
Text file src/github.com/GoogleCloudPlatform/k8s-config-connector/scripts/resource-autogen/generated/samples/Privateca-PrivatecaCertificate-privateca_certificate_config/main.tf

Documentation: github.com/GoogleCloudPlatform/k8s-config-connector/scripts/resource-autogen/generated/samples/Privateca-PrivatecaCertificate-privateca_certificate_config

     1/**
     2 * Copyright 2022 Google LLC
     3 *
     4 * Licensed under the Apache License, Version 2.0 (the "License");
     5 * you may not use this file except in compliance with the License.
     6 * You may obtain a copy of the License at
     7 *
     8 *      http://www.apache.org/licenses/LICENSE-2.0
     9 *
    10 * Unless required by applicable law or agreed to in writing, software
    11 * distributed under the License is distributed on an "AS IS" BASIS,
    12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13 * See the License for the specific language governing permissions and
    14 * limitations under the License.
    15 */
    16
    17```hcl
    # CA pool that the certificate authority and the certificate below are created in.
    # No issuance_policy block is set, so the pool itself places no limits on key
    # types, lifetimes or requested identities. That is fine for a sample; a pool
    # used for real issuance would normally define one.
    resource "google_privateca_ca_pool" "default" {
      name     = "my-pool"
      location = "us-central1"
      tier     = "ENTERPRISE"
    }
    23
    # Certificate authority created in the pool above; it is the issuer of the
    # sample certificate further down.
    # NOTE(review): `type` is not set, so the provider default applies, presumably
    # a self-signed root. Confirm before reusing this outside a test.
    resource "google_privateca_certificate_authority" "default" {
      certificate_authority_id = "my-authority"
      location                 = "us-central1"
      pool                     = google_privateca_ca_pool.default.name

      config {
        # Sample subject and SAN values; they identify the CA in every chain it signs.
        subject_config {
          subject {
            common_name  = "my-certificate-authority"
            organization = "HashiCorp"
          }
          subject_alt_name {
            dns_names = ["hashicorp.com"]
          }
        }

        x509_config {
          ca_options {
            is_ca = true
          }
          key_usage {
            # cert_sign and crl_sign are the usages a CA needs to sign
            # certificates and revocation lists.
            base_key_usage {
              cert_sign = true
              crl_sign  = true
            }
            # NOTE(review): an extended key usage on a CA certificate is treated by
            # some validators as a limit on what the CA may issue. Confirm that
            # server_auth here is intended.
            extended_key_usage {
              server_auth = true
            }
          }
        }
      }

      # The signing key is specified by algorithm only; no existing key is referenced.
      key_spec {
        algorithm = "RSA_PKCS1_4096_SHA256"
      }

      # Test-fixture cleanup settings. Together they let the CA be destroyed
      # immediately: deletion protection is off, the undelete grace period is
      # skipped, and certificates that are still active do not block deletion.
      # Do not copy these three lines into a CA that issues certificates anyone
      # relies on.
      deletion_protection                    = false
      skip_grace_period                      = true
      ignore_active_certificates_on_deletion = true
    }
    62
    # Certificate issued by the CA above for a caller-supplied public key, with the
    # X.509 parameters spelled out inline in `config`.
    resource "google_privateca_certificate" "default" {
      name                  = "my-certificate"
      location              = "us-central1"
      pool                  = google_privateca_ca_pool.default.name
      certificate_authority = google_privateca_certificate_authority.default.certificate_authority_id

      # Just under 24 hours (a full day would be 86400s).
      lifetime = "86000s"

      config {
        # Sample identity values for the issued certificate.
        subject_config {
          subject {
            common_name         = "san1.example.com"
            organization        = "google"
            organizational_unit = "enterprise"
            street_address      = "1600 amphitheatre parkway"
            locality            = "mountain view"
            province            = "california"
            country_code        = "us"
          }
          subject_alt_name {
            email_addresses = ["email@example.com"]
            ip_addresses    = ["127.0.0.1"]
            uris            = ["http://www.ietf.org/rfc/rfc3986.txt"]
          }
        }

        x509_config {
          # NOTE(review): is_ca = true marks the issued certificate as a CA
          # certificate, which is what gives the name_constraints below any effect.
          # base_key_usage does not set cert_sign, though. Confirm whether a
          # subordinate CA or an end-entity certificate is intended before reusing
          # this block.
          ca_options {
            is_ca = true
          }

          # The usages listed here are explicitly turned off.
          key_usage {
            base_key_usage {
              crl_sign      = false
              decipher_only = false
            }
            extended_key_usage {
              server_auth = false
            }
          }

          # Marked critical: a validator that does not process the extension must
          # reject the certificate instead of ignoring the limits. Each name type
          # has a permitted entry and an excluded entry.
          name_constraints {
            critical                  = true
            permitted_dns_names       = ["*.example.com"]
            excluded_dns_names        = ["*.deny.example.com"]
            permitted_ip_ranges       = ["10.0.0.0/8"]
            excluded_ip_ranges        = ["10.1.1.0/24"]
            permitted_email_addresses = [".example.com"]
            excluded_email_addresses  = [".deny.example.com"]
            permitted_uris            = [".example.com"]
            excluded_uris             = [".deny.example.com"]
          }
        }

        # Only a public key is supplied (a PEM file, going by its name, read and
        # base64-encoded by filebase64), so no private key material appears in
        # this configuration.
        public_key {
          format = "PEM"
          key    = filebase64("test-fixtures/rsa_public.pem")
        }
      }
    }
   117```
