Skip to content

Commit

Permalink
Add Certificate Authority Resource (Certificate Authority Service) (#…
Browse files Browse the repository at this point in the history 
…4382) (#8233)

* Add resource google_privateca_certificate_authority

In Certificate Authority Service (privateca).

See
https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1beta1/projects.locations.certificateAuthorities
for resource documentation.

Notes:
- This change doesn't implement support for subordinate CAs, which require
  additional customization because they must be activated.

Customizations:
- Use POST :scheduleDelete to delete the resource (delete is not supported)
- On pre_delete, POST :disable to disable the resources (required for scheduling
  deletd)
- Check resource deletion by checking that status is DELETION_PENDING

* Set key_spec input=true

Co-authored-by: Scott Suarez <[email protected]>

* Make algorithm required

Co-authored-by: Scott Suarez <[email protected]>

* Make include_ca_cert_url required.

Co-authored-by: Scott Suarez <[email protected]>

* Make include_crl_access_url required.

Co-authored-by: Scott Suarez <[email protected]>

* Mark additional required fields as required, and add createTime/updateTime.

* Fix tests by removing required markers where default_value is also set.

Co-authored-by: Scott Suarez <[email protected]>
Signed-off-by: Modular Magician <[email protected]>

Co-authored-by: Scott Suarez <[email protected]>
  • Loading branch information
@modular-magician @ScottSuarez
modular-magician and ScottSuarez authored Jan 15, 2021
1 parent a8ff070 commit 4cf5036
Show file tree
Hide file tree
Showing 3 changed files with 378 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .changelog/4382.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:new-resource
`google_privateca_certificate_authority`
```
359 changes: 359 additions & 0 deletions website/docs/r/privateca_certificate_authority.html.markdown
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,359 @@
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Certificate Authority"
layout: "google"
page_title: "Google: google_privateca_certificate_authority"
sidebar_current: "docs-google-privateca-certificate-authority"
description: |-
A CertificateAuthority represents an individual Certificate Authority.
---

# google\_privateca\_certificate\_authority

A CertificateAuthority represents an individual Certificate Authority. A
CertificateAuthority can be used to create Certificates.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.

To get more information about CertificateAuthority, see:

* [API documentation](https://https://cloud.google.com/certificate-authority-service/docs/reference/rest)
* How-to Guides
* [Official Documentation](https://cloud.google.com/certificate-authority-service)

<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Basic


```hcl
resource "google_privateca_certificate_authority" "default" {
provider = google-beta
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
config {
subject_config {
subject {
organization = "HashiCorp"
}
common_name = "my-certificate-authority"
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
reusable_config {
reusable_config = "projects/568668481468/locations/us-central1/reusableConfigs/root-unconstrained"
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_full&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Privateca Certificate Authority Full


```hcl
resource "google_privateca_certificate_authority" "default" {
provider = google-beta
certificate_authority_id = "my-certificate-authority"
location = "us-central1"
tier = "DEVOPS"
config {
subject_config {
subject {
country_code = "US"
organization = "HashiCorp"
organizational_unit = "Terraform"
locality = "San Francisco"
province = "CA"
street_address = "101 2nd St #700"
postal_code = "94105"
}
common_name = "my-certificate-authority"
subject_alt_name {
dns_names = ["hashicorp.com"]
email_addresses = ["[email protected]"]
ip_addresses = ["127.0.0.1"]
uris = ["http://www.ietf.org/rfc/rfc3986.txt"]
}
}
reusable_config {
reusable_config = "projects/568668481468/locations/us-central1/reusableConfigs/root-unconstrained"
}
}
lifetime = "86400s"
issuing_options {
include_ca_cert_url = true
include_crl_access_url = false
}
key_spec {
algorithm = "EC_P256_SHA256"
}
}
```

## Argument Reference

The following arguments are supported:


* `location` -
(Required)
Location of the Certificate Authority.

* `certificate_authority_id` -
(Required)
GCP region of the Realm.

* `config` -
(Required)
The config used to create a self-signed X.509 certificate or CSR.
Structure is documented below.

* `key_spec` -
(Required)
Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
certificate. Otherwise, it is used to sign a CSR.
Structure is documented below.


The `config` block supports:

* `subject_config` -
(Required)
Specifies some of the values in a certificate that are related to the subject.
Structure is documented below.

* `reusable_config` -
(Required)
Specifies some of the values in a certificate that are related to the subject.
Structure is documented below.


The `subject_config` block supports:

* `subject` -
(Required)
Contains distinguished name fields such as the location and organization.
Structure is documented below.

* `common_name` -
(Optional)
The common name of the distinguished name.

* `subject_alt_name` -
(Optional)
The subject alternative name fields.
Structure is documented below.


The `subject` block supports:

* `country_code` -
(Optional)
The country code of the subject.

* `organization` -
(Optional)
The organization of the subject.

* `organizational_unit` -
(Optional)
The organizational unit of the subject.

* `locality` -
(Optional)
The locality or city of the subject.

* `province` -
(Optional)
The province, territory, or regional state of the subject.

* `street_address` -
(Optional)
The street address of the subject.

* `postal_code` -
(Optional)
The postal code of the subject.

The `subject_alt_name` block supports:

* `dns_names` -
(Optional)
Contains only valid, fully-qualified host names.

* `uris` -
(Optional)
Contains only valid RFC 3986 URIs.

* `email_addresses` -
(Optional)
Contains only valid RFC 2822 E-mail addresses.

* `ip_addresses` -
(Optional)
Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.

The `reusable_config` block supports:

* `reusable_config` -
(Required)
A resource path to a ReusableConfig in the format
projects/*/locations/*/reusableConfigs/*.

The `key_spec` block supports:

* `algorithm` -
(Required)
The algorithm to use for creating a managed Cloud KMS key for a for a simplified
experience. All managed keys will be have their ProtectionLevel as HSM.
Possible values are `SIGN_HASH_ALGORITHM_UNSPECIFIED`, `RSA_PSS_2048_SHA256`, `RSA_PSS_3072_SHA256`, `RSA_PSS_4096_SHA256`, `RSA_PKCS1_2048_SHA256`, `RSA_PKCS1_3072_SHA256`, `RSA_PKCS1_4096_SHA256`, `EC_P256_SHA256`, and `EC_P384_SHA384`.

- - -


* `type` -
(Optional)
The Type of this CertificateAuthority.
Default value is `SELF_SIGNED`.
Possible values are `SELF_SIGNED`.

* `tier` -
(Optional)
The Tier of this CertificateAuthority.
Default value is `ENTERPRISE`.
Possible values are `ENTERPRISE` and `DEVOPS`.

* `lifetime` -
(Optional)
The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
"notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
fractional digits, terminated by 's'. Example: "3.5s".

* `issuing_options` -
(Optional)
Options that affect all certificates issued by a CertificateAuthority.
Structure is documented below.

* `gcs_bucket` -
(Optional)
The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
(such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named
my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be
created.

* `labels` -
(Optional)
Labels with user-defined metadata.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
"1.3kg", "count": "3" }.

* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.


The `issuing_options` block supports:

* `include_ca_cert_url` -
(Optional)
When true, includes a URL to the issuing CA certificate in the "authority
information access" X.509 extension.

* `include_crl_access_url` -
(Optional)
When true, includes a URL to the CRL corresponding to certificates issued from a
CertificateAuthority. CRLs will expire 7 days from their creation. However, we will
rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

## Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/certificateAuthorities/{{certificate_authority_id}}`

* `name` -
The resource name for this CertificateAuthority in the format
projects/*/locations/*/certificateAuthorities/*.

* `state` -
The State for this CertificateAuthority.

* `pem_ca_certificates` -
This CertificateAuthority's certificate chain, including the current
CertificateAuthority's certificate. Ordered such that the root issuer is the final
element (consistent with RFC 5246). For a self-signed CA, this will only list the current
CertificateAuthority's certificate.

* `access_urls` -
URLs for accessing content published by this CA, such as the CA certificate and CRLs.
Structure is documented below.

* `create_time` -
The time at which this CertificateAuthority was created.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

* `update_time` -
The time at which this CertificateAuthority was updated.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".


The `access_urls` block contains:

* `ca_certificate_access_url` -
The URL where this CertificateAuthority's CA certificate is published. This will only be
set for CAs that have been activated.

* `crl_access_url` -
The URL where this CertificateAuthority's CRLs are published. This will only be set for
CAs that have been activated.

## Timeouts

This resource provides the following
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:

- `create` - Default is 4 minutes.
- `update` - Default is 4 minutes.
- `delete` - Default is 4 minutes.

## Import


CertificateAuthority can be imported using any of these accepted formats:

```
$ terraform import google_privateca_certificate_authority.default projects/{{project}}/locations/{{location}}/certificateAuthorities/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{project}}/{{location}}/{{certificate_authority_id}}
$ terraform import google_privateca_certificate_authority.default {{location}}/{{certificate_authority_id}}
```

## User Project Overrides

This resource supports [User Project Overrides](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#user_project_override).
16 changes: 16 additions & 0 deletions website/google.erb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -355,6 +355,22 @@
</ul>
</li>

<li>
<a href="#">Certificate Authority</a>
<ul class="nav">
<li>
<a href="#">Resources</a>
<ul class="nav nav-auto-expand">

<li>
<a href="/docs/providers/google/r/privateca_certificate_authority.html">google_privateca_certificate_authority</a>
</li>

</ul>
</li>
</ul>
</li>

<li>
<a href="#">Cloud (Stackdriver) Logging</a>
<ul class="nav">
Expand Down

0 comments on commit 4cf5036

Please sign in to comment.