gcp_privateca_ca_pool
ancestors
Type: UNORDERED_LIST_STRING
issuance_policy
Type: STRUCT
Provider name: issuancePolicy
Description: Optional. The IssuancePolicy to control how Certificates will be issued from this CaPool.
allowed_issuance_modes
Type: STRUCT
Provider name: allowedIssuanceModes
Description: Optional. If specified, then only methods allowed in the IssuanceModes may be used to issue Certificates.
allow_config_based_issuance
Type: BOOLEAN
Provider name: allowConfigBasedIssuance
Description: Optional. When true, allows callers to create Certificates by specifying a CertificateConfig.
allow_csr_based_issuance
Type: BOOLEAN
Provider name: allowCsrBasedIssuance
Description: Optional. When true, allows callers to create Certificates by specifying a CSR.
allowed_key_types
Type: UNORDERED_LIST_STRUCT
Provider name: allowedKeyTypes
Description: Optional. If any AllowedKeyType is specified, then the certificate request’s public key must match one of the key types listed here. Otherwise, any key may be used.
elliptic_curve
Type: STRUCT
Provider name: ellipticCurve
Description: Represents an allowed Elliptic Curve key type.
signature_algorithm
Type: STRING
Provider name: signatureAlgorithm
Description: Optional. A signature algorithm that must be used. If this is omitted, any EC-based signature algorithm will be allowed.
Possible values:
EC_SIGNATURE_ALGORITHM_UNSPECIFIED
- Not specified. Signifies that any signature algorithm may be used.
ECDSA_P256
- Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-256 curve.
ECDSA_P384
- Refers to the Elliptic Curve Digital Signature Algorithm over the NIST P-384 curve.
EDDSA_25519
- Refers to the Edwards-curve Digital Signature Algorithm over curve 25519, as described in RFC 8410.
rsa
Type: STRUCT
Provider name: rsa
Description: Represents an allowed RSA key type.
max_modulus_size
Type: INT64
Provider name: maxModulusSize
Description: Optional. The maximum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
min_modulus_size
Type: INT64
Provider name: minModulusSize
Description: Optional. The minimum allowed RSA modulus size (inclusive), in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
backdate_duration
Type: STRING
Provider name: backdateDuration
Description: Optional. The duration to backdate all certificates issued from this CaPool. If not set, the certificates will be issued with a not_before_time of the issuance time (i.e. the current time). If set, the certificates will be issued with a not_before_time of the issuance time minus the backdate_duration. The not_after_time will be adjusted to preserve the requested lifetime. The backdate_duration must be less than or equal to 48 hours.
baseline_values
Type: STRUCT
Provider name: baselineValues
Description: Optional. A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefined_values for the same properties, the certificate issuance request will fail.
additional_extensions
Type: UNORDERED_LIST_STRUCT
Provider name: additionalExtensions
Description: Optional. Describes custom X.509 extensions.
critical
Type: BOOLEAN
Provider name: critical
Description: Optional. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
object_id
Type: STRUCT
Provider name: objectId
Description: Required. The OID for this X.509 extension.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
aia_ocsp_servers
Type: UNORDERED_LIST_STRING
Provider name: aiaOcspServers
Description: Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the “Authority Information Access” extension in the certificate.
ca_options
Type: STRUCT
Provider name: caOptions
Description: Optional. Describes options in this X509Parameters that are relevant in a CA certificate. If not specified, a default basic constraints extension with is_ca=false will be added for leaf certificates.
is_ca
Type: BOOLEAN
Provider name: isCa
Description: Optional. Refers to the “CA” boolean field in the X.509 extension. When this value is missing, the basic constraints extension will be omitted from the certificate.
max_issuer_path_length
Type: INT32
Provider name: maxIssuerPathLength
Description: Optional. Refers to the path length constraint field in the X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the certificate.
key_usage
Type: STRUCT
Provider name: keyUsage
Description: Optional. Indicates the intended use for keys that correspond to a certificate.
base_key_usage
Type: STRUCT
Provider name: baseKeyUsage
Description: Describes high-level ways in which a key may be used.
cert_sign
Type: BOOLEAN
Provider name: certSign
Description: The key may be used to sign certificates.
content_commitment
Type: BOOLEAN
Provider name: contentCommitment
Description: The key may be used for cryptographic commitments. Note that this may also be referred to as “non-repudiation”.
crl_sign
Type: BOOLEAN
Provider name: crlSign
Description: The key may be used to sign certificate revocation lists.
data_encipherment
Type: BOOLEAN
Provider name: dataEncipherment
Description: The key may be used to encipher data.
decipher_only
Type: BOOLEAN
Provider name: decipherOnly
Description: The key may be used to decipher only.
digital_signature
Type: BOOLEAN
Provider name: digitalSignature
Description: The key may be used for digital signatures.
encipher_only
Type: BOOLEAN
Provider name: encipherOnly
Description: The key may be used to encipher only.
key_agreement
Type: BOOLEAN
Provider name: keyAgreement
Description: The key may be used in a key agreement protocol.
key_encipherment
Type: BOOLEAN
Provider name: keyEncipherment
Description: The key may be used to encipher other keys.
extended_key_usage
Type: STRUCT
Provider name: extendedKeyUsage
Description: Detailed scenarios in which a key may be used.
client_auth
Type: BOOLEAN
Provider name: clientAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as “TLS WWW client authentication”, though regularly used for non-WWW TLS.
code_signing
Type: BOOLEAN
Provider name: codeSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as “Signing of downloadable executable code client authentication”.
email_protection
Type: BOOLEAN
Provider name: emailProtection
Description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as “Email protection”.
ocsp_signing
Type: BOOLEAN
Provider name: ocspSigning
Description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as “Signing OCSP responses”.
server_auth
Type: BOOLEAN
Provider name: serverAuth
Description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as “TLS WWW server authentication”, though regularly used for non-WWW TLS.
time_stamping
Type: BOOLEAN
Provider name: timeStamping
Description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as “Binding the hash of an object to a time”.
unknown_extended_key_usages
Type: UNORDERED_LIST_STRUCT
Provider name: unknownExtendedKeyUsages
Description: Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
name_constraints
Type: STRUCT
Provider name: nameConstraints
Description: Optional. Describes the X.509 name constraints extension.
critical
Type: BOOLEAN
Provider name: critical
Description: Indicates whether or not the name constraints are marked critical.
excluded_dns_names
Type: UNORDERED_LIST_STRING
Provider name: excludedDnsNames
Description: Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
excluded_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: excludedEmailAddresses
Description: Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
excluded_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: excludedIpRanges
Description: Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
excluded_uris
Type: UNORDERED_LIST_STRING
Provider name: excludedUris
Description: Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com).
permitted_dns_names
Type: UNORDERED_LIST_STRING
Provider name: permittedDnsNames
Description: Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
permitted_email_addresses
Type: UNORDERED_LIST_STRING
Provider name: permittedEmailAddresses
Description: Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
permitted_ip_ranges
Type: UNORDERED_LIST_STRING
Provider name: permittedIpRanges
Description: Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
permitted_uris
Type: UNORDERED_LIST_STRING
Provider name: permittedUris
Description: Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com).
policy_ids
Type: UNORDERED_LIST_STRUCT
Provider name: policyIds
Description: Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
identity_constraints
Type: STRUCT
Provider name: identityConstraints
Description: Optional. Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate’s identity.
allow_subject_alt_names_passthrough
Type: BOOLEAN
Provider name: allowSubjectAltNamesPassthrough
Description: Required. If this is true, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded.
allow_subject_passthrough
Type: BOOLEAN
Provider name: allowSubjectPassthrough
Description: Required. If this is true, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded.
cel_expression
Type: STRUCT
Provider name: celExpression
Description: Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
description
Type: STRING
Provider name: description
Description: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
expression
Type: STRING
Provider name: expression
Description: Textual representation of an expression in Common Expression Language syntax.
location
Type: STRING
Provider name: location
Description: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
title
Type: STRING
Provider name: title
Description: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
maximum_lifetime
Type: STRING
Provider name: maximumLifetime
Description: Optional. The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate resource’s requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.
passthrough_extensions
Type: STRUCT
Provider name: passthroughExtensions
Description: Optional. Describes the set of X.509 extensions that may appear in a Certificate issued through this CaPool. If a certificate request sets extensions that don’t appear in the passthrough_extensions, those extensions will be dropped. If a certificate request uses a CertificateTemplate with predefined_values that don’t appear here, the certificate issuance request will fail. If this is omitted, then this CaPool will not add restrictions on a certificate’s X.509 extensions. These constraints do not apply to X.509 extensions set in this CaPool’s baseline_values.
additional_extensions
Type: UNORDERED_LIST_STRUCT
Provider name: additionalExtensions
Description: Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
object_id_path
Type: UNORDERED_LIST_INT32
Provider name: objectIdPath
Description: Required. The parts of an OID path. The most significant parts of the path come first.
known_extensions
Type: UNORDERED_LIST_STRING
Provider name: knownExtensions
Description: Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.
labels
Type: UNORDERED_LIST_STRING
name
Type: STRING
Provider name: name
Description: Identifier. The resource name for this CaPool in the format projects/*/locations/*/caPools/*.
organization_id
Type: STRING
parent
Type: STRING
project_id
Type: STRING
project_number
Type: STRING
publishing_options
Type: STRUCT
Provider name: publishingOptions
Description: Optional. The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool.
encoding_format
Type: STRING
Provider name: encodingFormat
Description: Optional. Specifies the encoding format of each CertificateAuthority resource’s CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM.
Possible values:
ENCODING_FORMAT_UNSPECIFIED
- Not specified. By default, PEM format will be used.
PEM
- The CertificateAuthority’s CA certificate and CRLs will be published in PEM format.
DER
- The CertificateAuthority’s CA certificate and CRLs will be published in DER format.
publish_ca_cert
Type: BOOLEAN
Provider name: publishCaCert
Description: Optional. When true, publishes each CertificateAuthority’s CA certificate and includes its URL in the “Authority Information Access” X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
publish_crl
Type: BOOLEAN
Provider name: publishCrl
Description: Optional. When true, publishes each CertificateAuthority’s CRL and includes its URL in the “CRL Distribution Points” X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
resource_name
Type: STRING
Type: UNORDERED_LIST_STRING
tier
Type: STRING
Provider name: tier
Description: Required. Immutable. The Tier of this CaPool.
Possible values:
TIER_UNSPECIFIED
- Not specified.
ENTERPRISE
- Enterprise tier.
DEVOPS
- DevOps tier.
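As an added example (not Datadog's or Google's code), the following Python audits a CaPool record for the issuance_policy weaknesses the fields above make possible: an unrestricted allowed_key_types, a low RSA min_modulus_size, Subject/SAN passthrough with no cel_expression, and an out-of-range backdate_duration. It also implements the permitted/excluded_dns_names matching rule described under name_constraints. The sample record, the "3600s" duration format and the 2048-bit threshold are assumptions.

```python
"""Audit a constructed gcp_privateca_ca_pool record's issuance_policy (added example)."""
from __future__ import annotations
import re

# Constructed sample record using the snake_case field names from this page.
POOL = {
    "name": "projects/example-proj/locations/us-central1/caPools/demo-pool",
    "tier": "DEVOPS",
    "issuance_policy": {
        "allowed_key_types": [{"rsa": {"min_modulus_size": 1024, "max_modulus_size": 0}}],
        "backdate_duration": "3600s",
        "identity_constraints": {"allow_subject_passthrough": True,
                                 "allow_subject_alt_names_passthrough": True},
        "baseline_values": {"name_constraints": {"critical": True,
                                                 "permitted_dns_names": ["example.com"]}},
    },
}

def dns_name_satisfies(name: str, constraint: str) -> bool:
    """Rule given for permitted/excluded_dns_names: the name matches when it equals
    the constraint or adds labels on its left (www.sub.example.com -> example.com)."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)

def parse_duration_seconds(d: str) -> int:
    """Duration strings are assumed to look like "3600s"."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)s", d)
    if not m:
        raise ValueError(f"unrecognised duration {d!r}")
    return int(float(m.group(1)))

def audit_issuance_policy(pool: dict, min_rsa_bits: int = 2048) -> list[str]:
    """Return findings a reviewer would raise about the pool's issuance_policy."""
    findings: list[str] = []
    pol = pool.get("issuance_policy") or {}
    key_types = pol.get("allowed_key_types") or []
    if not key_types:
        findings.append("allowed_key_types unset: any key type is accepted")
    for kt in key_types:
        bits = (kt.get("rsa") or {}).get("min_modulus_size", 0)
        if 0 < bits < min_rsa_bits:  # 0/unset means the service-level minimum applies
            findings.append(f"rsa.min_modulus_size {bits} is below {min_rsa_bits}")
    ic = pol.get("identity_constraints") or {}
    if (ic.get("allow_subject_passthrough") or ic.get("allow_subject_alt_names_passthrough")) \
            and not ic.get("cel_expression"):
        findings.append("subject/SAN passthrough allowed without a cel_expression check")
    if pol.get("backdate_duration") and parse_duration_seconds(pol["backdate_duration"]) > 48 * 3600:
        findings.append("backdate_duration exceeds the 48 hour maximum")
    return findings
```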