diff --git a/products/privateca/api.yaml b/products/privateca/api.yaml
new file mode 100644
index 000000000000..fb269225c3d6
--- /dev/null
+++ b/products/privateca/api.yaml
@@ -0,0 +1,1494 @@
+--- !ruby/object:Api::Product
+name: PrivateCA
+display_name: Certificate Authority Service
+versions:
+ - !ruby/object:Api::Product::Version
+ name: ga
+ base_url: https://privateca.googleapis.com/v1beta1/
+scopes:
+ - https://www.googleapis.com/auth/cloud-platform
+apis_required:
+ - !ruby/object:Api::Product::ApiReference
+ name: Certificate Authority Service (PrivateCA) API
+ url: https://console.cloud.google.com/apis/library/privateca.googleapis.com/
+objects:
+ - !ruby/object:Api::Resource
+ name: 'CertificateAuthorities'
+ base_url: 'projects/{{project}}/locations/{{location}}/certificateAuthorities'
+ create_url: 'projects/{{project}}/locations/{{location}}/certificateAuthorities?certificateAuthorityId={{name}}'
+ self_link: 'projects/{{project}}/locations/{{location}}/certificateAuthorities/{{name}}'
+ input: true
+ description: |
+ A `CertificateAuthorities` is a toplevel logical grouping of `CertificateAuthority`.
+ parameters:
+ - !ruby/object:Api::Type::String
+ name: 'location'
+ description: |
+ The location for the Certificate Authority.
+ A full list of valid locations can be found by running `gcloud beta privateca locations list`.
+ required: true
+ input: true
+ url_param_only: true
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'name'
+ description: |
+ Output only. The resource name for this CertificateAuthority in the format projects/*/locations/*/certificateAuthorities/*.
+ required: true
+ - !ruby/object:Api::Type::Enum
+ name: 'type'
+ required: true
+ description: |
+ Required. Immutable. The Type of this CertificateAuthority.
+ values:
+ - "TYPE_UNSPECIFIED"
+ - "SELF_SIGNED"
+ - "SUBORDINATE"
+ - !ruby/object:Api::Type::Enum
+ name: 'tier'
+ description: |
+ Required. Immutable. The Tier of this CertificateAuthority.
+ values:
+ - "TIER_UNSPECIFIED"
+ - "ENTERPRISE"
+ - "DEVOPS"
+ - !ruby/object:Api::Type::NestedObject
+ name: 'config'
+ description: |
+ A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectConfig'
+ description: |
+ Required. Specifies some of the values in a certificate that are related to the subject.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'commonName'
+ description: |
+ Optional. The "common name" of the distinguished name.
+ required: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subject'
+ description: |
+ Required. Contains distinguished name fields such as the location and organization.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'countryCode'
+ description: |
+ The country code of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'organization'
+ description: |
+ The organization of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'organizationalUnit'
+ description: |
+ The organizationalUnit of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'locality'
+ description: |
+ The locality or city of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'province'
+ description: |
+ The province of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'streetAddress'
+ description: |
+ The streetAddress or city of the subject.
+ required: true
+ - !ruby/object:Api::Type::String
+ name: 'postalCode'
+ description: |
+ The postalCode or city of the subject.
+ required: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectAltName'
+ description: |
+ Optional. The subject alternative name fields.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'dnsNames'
+ description: |
+ Contains only valid, fully-qualified host names.
+ required: false
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::Array
+ name: 'uris'
+ description: |
+ Contains only valid RFC 3986 URIs.
+ item_type: Api::Type::String
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'emailAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid RFC 2822 E-mail addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'ipAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'customSans'
+ required: true
+ description: |
+ Contains additional subject alternative name values.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'obectId'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ - !ruby/object:Api::Type::Boolean
+ name: 'critical'
+ required: true
+ description: |
+ Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
+ - !ruby/object:Api::Type::String
+ name: 'value'
+ description: |
+ Required. The value of this X.509 extension.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'reusableConfig'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'reusableConfig'
+ # exactly_one_of:
+ # - reusable_config.0.reusable_config
+ # - reusable_config.0.reusable_config_values
+ description: |
+ Required. A resource path to a ReusableConfig in the format projects/*/locations/*/reusableConfigs/*.
+
+ - !ruby/object:Api::Type::NestedObject
+ name: 'reusableConfigValues'
+ # exactly_one_of:
+ # - reusable_config.0.reusable_config
+ # - reusable_config.0.reusable_config_values
+ description: |
+ Required. A user-specified inline ReusableConfigValues.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keyUsage'
+ description: |
+ Optional. Indicates the intended use for keys that correspond to a certificate.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'baseKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keyUsageOptions'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'digitalSignature'
+ description: |
+ The key may be used for digital signatures.
+ - !ruby/object:Api::Type::Boolean
+ name: 'contentCommitment'
+ description: |
+ The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyEncipherment'
+ description: |
+ The key may be used to encipher other keys.
+ - !ruby/object:Api::Type::Boolean
+ name: 'dataEncipherment'
+ description: |
+ The key may be used to encipher data.
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyAgreement'
+ description: |
+ The key may be used in a key agreement protocol.
+ - !ruby/object:Api::Type::Boolean
+ name: 'certSign'
+ description: |
+ The key may be used to sign certificates.
+ - !ruby/object:Api::Type::Boolean
+ name: 'crlSign'
+ description: |
+ The key may be used sign certificate revocation lists.
+ - !ruby/object:Api::Type::Boolean
+ name: 'encipherOnly'
+ description: |
+ The key may be used to encipher only.
+ - !ruby/object:Api::Type::Boolean
+ name: 'decipherOnly'
+ description: |
+ The key may be used to decipher only.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'extendedKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'serverAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
+ - !ruby/object:Api::Type::Boolean
+ name: 'clientAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
+ - !ruby/object:Api::Type::Boolean
+ name: 'codeSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
+ - !ruby/object:Api::Type::Boolean
+ name: 'emailProtection'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
+ - !ruby/object:Api::Type::Boolean
+ name: 'timeStamping'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
+ - !ruby/object:Api::Type::Boolean
+ name: 'ocspSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
+ - !ruby/object:Api::Type::Array
+ name: 'unknownExtendedKeyUsages'
+ required: true
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'obectId'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+
+ - !ruby/object:Api::Type::NestedObject
+ name: 'caOptions'
+ description: |
+ Optional. Describes options in this ReusableConfigValues that are relevant in a CA certificate.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'isCa'
+ description: |
+ Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate.
+ - !ruby/object:Api::Type::Integer
+ name: 'maxIssuerPathLength'
+ description: |
+ Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'policyIds'
+ description: |
+ Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ - !ruby/object:Api::Type::Array
+ name: 'aiaOcspServers'
+ item_type: Api::Type::String
+ description: |
+ Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
+ - !ruby/object:Api::Type::Array
+ name: 'additionalExtensions'
+ description: |
+ Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ - !ruby/object:Api::Type::Boolean
+ name: 'critical'
+ required: true
+ description: |
+ Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
+ - !ruby/object:Api::Type::String
+ name: 'value'
+ description: |
+ Required. The value of this X.509 extension.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'publicKey'
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'key'
+ description: |
+ Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
+ - !ruby/object:Api::Type::Enum
+ name: 'type'
+ required: true
+ description: |
+ Types of public keys that are supported. At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
+ values:
+ - "KEY_TYPE_UNSPECIFIED"
+ - "PEM_RSA_KEY"
+ - "PEM_EC_KEY"
+ - !ruby/object:Api::Type::String
+ name: 'lifetime'
+ description: |
+ The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate.
+ required: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keySpec'
+ # required: true
+ description: |
+ Required. Immutable. Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA certificate. Otherwise, it is used to sign a CSR.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'cloudKmsKeyVersion'
+ description: |
+ Required. The resource name for an existing Cloud KMS CryptoKeyVersion in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. This option enables full flexibility in the key's capabilities and properties.
+ # exactly_one_of:
+ # - key_spec.0.cloud_kms_key_version
+ # - key_spec.0.algorithm
+ - !ruby/object:Api::Type::Enum
+ name: 'algorithm'
+ # exactly_one_of:
+ # - key_spec.0.cloud_kms_key_version
+ # - key_spec.0.algorithm
+ description: |
+ Required. The algorithm to use for creating a managed Cloud KMS key for a for a simplified experience. All managed keys will be have their [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] as HSM.
+ values:
+ - "SIGN_HASH_ALGORITHM_UNSPECIFIED"
+ - "RSA_PSS_2048_SHA256"
+ - "RSA_PSS_3072_SHA256"
+ - "RSA_PSS_4096_SHA256"
+ - "RSA_PKCS1_2048_SHA256"
+ - "RSA_PKCS1_3072_SHA256"
+ - "RSA_PKCS1_4096_SHA256"
+ - "EC_P256_SHA256"
+ - "EC_P384_SHA384"
+ - !ruby/object:Api::Type::NestedObject
+ name: 'certificatePolicy'
+ description: |
+ Optional. The CertificateAuthorityPolicy to enforce when issuing Certificates from this CertificateAuthority.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'allowedLocationsAndOrganizations'
+ description: |
+ Optional. If any Subject is specified here, then all Certificates issued by the CertificateAuthority must match at least one listed Subject. If a Subject has an empty field, any value will be allowed for that field.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subject'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'countryCode'
+ description: |
+ The country code of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'organization'
+ description: |
+ The organization of the subject
+ - !ruby/object:Api::Type::String
+ name: 'organizationalUnit'
+ description: |
+ The organizationalUnit of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'locality'
+ description: |
+ The locality or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'province'
+ description: |
+ The province, territory, or regional state of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'streetAddress'
+ description: |
+ The street address of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'postalCode'
+ description: |
+ The postal code of the subject.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'issuingOptions'
+ description: |
+ Optional. The IssuingOptions to follow when issuing Certificates from this CertificateAuthority.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'includeCaCertUrl'
+ required: true
+ description: |
+ Required. When true, includes a URL to the issuing CA certificate in the "authority information access" X.509 extension.
+ - !ruby/object:Api::Type::Boolean
+ name: 'includeCrlAccessUrl'
+ required: true
+ description: |
+ Required. When true, includes a URL to the CRL corresponding to certificates issued from a CertificateAuthority. CRLs will expire 7 days from their creation. However, we will rebuild daily. CRLs are also rebuilt shortly after a certificate is revoked.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subordinateConfig'
+ description: |
+ Optional. If this is a subordinate CertificateAuthority, this field will be set with the subordinate configuration, which describes its issuers. This may be updated, but this CertificateAuthority must continue to validate.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'certificateAuthority'
+ # exactly_one_of:
+ # - subordinate_config.0.certificate_authority
+ # - subordinate_config.0.pemIssuerChain
+ description: |
+ Required. This can refer to a CertificateAuthority in the same project that was used to create a subordinate CertificateAuthority. This field is used for information and usability purposes only. The resource name is in the format projects/*/locations/*/certificateAuthorities/*.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'pemIssuerChain'
+ description: |
+ Required. Contains the PEM certificate chain for the issuers of this CertificateAuthority, but not pem certificate for this CA itself.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'pemCertificates'
+ description: |
+ Required. Expected to be in leaf-to-root order according to RFC 5246.
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::Enum
+ name: 'state'
+ description: |
+ The state of a CertificateAuthority, indicating if it can be used.
+ values:
+ - "STATE_UNSPECIFIED"
+ - "ENABLED"
+ - "DISABLED"
+ - "PENDING_ACTIVATION"
+ - "PENDING_DELETION"
+ output: true
+ - !ruby/object:Api::Type::Array
+ name: 'pemCaCertificates'
+ description: |
+ Output only. This CertificateAuthority's certificate chain, including the current CertificateAuthority's certificate. Ordered such that the root issuer is the final element (consistent with RFC 5246). For a self-signed CA, this will only list the current CertificateAuthority's certificate.
+ item_type: Api::Type::String
+ output: true
+ - !ruby/object:Api::Type::Array
+ name: 'caCertificateDescriptions'
+ description: |
+ Output only. A structured description of this CertificateAuthority's CA certificate and its issuers. Ordered as self-to-root.
+ output: true
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectDescription'
+ description: |
+ Describes some of the values in a certificate that are related to the subject and lifetime.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subject'
+ description: |
+ Required. Contains distinguished name fields such as the location and organization.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'countryCode'
+ description: |
+ The country code of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'organization'
+ description: |
+ The organization of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'organizationalUnit'
+ description: |
+ The organizationalUnit of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'locality'
+ description: |
+ The locality or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'province'
+ description: |
+ The province of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'streetAddress'
+ description: |
+ The streetAddress or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'postalCode'
+ description: |
+ The postalCode or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'commonName'
+ description: |
+ The "common name" of the distinguished name.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectAltName'
+ description: |
+ Optional. The subject alternative name fields.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'dnsNames'
+ description: |
+ Contains only valid, fully-qualified host names.
+ required: false
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::Array
+ name: 'uris'
+ description: |
+ Contains only valid RFC 3986 URIs.
+ item_type: Api::Type::String
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'emailAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid RFC 2822 E-mail addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'ipAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'customSans'
+ required: true
+ description: |
+ Contains additional subject alternative name values.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'obectId'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ - !ruby/object:Api::Type::Boolean
+ name: 'critical'
+ required: true
+ description: |
+ Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error).
+ - !ruby/object:Api::Type::String
+ name: 'value'
+ description: |
+ Required. The value of this X.509 extension.
+ - !ruby/object:Api::Type::String
+ name: 'hexSerialNumber'
+ description: |
+ The serial number encoded in lowercase hexadecimal.
+ - !ruby/object:Api::Type::String
+ name: 'lifetime'
+ description: |
+ For convenience, the actual lifetime of an issued certificate. Corresponds to 'notAfterTime' - 'notBeforeTime'.
+ - !ruby/object:Api::Type::String
+ name: 'notBeforeTime'
+ description: |
+ The time at which the certificate becomes valid.
+ - !ruby/object:Api::Type::String
+ name: 'notAfterTime'
+ description: |
+ The time at which the certificate expires.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'configValues'
+ description: |
+ Describes some of the technical fields in a certificate.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keyUsage'
+ description: |
+ Optional. Indicates the intended use for keys that correspond to a certificate.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'baseKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'keyUsageOptions'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'digitalSignature'
+ description: |
+ The key may be used for digital signatures.
+ - !ruby/object:Api::Type::Boolean
+ name: 'contentCommitment'
+ description: |
+ The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyEncipherment'
+ description: |
+ The key may be used to encipher other keys.
+ - !ruby/object:Api::Type::Boolean
+ name: 'dataEncipherment'
+ description: |
+ The key may be used to encipher data.
+ - !ruby/object:Api::Type::Boolean
+ name: 'keyAgreement'
+ description: |
+ The key may be used in a key agreement protocol.
+ - !ruby/object:Api::Type::Boolean
+ name: 'certSign'
+ description: |
+ The key may be used to sign certificates.
+ - !ruby/object:Api::Type::Boolean
+ name: 'crlSign'
+ description: |
+ The key may be used sign certificate revocation lists.
+ - !ruby/object:Api::Type::Boolean
+ name: 'encipherOnly'
+ description: |
+ The key may be used to encipher only.
+ - !ruby/object:Api::Type::Boolean
+ name: 'decipherOnly'
+ description: |
+ The key may be used to decipher only.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'extendedKeyUsage'
+ description: |
+ Describes high-level ways in which a key may be used.
+ properties:
+ - !ruby/object:Api::Type::Boolean
+ name: 'serverAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
+ - !ruby/object:Api::Type::Boolean
+ name: 'clientAuth'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
+ - !ruby/object:Api::Type::Boolean
+ name: 'codeSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
+ - !ruby/object:Api::Type::Boolean
+ name: 'emailProtection'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
+ - !ruby/object:Api::Type::Boolean
+ name: 'timeStamping'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
+ - !ruby/object:Api::Type::Boolean
+ name: 'ocspSigning'
+ description: |
+ Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
+ - !ruby/object:Api::Type::Array
+ name: 'unknownExtendedKeyUsages'
+ required: true
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'obectId'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'publicKey'
+ required: true
+ description: |
+ A PublicKey describes a public key.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'key'
+ description: |
+ Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string.
+ - !ruby/object:Api::Type::Enum
+ name: 'type'
+ required: true
+ description: |
+ Types of public keys that are supported. At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
+ values:
+ - "KEY_TYPE_UNSPECIFIED"
+ - "PEM_RSA_KEY"
+ - "PEM_EC_KEY"
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectKeyId'
+ description: |
+ Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'keyId'
+ description: |
+ Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'authorityKeyId'
+ description: |
+ Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'keyId'
+ description: |
+ Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key.
+ - !ruby/object:Api::Type::Array
+ name: 'crlDistributionPoints'
+ description: |
+ Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::Array
+ name: 'aiaIssuingCertificateUrls'
+ description: |
+ Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate.
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::NestedObject
+ name: 'certFingerprint'
+ description: |
+ The hash of the x.509 certificate.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'sha256Hash'
+ description: |
+ The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate.
+ - !ruby/object:Api::Type::String
+ name: 'gcsBucket'
+ description: |
+ Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be created.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'accessUrls'
+ description: |
+ URLs where a CertificateAuthority will publish content.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'caCertificateAccessUrl'
+ description: |
+ The URL where this CertificateAuthority's CA certificate is published. This will only be set for CAs that have been activated.
+ - !ruby/object:Api::Type::String
+ name: 'crlAccessUrl'
+ description: |
+ The URL where this CertificateAuthority's CRLs are published. This will only be set for CAs that have been activated.
+ - !ruby/object:Api::Type::Time
+ name: 'createTime'
+ description: |
+ The time that this resource was created on the server.
+ This is in RFC3339 text format.
+ output: true
+ - !ruby/object:Api::Type::Time
+ name: 'updateTime'
+ description: |
+ Output only. The time at which this CertificateAuthority was updated.
+ This is in RFC3339 text format.
+ output: true
+ - !ruby/object:Api::Type::Time
+ name: 'deleteTime'
+ description: |
+ Output only. The time at which this CertificateAuthority was deleted.
+ This is in RFC3339 text format.
+ output: true
+ - !ruby/object:Api::Type::KeyValuePairs
+ name: 'labels'
+ description: |
+ Labels with user-defined metadata to apply to this resource.
+ references: !ruby/object:Api::Resource::ReferenceLinks
+ guides:
+ 'Creating a Certificate Authority':
+ 'https://cloud.google.com/certificate-authority-service/docs/creating-certificate-authorities'
+ api: 'https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1beta1/projects.locations.certificateAuthorities'
+
+
+ - !ruby/object:Api::Resource
+ name: 'Certificate'
+ base_url: '{{certificate_authorities}}/certificates'
+ create_url: '{{certificate_authorities}}/certificates?certificateId={{name}}'
+ self_link: '{{certificate_authorities}}/certificates/{{name}}'
+ input: true
+ description: |
+ A Certificate corresponds to a signed X.509 certificate issued by a CertificateAuthority.
+ parameters:
+ - !ruby/object:Api::Type::String
+ name: 'certificate_authorities'
+ description: |
+ The Certificate Authority that this Certificate belongs to.
+ Format: `'projects/{{project}}/locations/{{location}}/certificateAuthorities/{{certificate_authority}}'`.
+ required: true
+ input: true
+ url_param_only: true
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'name'
+ description: |
+ Output only. The resource path for this Certificate in the format projects/*/locations/*/certificateAuthorities/*/certificates/*.
+ output: true
+ - !ruby/object:Api::Type::String
+ name: 'lifetime'
+ description: |
+ Required. Immutable. The desired lifetime of a certificate. Used to create the "notBeforeTime" and "notAfterTime" fields inside an X.509 certificate. Note that the lifetime may be truncated if it would extend past the life of any certificate authority in the issuing chain.
+ required: true
+ - !ruby/object:Api::Type::NestedObject
+ name: 'revocationDetails'
+ description: |
+ Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::Enum
+ name: 'revocationState'
+ description: |
+ Indicates why a Certificate was revoked.
+ values:
+ - "REVOCATION_REASON_UNSPECIFIED"
+ - "KEY_COMPROMISE"
+ - "CERTIFICATE_AUTHORITY_COMPROMISE"
+ - "AFFILIATION_CHANGED"
+ - "SUPERSEDED"
+ - "CESSATION_OF_OPERATION"
+ - "CERTIFICATE_HOLD"
+ - "PRIVILEGE_WITHDRAWN"
+ - "ATTRIBUTE_AUTHORITY_COMPROMISE"
+ - !ruby/object:Api::Type::String
+ name: 'revocationTime'
+ description: |
+ The time at which this Certificate was revoked.
+ - !ruby/object:Api::Type::String
+ name: 'pemCertificate'
+ output: true
+ description: |
+ Output only. The pem-encoded, signed X.509 certificate.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'certificateDescription'
+ description: |
+ Output only. Details regarding the revocation of this Certificate. This Certificate is considered revoked if and only if this field is present.
+ output: true
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectDescription'
+ description: |
+ Describes some of the values in a certificate that are related to the subject and lifetime.
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subject'
+ description: |
+ Required. Contains distinguished name fields such as the location and organization.
+ properties:
+ - !ruby/object:Api::Type::String
+ name: 'countryCode'
+ description: |
+ The country code of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'organization'
+ description: |
+ The organization of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'organizationalUnit'
+ description: |
+ The organizationalUnit of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'locality'
+ description: |
+ The locality or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'province'
+ description: |
+ The province of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'streetAddress'
+ description: |
+ The streetAddress or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'postalCode'
+ description: |
+ The postalCode or city of the subject.
+ - !ruby/object:Api::Type::String
+ name: 'commonName'
+ description: |
+ The "common name" of the distinguished name.
+ - !ruby/object:Api::Type::NestedObject
+ name: 'subjectAltName'
+ description: |
+ Optional. The subject alternative name fields.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'dnsNames'
+ description: |
+ Contains only valid, fully-qualified host names.
+ required: false
+ item_type: Api::Type::String
+ - !ruby/object:Api::Type::Array
+ name: 'uris'
+ description: |
+ Contains only valid RFC 3986 URIs.
+ item_type: Api::Type::String
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'emailAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid RFC 2822 E-mail addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'ipAddresses'
+ item_type: Api::Type::String
+ description: |
+ Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
+ required: false
+ - !ruby/object:Api::Type::Array
+ name: 'customSans'
+ required: true
+ description: |
+ Contains additional subject alternative name values.
+ item_type: !ruby/object:Api::Type::NestedObject
+ properties:
+ - !ruby/object:Api::Type::NestedObject
+ name: 'obectId'
+ required: true
+ description: |
+ Required. Describes how some of the technical fields in a certificate should be populated.
+ properties:
+ - !ruby/object:Api::Type::Array
+ name: 'objectIdPath'
+ required: true
+ item_type: Api::Type::Integer
+ description: |
+ An ObjectId specifies an object identifier (OID).
These provide context and describe types in ASN.1 messages. + - !ruby/object:Api::Type::Boolean + name: 'critical' + required: true + description: | + Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). + - !ruby/object:Api::Type::String + name: 'value' + description: | + Required. The value of this X.509 extension. + - !ruby/object:Api::Type::String + name: 'hexSerialNumber' + description: | + The serial number encoded in lowercase hexadecimal. + - !ruby/object:Api::Type::String + name: 'lifetime' + description: | + For convenience, the actual lifetime of an issued certificate. Corresponds to 'notAfterTime' - 'notBeforeTime'. + - !ruby/object:Api::Type::String + name: 'notBeforeTime' + description: | + The time at which the certificate becomes valid. + - !ruby/object:Api::Type::String + name: 'notAfterTime' + description: | + The time at which the certificate expires. + - !ruby/object:Api::Type::NestedObject + name: 'configValues' + description: | + Describes some of the technical fields in a certificate. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'keyUsage' + description: | + Optional. Indicates the intended use for keys that correspond to a certificate. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'baseKeyUsage' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'keyUsageOptions' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::Boolean + name: 'digitalSignature' + description: | + The key may be used for digital signatures. + - !ruby/object:Api::Type::Boolean + name: 'contentCommitment' + description: | + The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". 
+ - !ruby/object:Api::Type::Boolean + name: 'keyEncipherment' + description: | + The key may be used to encipher other keys. + - !ruby/object:Api::Type::Boolean + name: 'dataEncipherment' + description: | + The key may be used to encipher data. + - !ruby/object:Api::Type::Boolean + name: 'keyAgreement' + description: | + The key may be used in a key agreement protocol. + - !ruby/object:Api::Type::Boolean + name: 'certSign' + description: | + The key may be used to sign certificates. + - !ruby/object:Api::Type::Boolean + name: 'crlSign' + description: | + The key may be used sign certificate revocation lists. + - !ruby/object:Api::Type::Boolean + name: 'encipherOnly' + description: | + The key may be used to encipher only. + - !ruby/object:Api::Type::Boolean + name: 'decipherOnly' + description: | + The key may be used to decipher only. + - !ruby/object:Api::Type::NestedObject + name: 'extendedKeyUsage' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::Boolean + name: 'serverAuth' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. + - !ruby/object:Api::Type::Boolean + name: 'clientAuth' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. + - !ruby/object:Api::Type::Boolean + name: 'codeSigning' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". + - !ruby/object:Api::Type::Boolean + name: 'emailProtection' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". + - !ruby/object:Api::Type::Boolean + name: 'timeStamping' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". 
+ - !ruby/object:Api::Type::Boolean + name: 'ocspSigning' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". + - !ruby/object:Api::Type::Array + name: 'unknownExtendedKeyUsages' + required: true + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'obectId' + required: true + description: | + Required. Describes how some of the technical fields in a certificate should be populated. + properties: + - !ruby/object:Api::Type::Array + name: 'objectIdPath' + required: true + item_type: Api::Type::Integer + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + - !ruby/object:Api::Type::NestedObject + name: 'publicKey' + required: true + description: | + A PublicKey describes a public key. + properties: + - !ruby/object:Api::Type::String + name: 'key' + description: | + Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. + - !ruby/object:Api::Type::Enum + name: 'type' + required: true + description: | + Types of public keys that are supported. At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms + values: + - "KEY_TYPE_UNSPECIFIED" + - "PEM_RSA_KEY" + - "PEM_EC_KEY" + - !ruby/object:Api::Type::NestedObject + name: 'subjectKeyId' + description: | + Provides a means of identifiying certificates that contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2. 
+ properties: + - !ruby/object:Api::Type::String + name: 'keyId' + description: | + Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. + - !ruby/object:Api::Type::NestedObject + name: 'authorityKeyId' + description: | + Identifies the subjectKeyId of the parent certificate, per https://tools.ietf.org/html/rfc5280#section-4.2.1.1 + properties: + - !ruby/object:Api::Type::String + name: 'keyId' + description: | + Optional. The value of this KeyId encoded in lowercase hexadecimal. This is most likely the 160 bit SHA-1 hash of the public key. + - !ruby/object:Api::Type::Array + name: 'crlDistributionPoints' + description: | + Describes a list of locations to obtain CRL information, i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13 + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'aiaIssuingCertificateUrls' + description: | + Describes lists of issuer CA certificate URLs that appear in the "Authority Information Access" extension in the certificate. + item_type: Api::Type::String + - !ruby/object:Api::Type::NestedObject + name: 'certFingerprint' + description: | + The hash of the x.509 certificate. + properties: + - !ruby/object:Api::Type::String + name: 'sha256Hash' + description: | + The SHA 256 hash, encoded in hexadecimal, of the DER x509 certificate. + - !ruby/object:Api::Type::Array + name: 'pemCertificates' + output: true + description: | + Required. Expected to be in leaf-to-root order according to RFC 5246. + item_type: Api::Type::String + - !ruby/object:Api::Type::Time + name: 'createTime' + description: | + The time that this resource was created on the server. + This is in RFC3339 text format. + output: true + - !ruby/object:Api::Type::Time + name: 'updateTime' + description: | + Output only. The time at which this CertificateAuthority was updated. + This is in RFC3339 text format. 
+ output: true + - !ruby/object:Api::Type::KeyValuePairs + name: 'labels' + description: | + Labels with user-defined metadata to apply to this resource. + - !ruby/object:Api::Type::String + name: 'pemCsr' + description: | + Immutable. A pem-encoded X.509 certificate signing request (CSR). + # exactly_one_of: + # - pemCsr + # - config + - !ruby/object:Api::Type::NestedObject + name: 'config' + description: | + A CertificateConfig describes an X.509 certificate or CSR that is to be created, as an alternative to using ASN.1. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'subjectConfig' + description: | + Required. Specifies some of the values in a certificate that are related to the subject. + properties: + - !ruby/object:Api::Type::String + name: 'commonName' + description: | + Optional. The "common name" of the distinguished name. + required: true + - !ruby/object:Api::Type::NestedObject + name: 'subject' + description: | + Required. Contains distinguished name fields such as the location and organization. + properties: + - !ruby/object:Api::Type::String + name: 'countryCode' + description: | + The country code of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'organization' + description: | + The organization of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'organizationalUnit' + description: | + The organizationalUnit of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'locality' + description: | + The locality or city of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'province' + description: | + The province of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'streetAddress' + description: | + The streetAddress or city of the subject. + required: true + - !ruby/object:Api::Type::String + name: 'postalCode' + description: | + The postalCode or city of the subject. 
+ required: true + - !ruby/object:Api::Type::NestedObject + name: 'subjectAltName' + description: | + Optional. The subject alternative name fields. + properties: + - !ruby/object:Api::Type::Array + name: 'dnsNames' + description: | + Contains only valid, fully-qualified host names. + required: false + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: 'uris' + description: | + Contains only valid RFC 3986 URIs. + item_type: Api::Type::String + required: false + - !ruby/object:Api::Type::Array + name: 'emailAddresses' + item_type: Api::Type::String + description: | + Contains only valid RFC 2822 E-mail addresses. + required: false + - !ruby/object:Api::Type::Array + name: 'ipAddresses' + item_type: Api::Type::String + description: | + Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses. + required: false + - !ruby/object:Api::Type::Array + name: 'customSans' + required: true + description: | + Contains additional subject alternative name values. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'obectId' + required: true + description: | + Required. Describes how some of the technical fields in a certificate should be populated. + properties: + - !ruby/object:Api::Type::Array + name: 'objectIdPath' + required: true + item_type: Api::Type::Integer + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + - !ruby/object:Api::Type::Boolean + name: 'critical' + required: true + description: | + Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). + - !ruby/object:Api::Type::String + name: 'value' + description: | + Required. The value of this X.509 extension. + - !ruby/object:Api::Type::NestedObject + name: 'reusableConfig' + required: true + description: | + Required. 
Describes how some of the technical fields in a certificate should be populated. + properties: + - !ruby/object:Api::Type::String + name: 'reusableConfig' + # exactly_one_of: + # - reusable_config.0.reusable_config + # - reusable_config.0.reusable_config_values + description: | + Required. A resource path to a ReusableConfig in the format projects/*/locations/*/reusableConfigs/*. + + - !ruby/object:Api::Type::NestedObject + name: 'reusableConfigValues' + # exactly_one_of: + # - reusable_config.0.reusable_config + # - reusable_config.0.reusable_config_values + description: | + Required. A user-specified inline ReusableConfigValues. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'keyUsage' + description: | + Optional. Indicates the intended use for keys that correspond to a certificate. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'baseKeyUsage' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::NestedObject + name: 'keyUsageOptions' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::Boolean + name: 'digitalSignature' + description: | + The key may be used for digital signatures. + - !ruby/object:Api::Type::Boolean + name: 'contentCommitment' + description: | + The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation". + - !ruby/object:Api::Type::Boolean + name: 'keyEncipherment' + description: | + The key may be used to encipher other keys. + - !ruby/object:Api::Type::Boolean + name: 'dataEncipherment' + description: | + The key may be used to encipher data. + - !ruby/object:Api::Type::Boolean + name: 'keyAgreement' + description: | + The key may be used in a key agreement protocol. + - !ruby/object:Api::Type::Boolean + name: 'certSign' + description: | + The key may be used to sign certificates. 
+ - !ruby/object:Api::Type::Boolean + name: 'crlSign' + description: | + The key may be used sign certificate revocation lists. + - !ruby/object:Api::Type::Boolean + name: 'encipherOnly' + description: | + The key may be used to encipher only. + - !ruby/object:Api::Type::Boolean + name: 'decipherOnly' + description: | + The key may be used to decipher only. + - !ruby/object:Api::Type::NestedObject + name: 'extendedKeyUsage' + description: | + Describes high-level ways in which a key may be used. + properties: + - !ruby/object:Api::Type::Boolean + name: 'serverAuth' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS. + - !ruby/object:Api::Type::Boolean + name: 'clientAuth' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS. + - !ruby/object:Api::Type::Boolean + name: 'codeSigning' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication". + - !ruby/object:Api::Type::Boolean + name: 'emailProtection' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection". + - !ruby/object:Api::Type::Boolean + name: 'timeStamping' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time". + - !ruby/object:Api::Type::Boolean + name: 'ocspSigning' + description: | + Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses". + - !ruby/object:Api::Type::Array + name: 'unknownExtendedKeyUsages' + required: true + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. 
+ item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::NestedObject + name: 'obectId' + required: true + description: | + Required. Describes how some of the technical fields in a certificate should be populated. + properties: + - !ruby/object:Api::Type::Array + name: 'objectIdPath' + required: true + item_type: Api::Type::Integer + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + + - !ruby/object:Api::Type::NestedObject + name: 'caOptions' + description: | + Optional. Describes options in this ReusableConfigValues that are relevant in a CA certificate. + properties: + - !ruby/object:Api::Type::Boolean + name: 'isCa' + description: | + Optional. Refers to the "CA" X.509 extension, which is a boolean value. When this value is missing, the extension will be omitted from the CA certificate. + - !ruby/object:Api::Type::Integer + name: 'maxIssuerPathLength' + description: | + Optional. Refers to the path length restriction X.509 extension. For a CA certificate, this value describes the depth of subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. If this value is missing, the max path length will be omitted from the CA certificate. + - !ruby/object:Api::Type::NestedObject + name: 'policyIds' + description: | + Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4. + properties: + - !ruby/object:Api::Type::Array + name: 'objectIdPath' + item_type: Api::Type::Integer + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + - !ruby/object:Api::Type::Array + name: 'aiaOcspServers' + item_type: Api::Type::String + description: | + Optional. 
Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. + - !ruby/object:Api::Type::Array + name: 'additionalExtensions' + description: | + Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate. + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::Array + name: 'objectIdPath' + required: true + item_type: Api::Type::Integer + description: | + An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages. + - !ruby/object:Api::Type::Boolean + name: 'critical' + required: true + description: | + Required. Indicates whether or not this extension is critical (i.e., if the client does not know how to handle this extension, the client should consider this to be an error). + - !ruby/object:Api::Type::String + name: 'value' + description: | + Required. The value of this X.509 extension. + - !ruby/object:Api::Type::NestedObject + name: 'publicKey' + description: | + Required. Describes how some of the technical fields in a certificate should be populated. + properties: + - !ruby/object:Api::Type::String + name: 'key' + description: | + Required. A public key. When this is specified in a request, the padding and encoding can be any of the options described by the respective 'KeyType' value. When this is generated by the service, it will always be an RFC 5280 SubjectPublicKeyInfo structure containing an algorithm identifier and a key. A base64-encoded string. + - !ruby/object:Api::Type::Enum + name: 'type' + required: true + description: | + Types of public keys that are supported. 
At a minimum, we support RSA and ECDSA, for the key sizes or curves listed: https://cloud.google.com/kms/docs/algorithms#asymmetric_signing_algorithms
+ values:
+ - "KEY_TYPE_UNSPECIFIED"
+ - "PEM_RSA_KEY"
+ - "PEM_EC_KEY"
+
+
+
+
+ references: !ruby/object:Api::Resource::ReferenceLinks
+ guides:
+ 'Creating a Certificate':
+ 'https://cloud.google.com/certificate-authority-service/docs/requesting-certificates'
+ api: 'https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1beta1/projects.locations.certificateAuthorities.certificates'
diff --git a/products/privateca/terraform.yaml b/products/privateca/terraform.yaml
new file mode 100644
index 000000000000..3723c861d463
--- /dev/null
+++ b/products/privateca/terraform.yaml
@@ -0,0 +1,39 @@
+# Copyright 2019 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Terraform::Config
+# overrides: !ruby/object:Overrides::ResourceOverrides
+# CertificateAuthorities: !ruby/object:Overrides::Terraform::ResourceOverride
+# description: |
+# {{description}}
+# ~> **Note:** CertificateAuthorities cannot be deleted from Google Cloud Platform.
+# Destroying a Terraform-managed KeyRing will remove it from state but
+# *will not delete the resource on the server.*
+# id_format: "projects/{{project}}/locations/{{location}}/certificateAuthorities/{{name}}"
+# import_format: ["projects/{{project}}/locations/{{location}}/certificateAuthorities/{{name}}"]
+# skip_delete: true
+# properties:
+# createTime: !ruby/object:Overrides::Terraform::PropertyOverride
+# exclude: true
+# location: !ruby/object:Overrides::Terraform::PropertyOverride
+# ignore_read: true
+# custom_code: !ruby/object:Provider::Terraform::CustomCode
+# decoder: templates/terraform/decoders/long_name_to_self_link.go.erb
+# encoder: templates/terraform/encoders/send_nil_body.go.erb
+
+
+files: !ruby/object:Provider::Config::Files
+ # These files have templating (ERB) code that will be run.
+ # This is usually to add licensing info, autogeneration notices, etc.
+ compile:
+<%= lines(indent(compile('provider/terraform/product~compile.yaml'), 4)) -%>
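Review bot: The commented-out overrides block for `CertificateAuthorities` reads as copied from another product — its note says `Destroying a Terraform-managed KeyRing will remove it from state`, and the `long_name_to_self_link.go.erb` / `send_nil_body.go.erb` decoder and encoder paths are not specific to this API. Dead configuration like this tends to be uncommented later without being re-checked, and a user-facing note that CAs "cannot be deleted" would misstate what `terraform destroy` does to a certificate authority if this API's deletion semantics differ from the one the text was written for. Either drop the block, or fix the resource name and replace the note with an explicit reminder of what must be verified before `skip_delete: true` is enabled, e.g. `# TODO: confirm CertificateAuthority deletion behaviour and id/import format before enabling skip_delete`. The `Copyright 2019` header on a newly added file also looks inherited from the template rather than intended.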