Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.certificateauthority.CaPool


    A CaPool represents a group of CertificateAuthorities that form a trust anchor. A CaPool can be used to manage issuance policies for one or more CertificateAuthority resources and to rotate CA certificates in and out of the trust anchor.

    Example Usage

    Privateca Capool Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    // Publishing both artifacts writes their URLs into issued certificates:
    // the CA certificate via the AIA extension, the CRL via the CRL distribution point.
    const publishing = {
        publishCaCert: true,
        publishCrl: true,
    };
    const poolLabels = { foo: "bar" };

    // Enterprise-tier CA pool named "my-pool" in us-central1.
    const _default = new gcp.certificateauthority.CaPool("default", {
        name: "my-pool",
        location: "us-central1",
        tier: "ENTERPRISE",
        publishingOptions: publishing,
        labels: poolLabels,
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    # Enterprise-tier CA pool named "my-pool" in us-central1. Both the CA
    # certificate and the CRL are published, so issued certificates carry
    # pointers to them.
    default = gcp.certificateauthority.CaPool(
        "default",
        name="my-pool",
        location="us-central1",
        tier="ENTERPRISE",
        publishing_options=dict(
            publish_ca_cert=True,
            publish_crl=True,
        ),
        labels=dict(foo="bar"),
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares one Enterprise-tier CA pool ("my-pool", us-central1) that
    // publishes both its CA certificate and its CRL.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		publishing := &certificateauthority.CaPoolPublishingOptionsArgs{
    			PublishCaCert: pulumi.Bool(true),
    			PublishCrl:    pulumi.Bool(true),
    		}
    		poolArgs := &certificateauthority.CaPoolArgs{
    			Name:              pulumi.String("my-pool"),
    			Location:          pulumi.String("us-central1"),
    			Tier:              pulumi.String("ENTERPRISE"),
    			PublishingOptions: publishing,
    			Labels: pulumi.StringMap{
    				"foo": pulumi.String("bar"),
    			},
    		}
    		// The resource handle is not used afterwards; only the error is propagated.
    		_, err := certificateauthority.NewCaPool(ctx, "default", poolArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        // Publish the CA certificate and the CRL so issued certificates point to both.
        var publishing = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
        {
            PublishCaCert = true,
            PublishCrl = true,
        };

        // Enterprise-tier CA pool named "my-pool" in us-central1.
        var poolArgs = new Gcp.CertificateAuthority.CaPoolArgs
        {
            Name = "my-pool",
            Location = "us-central1",
            Tier = "ENTERPRISE",
            PublishingOptions = publishing,
            Labels = 
            {
                { "foo", "bar" },
            },
        };

        var @default = new Gcp.CertificateAuthority.CaPool("default", poolArgs);
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that declares one Enterprise-tier CA pool ("my-pool",
     * us-central1) publishing both its CA certificate and its CRL.
     */
    public class App {
        /** Hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the CA pool resource for this stack. */
        public static void stack(Context ctx) {
            // Publishing both artifacts lets issued certificates point to them.
            final var publishing = CaPoolPublishingOptionsArgs.builder()
                .publishCaCert(true)
                .publishCrl(true)
                .build();

            final var poolArgs = CaPoolArgs.builder()
                .name("my-pool")
                .location("us-central1")
                .tier("ENTERPRISE")
                .publishingOptions(publishing)
                .labels(Map.of("foo", "bar"))
                .build();

            var default_ = new CaPool("default", poolArgs);
        }
    }
    
    # Enterprise-tier CA pool named "my-pool" in us-central1.
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          name: "my-pool"
          location: "us-central1"
          tier: "ENTERPRISE"
          labels:
            foo: "bar"
          # Publish the CA certificate and the CRL so issued certificates point to both.
          publishingOptions:
            publishCaCert: true
            publishCrl: true
    

    Privateca Capool All Fields

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
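    // CA pool whose issuance policy sets every available field. Hostnames, OIDs and
    // the extension payload below are placeholders; replace them before reuse.
    const _default = new gcp.certificateauthority.CaPool("default", {
        name: "my-pool",
        location: "us-central1",
        tier: "ENTERPRISE",
        publishingOptions: {
            // The CA certificate is not published, so issued certificates carry no
            // AIA pointer to it; CRLs are still published, PEM-encoded.
            publishCaCert: false,
            publishCrl: true,
            encodingFormat: "PEM",
        },
        labels: {
            foo: "bar",
        },
        issuancePolicy: {
            // Only keys matching one of these entries are accepted in requests.
            allowedKeyTypes: [
                {
                    ellipticCurve: {
                        signatureAlgorithm: "ECDSA_P256",
                    },
                },
                {
                    // Modulus bounds are in bits. The 2048-bit floor keeps weak RSA
                    // keys out of issued certificates.
                    rsa: {
                        minModulusSize: "2048",
                        maxModulusSize: "4096",
                    },
                },
            ],
            // Upper bound on certificate lifetime: 50000 s is roughly 13.9 hours.
            maximumLifetime: "50000s",
            allowedIssuanceModes: {
                allowCsrBasedIssuance: true,
                allowConfigBasedIssuance: true,
            },
            identityConstraints: {
                // With both passthroughs on, the requester chooses the subject and the
                // SANs. The CEL expression limits SAN *types* to DNS and EMAIL but does
                // not restrict the names themselves; tighten it for production pools.
                allowSubjectPassthrough: true,
                allowSubjectAltNamesPassthrough: true,
                celExpression: {
                    expression: "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                    title: "My title",
                },
            },
            // Baseline values are applied to every certificate issued from the pool.
            baselineValues: {
                aiaOcspServers: ["example.com"],
                // Placeholder OID and payload. A critical extension that a relying
                // party does not recognise causes it to reject the certificate.
                additionalExtensions: [{
                    critical: true,
                    value: "asdf",
                    objectId: {
                        objectIdPaths: [
                            1,
                            7,
                        ],
                    },
                }],
                policyIds: [
                    {
                        objectIdPaths: [
                            1,
                            5,
                        ],
                    },
                    {
                        objectIdPaths: [
                            1,
                            5,
                            7,
                        ],
                    },
                ],
                // NOTE(review): isCa marks every issued certificate as a CA certificate,
                // while certSign below is false. Decide whether this pool issues CA or
                // leaf certificates and make the two settings agree.
                caOptions: {
                    isCa: true,
                    maxIssuerPathLength: 10,
                },
                keyUsage: {
                    baseKeyUsage: {
                        digitalSignature: true,
                        contentCommitment: true,
                        keyEncipherment: false,
                        dataEncipherment: true,
                        keyAgreement: true,
                        certSign: false,
                        crlSign: true,
                        decipherOnly: true,
                    },
                    // Several unrelated purposes are enabled together for illustration;
                    // enable only the ones the pool's certificates are meant for.
                    extendedKeyUsage: {
                        serverAuth: true,
                        clientAuth: false,
                        emailProtection: true,
                        codeSigning: true,
                        timeStamping: true,
                    },
                },
                // Name constraints apply to CA certificates; an excluded entry wins
                // over a permitted one that also matches.
                nameConstraints: {
                    critical: true,
                    permittedDnsNames: [
                        "*.example1.com",
                        "*.example2.com",
                    ],
                    excludedDnsNames: [
                        "*.deny.example1.com",
                        "*.deny.example2.com",
                    ],
                    permittedIpRanges: [
                        "10.0.0.0/8",
                        "11.0.0.0/8",
                    ],
                    excludedIpRanges: [
                        "10.1.1.0/24",
                        "11.1.1.0/24",
                    ],
                    permittedEmailAddresses: [
                        ".example1.com",
                        ".example2.com",
                    ],
                    excludedEmailAddresses: [
                        ".deny.example1.com",
                        ".deny.example2.com",
                    ],
                    permittedUris: [
                        ".example1.com",
                        ".example2.com",
                    ],
                    excludedUris: [
                        ".deny.example1.com",
                        ".deny.example2.com",
                    ],
                },
            },
        },
    });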
    
    import pulumi
    import pulumi_gcp as gcp
    
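    # CA pool whose issuance policy sets every available field. Hostnames, OIDs and
    # the extension payload below are placeholders; replace them before reuse.
    default = gcp.certificateauthority.CaPool("default",
        name="my-pool",
        location="us-central1",
        tier="ENTERPRISE",
        publishing_options={
            # The CA certificate is not published, so issued certificates carry no
            # AIA pointer to it; CRLs are still published, PEM-encoded.
            "publish_ca_cert": False,
            "publish_crl": True,
            "encoding_format": "PEM",
        },
        labels={
            "foo": "bar",
        },
        issuance_policy={
            # Only keys matching one of these entries are accepted in requests.
            "allowed_key_types": [
                {
                    "elliptic_curve": {
                        "signature_algorithm": "ECDSA_P256",
                    },
                },
                {
                    # Modulus bounds are in bits. The 2048-bit floor keeps weak RSA
                    # keys out of issued certificates.
                    "rsa": {
                        "min_modulus_size": "2048",
                        "max_modulus_size": "4096",
                    },
                },
            ],
            # Upper bound on certificate lifetime: 50000 s is roughly 13.9 hours.
            "maximum_lifetime": "50000s",
            "allowed_issuance_modes": {
                "allow_csr_based_issuance": True,
                "allow_config_based_issuance": True,
            },
            "identity_constraints": {
                # With both passthroughs on, the requester chooses the subject and the
                # SANs. The CEL expression limits SAN *types* to DNS and EMAIL but does
                # not restrict the names themselves; tighten it for production pools.
                "allow_subject_passthrough": True,
                "allow_subject_alt_names_passthrough": True,
                "cel_expression": {
                    "expression": "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                    "title": "My title",
                },
            },
            # Baseline values are applied to every certificate issued from the pool.
            "baseline_values": {
                "aia_ocsp_servers": ["example.com"],
                # Placeholder OID and payload. A critical extension that a relying
                # party does not recognise causes it to reject the certificate.
                "additional_extensions": [{
                    "critical": True,
                    "value": "asdf",
                    "object_id": {
                        "object_id_paths": [
                            1,
                            7,
                        ],
                    },
                }],
                "policy_ids": [
                    {
                        "object_id_paths": [
                            1,
                            5,
                        ],
                    },
                    {
                        "object_id_paths": [
                            1,
                            5,
                            7,
                        ],
                    },
                ],
                # NOTE(review): is_ca marks every issued certificate as a CA certificate,
                # while cert_sign below is False. Decide whether this pool issues CA or
                # leaf certificates and make the two settings agree.
                "ca_options": {
                    "is_ca": True,
                    "max_issuer_path_length": 10,
                },
                "key_usage": {
                    "base_key_usage": {
                        "digital_signature": True,
                        "content_commitment": True,
                        "key_encipherment": False,
                        "data_encipherment": True,
                        "key_agreement": True,
                        "cert_sign": False,
                        "crl_sign": True,
                        "decipher_only": True,
                    },
                    # Several unrelated purposes are enabled together for illustration;
                    # enable only the ones the pool's certificates are meant for.
                    "extended_key_usage": {
                        "server_auth": True,
                        "client_auth": False,
                        "email_protection": True,
                        "code_signing": True,
                        "time_stamping": True,
                    },
                },
                # Name constraints apply to CA certificates; an excluded entry wins
                # over a permitted one that also matches.
                "name_constraints": {
                    "critical": True,
                    "permitted_dns_names": [
                        "*.example1.com",
                        "*.example2.com",
                    ],
                    "excluded_dns_names": [
                        "*.deny.example1.com",
                        "*.deny.example2.com",
                    ],
                    "permitted_ip_ranges": [
                        "10.0.0.0/8",
                        "11.0.0.0/8",
                    ],
                    "excluded_ip_ranges": [
                        "10.1.1.0/24",
                        "11.1.1.0/24",
                    ],
                    "permitted_email_addresses": [
                        ".example1.com",
                        ".example2.com",
                    ],
                    "excluded_email_addresses": [
                        ".deny.example1.com",
                        ".deny.example2.com",
                    ],
                    "permitted_uris": [
                        ".example1.com",
                        ".example2.com",
                    ],
                    "excluded_uris": [
                        ".deny.example1.com",
                        ".deny.example2.com",
                    ],
                },
            },
        })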
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/certificateauthority"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
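    // main declares a CA pool whose issuance policy sets every available field.
    // Hostnames, OIDs and the extension payload below are placeholders; replace
    // them before reuse.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := certificateauthority.NewCaPool(ctx, "default", &certificateauthority.CaPoolArgs{
    			Name:     pulumi.String("my-pool"),
    			Location: pulumi.String("us-central1"),
    			Tier:     pulumi.String("ENTERPRISE"),
    			PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
    				// The CA certificate is not published, so issued certificates carry no
    				// AIA pointer to it; CRLs are still published, PEM-encoded.
    				PublishCaCert:  pulumi.Bool(false),
    				PublishCrl:     pulumi.Bool(true),
    				EncodingFormat: pulumi.String("PEM"),
    			},
    			Labels: pulumi.StringMap{
    				"foo": pulumi.String("bar"),
    			},
    			IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
    				// Only keys matching one of these entries are accepted in requests.
    				AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
    					&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
    						EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
    							SignatureAlgorithm: pulumi.String("ECDSA_P256"),
    						},
    					},
    					&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
    						// Modulus bounds are in bits. The 2048-bit floor keeps weak RSA
    						// keys out of issued certificates.
    						Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
    							MinModulusSize: pulumi.String("2048"),
    							MaxModulusSize: pulumi.String("4096"),
    						},
    					},
    				},
    				// Upper bound on certificate lifetime: 50000 s is roughly 13.9 hours.
    				MaximumLifetime: pulumi.String("50000s"),
    				AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
    					AllowCsrBasedIssuance:    pulumi.Bool(true),
    					AllowConfigBasedIssuance: pulumi.Bool(true),
    				},
    				IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
    					// With both passthroughs on, the requester chooses the subject and the
    					// SANs. The CEL expression limits SAN *types* to DNS and EMAIL but does
    					// not restrict the names themselves; tighten it for production pools.
    					AllowSubjectPassthrough:         pulumi.Bool(true),
    					AllowSubjectAltNamesPassthrough: pulumi.Bool(true),
    					CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
    						Expression: pulumi.String("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"),
    						Title:      pulumi.String("My title"),
    					},
    				},
    				// Baseline values are applied to every certificate issued from the pool.
    				BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
    					AiaOcspServers: pulumi.StringArray{
    						pulumi.String("example.com"),
    					},
    					// Placeholder OID and payload. A critical extension that a relying
    					// party does not recognise causes it to reject the certificate.
    					AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
    						&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
    							Critical: pulumi.Bool(true),
    							Value:    pulumi.String("asdf"),
    							ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
    								ObjectIdPaths: pulumi.IntArray{
    									pulumi.Int(1),
    									pulumi.Int(7),
    								},
    							},
    						},
    					},
    					PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
    						&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
    							ObjectIdPaths: pulumi.IntArray{
    								pulumi.Int(1),
    								pulumi.Int(5),
    							},
    						},
    						&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
    							ObjectIdPaths: pulumi.IntArray{
    								pulumi.Int(1),
    								pulumi.Int(5),
    								pulumi.Int(7),
    							},
    						},
    					},
    					// NOTE(review): IsCa marks every issued certificate as a CA certificate,
    					// while CertSign below is false. Decide whether this pool issues CA or
    					// leaf certificates and make the two settings agree.
    					CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
    						IsCa:                pulumi.Bool(true),
    						MaxIssuerPathLength: pulumi.Int(10),
    					},
    					KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
    						BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
    							DigitalSignature:  pulumi.Bool(true),
    							ContentCommitment: pulumi.Bool(true),
    							KeyEncipherment:   pulumi.Bool(false),
    							DataEncipherment:  pulumi.Bool(true),
    							KeyAgreement:      pulumi.Bool(true),
    							CertSign:          pulumi.Bool(false),
    							CrlSign:           pulumi.Bool(true),
    							DecipherOnly:      pulumi.Bool(true),
    						},
    						// Several unrelated purposes are enabled together for illustration;
    						// enable only the ones the pool's certificates are meant for.
    						ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
    							ServerAuth:      pulumi.Bool(true),
    							ClientAuth:      pulumi.Bool(false),
    							EmailProtection: pulumi.Bool(true),
    							CodeSigning:     pulumi.Bool(true),
    							TimeStamping:    pulumi.Bool(true),
    						},
    					},
    					// Name constraints apply to CA certificates; an excluded entry wins
    					// over a permitted one that also matches.
    					NameConstraints: &certificateauthority.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs{
    						Critical: pulumi.Bool(true),
    						PermittedDnsNames: pulumi.StringArray{
    							pulumi.String("*.example1.com"),
    							pulumi.String("*.example2.com"),
    						},
    						ExcludedDnsNames: pulumi.StringArray{
    							pulumi.String("*.deny.example1.com"),
    							pulumi.String("*.deny.example2.com"),
    						},
    						PermittedIpRanges: pulumi.StringArray{
    							pulumi.String("10.0.0.0/8"),
    							pulumi.String("11.0.0.0/8"),
    						},
    						ExcludedIpRanges: pulumi.StringArray{
    							pulumi.String("10.1.1.0/24"),
    							pulumi.String("11.1.1.0/24"),
    						},
    						PermittedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".example1.com"),
    							pulumi.String(".example2.com"),
    						},
    						ExcludedEmailAddresses: pulumi.StringArray{
    							pulumi.String(".deny.example1.com"),
    							pulumi.String(".deny.example2.com"),
    						},
    						PermittedUris: pulumi.StringArray{
    							pulumi.String(".example1.com"),
    							pulumi.String(".example2.com"),
    						},
    						ExcludedUris: pulumi.StringArray{
    							pulumi.String(".deny.example1.com"),
    							pulumi.String(".deny.example2.com"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }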
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
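    // CA pool whose issuance policy sets every available field. Hostnames, OIDs and
    // the extension payload below are placeholders; replace them before reuse.
    return await Deployment.RunAsync(() => 
    {
        var @default = new Gcp.CertificateAuthority.CaPool("default", new()
        {
            Name = "my-pool",
            Location = "us-central1",
            Tier = "ENTERPRISE",
            PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
            {
                // The CA certificate is not published, so issued certificates carry no
                // AIA pointer to it; CRLs are still published, PEM-encoded.
                PublishCaCert = false,
                PublishCrl = true,
                EncodingFormat = "PEM",
            },
            Labels = 
            {
                { "foo", "bar" },
            },
            IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
            {
                // Only keys matching one of these entries are accepted in requests.
                AllowedKeyTypes = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
                    {
                        EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
                        {
                            SignatureAlgorithm = "ECDSA_P256",
                        },
                    },
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
                    {
                        // Modulus bounds are in bits. The 2048-bit floor keeps weak RSA
                        // keys out of issued certificates.
                        Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
                        {
                            MinModulusSize = "2048",
                            MaxModulusSize = "4096",
                        },
                    },
                },
                // Upper bound on certificate lifetime: 50000 s is roughly 13.9 hours.
                MaximumLifetime = "50000s",
                AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
                {
                    AllowCsrBasedIssuance = true,
                    AllowConfigBasedIssuance = true,
                },
                IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
                {
                    // With both passthroughs on, the requester chooses the subject and the
                    // SANs. The CEL expression limits SAN *types* to DNS and EMAIL but does
                    // not restrict the names themselves; tighten it for production pools.
                    AllowSubjectPassthrough = true,
                    AllowSubjectAltNamesPassthrough = true,
                    CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
                    {
                        Expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )",
                        Title = "My title",
                    },
                },
                // Baseline values are applied to every certificate issued from the pool.
                BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
                {
                    AiaOcspServers = new[]
                    {
                        "example.com",
                    },
                    // Placeholder OID and payload. A critical extension that a relying
                    // party does not recognise causes it to reject the certificate.
                    AdditionalExtensions = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
                        {
                            Critical = true,
                            Value = "asdf",
                            ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
                            {
                                ObjectIdPaths = new[]
                                {
                                    1,
                                    7,
                                },
                            },
                        },
                    },
                    PolicyIds = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                1,
                                5,
                            },
                        },
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                1,
                                5,
                                7,
                            },
                        },
                    },
                    // NOTE(review): IsCa marks every issued certificate as a CA certificate,
                    // while CertSign below is false. Decide whether this pool issues CA or
                    // leaf certificates and make the two settings agree.
                    CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
                    {
                        IsCa = true,
                        MaxIssuerPathLength = 10,
                    },
                    KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
                    {
                        BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
                        {
                            DigitalSignature = true,
                            ContentCommitment = true,
                            KeyEncipherment = false,
                            DataEncipherment = true,
                            KeyAgreement = true,
                            CertSign = false,
                            CrlSign = true,
                            DecipherOnly = true,
                        },
                        // Several unrelated purposes are enabled together for illustration;
                        // enable only the ones the pool's certificates are meant for.
                        ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
                        {
                            ServerAuth = true,
                            ClientAuth = false,
                            EmailProtection = true,
                            CodeSigning = true,
                            TimeStamping = true,
                        },
                    },
                    // Name constraints apply to CA certificates; an excluded entry wins
                    // over a permitted one that also matches.
                    NameConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
                    {
                        Critical = true,
                        PermittedDnsNames = new[]
                        {
                            "*.example1.com",
                            "*.example2.com",
                        },
                        ExcludedDnsNames = new[]
                        {
                            "*.deny.example1.com",
                            "*.deny.example2.com",
                        },
                        PermittedIpRanges = new[]
                        {
                            "10.0.0.0/8",
                            "11.0.0.0/8",
                        },
                        ExcludedIpRanges = new[]
                        {
                            "10.1.1.0/24",
                            "11.1.1.0/24",
                        },
                        PermittedEmailAddresses = new[]
                        {
                            ".example1.com",
                            ".example2.com",
                        },
                        ExcludedEmailAddresses = new[]
                        {
                            ".deny.example1.com",
                            ".deny.example2.com",
                        },
                        PermittedUris = new[]
                        {
                            ".example1.com",
                            ".example2.com",
                        },
                        ExcludedUris = new[]
                        {
                            ".deny.example1.com",
                            ".deny.example2.com",
                        },
                    },
                },
            },
        });
    
    });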
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.certificateauthority.CaPool;
    import com.pulumi.gcp.certificateauthority.CaPoolArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs;
    import com.pulumi.gcp.certificateauthority.inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        /** Program entry point: hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(ctx -> App.stack(ctx));
        }
    
        public static void stack(Context ctx) {
            var default_ = new CaPool("default", CaPoolArgs.builder()
                .name("my-pool")
                .location("us-central1")
                .tier("ENTERPRISE")
                .publishingOptions(CaPoolPublishingOptionsArgs.builder()
                    .publishCaCert(false)
                    .publishCrl(true)
                    .encodingFormat("PEM")
                    .build())
                .labels(Map.of("foo", "bar"))
                .issuancePolicy(CaPoolIssuancePolicyArgs.builder()
                    .allowedKeyTypes(                
                        CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
                            .ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
                                .signatureAlgorithm("ECDSA_P256")
                                .build())
                            .build(),
                        CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
                            .rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
                                .minModulusSize(5)
                                .maxModulusSize(10)
                                .build())
                            .build())
                    .maximumLifetime("50000s")
                    .allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
                        .allowCsrBasedIssuance(true)
                        .allowConfigBasedIssuance(true)
                        .build())
                    .identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
                        .allowSubjectPassthrough(true)
                        .allowSubjectAltNamesPassthrough(true)
                        .celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
                            .expression("subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )")
                            .title("My title")
                            .build())
                        .build())
                    .baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
                        .aiaOcspServers("example.com")
                        .additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
                            .critical(true)
                            .value("asdf")
                            .objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
                                .objectIdPaths(                            
                                    1,
                                    7)
                                .build())
                            .build())
                        .policyIds(                    
                            CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
                                .objectIdPaths(                            
                                    1,
                                    5)
                                .build(),
                            CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
                                .objectIdPaths(                            
                                    1,
                                    5,
                                    7)
                                .build())
                        .caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
                            .isCa(true)
                            .maxIssuerPathLength(10)
                            .build())
                        .keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
                            .baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
                                .digitalSignature(true)
                                .contentCommitment(true)
                                .keyEncipherment(false)
                                .dataEncipherment(true)
                                .keyAgreement(true)
                                .certSign(false)
                                .crlSign(true)
                                .decipherOnly(true)
                                .build())
                            .extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
                                .serverAuth(true)
                                .clientAuth(false)
                                .emailProtection(true)
                                .codeSigning(true)
                                .timeStamping(true)
                                .build())
                            .build())
                        .nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
                            .critical(true)
                            .permittedDnsNames(                        
                                "*.example1.com",
                                "*.example2.com")
                            .excludedDnsNames(                        
                                "*.deny.example1.com",
                                "*.deny.example2.com")
                            .permittedIpRanges(                        
                                "10.0.0.0/8",
                                "11.0.0.0/8")
                            .excludedIpRanges(                        
                                "10.1.1.0/24",
                                "11.1.1.0/24")
                            .permittedEmailAddresses(                        
                                ".example1.com",
                                ".example2.com")
                            .excludedEmailAddresses(                        
                                ".deny.example1.com",
                                ".deny.example2.com")
                            .permittedUris(                        
                                ".example1.com",
                                ".example2.com")
                            .excludedUris(                        
                                ".deny.example1.com",
                                ".deny.example2.com")
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    # Worked example that exercises most issuancePolicy fields. The values are illustrative,
    # not recommended settings; NOTE(review) comments mark the ones to revisit before reuse.
    resources:
      default:
        type: gcp:certificateauthority:CaPool
        properties:
          name: my-pool
          location: us-central1
          tier: ENTERPRISE
          publishingOptions:
            # publishCaCert: false -> the CA certificate is not published and no CA-issuers
            # URL is written to issued certificates; CRL publication stays enabled.
            publishCaCert: false
            publishCrl: true
            encodingFormat: PEM
          labels:
            foo: bar
          issuancePolicy:
            # Key types a request may use; anything not listed here is rejected.
            allowedKeyTypes:
              - ellipticCurve:
                  signatureAlgorithm: ECDSA_P256
              # NOTE(review): modulus sizes are in bits. 5 and 10 are filler numbers, not
              # usable RSA sizes; a real policy would state bounds such as 2048 and 4096.
              - rsa:
                  minModulusSize: 5
                  maxModulusSize: 10
            # Upper bound on certificate lifetime: 50000 seconds (about 13.9 hours).
            maximumLifetime: 50000s
            # Both request styles (CSR and API-supplied config) are accepted.
            allowedIssuanceModes:
              allowCsrBasedIssuance: true
              allowConfigBasedIssuance: true
            identityConstraints:
              # With both passthrough flags true, the requester's subject and SANs are
              # copied into the issued certificate, so celExpression is what limits them.
              allowSubjectPassthrough: true
              allowSubjectAltNamesPassthrough: true
              celExpression:
                # Checks the SAN *type* only (DNS or EMAIL). It does not restrict which
                # names are requested, and it says nothing about the subject field.
                expression: subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )
                title: My title
            # baselineValues are applied to every certificate issued from this pool.
            baselineValues:
              aiaOcspServers:
                - example.com
              additionalExtensions:
                # critical: true on a custom extension means a relying party that does not
                # recognise the OID must reject the certificate. OID and value are filler.
                - critical: true
                  value: asdf
                  objectId:
                    objectIdPaths:
                      - 1
                      - 7
              policyIds:
                - objectIdPaths:
                    - 1
                    - 5
                - objectIdPaths:
                    - 1
                    - 5
                    - 7
              # NOTE(review): isCa: true here marks every certificate issued from the pool
              # as a CA certificate (basicConstraints CA=TRUE) with a path length of 10.
              # A pool meant for end-entity certificates would not set this.
              caOptions:
                isCa: true
                maxIssuerPathLength: 10
              keyUsage:
                baseKeyUsage:
                  digitalSignature: true
                  contentCommitment: true
                  keyEncipherment: false
                  dataEncipherment: true
                  keyAgreement: true
                  # NOTE(review): certSign is false while isCa is true above; a CA
                  # certificate normally needs certSign, so treat this pairing as filler.
                  certSign: false
                  crlSign: true
                  decipherOnly: true
                # NOTE(review): serverAuth, emailProtection, codeSigning and timeStamping
                # are all enabled at once; production pools usually scope EKUs to one purpose.
                extendedKeyUsage:
                  serverAuth: true
                  clientAuth: false
                  emailProtection: true
                  codeSigning: true
                  timeStamping: true
              # Name constraints take effect only in CA certificates: they bound the names
              # that certificates further down the chain may carry. critical: true makes
              # validators that cannot process the extension reject the chain.
              nameConstraints:
                critical: true
                permittedDnsNames:
                  - '*.example1.com'
                  - '*.example2.com'
                excludedDnsNames:
                  - '*.deny.example1.com'
                  - '*.deny.example2.com'
                permittedIpRanges:
                  - 10.0.0.0/8
                  - 11.0.0.0/8
                excludedIpRanges:
                  - 10.1.1.0/24
                  - 11.1.1.0/24
                permittedEmailAddresses:
                  - .example1.com
                  - .example2.com
                excludedEmailAddresses:
                  - .deny.example1.com
                  - .deny.example2.com
                permittedUris:
                  - .example1.com
                  - .example2.com
                excludedUris:
                  - .deny.example1.com
                  - .deny.example2.com
    

    Create CaPool Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new CaPool(name: string, args: CaPoolArgs, opts?: CustomResourceOptions);
    @overload
    def CaPool(resource_name: str,
               args: CaPoolArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def CaPool(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               location: Optional[str] = None,
               tier: Optional[str] = None,
               issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
               labels: Optional[Mapping[str, str]] = None,
               name: Optional[str] = None,
               project: Optional[str] = None,
               publishing_options: Optional[CaPoolPublishingOptionsArgs] = None)
    func NewCaPool(ctx *Context, name string, args CaPoolArgs, opts ...ResourceOption) (*CaPool, error)
    public CaPool(string name, CaPoolArgs args, CustomResourceOptions? opts = null)
    public CaPool(String name, CaPoolArgs args)
    public CaPool(String name, CaPoolArgs args, CustomResourceOptions options)
    
    type: gcp:certificateauthority:CaPool
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CaPoolArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CaPoolArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CaPoolArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CaPoolArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CaPoolArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

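    The following reference example uses placeholder values for all input properties. The placeholders (`"string"`, `false`, `0`) only show each property's type; they are not defaults or recommended settings.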

    // Reference skeleton listing every CaPool input. Each value is a type placeholder
    // ("string", false, 0), not a default or a recommended setting.
    var caPoolResource = new Gcp.CertificateAuthority.CaPool("caPoolResource", new()
    {
        Location = "string",
        Tier = "string",
        IssuancePolicy = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyArgs
        {
            // Which request styles the pool accepts (CSR and/or API-supplied config).
            AllowedIssuanceModes = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedIssuanceModesArgs
            {
                AllowConfigBasedIssuance = false,
                AllowCsrBasedIssuance = false,
            },
            // NOTE(review): EllipticCurve and Rsa appear in one entry here only to show both
            // shapes; the worked example on this page puts each key type in its own entry.
            AllowedKeyTypes = new[]
            {
                new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeArgs
                {
                    EllipticCurve = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs
                    {
                        SignatureAlgorithm = "string",
                    },
                    Rsa = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs
                    {
                        MaxModulusSize = "string",
                        MinModulusSize = "string",
                    },
                },
            },
            // Baseline values are applied to every certificate issued from the pool.
            BaselineValues = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesArgs
            {
                // NOTE(review): IsCa/NonCa and MaxIssuerPathLength/ZeroMaxIssuerPathLength look
                // like alternative spellings of the same basic-constraints fields; presumably
                // only one of each pair is set in practice - confirm in the property reference.
                CaOptions = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs
                {
                    IsCa = false,
                    MaxIssuerPathLength = 0,
                    NonCa = false,
                    ZeroMaxIssuerPathLength = false,
                },
                KeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs
                {
                    BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs
                    {
                        CertSign = false,
                        ContentCommitment = false,
                        CrlSign = false,
                        DataEncipherment = false,
                        DecipherOnly = false,
                        DigitalSignature = false,
                        EncipherOnly = false,
                        KeyAgreement = false,
                        KeyEncipherment = false,
                    },
                    ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs
                    {
                        ClientAuth = false,
                        CodeSigning = false,
                        EmailProtection = false,
                        OcspSigning = false,
                        ServerAuth = false,
                        TimeStamping = false,
                    },
                    UnknownExtendedKeyUsages = new[]
                    {
                        new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                    },
                },
                AdditionalExtensions = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs
                    {
                        Critical = false,
                        ObjectId = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs
                        {
                            ObjectIdPaths = new[]
                            {
                                0,
                            },
                        },
                        Value = "string",
                    },
                },
                AiaOcspServers = new[]
                {
                    "string",
                },
                // Name constraints take effect only in CA certificates.
                NameConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs
                {
                    Critical = false,
                    ExcludedDnsNames = new[]
                    {
                        "string",
                    },
                    ExcludedEmailAddresses = new[]
                    {
                        "string",
                    },
                    ExcludedIpRanges = new[]
                    {
                        "string",
                    },
                    ExcludedUris = new[]
                    {
                        "string",
                    },
                    PermittedDnsNames = new[]
                    {
                        "string",
                    },
                    PermittedEmailAddresses = new[]
                    {
                        "string",
                    },
                    PermittedIpRanges = new[]
                    {
                        "string",
                    },
                    PermittedUris = new[]
                    {
                        "string",
                    },
                },
                PolicyIds = new[]
                {
                    new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs
                    {
                        ObjectIdPaths = new[]
                        {
                            0,
                        },
                    },
                },
            },
            // The passthrough flags decide whether the requester-supplied subject and SANs
            // are copied into issued certificates; CelExpression restricts what is accepted.
            IdentityConstraints = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsArgs
            {
                AllowSubjectAltNamesPassthrough = false,
                AllowSubjectPassthrough = false,
                CelExpression = new Gcp.CertificateAuthority.Inputs.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs
                {
                    Expression = "string",
                    Description = "string",
                    Location = "string",
                    Title = "string",
                },
            },
            // Upper bound on the lifetime of issued certificates.
            MaximumLifetime = "string",
        },
        Labels = 
        {
            { "string", "string" },
        },
        Name = "string",
        Project = "string",
        // Controls whether the CA certificate and CRL are published for this pool.
        PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
        {
            PublishCaCert = false,
            PublishCrl = false,
            EncodingFormat = "string",
        },
    });
    
    // Reference skeleton listing every CaPool input. Each value is a type placeholder
    // ("string", false, 0), not a default or a recommended setting.
    example, err := certificateauthority.NewCaPool(ctx, "caPoolResource", &certificateauthority.CaPoolArgs{
    	Location: pulumi.String("string"),
    	Tier:     pulumi.String("string"),
    	IssuancePolicy: &certificateauthority.CaPoolIssuancePolicyArgs{
    		// Which request styles the pool accepts (CSR and/or API-supplied config).
    		AllowedIssuanceModes: &certificateauthority.CaPoolIssuancePolicyAllowedIssuanceModesArgs{
    			AllowConfigBasedIssuance: pulumi.Bool(false),
    			AllowCsrBasedIssuance:    pulumi.Bool(false),
    		},
    		// NOTE(review): EllipticCurve and Rsa appear in one entry here only to show both
    		// shapes; the worked example on this page puts each key type in its own entry.
    		AllowedKeyTypes: certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArray{
    			&certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeArgs{
    				EllipticCurve: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs{
    					SignatureAlgorithm: pulumi.String("string"),
    				},
    				Rsa: &certificateauthority.CaPoolIssuancePolicyAllowedKeyTypeRsaArgs{
    					MaxModulusSize: pulumi.String("string"),
    					MinModulusSize: pulumi.String("string"),
    				},
    			},
    		},
    		// Baseline values are applied to every certificate issued from the pool.
    		BaselineValues: &certificateauthority.CaPoolIssuancePolicyBaselineValuesArgs{
    			// NOTE(review): IsCa/NonCa and MaxIssuerPathLength/ZeroMaxIssuerPathLength look
    			// like alternative spellings of the same basic-constraints fields; presumably
    			// only one of each pair is set in practice - confirm in the property reference.
    			CaOptions: &certificateauthority.CaPoolIssuancePolicyBaselineValuesCaOptionsArgs{
    				IsCa:                    pulumi.Bool(false),
    				MaxIssuerPathLength:     pulumi.Int(0),
    				NonCa:                   pulumi.Bool(false),
    				ZeroMaxIssuerPathLength: pulumi.Bool(false),
    			},
    			KeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageArgs{
    				BaseKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs{
    					CertSign:          pulumi.Bool(false),
    					ContentCommitment: pulumi.Bool(false),
    					CrlSign:           pulumi.Bool(false),
    					DataEncipherment:  pulumi.Bool(false),
    					DecipherOnly:      pulumi.Bool(false),
    					DigitalSignature:  pulumi.Bool(false),
    					EncipherOnly:      pulumi.Bool(false),
    					KeyAgreement:      pulumi.Bool(false),
    					KeyEncipherment:   pulumi.Bool(false),
    				},
    				ExtendedKeyUsage: &certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs{
    					ClientAuth:      pulumi.Bool(false),
    					CodeSigning:     pulumi.Bool(false),
    					EmailProtection: pulumi.Bool(false),
    					OcspSigning:     pulumi.Bool(false),
    					ServerAuth:      pulumi.Bool(false),
    					TimeStamping:    pulumi.Bool(false),
    				},
    				UnknownExtendedKeyUsages: certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArray{
    					&certificateauthority.CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    				},
    			},
    			AdditionalExtensions: certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArray{
    				&certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs{
    					Critical: pulumi.Bool(false),
    					ObjectId: &certificateauthority.CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs{
    						ObjectIdPaths: pulumi.IntArray{
    							pulumi.Int(0),
    						},
    					},
    					Value: pulumi.String("string"),
    				},
    			},
    			AiaOcspServers: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			// Name constraints take effect only in CA certificates.
    			NameConstraints: &certificateauthority.CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs{
    				Critical: pulumi.Bool(false),
    				ExcludedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				ExcludedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedDnsNames: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedEmailAddresses: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedIpRanges: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				PermittedUris: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			PolicyIds: certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArray{
    				&certificateauthority.CaPoolIssuancePolicyBaselineValuesPolicyIdArgs{
    					ObjectIdPaths: pulumi.IntArray{
    						pulumi.Int(0),
    					},
    				},
    			},
    		},
    		// The passthrough flags decide whether the requester-supplied subject and SANs
    		// are copied into issued certificates; CelExpression restricts what is accepted.
    		IdentityConstraints: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsArgs{
    			AllowSubjectAltNamesPassthrough: pulumi.Bool(false),
    			AllowSubjectPassthrough:         pulumi.Bool(false),
    			CelExpression: &certificateauthority.CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs{
    				Expression:  pulumi.String("string"),
    				Description: pulumi.String("string"),
    				Location:    pulumi.String("string"),
    				Title:       pulumi.String("string"),
    			},
    		},
    		// Upper bound on the lifetime of issued certificates.
    		MaximumLifetime: pulumi.String("string"),
    	},
    	Labels: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	Name:    pulumi.String("string"),
    	Project: pulumi.String("string"),
    	// Controls whether the CA certificate and CRL are published for this pool.
    	PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
    		PublishCaCert:  pulumi.Bool(false),
    		PublishCrl:     pulumi.Bool(false),
    		EncodingFormat: pulumi.String("string"),
    	},
    })
    
    // Reference skeleton listing every CaPool input. Each value is a type placeholder
    // ("string", false, 0), not a default or a recommended setting.
    var caPoolResource = new CaPool("caPoolResource", CaPoolArgs.builder()
        .location("string")
        .tier("string")
        .issuancePolicy(CaPoolIssuancePolicyArgs.builder()
            // Which request styles the pool accepts (CSR and/or API-supplied config).
            .allowedIssuanceModes(CaPoolIssuancePolicyAllowedIssuanceModesArgs.builder()
                .allowConfigBasedIssuance(false)
                .allowCsrBasedIssuance(false)
                .build())
            // NOTE(review): ellipticCurve and rsa appear in one entry here only to show both
            // shapes; the worked example on this page puts each key type in its own entry.
            .allowedKeyTypes(CaPoolIssuancePolicyAllowedKeyTypeArgs.builder()
                .ellipticCurve(CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs.builder()
                    .signatureAlgorithm("string")
                    .build())
                .rsa(CaPoolIssuancePolicyAllowedKeyTypeRsaArgs.builder()
                    .maxModulusSize("string")
                    .minModulusSize("string")
                    .build())
                .build())
            // Baseline values are applied to every certificate issued from the pool.
            .baselineValues(CaPoolIssuancePolicyBaselineValuesArgs.builder()
                // NOTE(review): isCa/nonCa and maxIssuerPathLength/zeroMaxIssuerPathLength look
                // like alternative spellings of the same basic-constraints fields; presumably
                // only one of each pair is set in practice - confirm in the property reference.
                .caOptions(CaPoolIssuancePolicyBaselineValuesCaOptionsArgs.builder()
                    .isCa(false)
                    .maxIssuerPathLength(0)
                    .nonCa(false)
                    .zeroMaxIssuerPathLength(false)
                    .build())
                .keyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageArgs.builder()
                    .baseKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs.builder()
                        .certSign(false)
                        .contentCommitment(false)
                        .crlSign(false)
                        .dataEncipherment(false)
                        .decipherOnly(false)
                        .digitalSignature(false)
                        .encipherOnly(false)
                        .keyAgreement(false)
                        .keyEncipherment(false)
                        .build())
                    .extendedKeyUsage(CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs.builder()
                        .clientAuth(false)
                        .codeSigning(false)
                        .emailProtection(false)
                        .ocspSigning(false)
                        .serverAuth(false)
                        .timeStamping(false)
                        .build())
                    .unknownExtendedKeyUsages(CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .build())
                .additionalExtensions(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs.builder()
                    .critical(false)
                    .objectId(CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs.builder()
                        .objectIdPaths(0)
                        .build())
                    .value("string")
                    .build())
                .aiaOcspServers("string")
                // Name constraints take effect only in CA certificates.
                .nameConstraints(CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs.builder()
                    .critical(false)
                    .excludedDnsNames("string")
                    .excludedEmailAddresses("string")
                    .excludedIpRanges("string")
                    .excludedUris("string")
                    .permittedDnsNames("string")
                    .permittedEmailAddresses("string")
                    .permittedIpRanges("string")
                    .permittedUris("string")
                    .build())
                .policyIds(CaPoolIssuancePolicyBaselineValuesPolicyIdArgs.builder()
                    .objectIdPaths(0)
                    .build())
                .build())
            // The passthrough flags decide whether the requester-supplied subject and SANs
            // are copied into issued certificates; celExpression restricts what is accepted.
            .identityConstraints(CaPoolIssuancePolicyIdentityConstraintsArgs.builder()
                .allowSubjectAltNamesPassthrough(false)
                .allowSubjectPassthrough(false)
                .celExpression(CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs.builder()
                    .expression("string")
                    .description("string")
                    .location("string")
                    .title("string")
                    .build())
                .build())
            // Upper bound on the lifetime of issued certificates.
            .maximumLifetime("string")
            .build())
        .labels(Map.of("string", "string"))
        .name("string")
        .project("string")
        // Controls whether the CA certificate and CRL are published for this pool.
        .publishingOptions(CaPoolPublishingOptionsArgs.builder()
            .publishCaCert(false)
            .publishCrl(false)
            .encodingFormat("string")
            .build())
        .build());
    
    # Reference skeleton listing every CaPool input. Each value is a type placeholder
    # ("string", False, 0), not a default or a recommended setting.
    ca_pool_resource = gcp.certificateauthority.CaPool("caPoolResource",
        location="string",
        tier="string",
        issuance_policy={
            # Which request styles the pool accepts (CSR and/or API-supplied config).
            "allowed_issuance_modes": {
                "allow_config_based_issuance": False,
                "allow_csr_based_issuance": False,
            },
            # NOTE(review): elliptic_curve and rsa appear in one entry here only to show both
            # shapes; the worked example on this page puts each key type in its own entry.
            "allowed_key_types": [{
                "elliptic_curve": {
                    "signature_algorithm": "string",
                },
                "rsa": {
                    "max_modulus_size": "string",
                    "min_modulus_size": "string",
                },
            }],
            # Baseline values are applied to every certificate issued from the pool.
            "baseline_values": {
                # NOTE(review): is_ca/non_ca and max_issuer_path_length/zero_max_issuer_path_length
                # look like alternative spellings of the same basic-constraints fields; presumably
                # only one of each pair is set in practice - confirm in the property reference.
                "ca_options": {
                    "is_ca": False,
                    "max_issuer_path_length": 0,
                    "non_ca": False,
                    "zero_max_issuer_path_length": False,
                },
                "key_usage": {
                    "base_key_usage": {
                        "cert_sign": False,
                        "content_commitment": False,
                        "crl_sign": False,
                        "data_encipherment": False,
                        "decipher_only": False,
                        "digital_signature": False,
                        "encipher_only": False,
                        "key_agreement": False,
                        "key_encipherment": False,
                    },
                    "extended_key_usage": {
                        "client_auth": False,
                        "code_signing": False,
                        "email_protection": False,
                        "ocsp_signing": False,
                        "server_auth": False,
                        "time_stamping": False,
                    },
                    "unknown_extended_key_usages": [{
                        "object_id_paths": [0],
                    }],
                },
                "additional_extensions": [{
                    "critical": False,
                    "object_id": {
                        "object_id_paths": [0],
                    },
                    "value": "string",
                }],
                "aia_ocsp_servers": ["string"],
                # Name constraints take effect only in CA certificates.
                "name_constraints": {
                    "critical": False,
                    "excluded_dns_names": ["string"],
                    "excluded_email_addresses": ["string"],
                    "excluded_ip_ranges": ["string"],
                    "excluded_uris": ["string"],
                    "permitted_dns_names": ["string"],
                    "permitted_email_addresses": ["string"],
                    "permitted_ip_ranges": ["string"],
                    "permitted_uris": ["string"],
                },
                "policy_ids": [{
                    "object_id_paths": [0],
                }],
            },
            # The passthrough flags decide whether the requester-supplied subject and SANs
            # are copied into issued certificates; cel_expression restricts what is accepted.
            "identity_constraints": {
                "allow_subject_alt_names_passthrough": False,
                "allow_subject_passthrough": False,
                "cel_expression": {
                    "expression": "string",
                    "description": "string",
                    "location": "string",
                    "title": "string",
                },
            },
            # Upper bound on the lifetime of issued certificates.
            "maximum_lifetime": "string",
        },
        labels={
            "string": "string",
        },
        name="string",
        project="string",
        # Controls whether the CA certificate and CRL are published for this pool.
        publishing_options={
            "publish_ca_cert": False,
            "publish_crl": False,
            "encoding_format": "string",
        })
    
    // Reference skeleton listing every CaPool input. Each value is a type placeholder
    // ("string", false, 0), not a default or a recommended setting.
    const caPoolResource = new gcp.certificateauthority.CaPool("caPoolResource", {
        location: "string",
        tier: "string",
        issuancePolicy: {
            // Which request styles the pool accepts (CSR and/or API-supplied config).
            allowedIssuanceModes: {
                allowConfigBasedIssuance: false,
                allowCsrBasedIssuance: false,
            },
            // NOTE(review): ellipticCurve and rsa appear in one entry here only to show both
            // shapes; the worked example on this page puts each key type in its own entry.
            allowedKeyTypes: [{
                ellipticCurve: {
                    signatureAlgorithm: "string",
                },
                rsa: {
                    maxModulusSize: "string",
                    minModulusSize: "string",
                },
            }],
            // Baseline values are applied to every certificate issued from the pool.
            baselineValues: {
                // NOTE(review): isCa/nonCa and maxIssuerPathLength/zeroMaxIssuerPathLength look
                // like alternative spellings of the same basic-constraints fields; presumably
                // only one of each pair is set in practice - confirm in the property reference.
                caOptions: {
                    isCa: false,
                    maxIssuerPathLength: 0,
                    nonCa: false,
                    zeroMaxIssuerPathLength: false,
                },
                keyUsage: {
                    baseKeyUsage: {
                        certSign: false,
                        contentCommitment: false,
                        crlSign: false,
                        dataEncipherment: false,
                        decipherOnly: false,
                        digitalSignature: false,
                        encipherOnly: false,
                        keyAgreement: false,
                        keyEncipherment: false,
                    },
                    extendedKeyUsage: {
                        clientAuth: false,
                        codeSigning: false,
                        emailProtection: false,
                        ocspSigning: false,
                        serverAuth: false,
                        timeStamping: false,
                    },
                    unknownExtendedKeyUsages: [{
                        objectIdPaths: [0],
                    }],
                },
                additionalExtensions: [{
                    critical: false,
                    objectId: {
                        objectIdPaths: [0],
                    },
                    value: "string",
                }],
                aiaOcspServers: ["string"],
                // Name constraints take effect only in CA certificates.
                nameConstraints: {
                    critical: false,
                    excludedDnsNames: ["string"],
                    excludedEmailAddresses: ["string"],
                    excludedIpRanges: ["string"],
                    excludedUris: ["string"],
                    permittedDnsNames: ["string"],
                    permittedEmailAddresses: ["string"],
                    permittedIpRanges: ["string"],
                    permittedUris: ["string"],
                },
                policyIds: [{
                    objectIdPaths: [0],
                }],
            },
            // The passthrough flags decide whether the requester-supplied subject and SANs
            // are copied into issued certificates; celExpression restricts what is accepted.
            identityConstraints: {
                allowSubjectAltNamesPassthrough: false,
                allowSubjectPassthrough: false,
                celExpression: {
                    expression: "string",
                    description: "string",
                    location: "string",
                    title: "string",
                },
            },
            // Upper bound on the lifetime of issued certificates.
            maximumLifetime: "string",
        },
        labels: {
            string: "string",
        },
        name: "string",
        project: "string",
        // Controls whether the CA certificate and CRL are published for this pool.
        publishingOptions: {
            publishCaCert: false,
            publishCrl: false,
            encodingFormat: "string",
        },
    });
    
    # Property skeleton for a CaPool. The values (string / false / 0) look like type
    # placeholders rather than recommended settings; set each one deliberately.
    type: gcp:certificateauthority:CaPool
    properties:
        # Controls how Certificates are issued from this CaPool.
        issuancePolicy:
            # Ways in which Certificates may be requested from this pool.
            allowedIssuanceModes:
                # true lets callers create Certificates by specifying a CertificateConfig.
                allowConfigBasedIssuance: false
                # true lets callers create Certificates by specifying a CSR.
                allowCsrBasedIssuance: false
            # When at least one entry is listed, the request's public key must match one
            # of them; with no entries, any key may be used.
            allowedKeyTypes:
                - ellipticCurve:
                    signatureAlgorithm: string
                  rsa:
                    maxModulusSize: string
                    minModulusSize: string
            # X.509 values applied to every certificate issued through the pool. They
            # overwrite conflicting values in a request; a CertificateTemplate with
            # conflicting predefinedValues makes the issuance request fail.
            baselineValues:
                additionalExtensions:
                    - critical: false
                      objectId:
                        objectIdPaths:
                            - 0
                      value: string
                aiaOcspServers:
                    - string
                # NOTE(review): isCa / nonCa and the path-length fields are not described
                # in this part of the page; confirm their semantics before setting them,
                # since baseline values apply to all certificates from the pool.
                caOptions:
                    isCa: false
                    maxIssuerPathLength: 0
                    nonCa: false
                    zeroMaxIssuerPathLength: false
                # Sits under baselineValues, so whatever is enabled here applies to every
                # certificate issued through the pool.
                keyUsage:
                    baseKeyUsage:
                        certSign: false
                        contentCommitment: false
                        crlSign: false
                        dataEncipherment: false
                        decipherOnly: false
                        digitalSignature: false
                        encipherOnly: false
                        keyAgreement: false
                        keyEncipherment: false
                    extendedKeyUsage:
                        clientAuth: false
                        codeSigning: false
                        emailProtection: false
                        ocspSigning: false
                        serverAuth: false
                        timeStamping: false
                    unknownExtendedKeyUsages:
                        - objectIdPaths:
                            - 0
                nameConstraints:
                    critical: false
                    excludedDnsNames:
                        - string
                    excludedEmailAddresses:
                        - string
                    excludedIpRanges:
                        - string
                    excludedUris:
                        - string
                    permittedDnsNames:
                        - string
                    permittedEmailAddresses:
                        - string
                    permittedIpRanges:
                        - string
                    permittedUris:
                        - string
                policyIds:
                    - objectIdPaths:
                        - 0
            # If this block is omitted, the pool adds no restrictions on a certificate's
            # identity.
            identityConstraints:
                # NOTE(review): presumably these decide whether the requester's subject and
                # subject alternative names are copied into the certificate; confirm in the
                # identityConstraints reference.
                allowSubjectAltNamesPassthrough: false
                allowSubjectPassthrough: false
                celExpression:
                    description: string
                    expression: string
                    location: string
                    title: string
            # Maximum lifetime allowed for issued Certificates.
            maximumLifetime: string
        # Non-authoritative: only the labels present in this configuration are managed.
        labels:
            string: string
        # Valid locations are listed by: gcloud privateca locations list
        location: string
        name: string
        # The provider project is used when this is not provided.
        project: string
        # Followed when issuing Certificates from any CertificateAuthority in this pool.
        publishingOptions:
            encodingFormat: string
            publishCaCert: false
            publishCrl: false
        # Possible values: ENTERPRISE, DEVOPS.
        tier: string
    

    CaPool Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The CaPool resource accepts the following input properties:

    Location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    Tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    IssuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    Labels Dictionary<string, string>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The name for this CaPool.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PublishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    Location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    Tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    IssuancePolicy CaPoolIssuancePolicyArgs
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    Labels map[string]string

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Name string
    The name for this CaPool.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PublishingOptions CaPoolPublishingOptionsArgs
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    location String
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    tier String
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    issuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Map<String,String>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The name for this CaPool.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    issuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels {[key: string]: string}

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name string
    The name for this CaPool.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    location str
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    tier str
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    issuance_policy CaPoolIssuancePolicyArgs
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Mapping[str, str]

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name str
    The name for this CaPool.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishing_options CaPoolPublishingOptionsArgs
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    location String
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    tier String
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    issuancePolicy Property Map
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Map<String>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    name String
    The name for this CaPool.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions Property Map
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CaPool resource produces the following output properties:

    EffectiveLabels Dictionary<string, string>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    EffectiveLabels map[string]string
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    Id string
    The provider-assigned unique ID for this managed resource.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels Map<String,String>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels {[key: string]: string}
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id string
    The provider-assigned unique ID for this managed resource.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effective_labels Mapping[str, str]
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id str
    The provider-assigned unique ID for this managed resource.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    effectiveLabels Map<String>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    id String
    The provider-assigned unique ID for this managed resource.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.

    Look up Existing CaPool Resource

    Get an existing CaPool resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CaPoolState, opts?: CustomResourceOptions): CaPool
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            effective_labels: Optional[Mapping[str, str]] = None,
            issuance_policy: Optional[CaPoolIssuancePolicyArgs] = None,
            labels: Optional[Mapping[str, str]] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            project: Optional[str] = None,
            publishing_options: Optional[CaPoolPublishingOptionsArgs] = None,
            pulumi_labels: Optional[Mapping[str, str]] = None,
            tier: Optional[str] = None) -> CaPool
    func GetCaPool(ctx *Context, name string, id IDInput, state *CaPoolState, opts ...ResourceOption) (*CaPool, error)
    public static CaPool Get(string name, Input<string> id, CaPoolState? state, CustomResourceOptions? opts = null)
    public static CaPool get(String name, Output<String> id, CaPoolState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    EffectiveLabels Dictionary<string, string>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    IssuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    Labels Dictionary<string, string>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    Name string
    The name for this CaPool.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PublishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    PulumiLabels Dictionary<string, string>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    Tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    EffectiveLabels map[string]string
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    IssuancePolicy CaPoolIssuancePolicyArgs
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    Labels map[string]string

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    Location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    Name string
    The name for this CaPool.
    Project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    PublishingOptions CaPoolPublishingOptionsArgs
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    PulumiLabels map[string]string
    The combination of labels configured directly on the resource and default labels configured on the provider.
    Tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    effectiveLabels Map<String,String>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Map<String,String>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    location String
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    name String
    The name for this CaPool.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    pulumiLabels Map<String,String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    tier String
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    effectiveLabels {[key: string]: string}
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuancePolicy CaPoolIssuancePolicy
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels {[key: string]: string}

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    location string
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    name string
    The name for this CaPool.
    project string
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions CaPoolPublishingOptions
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    pulumiLabels {[key: string]: string}
    The combination of labels configured directly on the resource and default labels configured on the provider.
    tier string
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    effective_labels Mapping[str, str]
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuance_policy CaPoolIssuancePolicyArgs
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Mapping[str, str]

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    location str
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    name str
    The name for this CaPool.
    project str
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishing_options CaPoolPublishingOptionsArgs
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    pulumi_labels Mapping[str, str]
    The combination of labels configured directly on the resource and default labels configured on the provider.
    tier str
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.
    effectiveLabels Map<String>
    All labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
    issuancePolicy Property Map
    The IssuancePolicy to control how Certificates will be issued from this CaPool. Structure is documented below.
    labels Map<String>

    Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

    Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

    location String
    Location of the CaPool. A full list of valid locations can be found by running gcloud privateca locations list.


    name String
    The name for this CaPool.
    project String
    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
    publishingOptions Property Map
    The PublishingOptions to follow when issuing Certificates from any CertificateAuthority in this CaPool. Structure is documented below.
    pulumiLabels Map<String>
    The combination of labels configured directly on the resource and default labels configured on the provider.
    tier String
    The Tier of this CaPool. Possible values are: ENTERPRISE, DEVOPS.

    Supporting Types

    CaPoolIssuancePolicy, CaPoolIssuancePolicyArgs

    AllowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    AllowedKeyTypes List<CaPoolIssuancePolicyAllowedKeyType>
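    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used; that is, leaving this list empty places no restriction on the key algorithm or size that a request can present. Structure is documented below.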
    BaselineValues CaPoolIssuancePolicyBaselineValues
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    IdentityConstraints CaPoolIssuancePolicyIdentityConstraints
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity, so the pool itself does not limit which subject or subject alternative names a request can carry. Structure is documented below.
    MaximumLifetime string
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match the CertificateAuthority's expiry.
    AllowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    AllowedKeyTypes []CaPoolIssuancePolicyAllowedKeyType
    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
    BaselineValues CaPoolIssuancePolicyBaselineValues
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    IdentityConstraints CaPoolIssuancePolicyIdentityConstraints
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
    MaximumLifetime string
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
    allowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    allowedKeyTypes List<CaPoolIssuancePolicyAllowedKeyType>
    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
    baselineValues CaPoolIssuancePolicyBaselineValues
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    identityConstraints CaPoolIssuancePolicyIdentityConstraints
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
    maximumLifetime String
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
    allowedIssuanceModes CaPoolIssuancePolicyAllowedIssuanceModes
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    allowedKeyTypes CaPoolIssuancePolicyAllowedKeyType[]
    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
    baselineValues CaPoolIssuancePolicyBaselineValues
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    identityConstraints CaPoolIssuancePolicyIdentityConstraints
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
    maximumLifetime string
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
    allowed_issuance_modes CaPoolIssuancePolicyAllowedIssuanceModes
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    allowed_key_types Sequence[CaPoolIssuancePolicyAllowedKeyType]
    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
    baseline_values CaPoolIssuancePolicyBaselineValues
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    identity_constraints CaPoolIssuancePolicyIdentityConstraints
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
    maximum_lifetime str
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.
    allowedIssuanceModes Property Map
    IssuanceModes specifies the allowed ways in which Certificates may be requested from this CaPool. Structure is documented below.
    allowedKeyTypes List<Property Map>
    If any AllowedKeyType is specified, then the certificate request's public key must match one of the key types listed here. Otherwise, any key may be used. Structure is documented below.
    baselineValues Property Map
    A set of X.509 values that will be applied to all certificates issued through this CaPool. If a certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If a certificate request uses a CertificateTemplate that defines conflicting predefinedValues for the same properties, the certificate issuance request will fail. Structure is documented below.
    identityConstraints Property Map
    Describes constraints on identities that may appear in Certificates issued through this CaPool. If this is omitted, then this CaPool will not add restrictions on a certificate's identity. Structure is documented below.
    maximumLifetime String
    The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximumLifetime, the effective lifetime will be explicitly truncated to match it.

    CaPoolIssuancePolicyAllowedIssuanceModes, CaPoolIssuancePolicyAllowedIssuanceModesArgs

    AllowConfigBasedIssuance bool
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    AllowCsrBasedIssuance bool
    When true, allows callers to create Certificates by specifying a CSR.
    AllowConfigBasedIssuance bool
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    AllowCsrBasedIssuance bool
    When true, allows callers to create Certificates by specifying a CSR.
    allowConfigBasedIssuance Boolean
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    allowCsrBasedIssuance Boolean
    When true, allows callers to create Certificates by specifying a CSR.
    allowConfigBasedIssuance boolean
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    allowCsrBasedIssuance boolean
    When true, allows callers to create Certificates by specifying a CSR.
    allow_config_based_issuance bool
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    allow_csr_based_issuance bool
    When true, allows callers to create Certificates by specifying a CSR.
    allowConfigBasedIssuance Boolean
    When true, allows callers to create Certificates by specifying a CertificateConfig.
    allowCsrBasedIssuance Boolean
    When true, allows callers to create Certificates by specifying a CSR.

    CaPoolIssuancePolicyAllowedKeyType, CaPoolIssuancePolicyAllowedKeyTypeArgs

    EllipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    Rsa CaPoolIssuancePolicyAllowedKeyTypeRsa
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
    EllipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    Rsa CaPoolIssuancePolicyAllowedKeyTypeRsa
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
    ellipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    rsa CaPoolIssuancePolicyAllowedKeyTypeRsa
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
    ellipticCurve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    rsa CaPoolIssuancePolicyAllowedKeyTypeRsa
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
    elliptic_curve CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    rsa CaPoolIssuancePolicyAllowedKeyTypeRsa
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.
    ellipticCurve Property Map
    Represents an allowed Elliptic Curve key type. Structure is documented below.
    rsa Property Map
    Describes an RSA key that may be used in a Certificate issued from a CaPool. Structure is documented below.

    CaPoolIssuancePolicyAllowedKeyTypeEllipticCurve, CaPoolIssuancePolicyAllowedKeyTypeEllipticCurveArgs

    SignatureAlgorithm string
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.
    SignatureAlgorithm string
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.
    signatureAlgorithm String
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.
    signatureAlgorithm string
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.
    signature_algorithm str
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.
    signatureAlgorithm String
    The algorithm used. Possible values are: ECDSA_P256, ECDSA_P384, EDDSA_25519.

    CaPoolIssuancePolicyAllowedKeyTypeRsa, CaPoolIssuancePolicyAllowedKeyTypeRsaArgs

    MaxModulusSize string
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    MinModulusSize string
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
    MaxModulusSize string
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    MinModulusSize string
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
    maxModulusSize String
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    minModulusSize String
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
    maxModulusSize string
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    minModulusSize string
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
    max_modulus_size str
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    min_modulus_size str
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.
    maxModulusSize String
    The maximum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service will not enforce an explicit upper bound on RSA modulus sizes.
    minModulusSize String
    The minimum allowed RSA modulus size, in bits. If this is not set, or if set to zero, the service-level min RSA modulus size will continue to apply.

    CaPoolIssuancePolicyBaselineValues, CaPoolIssuancePolicyBaselineValuesArgs

    CaOptions CaPoolIssuancePolicyBaselineValuesCaOptions
    Describes values that are relevant in a CA certificate. Structure is documented below.
    KeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    AdditionalExtensions List<CaPoolIssuancePolicyBaselineValuesAdditionalExtension>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    AiaOcspServers List<string>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    NameConstraints CaPoolIssuancePolicyBaselineValuesNameConstraints
    Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds List<CaPoolIssuancePolicyBaselineValuesPolicyId>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    CaOptions CaPoolIssuancePolicyBaselineValuesCaOptions
    Describes values that are relevant in a CA certificate. Structure is documented below.
    KeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    AdditionalExtensions []CaPoolIssuancePolicyBaselineValuesAdditionalExtension
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    AiaOcspServers []string
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    NameConstraints CaPoolIssuancePolicyBaselineValuesNameConstraints
    Describes the X.509 name constraints extension. Structure is documented below.
    PolicyIds []CaPoolIssuancePolicyBaselineValuesPolicyId
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    caOptions CaPoolIssuancePolicyBaselineValuesCaOptions
    Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions List<CaPoolIssuancePolicyBaselineValuesAdditionalExtension>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    aiaOcspServers List<String>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints CaPoolIssuancePolicyBaselineValuesNameConstraints
    Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<CaPoolIssuancePolicyBaselineValuesPolicyId>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    caOptions CaPoolIssuancePolicyBaselineValuesCaOptions
    Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsage CaPoolIssuancePolicyBaselineValuesKeyUsage
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions CaPoolIssuancePolicyBaselineValuesAdditionalExtension[]
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    aiaOcspServers string[]
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints CaPoolIssuancePolicyBaselineValuesNameConstraints
    Describes the X.509 name constraints extension. Structure is documented below.
    policyIds CaPoolIssuancePolicyBaselineValuesPolicyId[]
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    ca_options CaPoolIssuancePolicyBaselineValuesCaOptions
    Describes values that are relevant in a CA certificate. Structure is documented below.
    key_usage CaPoolIssuancePolicyBaselineValuesKeyUsage
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additional_extensions Sequence[CaPoolIssuancePolicyBaselineValuesAdditionalExtension]
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    aia_ocsp_servers Sequence[str]
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    name_constraints CaPoolIssuancePolicyBaselineValuesNameConstraints
    Describes the X.509 name constraints extension. Structure is documented below.
    policy_ids Sequence[CaPoolIssuancePolicyBaselineValuesPolicyId]
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.
    caOptions Property Map
    Describes values that are relevant in a CA certificate. Structure is documented below.
    keyUsage Property Map
    Indicates the intended use for keys that correspond to a certificate. Structure is documented below.
    additionalExtensions List<Property Map>
    Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs. Structure is documented below.
    aiaOcspServers List<String>
    Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
    nameConstraints Property Map
    Describes the X.509 name constraints extension. Structure is documented below.
    policyIds List<Property Map>
    Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. Structure is documented below.

    CaPoolIssuancePolicyBaselineValuesAdditionalExtension, CaPoolIssuancePolicyBaselineValuesAdditionalExtensionArgs

    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    Critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    ObjectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    Value string
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.
    critical boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    value string
    The value of this X.509 extension. A base64-encoded string.
    critical bool
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    object_id CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    value str
    The value of this X.509 extension. A base64-encoded string.
    critical Boolean
    Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
    objectId Property Map
    Identifies this X.509 extension by its object identifier (OID). Structure is documented below.
    value String
    The value of this X.509 extension. A base64-encoded string.

    CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectId, CaPoolIssuancePolicyBaselineValuesAdditionalExtensionObjectIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CaPoolIssuancePolicyBaselineValuesCaOptions, CaPoolIssuancePolicyBaselineValuesCaOptionsArgs

    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    IsCa bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    MaxIssuerPathLength int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    NonCa bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    ZeroMaxIssuerPathLength bool
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Integer
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength boolean
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    is_ca bool
    When true, the "CA" in Basic Constraints extension will be set to true.
    max_issuer_path_length int
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    non_ca bool
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zero_max_issuer_path_length bool
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.
    isCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to true.
    maxIssuerPathLength Number
    Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail.
    nonCa Boolean
    When true, the "CA" in Basic Constraints extension will be set to false. If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
    zeroMaxIssuerPathLength Boolean
    When true, the "path length constraint" in the Basic Constraints extension will be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length are unset, the max path length will be omitted from the CA certificate.

    CaPoolIssuancePolicyBaselineValuesKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageArgs

    BaseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages List<CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    BaseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    ExtendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    UnknownExtendedKeyUsages []CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    base_key_usage CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    extended_key_usage CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknown_extended_key_usages Sequence[CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.
    baseKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    extendedKeyUsage Property Map
    Describes high-level ways in which a key may be used. Structure is documented below.
    unknownExtendedKeyUsages List<Property Map>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. Structure is documented below.

    CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageBaseKeyUsageArgs

    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used to sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    CertSign bool
    The key may be used to sign certificates.
    ContentCommitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    CrlSign bool
    The key may be used to sign certificate revocation lists.
    DataEncipherment bool
    The key may be used to encipher data.
    DecipherOnly bool
    The key may be used to decipher only.
    DigitalSignature bool
    The key may be used for digital signatures.
    EncipherOnly bool
    The key may be used to encipher only.
    KeyAgreement bool
    The key may be used in a key agreement protocol.
    KeyEncipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used to sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.
    certSign boolean
    The key may be used to sign certificates.
    contentCommitment boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign boolean
    The key may be used to sign certificate revocation lists.
    dataEncipherment boolean
    The key may be used to encipher data.
    decipherOnly boolean
    The key may be used to decipher only.
    digitalSignature boolean
    The key may be used for digital signatures.
    encipherOnly boolean
    The key may be used to encipher only.
    keyAgreement boolean
    The key may be used in a key agreement protocol.
    keyEncipherment boolean
    The key may be used to encipher other keys.
    cert_sign bool
    The key may be used to sign certificates.
    content_commitment bool
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crl_sign bool
    The key may be used to sign certificate revocation lists.
    data_encipherment bool
    The key may be used to encipher data.
    decipher_only bool
    The key may be used to decipher only.
    digital_signature bool
    The key may be used for digital signatures.
    encipher_only bool
    The key may be used to encipher only.
    key_agreement bool
    The key may be used in a key agreement protocol.
    key_encipherment bool
    The key may be used to encipher other keys.
    certSign Boolean
    The key may be used to sign certificates.
    contentCommitment Boolean
    The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
    crlSign Boolean
    The key may be used to sign certificate revocation lists.
    dataEncipherment Boolean
    The key may be used to encipher data.
    decipherOnly Boolean
    The key may be used to decipher only.
    digitalSignature Boolean
    The key may be used for digital signatures.
    encipherOnly Boolean
    The key may be used to encipher only.
    keyAgreement Boolean
    The key may be used in a key agreement protocol.
    keyEncipherment Boolean
    The key may be used to encipher other keys.

    CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageExtendedKeyUsageArgs

    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    ClientAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    CodeSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    EmailProtection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    OcspSigning bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    ServerAuth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    TimeStamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    emailProtection boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    client_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    code_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    email_protection bool
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocsp_signing bool
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    server_auth bool
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    time_stamping bool
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
    clientAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
    codeSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code".
    emailProtection Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
    ocspSigning Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
    serverAuth Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
    timeStamping Boolean
    Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".

    CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsage, CaPoolIssuancePolicyBaselineValuesKeyUsageUnknownExtendedKeyUsageArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CaPoolIssuancePolicyBaselineValuesNameConstraints, CaPoolIssuancePolicyBaselineValuesNameConstraintsArgs

    Critical bool
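    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.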
    ExcludedDnsNames List<string>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses List<string>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges List<string>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris List<string>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames List<string>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses List<string>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges List<string>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris List<string>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    Critical bool
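    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.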
    ExcludedDnsNames []string
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    ExcludedEmailAddresses []string
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    ExcludedIpRanges []string
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    ExcludedUris []string
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    PermittedDnsNames []string
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    PermittedEmailAddresses []string
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    PermittedIpRanges []string
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    PermittedUris []string
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
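    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.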
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical boolean
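    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.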
    excludedDnsNames string[]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses string[]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges string[]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris string[]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames string[]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses string[]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges string[]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris string[]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical bool
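    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.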
    excluded_dns_names Sequence[str]
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excluded_email_addresses Sequence[str]
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excluded_ip_ranges Sequence[str]
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excluded_uris Sequence[str]
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permitted_dns_names Sequence[str]
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permitted_email_addresses Sequence[str]
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permitted_ip_ranges Sequence[str]
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permitted_uris Sequence[str]
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    critical Boolean
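    Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a validator that does not implement name constraints may ignore a non-critical one, leaving the permitted and excluded lists unenforced.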
    excludedDnsNames List<String>
    Contains excluded DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    excludedEmailAddresses List<String>
    Contains the excluded email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    excludedIpRanges List<String>
    Contains the excluded IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    excludedUris List<String>
    Contains the excluded URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)
    permittedDnsNames List<String>
    Contains permitted DNS names. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, example.com, www.example.com, www.sub.example.com would satisfy example.com while example1.com does not.
    permittedEmailAddresses List<String>
    Contains the permitted email addresses. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. .example.com) to indicate all email addresses in that domain.
    permittedIpRanges List<String>
    Contains the permitted IP ranges. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4 addresses.
    permittedUris List<String>
    Contains the permitted URIs that apply to the host part of the name. The value can be a hostname or a domain with a leading period (like .example.com)

    CaPoolIssuancePolicyBaselineValuesPolicyId, CaPoolIssuancePolicyBaselineValuesPolicyIdArgs

    ObjectIdPaths List<int>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    ObjectIdPaths []int
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Integer>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths number[]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    object_id_paths Sequence[int]
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
    objectIdPaths List<Number>
    An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.

    CaPoolIssuancePolicyIdentityConstraints, CaPoolIssuancePolicyIdentityConstraintsArgs

    AllowSubjectAltNamesPassthrough bool
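    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with CelExpression unless every principal allowed to request from this pool is trusted for any name.
    AllowSubjectPassthrough bool
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with CelExpression.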
    CelExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
    AllowSubjectAltNamesPassthrough bool
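    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with CelExpression unless every principal allowed to request from this pool is trusted for any name.
    AllowSubjectPassthrough bool
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with CelExpression.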
    CelExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
    allowSubjectAltNamesPassthrough Boolean
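    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with celExpression unless every principal allowed to request from this pool is trusted for any name.
    allowSubjectPassthrough Boolean
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with celExpression.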
    celExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
    allowSubjectAltNamesPassthrough boolean
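    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with celExpression unless every principal allowed to request from this pool is trusted for any name.
    allowSubjectPassthrough boolean
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with celExpression.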
    celExpression CaPoolIssuancePolicyIdentityConstraintsCelExpression
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
    allow_subject_alt_names_passthrough bool
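    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with cel_expression unless every principal allowed to request from this pool is trusted for any name.
    allow_subject_passthrough bool
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with cel_expression.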
    cel_expression CaPoolIssuancePolicyIdentityConstraintsCelExpression
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.
    allowSubjectAltNamesPassthrough Boolean
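    If this is set, the SubjectAltNames extension may be copied from a certificate request into the signed certificate. Otherwise, the requested SubjectAltNames will be discarded. With passthrough enabled the requester chooses the names the certificate asserts, so restrict them with celExpression unless every principal allowed to request from this pool is trusted for any name.
    allowSubjectPassthrough Boolean
    If this is set, the Subject field may be copied from a certificate request into the signed certificate. Otherwise, the requested Subject will be discarded. A passed-through Subject is likewise requester-controlled; validate it with celExpression.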
    celExpression Property Map
    A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/cel-guide Structure is documented below.

    CaPoolIssuancePolicyIdentityConstraintsCelExpression, CaPoolIssuancePolicyIdentityConstraintsCelExpressionArgs

    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Description string
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    Expression string
    Textual representation of an expression in Common Expression Language syntax.
    Description string
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    Location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    Title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    description String
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    location String
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    expression string
    Textual representation of an expression in Common Expression Language syntax.
    description string
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    location string
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title string
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    expression str
    Textual representation of an expression in Common Expression Language syntax.
    description str
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    location str
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title str
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
    expression String
    Textual representation of an expression in Common Expression Language syntax.
    description String
    Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
    location String
    String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
    title String
    Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.

    CaPoolPublishingOptions, CaPoolPublishingOptionsArgs

    PublishCaCert bool
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    PublishCrl bool
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    EncodingFormat string
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.
    PublishCaCert bool
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    PublishCrl bool
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    EncodingFormat string
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.
    publishCaCert Boolean
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    publishCrl Boolean
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    encodingFormat String
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.
    publishCaCert boolean
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    publishCrl boolean
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    encodingFormat string
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.
    publish_ca_cert bool
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    publish_crl bool
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    encoding_format str
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.
    publishCaCert Boolean
    When true, publishes each CertificateAuthority's CA certificate and includes its URL in the "Authority Information Access" X.509 extension in all issued Certificates. If this is false, the CA certificate will not be published and the corresponding X.509 extension will not be written in issued certificates.
    publishCrl Boolean
    When true, publishes each CertificateAuthority's CRL and includes its URL in the "CRL Distribution Points" X.509 extension in all issued Certificates. If this is false, CRLs will not be published and the corresponding X.509 extension will not be written in issued certificates. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
    encodingFormat String
    Specifies the encoding format of each CertificateAuthority's CA certificate and CRLs. If this is omitted, CA certificates and CRLs will be published in PEM. Possible values are: PEM, DER.

    Import

    CaPool can be imported using any of these accepted formats:

    • projects/{{project}}/locations/{{location}}/caPools/{{name}}

    • {{project}}/{{location}}/{{name}}

    • {{location}}/{{name}}

    When using the pulumi import command, CaPool can be imported using one of the formats above. For example:

    $ pulumi import gcp:certificateauthority/caPool:CaPool default projects/{{project}}/locations/{{location}}/caPools/{{name}}
    
    $ pulumi import gcp:certificateauthority/caPool:CaPool default {{project}}/{{location}}/{{name}}
    
    $ pulumi import gcp:certificateauthority/caPool:CaPool default {{location}}/{{name}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi