projects"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		privatecaSa, err := projects.NewServiceIdentity(ctx, "privateca_sa", &projects.ServiceIdentityArgs{
    			Service: pulumi.String("privateca.googleapis.com"),
    		})
    		if err != nil {
    			return err
    		}
    		privatecaSaKeyuserSignerverifier, err := kms.NewCryptoKeyIAMMember(ctx, "privateca_sa_keyuser_signerverifier", &kms.CryptoKeyIAMMemberArgs{
    			CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
    			Role:        pulumi.String("roles/cloudkms.signerVerifier"),
    			Member: privatecaSa.Email.ApplyT(func(email string) (string, error) {
    				return fmt.Sprintf("serviceAccount:%v", email), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		privatecaSaKeyuserViewer, err := kms.NewCryptoKeyIAMMember(ctx, "privateca_sa_keyuser_viewer", &kms.CryptoKeyIAMMemberArgs{
    			CryptoKeyId: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key"),
    			Role:        pulumi.String("roles/viewer"),
    			Member: privatecaSa.Email.ApplyT(func(email string) (string, error) {
    				return fmt.Sprintf("serviceAccount:%v", email), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Pool:                   pulumi.String("ca-pool"),
    			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
    			Location:               pulumi.String("us-central1"),
    			DeletionProtection:     pulumi.Bool(true),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				CloudKmsKeyVersion: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"),
    			},
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("Example, Org."),
    						CommonName:   pulumi.String("Example Authority"),
    					},
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa:                pulumi.Bool(true),
    						MaxIssuerPathLength: pulumi.Int(10),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							CertSign: pulumi.Bool(true),
    							CrlSign:  pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth: pulumi.Bool(false),
    						},
    					},
    					NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
    						Critical: pulumi.Bool(true),
    						PermittedDnsNames: pulumi.StringArray{
    							pulumi.String("*.example.com"),
    						},
    						ExcludedDnsNames: pulumi.StringArray{
    							pulumi.String("*.deny.example.com"),
    						},
    						PermittedIpRanges: pulumi.StringArray{
    							pulumi.String("10.0.0.0/8"),
    						},
    						ExcludedIpRanges: pulumi.StringArray{
    							pulumi.String("10.1.1.0/24"),
    						},
    						PermittedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".example.com"),
    						},
    						ExcludedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".deny.example.com"),
    						},
    						PermittedUris: pulumi.StringArray{
    							pulumi.String(".example.com"),
    						},
    						ExcludedUris: pulumi.StringArray{
    							pulumi.String(".deny.example.com"),
    						},
    					},
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			privatecaSaKeyuserSignerverifier,
    			privatecaSaKeyuserViewer,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var privatecaSa = new Gcp.Projects.ServiceIdentity("privateca_sa", new()
        {
            Service = "privateca.googleapis.com",
        });
    
        var privatecaSaKeyuserSignerverifier = new Gcp.Kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", new()
        {
            CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
            Role = "roles/cloudkms.signerVerifier",
            Member = privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
        });
    
        var privatecaSaKeyuserViewer = new Gcp.Kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", new()
        {
            CryptoKeyId = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
            Role = "roles/viewer",
            Member = privatecaSa.Email.Apply(email => $"serviceAccount:{email}"),
        });
    
        var @default = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            DeletionProtection = true,
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                CloudKmsKeyVersion = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
            },
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "Example, Org.",
                        CommonName = "Example Authority",
                    },
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 10,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            CertSign = true,
                            CrlSign = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = false,
                        },
                    },
                    NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
                    {
                        Critical = true,
                        PermittedDnsNames = new[]
                        {
                            "*.example.com",
                        },
                        ExcludedDnsNames = new[]
                        {
                            "*.deny.example.com",
                        },
                        PermittedIpRanges = new[]
                        {
                            "10.0.0.0/8",
                        },
                        ExcludedIpRanges = new[]
                        {
                            "10.1.1.0/24",
                        },
                        PermittedEmailAddresses = new[]
                        {
                            ".example.com",
                        },
                        ExcludedEmailAddresses = new[]
                        {
                            ".deny.example.com",
                        },
                        PermittedUris = new[]
                        {
                            ".example.com",
                        },
                        ExcludedUris = new[]
                        {
                            ".deny.example.com",
                        },
                    },
                },
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                privatecaSaKeyuserSignerverifier,
                privatecaSaKeyuserViewer,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.projects.ServiceIdentity;
    import com.pulumi.gcp.projects.ServiceIdentityArgs;
    import com.pulumi.gcp.kms.CryptoKeyIAMMember;
    import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigNameConstraintsArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var privatecaSa = new ServiceIdentity("privatecaSa", ServiceIdentityArgs.builder()
                .service("privateca.googleapis.com")
                .build());
    
            var privatecaSaKeyuserSignerverifier = new CryptoKeyIAMMember("privatecaSaKeyuserSignerverifier", CryptoKeyIAMMemberArgs.builder()
                .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
                .role("roles/cloudkms.signerVerifier")
                .member(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
                .build());
    
            var privatecaSaKeyuserViewer = new CryptoKeyIAMMember("privatecaSaKeyuserViewer", CryptoKeyIAMMemberArgs.builder()
                .cryptoKeyId("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key")
                .role("roles/viewer")
                .member(privatecaSa.email().applyValue(email -> String.format("serviceAccount:%s", email)))
                .build());
    
            var default_ = new Authority("default", AuthorityArgs.builder()
                .pool("ca-pool")
                .certificateAuthorityId("my-certificate-authority")
                .location("us-central1")
                .deletionProtection("true")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                    .build())
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("Example, Org.")
                            .commonName("Example Authority")
                            .build())
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .maxIssuerPathLength(10)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .certSign(true)
                                .crlSign(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(false)
                                .build())
                            .build())
                        .nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
                            .critical(true)
                            .permittedDnsNames("*.example.com")
                            .excludedDnsNames("*.deny.example.com")
                            .permittedIpRanges("10.0.0.0/8")
                            .excludedIpRanges("10.1.1.0/24")
                            .permittedEmailAddresses(".example.com")
                            .excludedEmailAddresses(".deny.example.com")
                            .permittedUris(".example.com")
                            .excludedUris(".deny.example.com")
                            .build())
                        .build())
                    .build())
                .build(), CustomResourceOptions.builder()
                    .dependsOn(                
                        privatecaSaKeyuserSignerverifier,
                        privatecaSaKeyuserViewer)
                    .build());
    
        }
    }
    
    resources:
      privatecaSa:
        type: gcp:projects:ServiceIdentity
        name: privateca_sa
        properties:
          service: privateca.googleapis.com
      privatecaSaKeyuserSignerverifier:
        type: gcp:kms:CryptoKeyIAMMember
        name: privateca_sa_keyuser_signerverifier
        properties:
          cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
          role: roles/cloudkms.signerVerifier
          member: serviceAccount:${privatecaSa.email}
      privatecaSaKeyuserViewer:
        type: gcp:kms:CryptoKeyIAMMember
        name: privateca_sa_keyuser_viewer
        properties:
          cryptoKeyId: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key
          role: roles/viewer
          member: serviceAccount:${privatecaSa.email}
      default:
        type: gcp:certificateauthority:Authority
        properties:
          pool: ca-pool
          certificateAuthorityId: my-certificate-authority
          location: us-central1
          deletionProtection: 'true'
          keySpec:
            cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
          config:
            subjectConfig:
              subject:
                organization: Example, Org.
                commonName: Example Authority
            x509Config:
              caOptions:
                isCa: true
                maxIssuerPathLength: 10
              keyUsage:
                baseKeyUsage:
                  certSign: true
                  crlSign: true
                extendedKeyUsage:
                  serverAuth: false
              nameConstraints:
                critical: true
                permittedDnsNames:
                  - '*.example.com'
                excludedDnsNames:
                  - '*.deny.example.com'
                permittedIpRanges:
                  - 10.0.0.0/8
                excludedIpRanges:
                  - 10.1.1.0/24
                permittedEmailAddresses:
                  - .example.com
                excludedEmailAddresses:
                  - .deny.example.com
                permittedUris:
                  - .example.com
                excludedUris:
                  - .deny.example.com
        options:
          dependson:
            - ${privatecaSaKeyuserSignerverifier}
            - ${privatecaSaKeyuserViewer}
    

    Privateca Certificate Authority Custom Ski

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const _default = new gcp.certificateauthority.Authority("default", {
        pool: "ca-pool",
        certificateAuthorityId: "my-certificate-authority",
        location: "us-central1",
        deletionProtection: true,
        config: {
            subjectConfig: {
                subject: {
                    organization: "HashiCorp",
                    commonName: "my-certificate-authority",
                },
                subjectAltName: {
                    dnsNames: ["hashicorp.com"],
                },
            },
            subjectKeyId: {
                keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
            },
            x509Config: {
                caOptions: {
                    isCa: true,
                    maxIssuerPathLength: 10,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        contentCommitment: true,
                        keyEncipherment: false,
                        dataEncipherment: true,
                        keyAgreement: true,
                        certSign: true,
                        crlSign: true,
                        decipherOnly: true,
                    },
                    extendedKeyUsage: {
                        serverAuth: true,
                        clientAuth: false,
                        emailProtection: true,
                        codeSigning: true,
                        timeStamping: true,
                    },
                },
            },
        },
        lifetime: "86400s",
        keySpec: {
            cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
        },
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    default = gcp.certificateauthority.Authority("default",
        pool="ca-pool",
        certificate_authority_id="my-certificate-authority",
        location="us-central1",
        deletion_protection=True,
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    organization="HashiCorp",
                    common_name="my-certificate-authority",
                ),
                subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                    dns_names=["hashicorp.com"],
                ),
            ),
            subject_key_id=gcp.certificateauthority.AuthorityConfigSubjectKeyIdArgs(
                key_id="4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=True,
                    max_issuer_path_length=10,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        digital_signature=True,
                        content_commitment=True,
                        key_encipherment=False,
                        data_encipherment=True,
                        key_agreement=True,
                        cert_sign=True,
                        crl_sign=True,
                        decipher_only=True,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        server_auth=True,
                        client_auth=False,
                        email_protection=True,
                        code_signing=True,
                        time_stamping=True,
                    ),
                ),
            ),
        ),
        lifetime="86400s",
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            cloud_kms_key_version="projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewAuthority(ctx, "default", &certificateauthority.AuthorityArgs{
    			Pool:                   pulumi.String("ca-pool"),
    			CertificateAuthorityId: pulumi.String("my-certificate-authority"),
    			Location:               pulumi.String("us-central1"),
    			DeletionProtection:     pulumi.Bool(true),
    			Config: &certificateauthority.AuthorityConfigArgs{
    				SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    					Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    						Organization: pulumi.String("HashiCorp"),
    						CommonName:   pulumi.String("my-certificate-authority"),
    					},
    					SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    						DnsNames: pulumi.StringArray{
    							pulumi.String("hashicorp.com"),
    						},
    					},
    				},
    				SubjectKeyId: &certificateauthority.AuthorityConfigSubjectKeyIdArgs{
    					KeyId: pulumi.String("4cf3372289b1d411b999dbb9ebcd44744b6b2fca"),
    				},
    				X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    					CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    						IsCa:                pulumi.Bool(true),
    						MaxIssuerPathLength: pulumi.Int(10),
    					},
    					KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    							DigitalSignature:  pulumi.Bool(true),
    							ContentCommitment: pulumi.Bool(true),
    							KeyEncipherment:   pulumi.Bool(false),
    							DataEncipherment:  pulumi.Bool(true),
    							KeyAgreement:      pulumi.Bool(true),
    							CertSign:          pulumi.Bool(true),
    							CrlSign:           pulumi.Bool(true),
    							DecipherOnly:      pulumi.Bool(true),
    						},
    						ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    							ServerAuth:      pulumi.Bool(true),
    							ClientAuth:      pulumi.Bool(false),
    							EmailProtection: pulumi.Bool(true),
    							CodeSigning:     pulumi.Bool(true),
    							TimeStamping:    pulumi.Bool(true),
    						},
    					},
    				},
    			},
    			Lifetime: pulumi.String("86400s"),
    			KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    				CloudKmsKeyVersion: pulumi.String("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.Authority("default", new()
        {
            Pool = "ca-pool",
            CertificateAuthorityId = "my-certificate-authority",
            Location = "us-central1",
            DeletionProtection = true,
            Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
            {
                SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
                {
                    Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                    {
                        Organization = "HashiCorp",
                        CommonName = "my-certificate-authority",
                    },
                    SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                    {
                        DnsNames = new[]
                        {
                            "hashicorp.com",
                        },
                    },
                },
                SubjectKeyId = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectKeyIdArgs
                {
                    KeyId = "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
                },
                X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
                {
                    CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 10,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            ContentCommitment = true,
                            KeyEncipherment = false,
                            DataEncipherment = true,
                            KeyAgreement = true,
                            CertSign = true,
                            CrlSign = true,
                            DecipherOnly = true,
                        },
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                            ClientAuth = false,
                            EmailProtection = true,
                            CodeSigning = true,
                            TimeStamping = true,
                        },
                    },
                },
            },
            Lifetime = "86400s",
            KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
            {
                CloudKmsKeyVersion = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.Authority;
    import com.pulumi.gcp.certificateauthority.AuthorityArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectKeyIdArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new Authority("default", AuthorityArgs.builder()
                .pool("ca-pool")
                .certificateAuthorityId("my-certificate-authority")
                .location("us-central1")
                .deletionProtection("true")
                .config(AuthorityConfigArgs.builder()
                    .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                        .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                            .organization("HashiCorp")
                            .commonName("my-certificate-authority")
                            .build())
                        .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                            .dnsNames("hashicorp.com")
                            .build())
                        .build())
                    .subjectKeyId(AuthorityConfigSubjectKeyIdArgs.builder()
                        .keyId("4cf3372289b1d411b999dbb9ebcd44744b6b2fca")
                        .build())
                    .x509Config(AuthorityConfigX509ConfigArgs.builder()
                        .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                            .isCa(true)
                            .maxIssuerPathLength(10)
                            .build())
                        .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                            .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .contentCommitment(true)
                                .keyEncipherment(false)
                                .dataEncipherment(true)
                                .keyAgreement(true)
                                .certSign(true)
                                .crlSign(true)
                                .decipherOnly(true)
                                .build())
                            .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .clientAuth(false)
                                .emailProtection(true)
                                .codeSigning(true)
                                .timeStamping(true)
                                .build())
                            .build())
                        .build())
                    .build())
                .lifetime("86400s")
                .keySpec(AuthorityKeySpecArgs.builder()
                    .cloudKmsKeyVersion("projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1")
                    .build())
                .build());
    
        }
    }
    
    resources:
      default:
        type: gcp:certificateauthority:Authority
        properties:
          pool: ca-pool
          certificateAuthorityId: my-certificate-authority
          location: us-central1
          deletionProtection: 'true'
          config:
            subjectConfig:
              subject:
                organization: HashiCorp
                commonName: my-certificate-authority
              subjectAltName:
                dnsNames:
                  - hashicorp.com
            subjectKeyId:
              keyId: 4cf3372289b1d411b999dbb9ebcd44744b6b2fca
            x509Config:
              caOptions:
                isCa: true
                maxIssuerPathLength: 10
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  contentCommitment: true
                  keyEncipherment: false
                  dataEncipherment: true
                  keyAgreement: true
                  certSign: true
                  crlSign: true
                  decipherOnly: true
                extendedKeyUsage:
                  serverAuth: true
                  clientAuth: false
                  emailProtection: true
                  codeSigning: true
                  timeStamping: true
          lifetime: 86400s
          keySpec:
            cloudKmsKeyVersion: projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1
    

    Create Authority Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Authority(name: string, args: AuthorityArgs, opts?: CustomResourceOptions);
    @overload
    def Authority(resource_name: str,
                  args: AuthorityArgs,
                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def Authority(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  key_spec: Optional[AuthorityKeySpecArgs] = None,
                  config: Optional[AuthorityConfigArgs] = None,
                  pool: Optional[str] = None,
                  location: Optional[str] = None,
                  certificate_authority_id: Optional[str] = None,
                  lifetime: Optional[str] = None,
                  ignore_active_certificates_on_deletion: Optional[bool] = None,
                  labels: Optional[Mapping[str, str]] = None,
                  gcs_bucket: Optional[str] = None,
                  desired_state: Optional[str] = None,
                  pem_ca_certificate: Optional[str] = None,
                  deletion_protection: Optional[bool] = None,
                  project: Optional[str] = None,
                  skip_grace_period: Optional[bool] = None,
                  subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
                  type: Optional[str] = None)
    func NewAuthority(ctx *Context, name string, args AuthorityArgs, opts ...ResourceOption) (*Authority, error)
    public Authority(string name, AuthorityArgs args, CustomResourceOptions? opts = null)
    public Authority(String name, AuthorityArgs args)
    public Authority(String name, AuthorityArgs args, CustomResourceOptions options)
    
    type: gcp:certificateauthority:Authority
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args AuthorityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthorityArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthorityArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthorityArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthorityArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var authorityResource = new Gcp.CertificateAuthority.Authority("authorityResource", new()
    {
        KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
        {
            Algorithm = "string",
            CloudKmsKeyVersion = "string",
        },
        Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
        {
            SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
            {
                Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
                {
                    CommonName = "string",
                    Organization = "string",
                    CountryCode = "string",
                    Locality = "string",
                    OrganizationalUnit = "string",
                    PostalCode = "string",
                    Province = "string",
                    StreetAddress = "string",
                },
                SubjectAltName = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectAltNameArgs
                {
                    DnsNames = new[]
                    {
                        "string",
                    },
                    EmailAddresses = new[]
                    {
                        "string",
                    },
                    IpAddresses = new[]
                    {
                        "string",
                    },
                    Uris = new[]
                    {
                        "string",
                    },
                },
            },
            X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
            {
                CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
                {
                    IsCa = false,
                    MaxIssuerPathLength = 0,
                    NonCa = false,
                    ZeroMaxIssuerPathLength = false,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = false,
                        ContentCommitment = false,
                        CrlSign = false,
                        DataEncipherment = false,
                        DecipherOnly = false,
                        DigitalSignature = false,
                        EncipherOnly = false,
                        KeyAgreement = false,
                        KeyEncipherment = false,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
                    {
                        ClientAuth = false,
                        CodeSigning = false,
                        EmailProtection = false,
                        OcspSigning = false,
                        ServerAuth = false,
                        TimeStamping = false,
                    },
                    UnknownExtendedKeyUsages = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                    },
                },
                AdditionalExtensions = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigAdditionalExtensionArgs
                    {
                        Critical = false,
                        ObjectId = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                        Value = "string",
                    },
                },
                AiaOcspServers = new[]
                {
                    "string",
                },
                NameConstraints = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigNameConstraintsArgs
                {
                    Critical = false,
                    ExcludedDnsNames = new[]
                    {
                        "string",
                    },
                    ExcludedEmailAddresses = new[]
                    {
                        "string",
                    },
                    ExcludedIpRanges = new[]
                    {
                        "string",
                    },
                    ExcludedUris = new[]
                    {
                        "string",
                    },
                    PermittedDnsNames = new[]
                    {
                        "string",
                    },
                    PermittedEmailAddresses = new[]
                    {
                        "string",
                    },
                    PermittedIpRanges = new[]
                    {
                        "string",
                    },
                    PermittedUris = new[]
                    {
                        "string",
                    },
                },
                PolicyIds = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigPolicyIdArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            0,
                        },
                    },
                },
            },
            SubjectKeyId = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectKeyIdArgs
            {
                KeyId = "string",
            },
        },
        Pool = "string",
        Location = "string",
        CertificateAuthorityId = "string",
        Lifetime = "string",
        IgnoreActiveCertificatesOnDeletion = false,
        Labels = 
        {
            { "string", "string" },
        },
        GcsBucket = "string",
        DesiredState = "string",
        PemCaCertificate = "string",
        DeletionProtection = false,
        Project = "string",
        SkipGracePeriod = false,
        SubordinateConfig = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigArgs
        {
            CertificateAuthority = "string",
            PemIssuerChain = new Gcp.CertificateAuthority.Inputs.AuthoritySubordinateConfigPemIssuerChainArgs
            {
                PemCertificates = new[]
                {
                    "string",
                },
            },
        },
        Type = "string",
    });
    
    example, err := certificateauthority.NewAuthority(ctx, "authorityResource", &certificateauthority.AuthorityArgs{
    	KeySpec: &certificateauthority.AuthorityKeySpecArgs{
    		Algorithm:          pulumi.String("string"),
    		CloudKmsKeyVersion: pulumi.String("string"),
    	},
    	Config: &certificateauthority.AuthorityConfigArgs{
    		SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
    			Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
    				CommonName:         pulumi.String("string"),
    				Organization:       pulumi.String("string"),
    				CountryCode:        pulumi.String("string"),
    				Locality:           pulumi.String("string"),
    				OrganizationalUnit: pulumi.String("string"),
    				PostalCode:         pulumi.String("string"),
    				Province:           pulumi.String("string"),
    				StreetAddress:      pulumi.String("string"),
    			},
    			SubjectAltName: &certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs{
    				DnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				EmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				IpAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				Uris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
    			CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
    				IsCa:                    pulumi.Bool(false),
    				MaxIssuerPathLength:     pulumi.Int(0),
    				NonCa:                   pulumi.Bool(false),
    				ZeroMaxIssuerPathLength: pulumi.Bool(false),
    			},
    			KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
    				BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
    					CertSign:          pulumi.Bool(false),
    					ContentCommitment: pulumi.Bool(false),
    					CrlSign:           pulumi.Bool(false),
    					DataEncipherment:  pulumi.Bool(false),
    					DecipherOnly:      pulumi.Bool(false),
    					DigitalSignature:  pulumi.Bool(false),
    					EncipherOnly:      pulumi.Bool(false),
    					KeyAgreement:      pulumi.Bool(false),
    					KeyEncipherment:   pulumi.Bool(false),
    				},
    				ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
    					ClientAuth:      pulumi.Bool(false),
    					CodeSigning:     pulumi.Bool(false),
    					EmailProtection: pulumi.Bool(false),
    					OcspSigning:     pulumi.Bool(false),
    					ServerAuth:      pulumi.Bool(false),
    					TimeStamping:    pulumi.Bool(false),
    				},
    				UnknownExtendedKeyUsages: certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArray{
    					&certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    				},
    			},
    			AdditionalExtensions: certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArray{
    				&certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArgs{
    					Critical: pulumi.Bool(false),
    					ObjectId: &certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    					Value: pulumi.String("string"),
    				},
    			},
    			AiaOcspServers: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			NameConstraints: &certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs{
    				Critical: pulumi.Bool(false),
    				ExcludedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			PolicyIds: certificateauthority.AuthorityConfigX509ConfigPolicyIdArray{
    				&certificateauthority.AuthorityConfigX509ConfigPolicyIdArgs{
    					ObjectIdPaths: pulumi.IntArray{
    						pulumi.Int(0),
    					},
    				},
    			},
    		},
    		SubjectKeyId: &certificateauthority.AuthorityConfigSubjectKeyIdArgs{
    			KeyId: pulumi.String("string"),
    		},
    	},
    	Pool:                               pulumi.String("string"),
    	Location:                           pulumi.String("string"),
    	CertificateAuthorityId:             pulumi.String("string"),
    	Lifetime:                           pulumi.String("string"),
    	IgnoreActiveCertificatesOnDeletion: pulumi.Bool(false),
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	GcsBucket:          pulumi.String("string"),
    	DesiredState:       pulumi.String("string"),
    	PemCaCertificate:   pulumi.String("string"),
    	DeletionProtection: pulumi.Bool(false),
    	Project:            pulumi.String("string"),
    	SkipGracePeriod:    pulumi.Bool(false),
    	SubordinateConfig: &certificateauthority.AuthoritySubordinateConfigArgs{
    		CertificateAuthority: pulumi.String("string"),
    		PemIssuerChain: &certificateauthority.AuthoritySubordinateConfigPemIssuerChainArgs{
    			PemCertificates: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Type: pulumi.String("string"),
    })
    
    var authorityResource = new Authority("authorityResource", AuthorityArgs.builder()
        .keySpec(AuthorityKeySpecArgs.builder()
            .algorithm("string")
            .cloudKmsKeyVersion("string")
            .build())
        .config(AuthorityConfigArgs.builder()
            .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
                .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
                    .commonName("string")
                    .organization("string")
                    .countryCode("string")
                    .locality("string")
                    .organizationalUnit("string")
                    .postalCode("string")
                    .province("string")
                    .streetAddress("string")
                    .build())
                .subjectAltName(AuthorityConfigSubjectConfigSubjectAltNameArgs.builder()
                    .dnsNames("string")
                    .emailAddresses("string")
                    .ipAddresses("string")
                    .uris("string")
                    .build())
                .build())
            .x509Config(AuthorityConfigX509ConfigArgs.builder()
                .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
                    .isCa(false)
                    .maxIssuerPathLength(0)
                    .nonCa(false)
                    .zeroMaxIssuerPathLength(false)
                    .build())
                .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
                    .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
                        .certSign(false)
                        .contentCommitment(false)
                        .crlSign(false)
                        .dataEncipherment(false)
                        .decipherOnly(false)
                        .digitalSignature(false)
                        .encipherOnly(false)
                        .keyAgreement(false)
                        .keyEncipherment(false)
                        .build())
                    .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
                        .clientAuth(false)
                        .codeSigning(false)
                        .emailProtection(false)
                        .ocspSigning(false)
                        .serverAuth(false)
                        .timeStamping(false)
                        .build())
                    .unknownExtendedKeyUsages(AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .build())
                .additionalExtensions(AuthorityConfigX509ConfigAdditionalExtensionArgs.builder()
                    .critical(false)
                    .objectId(AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .value("string")
                    .build())
                .aiaOcspServers("string")
                .nameConstraints(AuthorityConfigX509ConfigNameConstraintsArgs.builder()
                    .critical(false)
                    .excludedDnsNames("string")
                    .excludedEmailAddresses("string")
                    .excludedIpRanges("string")
                    .excludedUris("string")
                    .permittedDnsNames("string")
                    .permittedEmailAddresses("string")
                    .permittedIpRanges("string")
                    .permittedUris("string")
                    .build())
                .policyIds(AuthorityConfigX509ConfigPolicyIdArgs.builder()
                    .objectIdPaths(0)
                    .build())
                .build())
            .subjectKeyId(AuthorityConfigSubjectKeyIdArgs.builder()
                .keyId("string")
                .build())
            .build())
        .pool("string")
        .location("string")
        .certificateAuthorityId("string")
        .lifetime("string")
        .ignoreActiveCertificatesOnDeletion(false)
        .labels(Map.of("string", "string"))
        .gcsBucket("string")
        .desiredState("string")
        .pemCaCertificate("string")
        .deletionProtection(false)
        .project("string")
        .skipGracePeriod(false)
        .subordinateConfig(AuthoritySubordinateConfigArgs.builder()
            .certificateAuthority("string")
            .pemIssuerChain(AuthoritySubordinateConfigPemIssuerChainArgs.builder()
                .pemCertificates("string")
                .build())
            .build())
        .type("string")
        .build());
    
    authority_resource = gcp.certificateauthority.Authority("authorityResource",
        key_spec=gcp.certificateauthority.AuthorityKeySpecArgs(
            algorithm="string",
            cloud_kms_key_version="string",
        ),
        config=gcp.certificateauthority.AuthorityConfigArgs(
            subject_config=gcp.certificateauthority.AuthorityConfigSubjectConfigArgs(
                subject=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectArgs(
                    common_name="string",
                    organization="string",
                    country_code="string",
                    locality="string",
                    organizational_unit="string",
                    postal_code="string",
                    province="string",
                    street_address="string",
                ),
                subject_alt_name=gcp.certificateauthority.AuthorityConfigSubjectConfigSubjectAltNameArgs(
                    dns_names=["string"],
                    email_addresses=["string"],
                    ip_addresses=["string"],
                    uris=["string"],
                ),
            ),
            x509_config=gcp.certificateauthority.AuthorityConfigX509ConfigArgs(
                ca_options=gcp.certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs(
                    is_ca=False,
                    max_issuer_path_length=0,
                    non_ca=False,
                    zero_max_issuer_path_length=False,
                ),
                key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs(
                    base_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs(
                        cert_sign=False,
                        content_commitment=False,
                        crl_sign=False,
                        data_encipherment=False,
                        decipher_only=False,
                        digital_signature=False,
                        encipher_only=False,
                        key_agreement=False,
                        key_encipherment=False,
                    ),
                    extended_key_usage=gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs(
                        client_auth=False,
                        code_signing=False,
                        email_protection=False,
                        ocsp_signing=False,
                        server_auth=False,
                        time_stamping=False,
                    ),
                    unknown_extended_key_usages=[gcp.certificateauthority.AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs(
                        object_id_paths=[0],
                    )],
                ),
                additional_extensions=[gcp.certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionArgs(
                    critical=False,
                    object_id=gcp.certificateauthority.AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs(
                        object_id_paths=[0],
                    ),
                    value="string",
                )],
                aia_ocsp_servers=["string"],
                name_constraints=gcp.certificateauthority.AuthorityConfigX509ConfigNameConstraintsArgs(
                    critical=False,
                    excluded_dns_names=["string"],
                    excluded_email_addresses=["string"],
                    excluded_ip_ranges=["string"],
                    excluded_uris=["string"],
                    permitted_dns_names=["string"],
                    permitted_email_addresses=["string"],
                    permitted_ip_ranges=["string"],
                    permitted_uris=["string"],
                ),
                policy_ids=[gcp.certificateauthority.AuthorityConfigX509ConfigPolicyIdArgs(
                    object_id_paths=[0],
                )],
            ),
            subject_key_id=gcp.certificateauthority.AuthorityConfigSubjectKeyIdArgs(
                key_id="string",
            ),
        ),
        pool="string",
        location="string",
        certificate_authority_id="string",
        lifetime="string",
        ignore_active_certificates_on_deletion=False,
        labels={
            "string": "string",
        },
        gcs_bucket="string",
        desired_state="string",
        pem_ca_certificate="string",
        deletion_protection=False,
        project="string",
        skip_grace_period=False,
        subordinate_config=gcp.certificateauthority.AuthoritySubordinateConfigArgs(
            certificate_authority="string",
            pem_issuer_chain=gcp.certificateauthority.AuthoritySubordinateConfigPemIssuerChainArgs(
                pem_certificates=["string"],
            ),
        ),
        type="string")
    
    const authorityResource = new gcp.certificateauthority.Authority("authorityResource", {
        keySpec: {
            algorithm: "string",
            cloudKmsKeyVersion: "string",
        },
        config: {
            subjectConfig: {
                subject: {
                    commonName: "string",
                    organization: "string",
                    countryCode: "string",
                    locality: "string",
                    organizationalUnit: "string",
                    postalCode: "string",
                    province: "string",
                    streetAddress: "string",
                },
                subjectAltName: {
                    dnsNames: ["string"],
                    emailAddresses: ["string"],
                    ipAddresses: ["string"],
                    uris: ["string"],
                },
            },
            x509Config: {
                caOptions: {
                    isCa: false,
                    maxIssuerPathLength: 0,
                    nonCa: false,
                    zeroMaxIssuerPathLength: false,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: false,
                        contentCommitment: false,
                        crlSign: false,
                        dataEncipherment: false,
                        decipherOnly: false,
                        digitalSignature: false,
                        encipherOnly: false,
                        keyAgreement: false,
                        keyEncipherment: false,
                    },
                    extendedKeyUsage: {
                        clientAuth: false,
                        codeSigning: false,
                        emailProtection: false,
                        ocspSigning: false,
                        serverAuth: false,
                        timeStamping: false,
                    },
                    unknownExtendedKeyUsages: [{
                        objectIdPaths: [0],
                    }],
                },
                additionalExtensions: [{
                    critical: false,
                    objectId: {
                        objectIdPaths: [0],
                    },
                    value: "string",
                }],
                aiaOcspServers: ["string"],
                nameConstraints: {
                    critical: false,
                    excludedDnsNames: ["string"],
                    excludedEmailAddresses: ["string"],
                    excludedIpRanges: ["string"],
                    excludedUris: ["string"],
                    permittedDnsNames: ["string"],
                    permittedEmailAddresses: ["string"],
                    permittedIpRanges: ["string"],
                    permittedUris: ["string"],
                },
                policyIds: [{
                    objectIdPaths: [0],
                }],
            },
            subjectKeyId: {
                keyId: "string",
            },
        },
        pool: "string",
        location: "string",
        certificateAuthorityId: "string",
        lifetime: "string",
        ignoreActiveCertificatesOnDeletion: false,
        labels: {
            string: "string",
        },
        gcsBucket: "string",
        desiredState: "string",
        pemCaCertificate: "string",
        deletionProtection: false,
        project: "string",
        skipGracePeriod: false,
        subordinateConfig: {
            certificateAuthority: "string",
            pemIssuerChain: {
                pemCertificates: ["string"],
            },
        },
        type: "string",
    });
    
    type: gcp:certificateauthority:Authority
    properties:
        certificateAuthorityId: string
        config:
            subjectConfig:
                subject:
                    commonName: string
                    countryCode: string
                    locality: string
                    organization: string
                    organizationalUnit: string
                    postalCode: string
                    province: string
                    streetAddress: string
                subjectAltName:
                    dnsNames:
                        - string
                    emailAddresses:
                        - string
                    ipAddresses:
                        - string
                    uris:
                        - string
            subjectKeyId:
                keyId: string
            x509Config:
                additionalExtensions:
                    - critical: false
                      objectId:
                        objectIdPaths:
                            - 0
                      value: string
                aiaOcspServers:
                    - string
                caOptions:
                    isCa: false
                    maxIssuerPathLength: 0
                    nonCa: false
                    zeroMaxIssuerPathLength: false
                keyUsage:
                    baseKeyUsage:
                        certSign: false
                        contentCommitment: false
                        crlSign: false
                        dataEncipherment: false
                        decipherOnly: false
                        digitalSignature: false
                        encipherOnly: false
                        keyAgreement: false
                        keyEncipherment: false
                    extendedKeyUsage:
                        clientAuth: false
                        codeSigning: false
                        emailProtection: false
                        ocspSigning: false
                        serverAuth: false
                        timeStamping: false
                    unknownExtendedKeyUsages:
                        - objectIdPaths:
                            - 0
                nameConstraints:
                    critical: false
                    excludedDnsNames:
                        - string
                    excludedEmailAddresses:
                        - string
                    excludedIpRanges:
                        - string
                    excludedUris:
                        - string
                    permittedDnsNames:
                        - string
                    permittedEmailAddresses:
                        - string
                    permittedIpRanges:
                        - string
                    permittedUris:
                        - string
                policyIds:
                    - objectIdPaths:
                        - 0
        deletionProtection: false
        desiredState: string
        gcsBucket: string
        ignoreActiveCertificatesOnDeletion: false
        keySpec:
            algorithm: string
            cloudKmsKeyVersion: string
        labels:
            string: string
        lifetime: string
        location: string
        pemCaCertificate: string
        pool: string
        project: string
        skipGracePeriod: false
        subordinateConfig:
            certificateAuthority: string
            pemIssuerChain:
                pemCertificates:
                    - string
        type: string
    

    Authority Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Authority resource accepts the following input properties:

    CertificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    Config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    KeySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    Location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    Pool string
    The name of the CaPool this Certificate Authority belongs to.
    DeletionProtection bool
    DesiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    GcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    IgnoreActiveCertificatesOnDeletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    Labels Dictionary<string, string>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    PemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    Project string
    SkipGracePeriod bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    SubordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    Type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    CertificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    Config AuthorityConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    KeySpec AuthorityKeySpecArgs
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    Location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    Pool string
    The name of the CaPool this Certificate Authority belongs to.
    DeletionProtection bool
    DesiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    GcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    IgnoreActiveCertificatesOnDeletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    Labels map[string]string
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    PemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    Project string
    SkipGracePeriod bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    SubordinateConfig AuthoritySubordinateConfigArgs
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    Type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    certificateAuthorityId String
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    keySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    location String
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    pool String
    The name of the CaPool this Certificate Authority belongs to.
    deletionProtection Boolean
    desiredState String
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    gcsBucket String
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion Boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    labels Map<String,String>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    pemCaCertificate String
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    project String
    skipGracePeriod Boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    subordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type String
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    certificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    keySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    pool string
    The name of the CaPool this Certificate Authority belongs to.
    deletionProtection boolean
    desiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    gcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    labels {[key: string]: string}
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    pemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    project string
    skipGracePeriod boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    subordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    certificate_authority_id str
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    key_spec AuthorityKeySpecArgs
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    location str
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    pool str
    The name of the CaPool this Certificate Authority belongs to.
    deletion_protection bool
    desired_state str
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    gcs_bucket str
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignore_active_certificates_on_deletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    labels Mapping[str, str]
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime str
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    pem_ca_certificate str
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    project str
    skip_grace_period bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    subordinate_config AuthoritySubordinateConfigArgs
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type str
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    certificateAuthorityId String
    The user provided Resource ID for this Certificate Authority.
    config Property Map
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    keySpec Property Map
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    location String
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    pool String
    The name of the CaPool this Certificate Authority belongs to.
    deletionProtection Boolean
    desiredState String
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    gcsBucket String
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion Boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    labels Map<String>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    pemCaCertificate String
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    project String
    skipGracePeriod Boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    subordinateConfig Property Map
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type String
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Authority resource produces the following output properties:

    AccessUrls List<AuthorityAccessUrl>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    CreateTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    PemCaCertificates List<string>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    State string
    The State for this CertificateAuthority.
    UpdateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    AccessUrls []AuthorityAccessUrl
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    CreateTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    PemCaCertificates []string
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    State string
    The State for this CertificateAuthority.
    UpdateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls List<AuthorityAccessUrl>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    createTime String
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificates List<String>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    state String
    The State for this CertificateAuthority.
    updateTime String
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls AuthorityAccessUrl[]
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    createTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificates string[]
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    state string
    The State for this CertificateAuthority.
    updateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    access_urls Sequence[AuthorityAccessUrl]
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    create_time str
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pem_ca_certificates Sequence[str]
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    state str
    The State for this CertificateAuthority.
    update_time str
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls List<Property Map>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    createTime String
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificates List<String>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    state String
    The State for this CertificateAuthority.
    updateTime String
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

    Look up Existing Authority Resource

    Get an existing Authority resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthorityState, opts?: CustomResourceOptions): Authority
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_urls: Optional[Sequence[AuthorityAccessUrlArgs]] = None,
            certificate_authority_id: Optional[str] = None,
            config: Optional[AuthorityConfigArgs] = None,
            create_time: Optional[str] = None,
            deletion_protection: Optional[bool] = None,
            desired_state: Optional[str] = None,
            effective_labels: Optional[Mapping[str, str]] = None,
            gcs_bucket: Optional[str] = None,
            ignore_active_certificates_on_deletion: Optional[bool] = None,
            key_spec: Optional[AuthorityKeySpecArgs] = None,
            labels: Optional[Mapping[str, str]] = None,
            lifetime: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            pem_ca_certificate: Optional[str] = None,
            pem_ca_certificates: Optional[Sequence[str]] = None,
            pool: Optional[str] = None,
            project: Optional[str] = None,
            pulumi_labels: Optional[Mapping[str, str]] = None,
            skip_grace_period: Optional[bool] = None,
            state: Optional[str] = None,
            subordinate_config: Optional[AuthoritySubordinateConfigArgs] = None,
            type: Optional[str] = None,
            update_time: Optional[str] = None) -> Authority
    func GetAuthority(ctx *Context, name string, id IDInput, state *AuthorityState, opts ...ResourceOption) (*Authority, error)
    public static Authority Get(string name, Input<string> id, AuthorityState? state, CustomResourceOptions? opts = null)
    public static Authority get(String name, Output<String> id, AuthorityState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessUrls List<AuthorityAccessUrl>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    CertificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    Config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    CreateTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    DeletionProtection bool
    DesiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    EffectiveLabels Dictionary<string, string>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    GcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    IgnoreActiveCertificatesOnDeletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    KeySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    Labels Dictionary<string, string>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    Name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    PemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    PemCaCertificates List<string>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    Pool string
    The name of the CaPool this Certificate Authority belongs to.
    Project string
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    SkipGracePeriod bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    State string
    The State for this CertificateAuthority.
    SubordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    Type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    UpdateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    AccessUrls []AuthorityAccessUrlArgs
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    CertificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    Config AuthorityConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    CreateTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    DeletionProtection bool
    DesiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    EffectiveLabels map[string]string
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    GcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    IgnoreActiveCertificatesOnDeletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    KeySpec AuthorityKeySpecArgs
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    Labels map[string]string
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    Lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    Location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    Name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    PemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    PemCaCertificates []string
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    Pool string
    The name of the CaPool this Certificate Authority belongs to.
    Project string
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    SkipGracePeriod bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    State string
    The State for this CertificateAuthority.
    SubordinateConfig AuthoritySubordinateConfigArgs
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    Type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    UpdateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls List<AuthorityAccessUrl>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    certificateAuthorityId String
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime String
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    deletionProtection Boolean
    desiredState String
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    effectiveLabels Map<String,String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    gcsBucket String
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion Boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    keySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    labels Map<String,String>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location String
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    name String
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificate String
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    pemCaCertificates List<String>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pool String
    The name of the CaPool this Certificate Authority belongs to.
    project String
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    skipGracePeriod Boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    state String
    The State for this CertificateAuthority.
    subordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type String
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    updateTime String
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls AuthorityAccessUrl[]
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    certificateAuthorityId string
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfig
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime string
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    deletionProtection boolean
    desiredState string
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    effectiveLabels {[key: string]: string}
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    gcsBucket string
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    keySpec AuthorityKeySpec
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    labels {[key: string]: string}
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime string
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location string
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    name string
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificate string
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    pemCaCertificates string[]
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pool string
    The name of the CaPool this Certificate Authority belongs to.
    project string
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    skipGracePeriod boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    state string
    The State for this CertificateAuthority.
    subordinateConfig AuthoritySubordinateConfig
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type string
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    updateTime string
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    access_urls Sequence[AuthorityAccessUrlArgs]
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    certificate_authority_id str
    The user provided Resource ID for this Certificate Authority.
    config AuthorityConfigArgs
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    create_time str
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    deletion_protection bool
    desired_state str
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    effective_labels Mapping[str, str]
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    gcs_bucket str
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignore_active_certificates_on_deletion bool
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    key_spec AuthorityKeySpecArgs
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    labels Mapping[str, str]
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime str
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location str
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    name str
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pem_ca_certificate str
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    pem_ca_certificates Sequence[str]
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pool str
    The name of the CaPool this Certificate Authority belongs to.
    project str
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    skip_grace_period bool
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    state str
    The State for this CertificateAuthority.
    subordinate_config AuthoritySubordinateConfigArgs
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type str
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    update_time str
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    accessUrls List<Property Map>
    URLs for accessing content published by this CA, such as the CA certificate and CRLs. Structure is documented below.
    certificateAuthorityId String
    The user provided Resource ID for this Certificate Authority.
    config Property Map
    The config used to create a self-signed X.509 certificate or CSR. Structure is documented below.
    createTime String
    The time at which this CertificateAuthority was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
    deletionProtection Boolean
    desiredState String
    Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA.
    effectiveLabels Map<String>
    All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    gcsBucket String
    The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will be created.
    ignoreActiveCertificatesOnDeletion Boolean
    This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs. Use with care. Defaults to 'false'.
    keySpec Property Map
    Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR. Structure is documented below.
    labels Map<String>
    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
    lifetime String
    The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
    location String
    Location of the CertificateAuthority. A full list of valid locations can be found by running gcloud privateca locations list.
    name String
    The resource name for this CertificateAuthority in the format projects//locations//certificateAuthorities/*.
    pemCaCertificate String
    The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
    pemCaCertificates List<String>
    This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
    pool String
    The name of the CaPool this Certificate Authority belongs to.
    project String
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    skipGracePeriod Boolean
    If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to 'false'.
    state String
    The State for this CertificateAuthority.
    subordinateConfig Property Map
    If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers.
    type String
    The Type of this CertificateAuthority. > Note: For 'SUBORDINATE' Certificate Authorities, they need to be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
    updateTime String
    The time at which this CertificateAuthority was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

    Supporting Types

    AuthorityAccessUrl, AuthorityAccessUrlArgs

    CaCertificateAccessUrl string
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    CrlAccessUrls List<string>
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
    CaCertificateAccessUrl string
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    CrlAccessUrls []string
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
    caCertificateAccessUrl String
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    crlAccessUrls List<String>
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
    caCertificateAccessUrl string
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    crlAccessUrls string[]
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
    ca_certificate_access_url str
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    crl_access_urls Sequence[str]
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
    caCertificateAccessUrl String
    (Output) The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
    crlAccessUrls List<String>
    (Output) The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.

    AuthorityConfig, AuthorityConfigArgs

    SubjectConfig AuthorityConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    X509Config AuthorityConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    SubjectKeyId AuthorityConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    SubjectConfig AuthorityConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    X509Config AuthorityConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    SubjectKeyId AuthorityConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    subjectConfig AuthorityConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config AuthorityConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId AuthorityConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    subjectConfig AuthorityConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config AuthorityConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId AuthorityConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    subject_config AuthorityConfigSubjectConfig
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509_config AuthorityConfigX509Config
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subject_key_id AuthorityConfigSubjectKeyId
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.
    subjectConfig Property Map
    Specifies some of the values in a certificate that are related to the subject. Structure is documented below.
    x509Config Property Map
    Describes how some of the technical X.509 fields in a certificate should be populated. Structure is documented below.
    subjectKeyId Property Map
    When specified this provides a custom SKI to be used in the certificate. This should only be used to maintain a SKI of an existing CA originally created outside CA service, which was not generated using method (1) described in RFC 5280 section 4.2.1.2.. Structure is documented below.

    AuthorityConfigSubjectConfig, AuthorityConfigSubjectConfigArgs

    Subject AuthorityConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    SubjectAltName AuthorityConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    Subject AuthorityConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    SubjectAltName AuthorityConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject AuthorityConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName AuthorityConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject AuthorityConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName AuthorityConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject AuthorityConfigSubjectConfigSubject
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subject_alt_name AuthorityConfigSubjectConfigSubjectAltName
    The subject alternative name fields. Structure is documented below.
    subject Property Map
    Contains distinguished name fields such as the location and organization. Structure is documented below.
    subjectAltName Property Map
    The subject alternative name fields. Structure is documented below.

    AuthorityConfigSubjectConfigSubject, AuthorityConfigSubjectConfigSubjectArgs

    CommonName string
    The common name of the distinguished name.
    Organization string
    The organization of the subject.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    CommonName string
    The common name of the distinguished name.
    Organization string
    The organization of the subject.
    CountryCode string
    The country code of the subject.
    Locality string
    The locality or city of the subject.
    OrganizationalUnit string
    The organizational unit of the subject.
    PostalCode string
    The postal code of the subject.
    Province string
    The province, territory, or regional state of the subject.
    StreetAddress string
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    organization String
    The organization of the subject.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.
    commonName string
    The common name of the distinguished name.
    organization string
    The organization of the subject.
    countryCode string
    The country code of the subject.
    locality string
    The locality or city of the subject.
    organizationalUnit string
    The organizational unit of the subject.
    postalCode string
    The postal code of the subject.
    province string
    The province, territory, or regional state of the subject.
    streetAddress string
    The street address of the subject.
    common_name str
    The common name of the distinguished name.
    organization str
    The organization of the subject.
    country_code str
    The country code of the subject.
    locality str
    The locality or city of the subject.
    organizational_unit str
    The organizational unit of the subject.
    postal_code str
    The postal code of the subject.
    province str
    The province, territory, or regional state of the subject.
    street_address str
    The street address of the subject.
    commonName String
    The common name of the distinguished name.
    organization String
    The organization of the subject.
    countryCode String
    The country code of the subject.
    locality String
    The locality or city of the subject.
    organizationalUnit String
    The organizational unit of the subject.
    postalCode String
    The postal code of the subject.
    province String
    The province, territory, or regional state of the subject.
    streetAddress String
    The street address of the subject.

    AuthorityConfigSubjectConfigSubjectAltName, AuthorityConfigSubjectConfigSubjectAltNameArgs

    DnsNames List<string>
    Contains only valid, fully-qualified host names.
    EmailAddresses List<string>
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses List<string>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris List<string>
    Contains only valid RFC 3986 URIs.
    DnsNames []string
    Contains only valid, fully-qualified host names.
    EmailAddresses []string
    Contains only valid RFC 2822 E-mail addresses.
    IpAddresses []string
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    Uris []string
    Contains only valid RFC 3986 URIs.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.
    dnsNames string[]
    Contains only valid, fully-qualified host names.
    emailAddresses string[]
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses string[]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris string[]
    Contains only valid RFC 3986 URIs.
    dns_names Sequence[str]
    Contains only valid, fully-qualified host names.
    email_addresses Sequence[str]
    Contains only valid RFC 2822 E-mail addresses.
    ip_addresses Sequence[str]
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris Sequence[str]
    Contains only valid RFC 3986 URIs.
    dnsNames List<String>
    Contains only valid, fully-qualified host names.
    emailAddresses List<String>
    Contains only valid RFC 2822 E-mail addresses.
    ipAddresses List<String>
    Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
    uris List<String>
    Contains only valid RFC 3986 URIs.

    AuthorityConfigSubjectKeyId, AuthorityConfigSubjectKeyIdArgs

    KeyId string

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    KeyId string

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    keyId String

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    keyId string

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    key_id str

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    keyId String

    The value of the KeyId in lowercase hexidecimal.

    The x509_config block supports:

    AuthorityConfigX509Config, AuthorityConfigX509ConfigArgs

    CaOptions AuthorityConfigX509ConfigCaOptions
    Describes values that are relevant in a CA certificate.
    KeyUsage AuthorityConfigX509ConfigKeyUsage
    Indicates the intended use for keys that correspond to a certificate.
    AdditionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    AiaOcspServers List<string>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    NameConstraints AuthorityConfigX509ConfigNameConstraints
    Describes the X.509 name constraints extension.
    PolicyIds List<AuthorityConfigX509ConfigPolicyId>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
    CaOptions AuthorityConfigX509ConfigCaOptions
    Describes values that are relevant in a CA certificate.
    KeyUsage AuthorityConfigX509ConfigKeyUsage
    Indicates the intended use for keys that correspond to a certificate.
    AdditionalExtensions []AuthorityConfigX509ConfigAdditionalExtension
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    AiaOcspServers []string
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    NameConstraints AuthorityConfigX509ConfigNameConstraints
    Describes the X.509 name constraints extension.
    PolicyIds []AuthorityConfigX509ConfigPolicyId
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
    caOptions AuthorityConfigX509ConfigCaOptions
    Describes values that are relevant in a CA certificate.
    keyUsage AuthorityConfigX509ConfigKeyUsage
    Indicates the intended use for keys that correspond to a certificate.
    additionalExtensions List<AuthorityConfigX509ConfigAdditionalExtension>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    aiaOcspServers List<String>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints AuthorityConfigX509ConfigNameConstraints
    Describes the X.509 name constraints extension.
    policyIds List<AuthorityConfigX509ConfigPolicyId>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
    caOptions AuthorityConfigX509ConfigCaOptions
    Describes values that are relevant in a CA certificate.
    keyUsage AuthorityConfigX509ConfigKeyUsage
    Indicates the intended use for keys that correspond to a certificate.
    additionalExtensions AuthorityConfigX509ConfigAdditionalExtension[]
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    aiaOcspServers string[]
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints AuthorityConfigX509ConfigNameConstraints
    Describes the X.509 name constraints extension.
    policyIds AuthorityConfigX509ConfigPolicyId[]
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
    ca_options AuthorityConfigX509ConfigCaOptions
    Describes values that are relevant in a CA certificate.
    key_usage AuthorityConfigX509ConfigKeyUsage
    Indicates the intended use for keys that correspond to a certificate.
    additional_extensions Sequence[AuthorityConfigX509ConfigAdditionalExtension]
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    aia_ocsp_servers Sequence[str]
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    name_constraints AuthorityConfigX509ConfigNameConstraints
    Describes the X.509 name constraints extension.
    policy_ids Sequence[AuthorityConfigX509ConfigPolicyId]
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
    caOptions Property Map
    Describes values that are relevant in a CA certificate.
    keyUsage Property Map
    Indicates the intended use for keys that correspond to a certificate.
    additionalExtensions List<Property Map>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
    aiaOcspServers List<String>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints Property Map
    Describes the X.509 name constraints extension.
    policyIds List<Property Map>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.

    AuthorityConfigX509ConfigAdditionalExtension, AuthorityConfigX509ConfigAdditionalExtensionArgs

    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId AuthorityConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.
    critical boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId AuthorityConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value string
    The value of this X.509 extension. A base64-encoded string.
    critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    object_id AuthorityConfigX509ConfigAdditionalExtensionObjectId
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value str
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId Property Map
    Describes values that are relevant in a CA certificate. Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.

    AuthorityConfigX509ConfigAdditionalExtensionObjectId, AuthorityConfigX509ConfigAdditionalExtensionObjectIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    AuthorityConfigX509ConfigCaOptions, AuthorityConfigX509ConfigCaOptionsArgs

    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Integer
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    nonCa boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    is_ca bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    max_issuer_path_length int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    non_ca bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zero_max_issuer_path_length bool
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0 requires setting zero_max_issuer_path_length = true.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

    AuthorityConfigX509ConfigKeyUsage, AuthorityConfigX509ConfigKeyUsageArgs

    BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    BaseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages []AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    base_key_usage AuthorityConfigX509ConfigKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extended_key_usage AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknown_extended_key_usages Sequence[AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<Property Map>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

    AuthorityConfigX509ConfigKeyUsageBaseKeyUsage, AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs

    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.
    certSign boolean
    The key may be used to sign certificates.
    contentCommitment boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment boolean
    The key may be used to encipher data.
    decipherOnly boolean
    The key may be used to decipher only.
    digitalSignature boolean
    The key may be used for digital signatures.
    encipherOnly boolean
    The key may be used to encipher only.
    keyAgreement boolean
    The key may be used in a key agreement protocol.
    keyEncipherment boolean
    The key may be used to encipher other keys.
    cert_sign bool
    The key may be used to sign certificates.
    content_commitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crl_sign bool
    The key may be used sign certificate revocation lists.
    data_encipherment bool
    The key may be used to encipher data.
    decipher_only bool
    The key may be used to decipher only.
    digital_signature bool
    The key may be used for digital signatures.
    encipher_only bool
    The key may be used to encipher only.
    key_agreement bool
    The key may be used in a key agreement protocol.
    key_encipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.

    AuthorityConfigX509ConfigKeyUsageExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs

    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    client_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    code_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    email_protection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocsp_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    server_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    time_stamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

    AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsage, AuthorityConfigX509ConfigKeyUsageUnknownExtendedKeyUsageArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    AuthorityConfigX509ConfigNameConstraints, AuthorityConfigX509ConfigNameConstraintsArgs

    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames List<string>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses List<string>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges List<string>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris List<string>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames List<string>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses List<string>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges List<string>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris List<string>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    Critical bool
    Indicates whether or not the name constraints are marked critical.
    ExcludedDnsNames []string
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses []string
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges []string
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris []string
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames []string
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses []string
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges []string
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris []string
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames string[]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses string[]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges string[]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris string[]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames string[]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses string[]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges string[]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris string[]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical bool
    Indicates whether or not the name constraints are marked critical.
    excluded_dns_names Sequence[str]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excluded_email_addresses Sequence[str]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excluded_ip_ranges Sequence[str]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excluded_uris Sequence[str]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permitted_dns_names Sequence[str]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permitted_email_addresses Sequence[str]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permitted_ip_ranges Sequence[str]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permitted_uris Sequence[str]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
    Indicates whether or not the name constraints are marked critical.
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

    AuthorityConfigX509ConfigPolicyId, AuthorityConfigX509ConfigPolicyIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    AuthorityKeySpec, AuthorityKeySpecArgs

    Algorithm string
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    CloudKmsKeyVersion string
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    Algorithm string
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    CloudKmsKeyVersion string
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    algorithm String
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    cloudKmsKeyVersion String
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    algorithm string
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    cloudKmsKeyVersion string
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    algorithm str
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    cloud_kms_key_version str
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
    algorithm String
    The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their ProtectionLevel as HSM. Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.


    cloudKmsKeyVersion String
    The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.

    AuthoritySubordinateConfig, AuthoritySubordinateConfigArgs

    CertificateAuthority string
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    PemIssuerChain AuthoritySubordinateConfigPemIssuerChain
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
    CertificateAuthority string
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    PemIssuerChain AuthoritySubordinateConfigPemIssuerChain
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
    certificateAuthority String
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemIssuerChain AuthoritySubordinateConfigPemIssuerChain
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
    certificateAuthority string
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemIssuerChain AuthoritySubordinateConfigPemIssuerChain
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
    certificate_authority str
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pem_issuer_chain AuthoritySubordinateConfigPemIssuerChain
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.
    certificateAuthority String
    This can refer to a CertificateAuthority that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/caPools/*/certificateAuthorities/*.
    pemIssuerChain Property Map
    Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself. Structure is documented below.

    AuthoritySubordinateConfigPemIssuerChain, AuthoritySubordinateConfigPemIssuerChainArgs

    PemCertificates List<string>
    Expected to be in leaf-to-root order according to RFC 5246.
    PemCertificates []string
    Expected to be in leaf-to-root order according to RFC 5246.
    pemCertificates List<String>
    Expected to be in leaf-to-root order according to RFC 5246.
    pemCertificates string[]
    Expected to be in leaf-to-root order according to RFC 5246.
    pem_certificates Sequence[str]
    Expected to be in leaf-to-root order according to RFC 5246.
    pemCertificates List<String>
    Expected to be in leaf-to-root order according to RFC 5246.

    Import

    CertificateAuthority can be imported using any of these accepted formats:

    • projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}

    • {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}

    • {{location}}/{{pool}}/{{certificate_authority_id}}

    When using the pulumi import command, CertificateAuthority can be imported using one of the formats above. For example:

    $ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
    
    $ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
    
    $ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v7.29.0 published on Wednesday, Jun 26, 2024 by Pulumi