import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* A CertificateAuthority represents an individual Certificate Authority. A
* CertificateAuthority can be used to create Certificates.
*
* To get more information about CertificateAuthority, see:
*
* * [API documentation](https://cloud.google.com/certificate-authority-service/docs/reference/rest)
* * How-to Guides
* * [Official Documentation](https://cloud.google.com/certificate-authority-service)
*
* > **Warning:** On newer versions of the provider, you must explicitly set `deletionProtection: false`
* (`deletion_protection=false` in the provider schema) and run `pulumi up` to write the field to state
* before a CertificateAuthority can be destroyed.
* It is recommended to leave this field unset (or set it to true) until you are ready to destroy the CA.
*
* ## Example Usage
*
* ### Privateca Certificate Authority Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.certificateauthority.Authority("default", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority",
* location: "us-central1",
* deletionProtection: true,
* config: {
* subjectConfig: {
* subject: {
* organization: "ACME",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* },
* },
* lifetime: `${10 * 365 * 24 * 3600}s`,
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* });
* ```
* ### Privateca Certificate Authority Subordinate
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const root_ca = new gcp.certificateauthority.Authority("root-ca", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority-root",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "ACME",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
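* // Teardown-friendly settings for this example only: together they allow the root CA to be
* // destroyed immediately, with active certificates and no grace period for undeletion.
* // For a long-lived root CA, keep deletionProtection on and leave the other two at their default (false).
* deletionProtection: false,
* skipGracePeriod: true,
* ignoreActiveCertificatesOnDeletion: true,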
* });
* const _default = new gcp.certificateauthority.Authority("default", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority-sub",
* location: "us-central1",
* deletionProtection: true,
* subordinateConfig: {
* certificateAuthority: root_ca.name,
* },
* config: {
* subjectConfig: {
* subject: {
* organization: "ACME",
* commonName: "my-subordinate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* zeroMaxIssuerPathLength: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* },
* },
* lifetime: `${5 * 365 * 24 * 3600}s`,
* keySpec: {
* algorithm: "RSA_PKCS1_2048_SHA256",
* },
* type: "SUBORDINATE",
* });
* ```
* ### Privateca Certificate Authority Byo Key
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const privatecaSa = new gcp.projects.ServiceIdentity("privateca_sa", {service: "privateca.googleapis.com"});
* const privatecaSaKeyuserSignerverifier = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_signerverifier", {
* cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
* role: "roles/cloudkms.signerVerifier",
* member: privatecaSa.member,
* });
* const privatecaSaKeyuserViewer = new gcp.kms.CryptoKeyIAMMember("privateca_sa_keyuser_viewer", {
* cryptoKeyId: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key",
* role: "roles/viewer",
* member: privatecaSa.member,
* });
* const _default = new gcp.certificateauthority.Authority("default", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority",
* location: "us-central1",
* deletionProtection: true,
* keySpec: {
* cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
* },
* config: {
* subjectConfig: {
* subject: {
* organization: "Example, Org.",
* commonName: "Example Authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* nameConstraints: {
* critical: true,
* permittedDnsNames: ["*.example.com"],
* excludedDnsNames: ["*.deny.example.com"],
* permittedIpRanges: ["10.0.0.0/8"],
* excludedIpRanges: ["10.1.1.0/24"],
* permittedEmailAddresses: [".example.com"],
* excludedEmailAddresses: [".deny.example.com"],
* permittedUris: [".example.com"],
* excludedUris: [".deny.example.com"],
* },
* },
* },
* }, {
* dependsOn: [
* privatecaSaKeyuserSignerverifier,
* privatecaSaKeyuserViewer,
* ],
* });
* ```
* ### Privateca Certificate Authority Custom Ski
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.certificateauthority.Authority("default", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority",
* location: "us-central1",
* deletionProtection: true,
* config: {
* subjectConfig: {
* subject: {
* organization: "ACME",
* commonName: "my-certificate-authority",
* },
* },
* subjectKeyId: {
* keyId: "4cf3372289b1d411b999dbb9ebcd44744b6b2fca",
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* },
* },
* lifetime: `${10 * 365 * 24 * 3600}s`,
* keySpec: {
* cloudKmsKeyVersion: "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1",
* },
* });
* ```
* ### Privateca Certificate Authority Basic With Custom Cdp Aia Urls
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.certificateauthority.Authority("default", {
* pool: "ca-pool",
* certificateAuthorityId: "my-certificate-authority",
* location: "us-central1",
* deletionProtection: true,
* config: {
* subjectConfig: {
* subject: {
* organization: "ACME",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {},
* },
* },
* },
* lifetime: `${10 * 365 * 24 * 3600}s`,
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* userDefinedAccessUrls: {
* aiaIssuingCertificateUrls: [
* "http://example.com/ca.crt",
* "http://example.com/anotherca.crt",
* ],
* crlAccessUrls: [
* "http://example.com/crl1.crt",
* "http://example.com/crl2.crt",
* ],
* },
* });
* ```
*
* ## Import
*
* CertificateAuthority can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}`
*
* * `{{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}`
*
* * `{{location}}/{{pool}}/{{certificate_authority_id}}`
*
* When using the `pulumi import` command, CertificateAuthority can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:certificateauthority/authority:Authority default projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
* ```
*
* ```sh
* $ pulumi import gcp:certificateauthority/authority:Authority default {{project}}/{{location}}/{{pool}}/{{certificate_authority_id}}
* ```
*
* ```sh
* $ pulumi import gcp:certificateauthority/authority:Authority default {{location}}/{{pool}}/{{certificate_authority_id}}
* ```
*/
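export declare class Authority extends pulumi.CustomResource {
/**
* Get an existing Authority resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthorityState, opts?: pulumi.CustomResourceOptions): Authority;
/**
* Returns true if the given object is an instance of Authority. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is Authority;
/**
* URLs for accessing content published by this CA, such as the CA certificate and CRLs.
* Structure is documented below.
*/
readonly accessUrls: pulumi.Output<outputs.certificateauthority.AuthorityAccessUrl[]>;
/**
* The user provided Resource ID for this Certificate Authority.
*/
readonly certificateAuthorityId: pulumi.Output<string>;
/**
* The config used to create a self-signed X.509 certificate or CSR.
* Structure is documented below.
*/
readonly config: pulumi.Output<outputs.certificateauthority.AuthorityConfig>;
/**
* The time at which this CertificateAuthority was created.
* A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
* fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
*/
readonly createTime: pulumi.Output<string>;
/**
* Must be explicitly set to `false` (and written to state with `pulumi up`) before this
* CertificateAuthority can be destroyed. It is recommended to leave it unset, or set it to
* `true`, until you are ready to destroy the CA.
*/
readonly deletionProtection: pulumi.Output<boolean | undefined>;
/**
* Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values:
* ENABLED, DISABLED, STAGED.
*/
readonly desiredState: pulumi.Output<string | undefined>;
/**
* All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
*/
readonly effectiveLabels: pulumi.Output<{
[key: string]: string;
}>;
/**
* The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and
* CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For
* example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will
* be created.
*/
readonly gcsBucket: pulumi.Output<string | undefined>;
/**
* This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and
* unexpired certs. Use with care. Defaults to 'false'.
*
* NOTE(review): combined with `deletionProtection: false` and `skipGracePeriod: true`, a destroy removes
* a CA that still has active certificates with no window for undeletion; treat a change that enables
* this flag as a sensitive one.
*/
readonly ignoreActiveCertificatesOnDeletion: pulumi.Output<boolean | undefined>;
/**
* Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
* is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
* certificate. Otherwise, it is used to sign a CSR.
* Structure is documented below.
*/
readonly keySpec: pulumi.Output<outputs.certificateauthority.AuthorityKeySpec>;
/**
* Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench",
* "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in
* your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
*/
readonly labels: pulumi.Output<{
[key: string]: string;
} | undefined>;
/**
* The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509
* certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
*/
readonly lifetime: pulumi.Output<string | undefined>;
/**
* Location of the CertificateAuthority. A full list of valid locations can be found by
* running `gcloud privateca locations list`.
*/
readonly location: pulumi.Output<string>;
/**
* The resource name for this CertificateAuthority in the format
* projects/*&#47;locations/*&#47;certificateAuthorities/*.
* (`&#47;` stands for `/`; it is escaped so that the pattern cannot terminate this comment.)
*/
readonly name: pulumi.Output<string>;
/**
* The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordinate CA with
* a third party issuer.
*/
readonly pemCaCertificate: pulumi.Output<string | undefined>;
/**
* This CertificateAuthority's certificate chain, including the current
* CertificateAuthority's certificate. Ordered such that the root issuer is the final
* element (consistent with RFC 5246). For a self-signed CA, this will only list the current
* CertificateAuthority's certificate.
*/
readonly pemCaCertificates: pulumi.Output<string[]>;
/**
* The name of the CaPool this Certificate Authority belongs to.
*/
readonly pool: pulumi.Output<string>;
/**
* The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
*/
readonly project: pulumi.Output<string>;
/**
* The combination of labels configured directly on the resource
* and default labels configured on the provider.
*/
readonly pulumiLabels: pulumi.Output<{
[key: string]: string;
}>;
/**
* If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where
* undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
* 'false'.
*/
readonly skipGracePeriod: pulumi.Output<boolean | undefined>;
/**
* The State for this CertificateAuthority.
*/
readonly state: pulumi.Output<string>;
/**
* If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which
* describes its issuers.
*/
readonly subordinateConfig: pulumi.Output<outputs.certificateauthority.AuthoritySubordinateConfig | undefined>;
/**
* The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated
* before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
*/
readonly type: pulumi.Output<string | undefined>;
/**
* The time at which this CertificateAuthority was updated.
* A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
* fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
*/
readonly updateTime: pulumi.Output<string>;
/**
* Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by
* users.
*
* NOTE(review): presumably these URLs are what relying parties use to fetch the issuer certificate and
* CRLs, so the hosts should be ones you control and keep available; confirm against the API documentation.
*/
readonly userDefinedAccessUrls: pulumi.Output<outputs.certificateauthority.AuthorityUserDefinedAccessUrls | undefined>;
/**
* Create a Authority resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: AuthorityArgs, opts?: pulumi.CustomResourceOptions);
}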
/**
* Input properties used for looking up and filtering Authority resources.
*/
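export interface AuthorityState {
/**
* URLs for accessing content published by this CA, such as the CA certificate and CRLs.
* Structure is documented below.
*/
accessUrls?: pulumi.Input<pulumi.Input<inputs.certificateauthority.AuthorityAccessUrl>[]>;
/**
* The user provided Resource ID for this Certificate Authority.
*/
certificateAuthorityId?: pulumi.Input<string>;
/**
* The config used to create a self-signed X.509 certificate or CSR.
* Structure is documented below.
*/
config?: pulumi.Input<inputs.certificateauthority.AuthorityConfig>;
/**
* The time at which this CertificateAuthority was created.
* A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
* fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
*/
createTime?: pulumi.Input<string>;
/**
* Must be explicitly set to `false` (and written to state with `pulumi up`) before this
* CertificateAuthority can be destroyed. It is recommended to leave it unset, or set it to
* `true`, until you are ready to destroy the CA.
*/
deletionProtection?: pulumi.Input<boolean>;
/**
* Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values:
* ENABLED, DISABLED, STAGED.
*/
desiredState?: pulumi.Input<string>;
/**
* All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services.
*/
effectiveLabels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and
* CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For
* example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will
* be created.
*/
gcsBucket?: pulumi.Input<string>;
/**
* This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and
* unexpired certs. Use with care. Defaults to 'false'.
*
* NOTE(review): combined with `deletionProtection: false` and `skipGracePeriod: true`, a destroy removes
* a CA that still has active certificates with no window for undeletion; treat a change that enables
* this flag as a sensitive one.
*/
ignoreActiveCertificatesOnDeletion?: pulumi.Input<boolean>;
/**
* Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
* is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
* certificate. Otherwise, it is used to sign a CSR.
* Structure is documented below.
*/
keySpec?: pulumi.Input<inputs.certificateauthority.AuthorityKeySpec>;
/**
* Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench",
* "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in
* your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
*/
labels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509
* certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
*/
lifetime?: pulumi.Input<string>;
/**
* Location of the CertificateAuthority. A full list of valid locations can be found by
* running `gcloud privateca locations list`.
*/
location?: pulumi.Input<string>;
/**
* The resource name for this CertificateAuthority in the format
* projects/*&#47;locations/*&#47;certificateAuthorities/*.
* (`&#47;` stands for `/`; it is escaped so that the pattern cannot terminate this comment.)
*/
name?: pulumi.Input<string>;
/**
* The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordinate CA with
* a third party issuer.
*/
pemCaCertificate?: pulumi.Input<string>;
/**
* This CertificateAuthority's certificate chain, including the current
* CertificateAuthority's certificate. Ordered such that the root issuer is the final
* element (consistent with RFC 5246). For a self-signed CA, this will only list the current
* CertificateAuthority's certificate.
*/
pemCaCertificates?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The name of the CaPool this Certificate Authority belongs to.
*/
pool?: pulumi.Input<string>;
/**
* The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
*/
project?: pulumi.Input<string>;
/**
* The combination of labels configured directly on the resource
* and default labels configured on the provider.
*/
pulumiLabels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where
* undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
* 'false'.
*/
skipGracePeriod?: pulumi.Input<boolean>;
/**
* The State for this CertificateAuthority.
*/
state?: pulumi.Input<string>;
/**
* If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which
* describes its issuers.
*/
subordinateConfig?: pulumi.Input<inputs.certificateauthority.AuthoritySubordinateConfig>;
/**
* The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated
* before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
*/
type?: pulumi.Input<string>;
/**
* The time at which this CertificateAuthority was updated.
* A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
* fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
*/
updateTime?: pulumi.Input<string>;
/**
* Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by
* users.
*/
userDefinedAccessUrls?: pulumi.Input<inputs.certificateauthority.AuthorityUserDefinedAccessUrls>;
}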
/**
* The set of arguments for constructing a Authority resource.
*/
export interface AuthorityArgs {
/**
* The user provided Resource ID for this Certificate Authority.
*/
certificateAuthorityId: pulumi.Input<string>;
/**
* The config used to create a self-signed X.509 certificate or CSR.
* Structure is documented below.
*/
config: pulumi.Input<inputs.certificateauthority.AuthorityConfig>;
/**
* Must be explicitly set to `false` (and written to state with `pulumi up`) before this
* CertificateAuthority can be destroyed. It is recommended to leave it unset, or set it to
* `true`, until you are ready to destroy the CA.
*/
deletionProtection?: pulumi.Input<boolean>;
/**
* Desired state of the CertificateAuthority. Set this field to 'STAGED' to create a 'STAGED' root CA. Possible values:
* ENABLED, DISABLED, STAGED.
*/
desiredState?: pulumi.Input<string>;
/**
* The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and
* CRLs. This must be a bucket name, without any prefixes (such as 'gs://') or suffixes (such as '.googleapis.com'). For
* example, to use a bucket named my-bucket, you would simply specify 'my-bucket'. If not specified, a managed bucket will
* be created.
*/
gcsBucket?: pulumi.Input<string>;
/**
* This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and
* unexpired certs. Use with care. Defaults to 'false'.
*
* NOTE(review): combined with `deletionProtection: false` and `skipGracePeriod: true`, a destroy removes
* a CA that still has active certificates with no window for undeletion; treat a change that enables
* this flag as a sensitive one.
*/
ignoreActiveCertificatesOnDeletion?: pulumi.Input<boolean>;
/**
* Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
* is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
* certificate. Otherwise, it is used to sign a CSR.
* Structure is documented below.
*/
keySpec: pulumi.Input<inputs.certificateauthority.AuthorityKeySpec>;
/**
* Labels with user-defined metadata. An object containing a list of "key": value pairs. Example: { "name": "wrench",
* "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in
* your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
*/
labels?: pulumi.Input<{
[key: string]: pulumi.Input<string>;
}>;
/**
* The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509
* certificate. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
*/
lifetime?: pulumi.Input<string>;
/**
* Location of the CertificateAuthority. A full list of valid locations can be found by
* running `gcloud privateca locations list`.
*/
location: pulumi.Input<string>;
/**
* The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordinate CA with
* a third party issuer.
*/
pemCaCertificate?: pulumi.Input<string>;
/**
* The name of the CaPool this Certificate Authority belongs to.
*/
pool: pulumi.Input<string>;
/**
* The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
*/
project?: pulumi.Input<string>;
/**
* If this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where
* undeletion would have been allowed. If you proceed, there will be no way to recover this CA. Use with care. Defaults to
* 'false'.
*/
skipGracePeriod?: pulumi.Input<boolean>;
/**
* If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which
* describes its issuers.
*/
subordinateConfig?: pulumi.Input<inputs.certificateauthority.AuthoritySubordinateConfig>;
/**
* The Type of this CertificateAuthority. > **Note:** For 'SUBORDINATE' Certificate Authorities, they need to be activated
* before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]
*/
type?: pulumi.Input<string>;
/**
* Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs, that can be specified by
* users.
*
* NOTE(review): presumably these URLs are what relying parties use to fetch the issuer certificate and
* CRLs, so the hosts should be ones you control and keep available; confirm against the API documentation.
*/
userDefinedAccessUrls?: pulumi.Input<inputs.certificateauthority.AuthorityUserDefinedAccessUrls>;
}