---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# gcp_privateca_ca_pool{% #gcp_privateca_ca_pool %}

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `issuance_policy`{% #issuance_policy %}

**Type**: `STRUCT` **Provider name**: `issuancePolicy` **Description**: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.

- `allowed_issuance_modes` **Type**: `STRUCT` **Provider name**: `allowedIssuanceModes` **Description**: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
  - `allow_config_based_issuance` **Type**: `BOOLEAN` **Provider name**: `allowConfigBasedIssuance` **Description**: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
  - `allow_csr_based_issuance` **Type**: `BOOLEAN` **Provider name**: `allowCsrBasedIssuance` **Description**: Optional. When true, allows callers to create Certificates by specifying a CSR.
- `allowed_key_types` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `allowedKeyTypes` **Description**: Optional. If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used.
  - `elliptic_curve` **Type**: `STRUCT` **Provider name**: `ellipticCurve` **Description**: Represents an allowed Elliptic Curve key type.
    - `signature_algorithm` **Type**: `STRING` **Provider name**: `signatureAlgorithm` **Description**: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed. **Possible values**:
      - `EC_SIGNATURE_ALGORITHM_UNSPECIFIED` - Not specified. Signifies that any signature algorithm may be used.
      - `ECDSA_P256` - Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
      - `ECDSA_P384` - Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
      - `EDDSA_25519` - Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.
  - `rsa` **Type**: `STRUCT` **Provider name**: `rsa` **Description**: Represents an allowed RSA key type.
    - `max_modulus_size` **Type**: `INT64` **Provider name**: `maxModulusSize` **Description**: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    - `min_modulus_size` **Type**: `INT64` **Provider name**: `minModulusSize` **Description**: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
- `backdate_duration` **Type**: `STRING` **Provider name**: `backdateDuration` **Description**: Optional. The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
- `baseline_values` **Type**: `STRUCT` **Provider name**: `baselineValues` **Description**: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
  - `additional_extensions` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `additionalExtensions` **Description**: Optional. Describes custom X.509 extensions.
    - `critical` **Type**: `BOOLEAN` **Provider name**: `critical` **Description**: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    - `object_id` **Type**: `STRUCT` **Provider name**: `objectId` **Description**: Required. The OID for this X.509 extension.
      - `object_id_path` **Type**: `UNORDERED_LIST_INT32` **Provider name**: `objectIdPath` **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
  - `aia_ocsp_servers` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `aiaOcspServers` **Description**: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
  - `ca_options` **Type**: `STRUCT` **Provider name**: `caOptions` **Description**: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with `is_ca=false` will be added for leaf certificates.
    - `is_ca` **Type**: `BOOLEAN` **Provider name**: `isCa` **Description**: Optional. Refers to the "CA" boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
    - `max_issuer_path_length` **Type**: `INT32` **Provider name**: `maxIssuerPathLength` **Description**: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
  - `key_usage` **Type**: `STRUCT` **Provider name**: `keyUsage` **Description**: Optional. Indicates the intended use for keys that correspond to a certificate.
    - `base_key_usage` **Type**: `STRUCT` **Provider name**: `baseKeyUsage` **Description**: Describes high-level ways in which a key may be used.
      - `cert_sign` **Type**: `BOOLEAN` **Provider name**: `certSign` **Description**: The key may be used to sign certificates.
      - `content_commitment` **Type**: `BOOLEAN` **Provider name**: `contentCommitment` **Description**: The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
      - `crl_sign` **Type**: `BOOLEAN` **Provider name**: `crlSign` **Description**: The key may be used to sign certificate revocation lists.
      - `data_encipherment` **Type**: `BOOLEAN` **Provider name**: `dataEncipherment` **Description**: The key may be used to encipher data.
      - `decipher_only` **Type**: `BOOLEAN` **Provider name**: `decipherOnly` **Description**: The key may be used to decipher only.
      - `digital_signature` **Type**: `BOOLEAN` **Provider name**: `digitalSignature` **Description**: The key may be used for digital signatures.
      - `encipher_only` **Type**: `BOOLEAN` **Provider name**: `encipherOnly` **Description**: The key may be used to encipher only.
      - `key_agreement` **Type**: `BOOLEAN` **Provider name**: `keyAgreement` **Description**: The key may be used in a key agreement protocol.
      - `key_encipherment` **Type**: `BOOLEAN` **Provider name**: `keyEncipherment` **Description**: The key may be used to encipher other keys.
    - `extended_key_usage` **Type**: `STRUCT` **Provider name**: `extendedKeyUsage` **Description**: Detailed scenarios in which a key may be used.
      - `client_auth` **Type**: `BOOLEAN` **Provider name**: `clientAuth` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
      - `code_signing` **Type**: `BOOLEAN` **Provider name**: `codeSigning` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
      - `email_protection` **Type**: `BOOLEAN` **Provider name**: `emailProtection` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
      - `ocsp_signing` **Type**: `BOOLEAN` **Provider name**: `ocspSigning` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
      - `server_auth` **Type**: `BOOLEAN` **Provider name**: `serverAuth` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
      - `time_stamping` **Type**: `BOOLEAN` **Provider name**: `timeStamping` **Description**: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    - `unknown_extended_key_usages` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `unknownExtendedKeyUsages` **Description**: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
      - `object_id_path` **Type**: `UNORDERED_LIST_INT32` **Provider name**: `objectIdPath` **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
  - `name_constraints` **Type**: `STRUCT` **Provider name**: `nameConstraints` **Description**: Optional. Describes the X.509 name constraints extension.
    - `critical` **Type**: `BOOLEAN` **Provider name**: `critical` **Description**: Indicates whether or not the name constraints are marked critical.
    - `excluded_dns_names` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `excludedDnsNames` **Description**: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not.
    - `excluded_email_addresses` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `excludedEmailAddresses` **Description**: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.
    - `excluded_ip_ranges` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `excludedIpRanges` **Description**: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in a similar encoding to IPv4 addresses.
    - `excluded_uris` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `excludedUris` **Description**: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
    - `permitted_dns_names` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `permittedDnsNames` **Description**: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com` while `example1.com` does not.
    - `permitted_email_addresses` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `permittedEmailAddresses` **Description**: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.
    - `permitted_ip_ranges` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `permittedIpRanges` **Description**: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in a similar encoding to IPv4 addresses.
    - `permitted_uris` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `permittedUris` **Description**: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like `.example.com`).
  - `policy_ids` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `policyIds` **Description**: Optional. Describes the X.509 certificate policy object identifiers, per [https://tools.ietf.org/html/rfc5280#section-4.2.1.4](https://tools.ietf.org/html/rfc5280#section-4.2.1.4).
    - `object_id_path` **Type**: `UNORDERED_LIST_INT32` **Provider name**: `objectIdPath` **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
- `identity_constraints` **Type**: `STRUCT` **Provider name**: `identityConstraints` **Description**: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity.
  - `allow_subject_alt_names_passthrough` **Type**: `BOOLEAN` **Provider name**: `allowSubjectAltNamesPassthrough` **Description**: Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
  - `allow_subject_passthrough` **Type**: `BOOLEAN` **Provider name**: `allowSubjectPassthrough` **Description**: Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
  - `cel_expression` **Type**: `STRUCT` **Provider name**: `celExpression` **Description**: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see [https://cloud.google.com/certificate-authority-service/docs/using-cel](https://cloud.google.com/certificate-authority-service/docs/using-cel).
    - `description` **Type**: `STRING` **Provider name**: `description` **Description**: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovering over it in a UI.
    - `expression` **Type**: `STRING` **Provider name**: `expression` **Description**: Textual representation of an expression in Common Expression Language syntax.
    - `location` **Type**: `STRING` **Provider name**: `location` **Description**: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    - `title` **Type**: `STRING` **Provider name**: `title` **Description**: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used, e.g., in UIs that allow entering the expression.
- `maximum_lifetime` **Type**: `STRING` **Provider name**: `maximumLifetime` **Description**: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
- `passthrough_extensions` **Type**: `STRUCT` **Provider name**: `passthroughExtensions` **Description**: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool's baseline_values.
  - `additional_extensions` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `additionalExtensions` **Description**: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
    - `object_id_path` **Type**: `UNORDERED_LIST_INT32` **Provider name**: `objectIdPath` **Description**: Required. The parts of an OID path. The most significant parts of the path come first.
  - `known_extensions` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `knownExtensions` **Description**: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.
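
The DNS and IP matching rules given under `name_constraints` above, as an added example (not Datadog or Google code). The function names and the sample struct are constructed for illustration, and letting an excluded match override a permitted one follows RFC 5280; that the service evaluates the lists the same way is an assumption.

```python
import ipaddress

def _labels(name):
    # DNS comparison is case-insensitive; a trailing root dot is ignored.
    return name.lower().rstrip(".").split(".")

def dns_name_satisfies(name, constraint):
    """True if `name` equals `constraint` with zero or more labels added on the left."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def naive_suffix_match(name, constraint):
    # Common mistake shown for contrast: a raw suffix test ignores label boundaries.
    return name.lower().endswith(constraint.lower())

def ip_satisfies(addr, cidr):
    # An IPv4 address is never inside an IPv6 range, and vice versa.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

_KINDS = {"dns": ("dns_names", dns_name_satisfies), "ip": ("ip_ranges", ip_satisfies)}

def san_allowed(kind, value, name_constraints):
    """Check one DNS name or IP address against the excluded_* and permitted_* lists."""
    suffix, matches = _KINDS[kind]
    excluded = name_constraints.get("excluded_" + suffix) or []
    permitted = name_constraints.get("permitted_" + suffix) or []
    if any(matches(value, c) for c in excluded):
        return False  # an excluded match always wins (RFC 5280 precedence)
    if permitted:
        return any(matches(value, c) for c in permitted)
    return True  # no permitted list for this name type: unrestricted

# Constructed sample of the name_constraints struct (not a real resource).
SAMPLE_NAME_CONSTRAINTS = {
    "critical": True,
    "permitted_dns_names": ["example.com"],
    "excluded_dns_names": ["legacy.example.com"],
    "permitted_ip_ranges": ["10.0.0.0/8"],
    "excluded_ip_ranges": ["10.9.0.0/16"],
}

if __name__ == "__main__":
    for kind, value in [("dns", "www.sub.example.com"), ("dns", "badexample.com"),
                        ("dns", "api.legacy.example.com"), ("ip", "10.9.4.4")]:
        print(kind, value, san_allowed(kind, value, SAMPLE_NAME_CONSTRAINTS))
```

`naive_suffix_match` accepts `badexample.com` for the constraint `example.com`, which is the reason the comparison has to be done label by label.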

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `name`{% #name %}

**Type**: `STRING` **Provider name**: `name` **Description**: Identifier. The resource name for this CaPool in the format `projects/*/locations/*/caPools/*`.

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `publishing_options`{% #publishing_options %}

**Type**: `STRUCT` **Provider name**: `publishingOptions` **Description**: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.

- `encoding_format` **Type**: `STRING` **Provider name**: `encodingFormat` **Description**: Optional. Specifies the encoding format of each CertificateAuthority resource's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. **Possible values**:
  - `ENCODING_FORMAT_UNSPECIFIED` - Not specified. By default, PEM format will be used.
  - `PEM` - The CertificateAuthority's CA certificate and CRLs will be published in PEM format.
  - `DER` - The CertificateAuthority's CA certificate and CRLs will be published in DER format.
- `publish_ca_cert` **Type**: `BOOLEAN` **Provider name**: `publishCaCert` **Description**: Optional. When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
- `publish_crl` **Type**: `BOOLEAN` **Provider name**: `publishCrl` **Description**: Optional. When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
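
A posture check over one record of this resource, using the `issuance_policy` and `publishing_options` fields documented above. This is an added example, not Datadog or Google code: `audit_ca_pool`, both thresholds, the `"<seconds>s"` duration-string form and the two sample records are assumptions made for illustration.

```python
import re

def _seconds(duration):
    # Assumes the duration-string form "<seconds>s", e.g. "7776000s".
    m = re.fullmatch(r"(\d+)(?:\.\d+)?s", duration or "")
    return int(m.group(1)) if m else None

def audit_ca_pool(pool, max_lifetime_days=90, min_rsa_bits=2048):
    """Return (field, reason) findings; both thresholds are assumed local policy."""
    out = []
    policy = pool.get("issuance_policy") or {}
    ident = policy.get("identity_constraints")
    if ident is None:
        out.append(("identity_constraints", "omitted: identities are unrestricted"))
    else:
        has_cel = bool((ident.get("cel_expression") or {}).get("expression"))
        for f in ("allow_subject_passthrough", "allow_subject_alt_names_passthrough"):
            if ident.get(f) and not has_cel:
                out.append((f, "requested value is copied with no cel_expression check"))
    key_types = policy.get("allowed_key_types") or []
    if not key_types:
        out.append(("allowed_key_types", "empty: any key may be used"))
    for kt in key_types:
        rsa = kt.get("rsa")
        # INT64 may arrive as a string; unset or 0 defers to the service-level minimum.
        if rsa is not None and int(rsa.get("min_modulus_size") or 0) < min_rsa_bits:
            out.append(("min_modulus_size", f"pool does not require >= {min_rsa_bits} bits"))
    lifetime = _seconds(policy.get("maximum_lifetime"))
    if lifetime is None:
        out.append(("maximum_lifetime", "not set: no pool-level lifetime cap"))
    elif lifetime > max_lifetime_days * 86400:
        out.append(("maximum_lifetime", f"exceeds {max_lifetime_days} days"))
    if policy.get("passthrough_extensions") is None:
        out.append(("passthrough_extensions", "omitted: requested extensions are unrestricted"))
    if not (pool.get("publishing_options") or {}).get("publish_crl"):
        out.append(("publish_crl", "not true: no CRL Distribution Points in issued certs"))
    return out

# Constructed sample records (not real resources).
WEAK_POOL = {
    "issuance_policy": {
        "identity_constraints": {"allow_subject_passthrough": True,
                                 "allow_subject_alt_names_passthrough": True},
        "allowed_key_types": [{"rsa": {"min_modulus_size": "0"}}],
        "maximum_lifetime": "31536000s"},
    "publishing_options": {"publish_crl": False},
}
HARDENED_POOL = {
    "issuance_policy": {
        "identity_constraints": {
            "allow_subject_passthrough": False,
            "allow_subject_alt_names_passthrough": True,
            "cel_expression": {"expression": "<CEL expression validating the SAN>"}},
        "allowed_key_types": [{"elliptic_curve": {"signature_algorithm": "ECDSA_P256"}},
                              {"rsa": {"min_modulus_size": "3072"}}],
        "maximum_lifetime": "2592000s",
        "passthrough_extensions": {"known_extensions": []}},
    "publishing_options": {"publish_crl": True},
}
```

Each reason string restates the behaviour the field description gives for that setting; whether a finding matters depends on what the pool is used for.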

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `tier`{% #tier %}

**Type**: `STRING` **Provider name**: `tier` **Description**: Required. Immutable. The Tier of this CaPool. **Possible values**:

- `TIER_UNSPECIFIED` - Not specified.
- `ENTERPRISE` - Enterprise tier.
- `DEVOPS` - DevOps tier.

## `zone_id`{% #zone_id %}

**Type**: `STRING`
