Google Certificate Authority Service Privateca CA Pool

This page shows how to write Terraform for the Certificate Authority Service Privateca CA Pool resource and how to configure it securely.

google_privateca_ca_pool (Terraform)

The Privateca CA Pool in Certificate Authority Service can be configured in Terraform with the resource name google_privateca_ca_pool. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • name - (Required) The name for this CaPool.

  • tier - (Required) The Tier of this CaPool. Possible values are ENTERPRISE and DEVOPS.

  • location - (Required) Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.

  • issuance_policy - (Optional) The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.

  • publishing_options - (Optional) The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

  • labels - (Optional) Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The issuance_policy block supports:

  • allowed_key_types - (Optional) If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.

  • maximum_lifetime - (Optional) The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

  • allowed_issuance_modes - (Optional) IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.

  • identity_constraints - (Optional) Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.

  • baseline_values - (Optional) A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.

The allowed_key_types block supports:

  • rsa - (Optional) Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

  • elliptic_curve - (Optional) Represents an allowed Elliptic Curve key type. Structure is documented below.

The rsa block supports:

  • min_modulus_size - (Optional) The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

  • max_modulus_size - (Optional) The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.

The elliptic_curve block supports:

  • signature_algorithm - (Required) The algorithm used. Possible values are ECDSA_P256, ECDSA_P384, and EDDSA_25519.

The allowed_issuance_modes block supports:

  • allow_csr_based_issuance - (Required) When true, allows callers to create Certificates by specifying a CSR.

  • allow_config_based_issuance - (Required) When true, allows callers to create Certificates by specifying a CertificateConfig.

The identity_constraints block supports:

  • allow_subject_passthrough - (Required) If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.

  • allow_subject_alt_names_passthrough - (Required) If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.

  • cel_expression - (Optional) A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

The cel_expression block supports:

  • expression - (Required) Textual representation of an expression in Common Expression Language syntax.

  • title - (Optional) Title for the expression, i.e. a short string describing its purpose. This can be used, for example, in UIs that let a user enter the expression.

  • description - (Optional) Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • location - (Optional) String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.

The baseline_values block supports:

  • additional_extensions - (Optional) Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.

  • policy_ids - (Optional) Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

  • aia_ocsp_servers - (Optional) Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.

  • ca_options - (Required) Describes values that are relevant in a CA certificate. Structure is documented below.

  • key_usage - (Required) Indicates the intended use for keys that correspond to a certificate. Structure is documented below.

The additional_extensions block supports:

  • critical - (Required) Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).

  • value - (Required) The value of this X.509 extension. A base64-encoded string.

  • object_id - (Required) The object identifier (OID) that identifies this X.509 extension. Structure is documented below.

The object_id block supports:

  • object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The policy_ids block supports:

  • object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The ca_options block supports:

  • is_ca - (Optional) Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.

  • max_issuer_path_length - (Optional) Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.

The key_usage block supports:

  • base_key_usage - (Required) Describes high-level ways in which a key may be used. Structure is documented below.

  • extended_key_usage - (Required) Describes the specific purposes (such as server or client authentication) for which a key may be used. Structure is documented below.

  • unknown_extended_key_usages - (Optional) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

The base_key_usage block supports:

  • digital_signature - (Optional) The key may be used for digital signatures.

  • content_commitment - (Optional) The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".

  • key_encipherment - (Optional) The key may be used to encipher other keys.

  • data_encipherment - (Optional) The key may be used to encipher data.

  • key_agreement - (Optional) The key may be used in a key agreement protocol.

  • cert_sign - (Optional) The key may be used to sign certificates.

  • crl_sign - (Optional) The key may be used to sign certificate revocation lists.

  • encipher_only - (Optional) The key may be used to encipher only.

  • decipher_only - (Optional) The key may be used to decipher only.

The extended_key_usage block supports:

  • server_auth - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.

  • client_auth - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.

  • code_signing - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".

  • email_protection - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".

  • time_stamping - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

  • ocsp_signing - (Optional) Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".

The unknown_extended_key_usages block supports:

  • object_id_path - (Required) An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

The publishing_options block supports:

  • publish_ca_cert - (Required) When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.

  • publish_crl - (Required) When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/caPools/{{name}}
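The following configuration is an added example, not code from the original page or from the Terraform provider's documentation. It ties the parameters above together into a CA pool whose issuance policy limits accepted key types, caps certificate lifetime, requires CSR-based issuance (so the requester keeps the private key), validates requested identities with a CEL expression, pins key usage on every issued certificate and publishes the CA certificate and CRL so relying parties can build chains and check revocation. The project ID, location, resource names, label values and the DNS suffix in the CEL expression are constructed placeholders; the shape of the CEL expression is assumed from the syntax in the CEL guide linked above and should be checked against that guide before use.

```hcl
# Added example: a hardened google_privateca_ca_pool for issuing short-lived
# internal TLS leaf certificates. All names and IDs below are placeholders.

resource "google_privateca_ca_pool" "internal_tls" {
  name     = "internal-tls-pool" # placeholder pool name
  location = "us-central1"       # choose from `gcloud privateca locations list`
  tier     = "ENTERPRISE"        # ENTERPRISE is needed for revocation and CRL publishing
  project  = "example-project"   # placeholder project ID

  issuance_policy {
    # Accept only RSA keys of 3072-4096 bits ...
    allowed_key_types {
      rsa {
        min_modulus_size = 3072
        max_modulus_size = 4096
      }
    }
    # ... or ECDSA keys on P-256 / P-384. Anything else is rejected at request time.
    allowed_key_types {
      elliptic_curve {
        signature_algorithm = "ECDSA_P256"
      }
    }
    allowed_key_types {
      elliptic_curve {
        signature_algorithm = "ECDSA_P384"
      }
    }

    # Cap leaf lifetime at 30 days (duration in seconds, "s" suffix).
    # Longer requested lifetimes are truncated to this value.
    maximum_lifetime = "2592000s"

    # Only CSR-based issuance: the requester generates and holds the private key.
    allowed_issuance_modes {
      allow_csr_based_issuance    = true
      allow_config_based_issuance = false
    }

    # Keep the requested Subject and SANs, but validate them before signing.
    identity_constraints {
      allow_subject_passthrough           = true
      allow_subject_alt_names_passthrough = true
      cel_expression {
        title       = "internal-dns-only"
        description = "Every SAN must be a DNS name under the internal zone"
        # Assumed CEL shape (see the linked CEL guide); ".internal.example" is a placeholder zone.
        expression  = "subject_alt_names.all(san, san.type == DNS && san.value.endsWith('.internal.example'))"
      }
    }

    # Values stamped onto every certificate from this pool; conflicting values
    # in a request are overwritten by these.
    baseline_values {
      ca_options {
        is_ca = false # this pool never issues CA certificates
      }
      key_usage {
        base_key_usage {
          digital_signature = true
          key_encipherment  = true
        }
        extended_key_usage {
          server_auth = true
          client_auth = true
        }
      }
    }
  }

  # Publish the CA certificate (AIA extension) and CRL (CRL Distribution Points)
  # so clients can fetch the chain and check revocation status.
  publishing_options {
    publish_ca_cert = true
    publish_crl     = true
  }

  labels = {
    env   = "prod"              # placeholder label values
    owner = "platform-security"
  }
}
```

The two settings most worth reviewing in an existing pool are allowed_issuance_modes and identity_constraints: leaving allow_config_based_issuance enabled lets callers obtain certificates without supplying a CSR, and omitting identity_constraints means the pool places no restriction on which Subjects or SANs end up in signed certificates beyond what the CertificateAuthority itself enforces.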

Explanation in Terraform Registry

A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

Frequently asked questions

What is Google Certificate Authority Service Privateca CA Pool?

Google Certificate Authority Service Privateca CA Pool is a resource for Certificate Authority Service of Google Cloud Platform. Settings can be written in Terraform.
