diff --git a/README.md b/README.md
index 63be229308..942ebdb25c 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ Currently available modules:
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
- **data** - [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
-- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
+- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/)
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
For more information and usage examples see each module's README file.
diff --git a/modules/README.md b/modules/README.md
index b5f5a9b151..8f21a90ca4 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -113,6 +113,7 @@ These modules are used in the examples included in this repository. If you are u
- [SecretManager](./secret-manager)
- [VPC Service Control](./vpc-sc)
- [Secure Web Proxy](./net-swp)
+- [Certificate Manager](./certificate-manager)
## Serverless
diff --git a/modules/certificate-manager/README.md b/modules/certificate-manager/README.md
new file mode 100644
index 0000000000..e878609f97
--- /dev/null
+++ b/modules/certificate-manager/README.md
@@ -0,0 +1,263 @@
+# Certificate manager
+
+This module allows you to create a certificate manager map and associated entries, certificates, DNS authorizations and issueance configs. Map and associated entries creation is optional.
+
+## Examples
+
+### Self-managed certificate
+
+```hcl
+resource "tls_private_key" "private_key" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "cert" {
+ private_key_pem = tls_private_key.private_key.private_key_pem
+ subject {
+ common_name = "example.com"
+ organization = "ACME Examples, Inc"
+ }
+ validity_period_hours = 720
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+
+module "certificate-manager" {
+ source = "./fabric/modules/certificate-manager"
+ project_id = var.project_id
+ certificates = {
+ my-certificate-1 = {
+ self_managed = {
+ pem_certificate = tls_self_signed_cert.cert.cert_pem
+ pem_private_key = tls_private_key.private_key.private_key_pem
+ }
+ }
+ }
+}
+# tftest modules=1 resources=3 inventory=self-managed-cert.yaml
+```
+
+### Certificate map with 1 entry with 1 self-managed certificate
+
+```hcl
+resource "tls_private_key" "private_key" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "cert" {
+ private_key_pem = tls_private_key.private_key.private_key_pem
+ subject {
+ common_name = "example.com"
+ organization = "ACME Examples, Inc"
+ }
+ validity_period_hours = 720
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+
+module "certificate-manager" {
+ source = "./fabric/modules/certificate-manager"
+ project_id = var.project_id
+ map = {
+ name = "my-certificate-map"
+ description = "My certificate map"
+ entries = {
+ mydomain-mycompany-org = {
+ certificates = [
+ "my-certificate-1"
+ ]
+ hostname = "mydomain.mycompany.org"
+ }
+ }
+ }
+ certificates = {
+ my-certificate-1 = {
+ self_managed = {
+ pem_certificate = tls_self_signed_cert.cert.cert_pem
+ pem_private_key = tls_private_key.private_key.private_key_pem
+ }
+ }
+ }
+}
+# tftest modules=1 resources=5 inventory=map-with-self-managed-cert.yaml
+
+```
+
+### Certificate map with 1 entry with 1 managed certificate with load balancer authorization
+
+```hcl
+module "certificate-manager" {
+ source = "./fabric/modules/certificate-manager"
+ project_id = var.project_id
+ map = {
+ name = "my-certificate-map"
+ description = "My certificate map"
+ entries = {
+ mydomain-mycompany-org = {
+ certificates = [
+ "my-certificate-1"
+ ]
+ matcher = "PRIMARY"
+ }
+ }
+ }
+ certificates = {
+ my-certificate-1 = {
+ managed = {
+ domains = ["mydomain.mycompany.org"]
+ }
+ }
+ }
+}
+# tftest modules=1 resources=3 inventory=map-with-managed-cert-lb-authz.yaml
+```
+
+### Certificate map with 1 entry with 1 managed certificate with DNS authorization
+
+```hcl
+module "certificate-manager" {
+ source = "./fabric/modules/certificate-manager"
+ project_id = var.project_id
+ map = {
+ name = "my-certificate-map"
+ description = "My certificate map"
+ entries = {
+ mydomain-mycompany-org = {
+ certificates = [
+ "my-certificate-1"
+ ]
+ matcher = "PRIMARY"
+ }
+ }
+ }
+ certificates = {
+ my-certificate-1 = {
+ managed = {
+ domains = ["mydomain.mycompany.org"]
+ dns_authorizations = ["mydomain-mycompany-org"]
+ }
+ }
+ }
+ dns_authorizations = {
+ mydomain-mycompany-org = {
+ type = "PER_PROJECT_RECORD"
+ domain = "mydomain.mycompany.org"
+ }
+ }
+}
+# tftest modules=1 resources=4 inventory=map-with-managed-cert-dns-authz.yaml
+```
+
+### Certificate map with 1 entry with 1 managed certificate with issued by a CA Service instance
+
+```hcl
+resource "google_privateca_ca_pool" "pool" {
+ name = "ca-pool"
+ project = var.project_id
+ location = "us-central1"
+ tier = "ENTERPRISE"
+}
+
+resource "google_privateca_certificate_authority" "ca_authority" {
+ project = var.project_id
+ location = "us-central1"
+ pool = google_privateca_ca_pool.pool.name
+ certificate_authority_id = "ca-authority"
+ config {
+ subject_config {
+ subject {
+ organization = "My Company"
+ common_name = "my-company-authority"
+ }
+ subject_alt_name {
+ dns_names = ["mycompany.org"]
+ }
+ }
+ x509_config {
+ ca_options {
+ is_ca = true
+ }
+ key_usage {
+ base_key_usage {
+ cert_sign = true
+ crl_sign = true
+ }
+ extended_key_usage {
+ server_auth = true
+ }
+ }
+ }
+ }
+ key_spec {
+ algorithm = "RSA_PKCS1_4096_SHA256"
+ }
+ deletion_protection = false
+ skip_grace_period = true
+ ignore_active_certificates_on_deletion = true
+}
+
+module "certificate-manager" {
+ source = "./fabric/modules/certificate-manager"
+ project_id = var.project_id
+ map = {
+ name = "my-certificate-map"
+ description = "My certificate map"
+ entries = {
+ mydomain-mycompany-org = {
+ certificates = [
+ "my-certificate-1"
+ ]
+ matcher = "PRIMARY"
+ }
+ }
+ }
+ certificates = {
+ my-certificate-1 = {
+ managed = {
+ domains = ["mydomain.mycompany.org"]
+ issuance_config = "my-issuance-config"
+ }
+ }
+ }
+ issuance_configs = {
+ my-issuance-config = {
+ ca_pool = google_privateca_ca_pool.pool.id
+ key_algorithm = "ECDSA_P256"
+ lifetime = "1814400s"
+ rotation_window_percentage = 34
+ }
+ }
+ depends_on = [
+ google_privateca_certificate_authority.ca_authority
+ ]
+}
+# tftest modules=1 resources=6 inventory=map-with-managed-cert-ca-service.yaml
+```
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [project_id](variables.tf#L102) | Project id. | string
| ✓ | |
+| [certificates](variables.tf#L17) | Certificates. | map(object({…}))
| | {}
|
+| [dns_authorizations](variables.tf#L53) | DNS authorizations. | map(object({…}))
| | {}
|
+| [issuance_configs](variables.tf#L66) | Issuance configs. | map(object({…}))
| | {}
|
+| [map](variables.tf#L80) | Map attributes. | object({…})
| | null
|
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [certificate_ids](outputs.tf#L17) | Certificate ids. | |
+| [certificates](outputs.tf#L22) | Certificates. | |
+| [map](outputs.tf#L27) | Map. | |
+| [map_id](outputs.tf#L32) | Map id. | |
+
diff --git a/modules/certificate-manager/main.tf b/modules/certificate-manager/main.tf
new file mode 100644
index 0000000000..e5bb5b594d
--- /dev/null
+++ b/modules/certificate-manager/main.tf
@@ -0,0 +1,85 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_certificate_manager_certificate_map" "map" {
+ count = var.map == null ? 0 : 1
+ project = var.project_id
+ name = var.map.name
+ description = var.map.description
+ labels = var.map.labels
+}
+
+resource "google_certificate_manager_certificate_map_entry" "entries" {
+ for_each = try(var.map.entries, {})
+ project = google_certificate_manager_certificate_map.map[0].project
+ name = each.key
+ description = each.value.description
+ map = google_certificate_manager_certificate_map.map[0].name
+ labels = each.value.labels
+ certificates = [for v in each.value.certificates : google_certificate_manager_certificate.certificates[v].id]
+ hostname = each.value.hostname
+ matcher = each.value.matcher
+}
+
+resource "google_certificate_manager_certificate" "certificates" {
+ for_each = var.certificates
+ project = var.project_id
+ name = each.key
+ description = each.value.description
+ scope = each.value.scope
+ labels = each.value.labels
+ dynamic "managed" {
+ for_each = each.value.managed == null ? [] : [""]
+ content {
+ domains = each.value.managed.domains
+ dns_authorizations = each.value.managed.dns_authorizations
+ issuance_config = each.value.managed.issuance_config
+ }
+ }
+ dynamic "self_managed" {
+ for_each = each.value.self_managed == null ? [] : [""]
+ content {
+ pem_certificate = each.value.self_managed.pem_certificate
+ pem_private_key = each.value.self_managed.pem_private_key
+ }
+ }
+}
+
+resource "google_certificate_manager_dns_authorization" "dns_authorizations" {
+ for_each = var.dns_authorizations
+ project = var.project_id
+ name = each.key
+ location = each.value.location
+ description = each.value.description
+ type = each.value.type
+ domain = each.value.domain
+}
+
+resource "google_certificate_manager_certificate_issuance_config" "default" {
+ for_each = var.issuance_configs
+ project = var.project_id
+ name = each.key
+ description = each.value.description
+ certificate_authority_config {
+ certificate_authority_service_config {
+ ca_pool = each.value.ca_pool
+ }
+ }
+ lifetime = each.value.lifetime
+ rotation_window_percentage = each.value.rotation_window_percentage
+ key_algorithm = each.value.key_algorithm
+ labels = each.value.labels
+}
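Review bot: In `google_certificate_manager_certificate.certificates`, the `managed` block passes `each.value.managed.dns_authorizations` and `each.value.managed.issuance_config` through as the caller's map keys, whereas the map-entry resource above resolves its certificate keys to `.id`. The test inventories in this commit show the planned values as the bare keys (`mydomain-mycompany-org`, `my-issuance-config`). The provider therefore probably receives a short name where it expects a full resource name, and Terraform has no dependency edge to create the authorization or issuance config before the certificate. Consider resolving them the same way, e.g. `dns_authorizations = each.value.managed.dns_authorizations == null ? null : [for v in each.value.managed.dns_authorizations : google_certificate_manager_dns_authorization.dns_authorizations[v].id]` and `issuance_config = try(google_certificate_manager_certificate_issuance_config.default[each.value.managed.issuance_config].id, null)`. If externally created authorizations must also be accepted, that should be documented on the variable.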
diff --git a/modules/certificate-manager/outputs.tf b/modules/certificate-manager/outputs.tf
new file mode 100644
index 0000000000..43eb9f3fdf
--- /dev/null
+++ b/modules/certificate-manager/outputs.tf
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "certificate_ids" {
+ description = "Certificate ids."
+ value = { for k, v in google_certificate_manager_certificate.certificates : k => v.id }
+}
+
+output "certificates" {
+ description = "Certificates."
+ value = google_certificate_manager_certificate.certificates
+}
+
+output "map" {
+ description = "Map."
+ value = var.map == null ? null : google_certificate_manager_certificate_map.map[0]
+}
+
+output "map_id" {
+ description = "Map id."
+ value = var.map == null ? null : google_certificate_manager_certificate_map.map[0].id
+}
+
+
+
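Review bot: The `certificates` output returns the whole `google_certificate_manager_certificate` resource, which for self-managed certificates includes the `self_managed` block that main.tf fills with `pem_private_key`. Unless consumers need the full object, I would either drop this output in favour of `certificate_ids` or add `sensitive = true`, so the key material is redacted in plan output and cannot flow unnoticed into a root-module output or CI log. The description could also say that the output may contain private key material, since the README's outputs table leaves the sensitive column empty for it.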
diff --git a/modules/certificate-manager/variables.tf b/modules/certificate-manager/variables.tf
new file mode 100644
index 0000000000..05a8f5148a
--- /dev/null
+++ b/modules/certificate-manager/variables.tf
@@ -0,0 +1,106 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "certificates" {
+ description = "Certificates."
+ type = map(object({
+ description = optional(string)
+ labels = optional(map(string), {})
+ location = optional(string)
+ scope = optional(string)
+ self_managed = optional(object({
+ pem_certificate = string
+ pem_private_key = string
+ }))
+ managed = optional(object({
+ domains = list(string)
+ dns_authorizations = optional(list(string))
+ issuance_config = optional(string)
+ }))
+ }))
+ default = {}
+ nullable = false
+
+ validation {
+ condition = alltrue([for k, v in var.certificates : (
+ v.self_managed != null && v.managed == null
+ || v.self_managed == null && v.managed != null
+ )])
+ error_message = "Either a self-managed or a managed configuration must be specified for a certificate."
+ }
+ validation {
+ condition = alltrue([for k, v in var.certificates : v.managed == null ? true :
+ !(v.managed.dns_authorizations != null
+ && v.managed.issuance_config != null)
+ ])
+ error_message = "Both DNS authorizations and issuance cannot be specified."
+ }
+}
+
+variable "dns_authorizations" {
+ description = "DNS authorizations."
+ type = map(object({
+ domain = string
+ description = optional(string)
+ location = optional(string)
+ type = optional(string)
+ labels = optional(map(string))
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "issuance_configs" {
+ description = "Issuance configs."
+ type = map(object({
+ ca_pool = string
+ description = optional(string)
+ key_algorithm = string
+ labels = optional(map(string), {})
+ lifetime = string
+ rotation_window_percentage = number
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "map" {
+ description = "Map attributes."
+ type = object({
+ name = string
+ description = optional(string)
+ labels = optional(map(string), {})
+ entries = optional(map(object({
+ description = optional(string)
+ hostname = optional(string)
+ labels = optional(map(string), {})
+ matcher = optional(string)
+ certificates = list(string)
+ })), {})
+ })
+ default = null
+
+ validation {
+ condition = var.map == null ? true : alltrue([for k, v in var.map.entries : v.hostname == null && v.matcher != null || v.hostname != null && v.matcher == null])
+ error_message = "Either hostname or matcher must be specified for an entry."
+ }
+}
+
+variable "project_id" {
+ description = "Project id."
+ type = string
+}
+
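Review bot: `location` in the `certificates` type and `labels` in the `dns_authorizations` type are declared here but never read by main.tf in this commit, so a caller's value is silently ignored. The certificate resource sets no `location` and the DNS authorization resource sets no `labels`. Either wire them through in the resources (`location = each.value.location`, `labels = each.value.labels`) or remove them from the types. Separately, `self_managed.pem_private_key` is a plain `string` in a variable that is not marked sensitive; a sentence in the `certificates` description asking callers to supply it from a sensitive value, such as the `tls_private_key` attribute used in the README example, would make that expectation explicit.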
diff --git a/modules/certificate-manager/versions.tf b/modules/certificate-manager/versions.tf
new file mode 100644
index 0000000000..d1f29b96bb
--- /dev/null
+++ b/modules/certificate-manager/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.7.4"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.34.0, < 6.0.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 5.34.0, < 6.0.0" # tftest
+ }
+ }
+}
diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml
new file mode 100644
index 0000000000..2a5a075648
--- /dev/null
+++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-ca-service.yaml
@@ -0,0 +1,142 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_privateca_ca_pool.pool:
+ issuance_policy: []
+ labels: null
+ location: us-central1
+ name: ca-pool
+ project: project-id
+ publishing_options: []
+ tier: ENTERPRISE
+ timeouts: null
+ google_privateca_certificate_authority.ca_authority:
+ certificate_authority_id: ca-authority
+ config:
+ - subject_config:
+ - subject:
+ - common_name: my-company-authority
+ country_code: null
+ locality: null
+ organization: My Company
+ organizational_unit: null
+ postal_code: null
+ province: null
+ street_address: null
+ subject_alt_name:
+ - dns_names:
+ - mycompany.org
+ email_addresses: null
+ ip_addresses: null
+ uris: null
+ subject_key_id: []
+ x509_config:
+ - additional_extensions: []
+ aia_ocsp_servers: null
+ ca_options:
+ - is_ca: true
+ max_issuer_path_length: null
+ non_ca: null
+ zero_max_issuer_path_length: null
+ key_usage:
+ - base_key_usage:
+ - cert_sign: true
+ content_commitment: null
+ crl_sign: true
+ data_encipherment: null
+ decipher_only: null
+ digital_signature: null
+ encipher_only: null
+ key_agreement: null
+ key_encipherment: null
+ extended_key_usage:
+ - client_auth: null
+ code_signing: null
+ email_protection: null
+ ocsp_signing: null
+ server_auth: true
+ time_stamping: null
+ unknown_extended_key_usages: []
+ name_constraints: []
+ policy_ids: []
+ deletion_protection: false
+ desired_state: null
+ gcs_bucket: null
+ ignore_active_certificates_on_deletion: true
+ key_spec:
+ - algorithm: RSA_PKCS1_4096_SHA256
+ cloud_kms_key_version: null
+ labels: null
+ lifetime: 315360000s
+ location: us-central1
+ pem_ca_certificate: null
+ pool: ca-pool
+ project: project-id
+ skip_grace_period: true
+ subordinate_config: []
+ timeouts: null
+ type: SELF_SIGNED
+ module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+ description: null
+ labels: null
+ location: global
+ managed:
+ - dns_authorizations: null
+ domains:
+ - mydomain.mycompany.org
+ issuance_config: my-issuance-config
+ name: my-certificate-1
+ project: project-id
+ scope: null
+ self_managed: []
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_issuance_config.default["my-issuance-config"]:
+ certificate_authority_config:
+ - certificate_authority_service_config:
+ - {}
+ description: null
+ key_algorithm: ECDSA_P256
+ labels: null
+ lifetime: 1814400s
+ location: global
+ name: my-issuance-config
+ project: project-id
+ rotation_window_percentage: 34
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+ description: My certificate map
+ labels: null
+ name: my-certificate-map
+ project: project-id
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+ description: null
+ hostname: null
+ labels: null
+ map: my-certificate-map
+ matcher: PRIMARY
+ name: mydomain-mycompany-org
+ project: project-id
+ timeouts: null
+
+counts:
+ google_certificate_manager_certificate: 1
+ google_certificate_manager_certificate_issuance_config: 1
+ google_certificate_manager_certificate_map: 1
+ google_certificate_manager_certificate_map_entry: 1
+ google_privateca_ca_pool: 1
+ google_privateca_certificate_authority: 1
+ modules: 1
+ resources: 6
\ No newline at end of file
diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml
new file mode 100644
index 0000000000..5864dd7f2c
--- /dev/null
+++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-dns-authz.yaml
@@ -0,0 +1,62 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+ description: null
+ labels: null
+ location: global
+ managed:
+ - dns_authorizations:
+ - mydomain-mycompany-org
+ domains:
+ - mydomain.mycompany.org
+ issuance_config: null
+ name: my-certificate-1
+ project: project-id
+ scope: null
+ self_managed: []
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+ description: My certificate map
+ labels: null
+ name: my-certificate-map
+ project: project-id
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+ description: null
+ hostname: null
+ labels: null
+ map: my-certificate-map
+ matcher: PRIMARY
+ name: mydomain-mycompany-org
+ project: project-id
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_dns_authorization.dns_authorizations["mydomain-mycompany-org"]:
+ description: null
+ domain: mydomain.mycompany.org
+ labels: null
+ location: global
+ name: mydomain-mycompany-org
+ project: project-id
+ timeouts: null
+ type: PER_PROJECT_RECORD
+
+counts:
+ google_certificate_manager_certificate: 1
+ google_certificate_manager_certificate_map: 1
+ google_certificate_manager_certificate_map_entry: 1
+ google_certificate_manager_dns_authorization: 1
+ modules: 1
+ resources: 4
\ No newline at end of file
diff --git a/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml b/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml
new file mode 100644
index 0000000000..f153637aa7
--- /dev/null
+++ b/tests/modules/certificate_manager/examples/map-with-managed-cert-lb-authz.yaml
@@ -0,0 +1,51 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+ description: null
+ labels: null
+ location: global
+ managed:
+ - dns_authorizations: null
+ domains:
+ - mydomain.mycompany.org
+ issuance_config: null
+ name: my-certificate-1
+ project: project-id
+ scope: null
+ self_managed: []
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+ description: My certificate map
+ labels: null
+ name: my-certificate-map
+ project: project-id
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+ description: null
+ hostname: null
+ labels: null
+ map: my-certificate-map
+ matcher: PRIMARY
+ name: mydomain-mycompany-org
+ project: project-id
+ timeouts: null
+
+counts:
+ google_certificate_manager_certificate: 1
+ google_certificate_manager_certificate_map: 1
+ google_certificate_manager_certificate_map_entry: 1
+ modules: 1
+ resources: 3
\ No newline at end of file
diff --git a/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml b/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml
new file mode 100644
index 0000000000..804cbaf093
--- /dev/null
+++ b/tests/modules/certificate_manager/examples/map-with-self-managed-cert.yaml
@@ -0,0 +1,79 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+ description: null
+ labels: null
+ location: global
+ managed: []
+ name: my-certificate-1
+ project: project-id
+ scope: null
+ self_managed:
+ - certificate_pem: null
+ private_key_pem: null
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map.map[0]:
+ description: My certificate map
+ labels: null
+ name: my-certificate-map
+ project: project-id
+ timeouts: null
+ module.certificate-manager.google_certificate_manager_certificate_map_entry.entries["mydomain-mycompany-org"]:
+ description: null
+ hostname: mydomain.mycompany.org
+ labels: null
+ map: my-certificate-map
+ matcher: null
+ name: mydomain-mycompany-org
+ project: project-id
+ timeouts: null
+ tls_private_key.private_key:
+ algorithm: RSA
+ ecdsa_curve: P224
+ rsa_bits: 2048
+ tls_self_signed_cert.cert:
+ allowed_uses:
+ - key_encipherment
+ - digital_signature
+ - server_auth
+ dns_names: null
+ early_renewal_hours: 0
+ ip_addresses: null
+ is_ca_certificate: false
+ ready_for_renewal: false
+ set_authority_key_id: false
+ set_subject_key_id: false
+ subject:
+ - common_name: example.com
+ country: null
+ locality: null
+ organization: ACME Examples, Inc
+ organizational_unit: null
+ postal_code: null
+ province: null
+ serial_number: null
+ street_address: null
+ uris: null
+ validity_period_hours: 720
+
+counts:
+ google_certificate_manager_certificate: 1
+ google_certificate_manager_certificate_map: 1
+ google_certificate_manager_certificate_map_entry: 1
+ modules: 1
+ resources: 5
+ tls_private_key: 1
+ tls_self_signed_cert: 1
\ No newline at end of file
diff --git a/tests/modules/certificate_manager/examples/self-managed-cert.yaml b/tests/modules/certificate_manager/examples/self-managed-cert.yaml
new file mode 100644
index 0000000000..a80aac794a
--- /dev/null
+++ b/tests/modules/certificate_manager/examples/self-managed-cert.yaml
@@ -0,0 +1,62 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.certificate-manager.google_certificate_manager_certificate.certificates["my-certificate-1"]:
+ description: null
+ labels: null
+ location: global
+ managed: []
+ name: my-certificate-1
+ project: project-id
+ scope: null
+ self_managed:
+ - certificate_pem: null
+ private_key_pem: null
+ timeouts: null
+ tls_private_key.private_key:
+ algorithm: RSA
+ ecdsa_curve: P224
+ rsa_bits: 2048
+ tls_self_signed_cert.cert:
+ allowed_uses:
+ - key_encipherment
+ - digital_signature
+ - server_auth
+ dns_names: null
+ early_renewal_hours: 0
+ ip_addresses: null
+ is_ca_certificate: false
+ ready_for_renewal: false
+ set_authority_key_id: false
+ set_subject_key_id: false
+ subject:
+ - common_name: example.com
+ country: null
+ locality: null
+ organization: ACME Examples, Inc
+ organizational_unit: null
+ postal_code: null
+ province: null
+ serial_number: null
+ street_address: null
+ uris: null
+ validity_period_hours: 720
+
+counts:
+ google_certificate_manager_certificate: 1
+ modules: 1
+ resources: 3
+ tls_private_key: 1
+ tls_self_signed_cert: 1
\ No newline at end of file