Create a certificate by using Terraform

Terraform is an open-source software tool that lets you create and manage your CA Service resources using its infrastructure-as-code paradigm.

Objective

This page describes how you can use Terraform to perform the following operations with Certificate Authority Service:

• Create a certificate authority (CA) pool.
• Create a CA in the new CA pool.
• Generate a new Certificate Signing Request (CSR).
• Use the generated CSR to request a certificate from the new CA pool.

This tutorial uses the Google Cloud Terraform Provider for Terraform.

Before you begin

Make sure that you have the CA Service Admin (roles/privateca.admin) IAM role. If you don't have this IAM role, read Grant a single role for information about granting this role.

Create a Google Cloud project

1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

3. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

4. Enable the CA Service API.

   Enable the API

5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

   Go to project selector

6. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

7. Enable the CA Service API.

   Enable the API

Install the Google Cloud CLI

If you haven't already, install the Google Cloud CLI. When prompted, choose the project that you selected or created earlier.

If you already have the Google Cloud CLI installed, update it using the following Google Cloud CLI command:

gcloud components update

For more information about this gcloud CLI command, see gcloud components update.

Create a Terraform configuration file

To create a Terraform configuration file that you can use to perform operations on CA Service, do the following:

1. Create a new directory for the project to live.

2. In this new directory, create a main.tf file for the Terraform configuration.

3. Copy the following Terraform configuration, and paste it in the main.tf file.

   View on GitHub

   provider google{}
   provider tls{}
   
   resource "tls_private_key" "example" {
     algorithm   = "RSA"
   }
   
   resource "tls_cert_request" "example" {
     key_algorithm   = "RSA"
     private_key_pem = tls_private_key.example.private_key_pem
   
     subject {
       common_name  = "example.com"
       organization = "ACME Examples, Inc"
     }
   }
   
   resource "google_privateca_ca_pool" "default" {
     name = "my-ca-pool"
     location = "us-central1"
     tier = "ENTERPRISE"
     project = "project-id"
     publishing_options {
       publish_ca_cert = true
       publish_crl = true
     }
     labels = {
       foo = "bar"
     }
     issuance_policy {
       baseline_values {
         ca_options {
           is_ca = false
         }
         key_usage {
           base_key_usage {
             digital_signature = true
             key_encipherment = true
           }
           extended_key_usage {
             server_auth = true
           }
         }
       }
     }
   }
   
   resource "google_privateca_certificate_authority" "test-ca" {
     certificate_authority_id = "my-authority"
     location = "us-central1"
     project = "project-id"
     pool = google_privateca_ca_pool.pool.name
     config {
       subject_config {
         subject {
           country_code = "us"
           organization = "google"
           organizational_unit = "enterprise"
           locality = "mountain view"
           province = "california"
           street_address = "1600 amphitheatre parkway"
           postal_code = "94109"
           common_name = "my-certificate-authority"
         }
       }
       x509_config {
         ca_options {
           is_ca = true
         }
         key_usage {
           base_key_usage {
             cert_sign = true
             crl_sign = true
           }
           extended_key_usage {
             server_auth = true
           }
         }
       }
     }
     type = "SELF_SIGNED"
     key_spec {
       algorithm = "RSA_PKCS1_4096_SHA256"
     }
   }
   
   resource "google_privateca_certificate" "default" {
     pool = google_privateca_ca_pool.pool.name
     certificate_authority = google_privateca_certificate_authority.test-ca.certificate_authority_id
     project = "project-id"
     location = "us-central1"
     lifetime = "860s"
     name = "my-certificate"
     pem_csr = tls_cert_request.example.cert_request_pem
   }

   For information about operating CA Service with Terraform, see Using Terraform with CA Service.

For more information about setting up Terraform with Google Cloud, see Getting started with the Google Cloud Provider.

Run the Terraform configuration file

To run the Terraform configuration file you created, run the following commands in Cloud Shell.

For information about running gcloud CLI commands using Cloud Shell, see Running gcloud commands with Cloud Shell.

1. Initialize Terraform in the directory where you have stored the main.tf file.

   terraform init
   

2. Run the created Terraform configuration file.

   terraform apply
   

3. When prompted to confirm if you want to run the configuration file, enter yes.

What's next

• Learn how to use Terraform with Google Cloud.
• Read the Terraform documentation about CA Service support.
• Get started with the Google Cloud Provider.
• Use Terraform with CA Service.