com.pulumi.gcp.securesourcemanager.kotlin.InstanceArgs.kt Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of pulumi-gcp-kotlin Show documentation
Show all versions of pulumi-gcp-kotlin Show documentation
Build cloud applications and infrastructure by combining the safety and reliability of infrastructure as code with the power of the Kotlin programming language.
@file:Suppress("NAME_SHADOWING", "DEPRECATION")
package com.pulumi.gcp.securesourcemanager.kotlin
import com.pulumi.core.Output
import com.pulumi.core.Output.of
import com.pulumi.gcp.securesourcemanager.InstanceArgs.builder
import com.pulumi.gcp.securesourcemanager.kotlin.inputs.InstancePrivateConfigArgs
import com.pulumi.gcp.securesourcemanager.kotlin.inputs.InstancePrivateConfigArgsBuilder
import com.pulumi.kotlin.ConvertibleToJava
import com.pulumi.kotlin.PulumiTagMarker
import com.pulumi.kotlin.applySuspend
import kotlin.Pair
import kotlin.String
import kotlin.Suppress
import kotlin.Unit
import kotlin.collections.Map
import kotlin.jvm.JvmName
/**
* Instances are deployed to an available Google Cloud region and are accessible via their web interface.
* To get more information about Instance, see:
* * [API documentation](https://cloud.google.com/secure-source-manager/docs/reference/rest/v1/projects.locations.instances)
* * How-to Guides
* * [Official Documentation](https://cloud.google.com/secure-source-manager/docs/create-instance)
* ## Example Usage
* ### Secure Source Manager Instance Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* const _default = new gcp.securesourcemanager.Instance("default", {
* location: "us-central1",
* instanceId: "my-instance",
* labels: {
* foo: "bar",
* },
* });
* ```
* ```python
* import pulumi
* import pulumi_gcp as gcp
* default = gcp.securesourcemanager.Instance("default",
* location="us-central1",
* instance_id="my-instance",
* labels={
* "foo": "bar",
* })
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Gcp = Pulumi.Gcp;
* return await Deployment.RunAsync(() =>
* {
* var @default = new Gcp.SecureSourceManager.Instance("default", new()
* {
* Location = "us-central1",
* InstanceId = "my-instance",
* Labels =
* {
* { "foo", "bar" },
* },
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/securesourcemanager"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* _, err := securesourcemanager.NewInstance(ctx, "default", &securesourcemanager.InstanceArgs{
* Location: pulumi.String("us-central1"),
* InstanceId: pulumi.String("my-instance"),
* Labels: pulumi.StringMap{
* "foo": pulumi.String("bar"),
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.gcp.securesourcemanager.Instance;
* import com.pulumi.gcp.securesourcemanager.InstanceArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var default_ = new Instance("default", InstanceArgs.builder()
* .location("us-central1")
* .instanceId("my-instance")
* .labels(Map.of("foo", "bar"))
* .build());
* }
* }
* ```
* ```yaml
* resources:
* default:
* type: gcp:securesourcemanager:Instance
* properties:
* location: us-central1
* instanceId: my-instance
* labels:
* foo: bar
* ```
*
* ### Secure Source Manager Instance Cmek
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* const keyRing = new gcp.kms.KeyRing("key_ring", {
* name: "my-keyring",
* location: "us-central1",
* });
* const cryptoKey = new gcp.kms.CryptoKey("crypto_key", {
* name: "my-key",
* keyRing: keyRing.id,
* });
* const project = gcp.organizations.getProject({});
* const cryptoKeyBinding = new gcp.kms.CryptoKeyIAMMember("crypto_key_binding", {
* cryptoKeyId: cryptoKey.id,
* role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
* member: project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`),
* });
* const _default = new gcp.securesourcemanager.Instance("default", {
* location: "us-central1",
* instanceId: "my-instance",
* kmsKey: cryptoKey.id,
* }, {
* dependsOn: [cryptoKeyBinding],
* });
* ```
* ```python
* import pulumi
* import pulumi_gcp as gcp
* key_ring = gcp.kms.KeyRing("key_ring",
* name="my-keyring",
* location="us-central1")
* crypto_key = gcp.kms.CryptoKey("crypto_key",
* name="my-key",
* key_ring=key_ring.id)
* project = gcp.organizations.get_project()
* crypto_key_binding = gcp.kms.CryptoKeyIAMMember("crypto_key_binding",
* crypto_key_id=crypto_key.id,
* role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
* member=f"serviceAccount:service-{project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com")
* default = gcp.securesourcemanager.Instance("default",
* location="us-central1",
* instance_id="my-instance",
* kms_key=crypto_key.id,
* opts = pulumi.ResourceOptions(depends_on=[crypto_key_binding]))
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Gcp = Pulumi.Gcp;
* return await Deployment.RunAsync(() =>
* {
* var keyRing = new Gcp.Kms.KeyRing("key_ring", new()
* {
* Name = "my-keyring",
* Location = "us-central1",
* });
* var cryptoKey = new Gcp.Kms.CryptoKey("crypto_key", new()
* {
* Name = "my-key",
* KeyRing = keyRing.Id,
* });
* var project = Gcp.Organizations.GetProject.Invoke();
* var cryptoKeyBinding = new Gcp.Kms.CryptoKeyIAMMember("crypto_key_binding", new()
* {
* CryptoKeyId = cryptoKey.Id,
* Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
* Member = $"serviceAccount:service-{project.Apply(getProjectResult => getProjectResult.Number)}@gcp-sa-sourcemanager.iam.gserviceaccount.com",
* });
* var @default = new Gcp.SecureSourceManager.Instance("default", new()
* {
* Location = "us-central1",
* InstanceId = "my-instance",
* KmsKey = cryptoKey.Id,
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* cryptoKeyBinding,
* },
* });
* });
* ```
* ```go
* package main
* import (
* "fmt"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/securesourcemanager"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* keyRing, err := kms.NewKeyRing(ctx, "key_ring", &kms.KeyRingArgs{
* Name: pulumi.String("my-keyring"),
* Location: pulumi.String("us-central1"),
* })
* if err != nil {
* return err
* }
* cryptoKey, err := kms.NewCryptoKey(ctx, "crypto_key", &kms.CryptoKeyArgs{
* Name: pulumi.String("my-key"),
* KeyRing: keyRing.ID(),
* })
* if err != nil {
* return err
* }
* project, err := organizations.LookupProject(ctx, nil, nil)
* if err != nil {
* return err
* }
* cryptoKeyBinding, err := kms.NewCryptoKeyIAMMember(ctx, "crypto_key_binding", &kms.CryptoKeyIAMMemberArgs{
* CryptoKeyId: cryptoKey.ID(),
* Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
* Member: pulumi.Sprintf("serviceAccount:service-%[email protected]", project.Number),
* })
* if err != nil {
* return err
* }
* _, err = securesourcemanager.NewInstance(ctx, "default", &securesourcemanager.InstanceArgs{
* Location: pulumi.String("us-central1"),
* InstanceId: pulumi.String("my-instance"),
* KmsKey: cryptoKey.ID(),
* }, pulumi.DependsOn([]pulumi.Resource{
* cryptoKeyBinding,
* }))
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.gcp.kms.KeyRing;
* import com.pulumi.gcp.kms.KeyRingArgs;
* import com.pulumi.gcp.kms.CryptoKey;
* import com.pulumi.gcp.kms.CryptoKeyArgs;
* import com.pulumi.gcp.organizations.OrganizationsFunctions;
* import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
* import com.pulumi.gcp.kms.CryptoKeyIAMMember;
* import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
* import com.pulumi.gcp.securesourcemanager.Instance;
* import com.pulumi.gcp.securesourcemanager.InstanceArgs;
* import com.pulumi.resources.CustomResourceOptions;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var keyRing = new KeyRing("keyRing", KeyRingArgs.builder()
* .name("my-keyring")
* .location("us-central1")
* .build());
* var cryptoKey = new CryptoKey("cryptoKey", CryptoKeyArgs.builder()
* .name("my-key")
* .keyRing(keyRing.id())
* .build());
* final var project = OrganizationsFunctions.getProject();
* var cryptoKeyBinding = new CryptoKeyIAMMember("cryptoKeyBinding", CryptoKeyIAMMemberArgs.builder()
* .cryptoKeyId(cryptoKey.id())
* .role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
* .member(String.format("serviceAccount:service-%[email protected]", project.applyValue(getProjectResult -> getProjectResult.number())))
* .build());
* var default_ = new Instance("default", InstanceArgs.builder()
* .location("us-central1")
* .instanceId("my-instance")
* .kmsKey(cryptoKey.id())
* .build(), CustomResourceOptions.builder()
* .dependsOn(cryptoKeyBinding)
* .build());
* }
* }
* ```
* ```yaml
* resources:
* keyRing:
* type: gcp:kms:KeyRing
* name: key_ring
* properties:
* name: my-keyring
* location: us-central1
* cryptoKey:
* type: gcp:kms:CryptoKey
* name: crypto_key
* properties:
* name: my-key
* keyRing: ${keyRing.id}
* cryptoKeyBinding:
* type: gcp:kms:CryptoKeyIAMMember
* name: crypto_key_binding
* properties:
* cryptoKeyId: ${cryptoKey.id}
* role: roles/cloudkms.cryptoKeyEncrypterDecrypter
* member: serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com
* default:
* type: gcp:securesourcemanager:Instance
* properties:
* location: us-central1
* instanceId: my-instance
* kmsKey: ${cryptoKey.id}
* options:
* dependson:
* - ${cryptoKeyBinding}
* variables:
* project:
* fn::invoke:
* Function: gcp:organizations:getProject
* Arguments: {}
* ```
*
* ### Secure Source Manager Instance Private
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumi/time";
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const project = gcp.organizations.getProject({});
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* ```
* ```python
* import pulumi
* import pulumi_gcp as gcp
* import pulumi_time as time
* ca_pool = gcp.certificateauthority.CaPool("ca_pool",
* name="ca-pool",
* location="us-central1",
* tier="ENTERPRISE",
* publishing_options={
* "publish_ca_cert": True,
* "publish_crl": True,
* })
* root_ca = gcp.certificateauthority.Authority("root_ca",
* pool=ca_pool.name,
* certificate_authority_id="root-ca",
* location="us-central1",
* config={
* "subject_config": {
* "subject": {
* "organization": "google",
* "common_name": "my-certificate-authority",
* },
* },
* "x509_config": {
* "ca_options": {
* "is_ca": True,
* },
* "key_usage": {
* "base_key_usage": {
* "cert_sign": True,
* "crl_sign": True,
* },
* "extended_key_usage": {
* "server_auth": True,
* },
* },
* },
* },
* key_spec={
* "algorithm": "RSA_PKCS1_4096_SHA256",
* },
* deletion_protection=False,
* ignore_active_certificates_on_deletion=True,
* skip_grace_period=True)
* project = gcp.organizations.get_project()
* ca_pool_binding = gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding",
* ca_pool=ca_pool.id,
* role="roles/privateca.certificateRequester",
* members=[f"serviceAccount:service-{project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"])
* # ca pool IAM permissions can take time to propagate
* wait120_seconds = time.index.Sleep("wait_120_seconds", create_duration=120s,
* opts = pulumi.ResourceOptions(depends_on=[ca_pool_binding]))
* default = gcp.securesourcemanager.Instance("default",
* instance_id="my-instance",
* location="us-central1",
* private_config={
* "is_private": True,
* "ca_pool": ca_pool.id,
* },
* opts = pulumi.ResourceOptions(depends_on=[
* root_ca,
* wait120_seconds,
* ]))
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Gcp = Pulumi.Gcp;
* using Time = Pulumi.Time;
* return await Deployment.RunAsync(() =>
* {
* var caPool = new Gcp.CertificateAuthority.CaPool("ca_pool", new()
* {
* Name = "ca-pool",
* Location = "us-central1",
* Tier = "ENTERPRISE",
* PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
* {
* PublishCaCert = true,
* PublishCrl = true,
* },
* });
* var rootCa = new Gcp.CertificateAuthority.Authority("root_ca", new()
* {
* Pool = caPool.Name,
* CertificateAuthorityId = "root-ca",
* Location = "us-central1",
* Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
* {
* SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
* {
* Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
* {
* Organization = "google",
* CommonName = "my-certificate-authority",
* },
* },
* X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
* {
* CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
* {
* IsCa = true,
* },
* KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
* {
* BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
* {
* CertSign = true,
* CrlSign = true,
* },
* ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
* {
* ServerAuth = true,
* },
* },
* },
* },
* KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
* {
* Algorithm = "RSA_PKCS1_4096_SHA256",
* },
* DeletionProtection = false,
* IgnoreActiveCertificatesOnDeletion = true,
* SkipGracePeriod = true,
* });
* var project = Gcp.Organizations.GetProject.Invoke();
* var caPoolBinding = new Gcp.CertificateAuthority.CaPoolIamBinding("ca_pool_binding", new()
* {
* CaPool = caPool.Id,
* Role = "roles/privateca.certificateRequester",
* Members = new[]
* {
* $"serviceAccount:service-{project.Apply(getProjectResult => getProjectResult.Number)}@gcp-sa-sourcemanager.iam.gserviceaccount.com",
* },
* });
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Time.Index.Sleep("wait_120_seconds", new()
* {
* CreateDuration = "120s",
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* caPoolBinding,
* },
* });
* var @default = new Gcp.SecureSourceManager.Instance("default", new()
* {
* InstanceId = "my-instance",
* Location = "us-central1",
* PrivateConfig = new Gcp.SecureSourceManager.Inputs.InstancePrivateConfigArgs
* {
* IsPrivate = true,
* CaPool = caPool.Id,
* },
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* rootCa,
* wait120Seconds,
* },
* });
* });
* ```
* ```go
* package main
* import (
* "fmt"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/securesourcemanager"
* "github.com/pulumi/pulumi-time/sdk/go/time"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* caPool, err := certificateauthority.NewCaPool(ctx, "ca_pool", &certificateauthority.CaPoolArgs{
* Name: pulumi.String("ca-pool"),
* Location: pulumi.String("us-central1"),
* Tier: pulumi.String("ENTERPRISE"),
* PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
* PublishCaCert: pulumi.Bool(true),
* PublishCrl: pulumi.Bool(true),
* },
* })
* if err != nil {
* return err
* }
* rootCa, err := certificateauthority.NewAuthority(ctx, "root_ca", &certificateauthority.AuthorityArgs{
* Pool: caPool.Name,
* CertificateAuthorityId: pulumi.String("root-ca"),
* Location: pulumi.String("us-central1"),
* Config: &certificateauthority.AuthorityConfigArgs{
* SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
* Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
* Organization: pulumi.String("google"),
* CommonName: pulumi.String("my-certificate-authority"),
* },
* },
* X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
* CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
* IsCa: pulumi.Bool(true),
* },
* KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
* BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
* CertSign: pulumi.Bool(true),
* CrlSign: pulumi.Bool(true),
* },
* ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
* ServerAuth: pulumi.Bool(true),
* },
* },
* },
* },
* KeySpec: &certificateauthority.AuthorityKeySpecArgs{
* Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
* },
* DeletionProtection: pulumi.Bool(false),
* IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
* SkipGracePeriod: pulumi.Bool(true),
* })
* if err != nil {
* return err
* }
* project, err := organizations.LookupProject(ctx, nil, nil)
* if err != nil {
* return err
* }
* caPoolBinding, err := certificateauthority.NewCaPoolIamBinding(ctx, "ca_pool_binding", &certificateauthority.CaPoolIamBindingArgs{
* CaPool: caPool.ID(),
* Role: pulumi.String("roles/privateca.certificateRequester"),
* Members: pulumi.StringArray{
* pulumi.Sprintf("serviceAccount:service-%[email protected]", project.Number),
* },
* })
* if err != nil {
* return err
* }
* // ca pool IAM permissions can take time to propagate
* wait120Seconds, err := time.NewSleep(ctx, "wait_120_seconds", &time.SleepArgs{
* CreateDuration: "120s",
* }, pulumi.DependsOn([]pulumi.Resource{
* caPoolBinding,
* }))
* if err != nil {
* return err
* }
* _, err = securesourcemanager.NewInstance(ctx, "default", &securesourcemanager.InstanceArgs{
* InstanceId: pulumi.String("my-instance"),
* Location: pulumi.String("us-central1"),
* PrivateConfig: &securesourcemanager.InstancePrivateConfigArgs{
* IsPrivate: pulumi.Bool(true),
* CaPool: caPool.ID(),
* },
* }, pulumi.DependsOn([]pulumi.Resource{
* rootCa,
* wait120Seconds,
* }))
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.gcp.certificateauthority.CaPool;
* import com.pulumi.gcp.certificateauthority.CaPoolArgs;
* import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
* import com.pulumi.gcp.certificateauthority.Authority;
* import com.pulumi.gcp.certificateauthority.AuthorityArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
* import com.pulumi.gcp.organizations.OrganizationsFunctions;
* import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBinding;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBindingArgs;
* import com.pulumi.time.sleep;
* import com.pulumi.time.SleepArgs;
* import com.pulumi.gcp.securesourcemanager.Instance;
* import com.pulumi.gcp.securesourcemanager.InstanceArgs;
* import com.pulumi.gcp.securesourcemanager.inputs.InstancePrivateConfigArgs;
* import com.pulumi.resources.CustomResourceOptions;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var caPool = new CaPool("caPool", CaPoolArgs.builder()
* .name("ca-pool")
* .location("us-central1")
* .tier("ENTERPRISE")
* .publishingOptions(CaPoolPublishingOptionsArgs.builder()
* .publishCaCert(true)
* .publishCrl(true)
* .build())
* .build());
* var rootCa = new Authority("rootCa", AuthorityArgs.builder()
* .pool(caPool.name())
* .certificateAuthorityId("root-ca")
* .location("us-central1")
* .config(AuthorityConfigArgs.builder()
* .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
* .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
* .organization("google")
* .commonName("my-certificate-authority")
* .build())
* .build())
* .x509Config(AuthorityConfigX509ConfigArgs.builder()
* .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
* .isCa(true)
* .build())
* .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
* .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
* .certSign(true)
* .crlSign(true)
* .build())
* .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
* .serverAuth(true)
* .build())
* .build())
* .build())
* .build())
* .keySpec(AuthorityKeySpecArgs.builder()
* .algorithm("RSA_PKCS1_4096_SHA256")
* .build())
* .deletionProtection(false)
* .ignoreActiveCertificatesOnDeletion(true)
* .skipGracePeriod(true)
* .build());
* final var project = OrganizationsFunctions.getProject();
* var caPoolBinding = new CaPoolIamBinding("caPoolBinding", CaPoolIamBindingArgs.builder()
* .caPool(caPool.id())
* .role("roles/privateca.certificateRequester")
* .members(String.format("serviceAccount:service-%[email protected]", project.applyValue(getProjectResult -> getProjectResult.number())))
* .build());
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Sleep("wait120Seconds", SleepArgs.builder()
* .createDuration("120s")
* .build(), CustomResourceOptions.builder()
* .dependsOn(caPoolBinding)
* .build());
* var default_ = new Instance("default", InstanceArgs.builder()
* .instanceId("my-instance")
* .location("us-central1")
* .privateConfig(InstancePrivateConfigArgs.builder()
* .isPrivate(true)
* .caPool(caPool.id())
* .build())
* .build(), CustomResourceOptions.builder()
* .dependsOn(
* rootCa,
* wait120Seconds)
* .build());
* }
* }
* ```
* ```yaml
* resources:
* caPool:
* type: gcp:certificateauthority:CaPool
* name: ca_pool
* properties:
* name: ca-pool
* location: us-central1
* tier: ENTERPRISE
* publishingOptions:
* publishCaCert: true
* publishCrl: true
* rootCa:
* type: gcp:certificateauthority:Authority
* name: root_ca
* properties:
* pool: ${caPool.name}
* certificateAuthorityId: root-ca
* location: us-central1
* config:
* subjectConfig:
* subject:
* organization: google
* commonName: my-certificate-authority
* x509Config:
* caOptions:
* isCa: true
* keyUsage:
* baseKeyUsage:
* certSign: true
* crlSign: true
* extendedKeyUsage:
* serverAuth: true
* keySpec:
* algorithm: RSA_PKCS1_4096_SHA256
* deletionProtection: false
* ignoreActiveCertificatesOnDeletion: true
* skipGracePeriod: true
* caPoolBinding:
* type: gcp:certificateauthority:CaPoolIamBinding
* name: ca_pool_binding
* properties:
* caPool: ${caPool.id}
* role: roles/privateca.certificateRequester
* members:
* - serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com
* default:
* type: gcp:securesourcemanager:Instance
* properties:
* instanceId: my-instance
* location: us-central1
* privateConfig:
* isPrivate: true
* caPool: ${caPool.id}
* options:
* dependson:
* - ${rootCa}
* - ${wait120Seconds}
* # ca pool IAM permissions can take time to propagate
* wait120Seconds:
* type: time:sleep
* name: wait_120_seconds
* properties:
* createDuration: 120s
* options:
* dependson:
* - ${caPoolBinding}
* variables:
* project:
* fn::invoke:
* Function: gcp:organizations:getProject
* Arguments: {}
* ```
*
* ### Secure Source Manager Instance Private Psc Backend
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumi/time";
* const project = gcp.organizations.getProject({});
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* // Connect SSM private instance with L4 proxy ILB.
* const network = new gcp.compute.Network("network", {
* name: "my-network",
* autoCreateSubnetworks: false,
* });
* const subnet = new gcp.compute.Subnetwork("subnet", {
* name: "my-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.1.0/24",
* privateIpGoogleAccess: true,
* });
* const pscNeg = new gcp.compute.RegionNetworkEndpointGroup("psc_neg", {
* name: "my-neg",
* region: "us-central1",
* networkEndpointType: "PRIVATE_SERVICE_CONNECT",
* pscTargetService: _default.privateConfig.apply(privateConfig => privateConfig?.httpServiceAttachment),
* network: network.id,
* subnetwork: subnet.id,
* });
* const backendService = new gcp.compute.RegionBackendService("backend_service", {
* name: "my-backend-service",
* region: "us-central1",
* protocol: "TCP",
* loadBalancingScheme: "INTERNAL_MANAGED",
* backends: [{
* group: pscNeg.id,
* balancingMode: "UTILIZATION",
* capacityScaler: 1,
* }],
* });
* const proxySubnet = new gcp.compute.Subnetwork("proxy_subnet", {
* name: "my-proxy-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.2.0/24",
* purpose: "REGIONAL_MANAGED_PROXY",
* role: "ACTIVE",
* });
* const targetProxy = new gcp.compute.RegionTargetTcpProxy("target_proxy", {
* name: "my-target-proxy",
* region: "us-central1",
* backendService: backendService.id,
* });
* const fwRuleTargetProxy = new gcp.compute.ForwardingRule("fw_rule_target_proxy", {
* name: "fw-rule-target-proxy",
* region: "us-central1",
* loadBalancingScheme: "INTERNAL_MANAGED",
* ipProtocol: "TCP",
* portRange: "443",
* target: targetProxy.id,
* network: network.id,
* subnetwork: subnet.id,
* networkTier: "PREMIUM",
* }, {
* dependsOn: [proxySubnet],
* });
* const privateZone = new gcp.dns.ManagedZone("private_zone", {
* name: "my-dns-zone",
* dnsName: "p.sourcemanager.dev.",
* visibility: "private",
* privateVisibilityConfig: {
* networks: [{
* networkUrl: network.id,
* }],
* },
* });
* const ssmInstanceHtmlRecord = new gcp.dns.RecordSet("ssm_instance_html_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].html}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* const ssmInstanceApiRecord = new gcp.dns.RecordSet("ssm_instance_api_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].api}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* const ssmInstanceGitRecord = new gcp.dns.RecordSet("ssm_instance_git_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].gitHttp}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleTargetProxy.ipAddress],
* });
* ```
* ```python
* import pulumi
* import pulumi_gcp as gcp
* import pulumi_time as time
* project = gcp.organizations.get_project()
* ca_pool = gcp.certificateauthority.CaPool("ca_pool",
* name="ca-pool",
* location="us-central1",
* tier="ENTERPRISE",
* publishing_options={
* "publish_ca_cert": True,
* "publish_crl": True,
* })
* root_ca = gcp.certificateauthority.Authority("root_ca",
* pool=ca_pool.name,
* certificate_authority_id="root-ca",
* location="us-central1",
* config={
* "subject_config": {
* "subject": {
* "organization": "google",
* "common_name": "my-certificate-authority",
* },
* },
* "x509_config": {
* "ca_options": {
* "is_ca": True,
* },
* "key_usage": {
* "base_key_usage": {
* "cert_sign": True,
* "crl_sign": True,
* },
* "extended_key_usage": {
* "server_auth": True,
* },
* },
* },
* },
* key_spec={
* "algorithm": "RSA_PKCS1_4096_SHA256",
* },
* deletion_protection=False,
* ignore_active_certificates_on_deletion=True,
* skip_grace_period=True)
* ca_pool_binding = gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding",
* ca_pool=ca_pool.id,
* role="roles/privateca.certificateRequester",
* members=[f"serviceAccount:service-{project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"])
* # ca pool IAM permissions can take time to propagate
* wait120_seconds = time.index.Sleep("wait_120_seconds", create_duration=120s,
* opts = pulumi.ResourceOptions(depends_on=[ca_pool_binding]))
* # See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* default = gcp.securesourcemanager.Instance("default",
* instance_id="my-instance",
* location="us-central1",
* private_config={
* "is_private": True,
* "ca_pool": ca_pool.id,
* },
* opts = pulumi.ResourceOptions(depends_on=[
* root_ca,
* wait120_seconds,
* ]))
* # Connect SSM private instance with L4 proxy ILB.
* network = gcp.compute.Network("network",
* name="my-network",
* auto_create_subnetworks=False)
* subnet = gcp.compute.Subnetwork("subnet",
* name="my-subnet",
* region="us-central1",
* network=network.id,
* ip_cidr_range="10.0.1.0/24",
* private_ip_google_access=True)
* psc_neg = gcp.compute.RegionNetworkEndpointGroup("psc_neg",
* name="my-neg",
* region="us-central1",
* network_endpoint_type="PRIVATE_SERVICE_CONNECT",
* psc_target_service=default.private_config.http_service_attachment,
* network=network.id,
* subnetwork=subnet.id)
* backend_service = gcp.compute.RegionBackendService("backend_service",
* name="my-backend-service",
* region="us-central1",
* protocol="TCP",
* load_balancing_scheme="INTERNAL_MANAGED",
* backends=[{
* "group": psc_neg.id,
* "balancing_mode": "UTILIZATION",
* "capacity_scaler": 1,
* }])
* proxy_subnet = gcp.compute.Subnetwork("proxy_subnet",
* name="my-proxy-subnet",
* region="us-central1",
* network=network.id,
* ip_cidr_range="10.0.2.0/24",
* purpose="REGIONAL_MANAGED_PROXY",
* role="ACTIVE")
* target_proxy = gcp.compute.RegionTargetTcpProxy("target_proxy",
* name="my-target-proxy",
* region="us-central1",
* backend_service=backend_service.id)
* fw_rule_target_proxy = gcp.compute.ForwardingRule("fw_rule_target_proxy",
* name="fw-rule-target-proxy",
* region="us-central1",
* load_balancing_scheme="INTERNAL_MANAGED",
* ip_protocol="TCP",
* port_range="443",
* target=target_proxy.id,
* network=network.id,
* subnetwork=subnet.id,
* network_tier="PREMIUM",
* opts = pulumi.ResourceOptions(depends_on=[proxy_subnet]))
* private_zone = gcp.dns.ManagedZone("private_zone",
* name="my-dns-zone",
* dns_name="p.sourcemanager.dev.",
* visibility="private",
* private_visibility_config={
* "networks": [{
* "network_url": network.id,
* }],
* })
* ssm_instance_html_record = gcp.dns.RecordSet("ssm_instance_html_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].html}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_target_proxy.ip_address])
* ssm_instance_api_record = gcp.dns.RecordSet("ssm_instance_api_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].api}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_target_proxy.ip_address])
* ssm_instance_git_record = gcp.dns.RecordSet("ssm_instance_git_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].git_http}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_target_proxy.ip_address])
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Gcp = Pulumi.Gcp;
* using Time = Pulumi.Time;
* return await Deployment.RunAsync(() =>
* {
* var project = Gcp.Organizations.GetProject.Invoke();
* var caPool = new Gcp.CertificateAuthority.CaPool("ca_pool", new()
* {
* Name = "ca-pool",
* Location = "us-central1",
* Tier = "ENTERPRISE",
* PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
* {
* PublishCaCert = true,
* PublishCrl = true,
* },
* });
* var rootCa = new Gcp.CertificateAuthority.Authority("root_ca", new()
* {
* Pool = caPool.Name,
* CertificateAuthorityId = "root-ca",
* Location = "us-central1",
* Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
* {
* SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
* {
* Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
* {
* Organization = "google",
* CommonName = "my-certificate-authority",
* },
* },
* X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
* {
* CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
* {
* IsCa = true,
* },
* KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
* {
* BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
* {
* CertSign = true,
* CrlSign = true,
* },
* ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
* {
* ServerAuth = true,
* },
* },
* },
* },
* KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
* {
* Algorithm = "RSA_PKCS1_4096_SHA256",
* },
* DeletionProtection = false,
* IgnoreActiveCertificatesOnDeletion = true,
* SkipGracePeriod = true,
* });
* var caPoolBinding = new Gcp.CertificateAuthority.CaPoolIamBinding("ca_pool_binding", new()
* {
* CaPool = caPool.Id,
* Role = "roles/privateca.certificateRequester",
* Members = new[]
* {
* $"serviceAccount:service-{project.Apply(getProjectResult => getProjectResult.Number)}@gcp-sa-sourcemanager.iam.gserviceaccount.com",
* },
* });
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Time.Index.Sleep("wait_120_seconds", new()
* {
* CreateDuration = "120s",
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* caPoolBinding,
* },
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* var @default = new Gcp.SecureSourceManager.Instance("default", new()
* {
* InstanceId = "my-instance",
* Location = "us-central1",
* PrivateConfig = new Gcp.SecureSourceManager.Inputs.InstancePrivateConfigArgs
* {
* IsPrivate = true,
* CaPool = caPool.Id,
* },
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* rootCa,
* wait120Seconds,
* },
* });
* // Connect SSM private instance with L4 proxy ILB.
* var network = new Gcp.Compute.Network("network", new()
* {
* Name = "my-network",
* AutoCreateSubnetworks = false,
* });
* var subnet = new Gcp.Compute.Subnetwork("subnet", new()
* {
* Name = "my-subnet",
* Region = "us-central1",
* Network = network.Id,
* IpCidrRange = "10.0.1.0/24",
* PrivateIpGoogleAccess = true,
* });
* var pscNeg = new Gcp.Compute.RegionNetworkEndpointGroup("psc_neg", new()
* {
* Name = "my-neg",
* Region = "us-central1",
* NetworkEndpointType = "PRIVATE_SERVICE_CONNECT",
* PscTargetService = @default.PrivateConfig.Apply(privateConfig => privateConfig?.HttpServiceAttachment),
* Network = network.Id,
* Subnetwork = subnet.Id,
* });
* var backendService = new Gcp.Compute.RegionBackendService("backend_service", new()
* {
* Name = "my-backend-service",
* Region = "us-central1",
* Protocol = "TCP",
* LoadBalancingScheme = "INTERNAL_MANAGED",
* Backends = new[]
* {
* new Gcp.Compute.Inputs.RegionBackendServiceBackendArgs
* {
* Group = pscNeg.Id,
* BalancingMode = "UTILIZATION",
* CapacityScaler = 1,
* },
* },
* });
* var proxySubnet = new Gcp.Compute.Subnetwork("proxy_subnet", new()
* {
* Name = "my-proxy-subnet",
* Region = "us-central1",
* Network = network.Id,
* IpCidrRange = "10.0.2.0/24",
* Purpose = "REGIONAL_MANAGED_PROXY",
* Role = "ACTIVE",
* });
* var targetProxy = new Gcp.Compute.RegionTargetTcpProxy("target_proxy", new()
* {
* Name = "my-target-proxy",
* Region = "us-central1",
* BackendService = backendService.Id,
* });
* var fwRuleTargetProxy = new Gcp.Compute.ForwardingRule("fw_rule_target_proxy", new()
* {
* Name = "fw-rule-target-proxy",
* Region = "us-central1",
* LoadBalancingScheme = "INTERNAL_MANAGED",
* IpProtocol = "TCP",
* PortRange = "443",
* Target = targetProxy.Id,
* Network = network.Id,
* Subnetwork = subnet.Id,
* NetworkTier = "PREMIUM",
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* proxySubnet,
* },
* });
* var privateZone = new Gcp.Dns.ManagedZone("private_zone", new()
* {
* Name = "my-dns-zone",
* DnsName = "p.sourcemanager.dev.",
* Visibility = "private",
* PrivateVisibilityConfig = new Gcp.Dns.Inputs.ManagedZonePrivateVisibilityConfigArgs
* {
* Networks = new[]
* {
* new Gcp.Dns.Inputs.ManagedZonePrivateVisibilityConfigNetworkArgs
* {
* NetworkUrl = network.Id,
* },
* },
* },
* });
* var ssmInstanceHtmlRecord = new Gcp.Dns.RecordSet("ssm_instance_html_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].Html}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleTargetProxy.IpAddress,
* },
* });
* var ssmInstanceApiRecord = new Gcp.Dns.RecordSet("ssm_instance_api_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].Api}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleTargetProxy.IpAddress,
* },
* });
* var ssmInstanceGitRecord = new Gcp.Dns.RecordSet("ssm_instance_git_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].GitHttp}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleTargetProxy.IpAddress,
* },
* });
* });
* ```
* ```go
* package main
* import (
* "fmt"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/dns"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/securesourcemanager"
* "github.com/pulumi/pulumi-time/sdk/go/time"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* project, err := organizations.LookupProject(ctx, nil, nil)
* if err != nil {
* return err
* }
* caPool, err := certificateauthority.NewCaPool(ctx, "ca_pool", &certificateauthority.CaPoolArgs{
* Name: pulumi.String("ca-pool"),
* Location: pulumi.String("us-central1"),
* Tier: pulumi.String("ENTERPRISE"),
* PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
* PublishCaCert: pulumi.Bool(true),
* PublishCrl: pulumi.Bool(true),
* },
* })
* if err != nil {
* return err
* }
* rootCa, err := certificateauthority.NewAuthority(ctx, "root_ca", &certificateauthority.AuthorityArgs{
* Pool: caPool.Name,
* CertificateAuthorityId: pulumi.String("root-ca"),
* Location: pulumi.String("us-central1"),
* Config: &certificateauthority.AuthorityConfigArgs{
* SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
* Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
* Organization: pulumi.String("google"),
* CommonName: pulumi.String("my-certificate-authority"),
* },
* },
* X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
* CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
* IsCa: pulumi.Bool(true),
* },
* KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
* BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
* CertSign: pulumi.Bool(true),
* CrlSign: pulumi.Bool(true),
* },
* ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
* ServerAuth: pulumi.Bool(true),
* },
* },
* },
* },
* KeySpec: &certificateauthority.AuthorityKeySpecArgs{
* Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
* },
* DeletionProtection: pulumi.Bool(false),
* IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
* SkipGracePeriod: pulumi.Bool(true),
* })
* if err != nil {
* return err
* }
* caPoolBinding, err := certificateauthority.NewCaPoolIamBinding(ctx, "ca_pool_binding", &certificateauthority.CaPoolIamBindingArgs{
* CaPool: caPool.ID(),
* Role: pulumi.String("roles/privateca.certificateRequester"),
* Members: pulumi.StringArray{
* pulumi.Sprintf("serviceAccount:service-%[email protected]", project.Number),
* },
* })
* if err != nil {
* return err
* }
* // ca pool IAM permissions can take time to propagate
* wait120Seconds, err := time.NewSleep(ctx, "wait_120_seconds", &time.SleepArgs{
* CreateDuration: "120s",
* }, pulumi.DependsOn([]pulumi.Resource{
* caPoolBinding,
* }))
* if err != nil {
* return err
* }
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* _, err = securesourcemanager.NewInstance(ctx, "default", &securesourcemanager.InstanceArgs{
* InstanceId: pulumi.String("my-instance"),
* Location: pulumi.String("us-central1"),
* PrivateConfig: &securesourcemanager.InstancePrivateConfigArgs{
* IsPrivate: pulumi.Bool(true),
* CaPool: caPool.ID(),
* },
* }, pulumi.DependsOn([]pulumi.Resource{
* rootCa,
* wait120Seconds,
* }))
* if err != nil {
* return err
* }
* // Connect SSM private instance with L4 proxy ILB.
* network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
* Name: pulumi.String("my-network"),
* AutoCreateSubnetworks: pulumi.Bool(false),
* })
* if err != nil {
* return err
* }
* subnet, err := compute.NewSubnetwork(ctx, "subnet", &compute.SubnetworkArgs{
* Name: pulumi.String("my-subnet"),
* Region: pulumi.String("us-central1"),
* Network: network.ID(),
* IpCidrRange: pulumi.String("10.0.1.0/24"),
* PrivateIpGoogleAccess: pulumi.Bool(true),
* })
* if err != nil {
* return err
* }
* pscNeg, err := compute.NewRegionNetworkEndpointGroup(ctx, "psc_neg", &compute.RegionNetworkEndpointGroupArgs{
* Name: pulumi.String("my-neg"),
* Region: pulumi.String("us-central1"),
* NetworkEndpointType: pulumi.String("PRIVATE_SERVICE_CONNECT"),
* PscTargetService: pulumi.String(_default.PrivateConfig.ApplyT(func(privateConfig securesourcemanager.InstancePrivateConfig) (*string, error) {
* return &privateConfig.HttpServiceAttachment, nil
* }).(pulumi.StringPtrOutput)),
* Network: network.ID(),
* Subnetwork: subnet.ID(),
* })
* if err != nil {
* return err
* }
* backendService, err := compute.NewRegionBackendService(ctx, "backend_service", &compute.RegionBackendServiceArgs{
* Name: pulumi.String("my-backend-service"),
* Region: pulumi.String("us-central1"),
* Protocol: pulumi.String("TCP"),
* LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
* Backends: compute.RegionBackendServiceBackendArray{
* &compute.RegionBackendServiceBackendArgs{
* Group: pscNeg.ID(),
* BalancingMode: pulumi.String("UTILIZATION"),
* CapacityScaler: pulumi.Float64(1),
* },
* },
* })
* if err != nil {
* return err
* }
* proxySubnet, err := compute.NewSubnetwork(ctx, "proxy_subnet", &compute.SubnetworkArgs{
* Name: pulumi.String("my-proxy-subnet"),
* Region: pulumi.String("us-central1"),
* Network: network.ID(),
* IpCidrRange: pulumi.String("10.0.2.0/24"),
* Purpose: pulumi.String("REGIONAL_MANAGED_PROXY"),
* Role: pulumi.String("ACTIVE"),
* })
* if err != nil {
* return err
* }
* targetProxy, err := compute.NewRegionTargetTcpProxy(ctx, "target_proxy", &compute.RegionTargetTcpProxyArgs{
* Name: pulumi.String("my-target-proxy"),
* Region: pulumi.String("us-central1"),
* BackendService: backendService.ID(),
* })
* if err != nil {
* return err
* }
* fwRuleTargetProxy, err := compute.NewForwardingRule(ctx, "fw_rule_target_proxy", &compute.ForwardingRuleArgs{
* Name: pulumi.String("fw-rule-target-proxy"),
* Region: pulumi.String("us-central1"),
* LoadBalancingScheme: pulumi.String("INTERNAL_MANAGED"),
* IpProtocol: pulumi.String("TCP"),
* PortRange: pulumi.String("443"),
* Target: targetProxy.ID(),
* Network: network.ID(),
* Subnetwork: subnet.ID(),
* NetworkTier: pulumi.String("PREMIUM"),
* }, pulumi.DependsOn([]pulumi.Resource{
* proxySubnet,
* }))
* if err != nil {
* return err
* }
* privateZone, err := dns.NewManagedZone(ctx, "private_zone", &dns.ManagedZoneArgs{
* Name: pulumi.String("my-dns-zone"),
* DnsName: pulumi.String("p.sourcemanager.dev."),
* Visibility: pulumi.String("private"),
* PrivateVisibilityConfig: &dns.ManagedZonePrivateVisibilityConfigArgs{
* Networks: dns.ManagedZonePrivateVisibilityConfigNetworkArray{
* &dns.ManagedZonePrivateVisibilityConfigNetworkArgs{
* NetworkUrl: network.ID(),
* },
* },
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_html_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].Html), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleTargetProxy.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_api_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].Api), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleTargetProxy.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_git_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].GitHttp), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleTargetProxy.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.gcp.organizations.OrganizationsFunctions;
* import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
* import com.pulumi.gcp.certificateauthority.CaPool;
* import com.pulumi.gcp.certificateauthority.CaPoolArgs;
* import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
* import com.pulumi.gcp.certificateauthority.Authority;
* import com.pulumi.gcp.certificateauthority.AuthorityArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBinding;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBindingArgs;
* import com.pulumi.time.sleep;
* import com.pulumi.time.SleepArgs;
* import com.pulumi.gcp.securesourcemanager.Instance;
* import com.pulumi.gcp.securesourcemanager.InstanceArgs;
* import com.pulumi.gcp.securesourcemanager.inputs.InstancePrivateConfigArgs;
* import com.pulumi.gcp.compute.Network;
* import com.pulumi.gcp.compute.NetworkArgs;
* import com.pulumi.gcp.compute.Subnetwork;
* import com.pulumi.gcp.compute.SubnetworkArgs;
* import com.pulumi.gcp.compute.RegionNetworkEndpointGroup;
* import com.pulumi.gcp.compute.RegionNetworkEndpointGroupArgs;
* import com.pulumi.gcp.compute.RegionBackendService;
* import com.pulumi.gcp.compute.RegionBackendServiceArgs;
* import com.pulumi.gcp.compute.inputs.RegionBackendServiceBackendArgs;
* import com.pulumi.gcp.compute.RegionTargetTcpProxy;
* import com.pulumi.gcp.compute.RegionTargetTcpProxyArgs;
* import com.pulumi.gcp.compute.ForwardingRule;
* import com.pulumi.gcp.compute.ForwardingRuleArgs;
* import com.pulumi.gcp.dns.ManagedZone;
* import com.pulumi.gcp.dns.ManagedZoneArgs;
* import com.pulumi.gcp.dns.inputs.ManagedZonePrivateVisibilityConfigArgs;
* import com.pulumi.gcp.dns.RecordSet;
* import com.pulumi.gcp.dns.RecordSetArgs;
* import com.pulumi.resources.CustomResourceOptions;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* final var project = OrganizationsFunctions.getProject();
* var caPool = new CaPool("caPool", CaPoolArgs.builder()
* .name("ca-pool")
* .location("us-central1")
* .tier("ENTERPRISE")
* .publishingOptions(CaPoolPublishingOptionsArgs.builder()
* .publishCaCert(true)
* .publishCrl(true)
* .build())
* .build());
* var rootCa = new Authority("rootCa", AuthorityArgs.builder()
* .pool(caPool.name())
* .certificateAuthorityId("root-ca")
* .location("us-central1")
* .config(AuthorityConfigArgs.builder()
* .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
* .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
* .organization("google")
* .commonName("my-certificate-authority")
* .build())
* .build())
* .x509Config(AuthorityConfigX509ConfigArgs.builder()
* .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
* .isCa(true)
* .build())
* .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
* .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
* .certSign(true)
* .crlSign(true)
* .build())
* .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
* .serverAuth(true)
* .build())
* .build())
* .build())
* .build())
* .keySpec(AuthorityKeySpecArgs.builder()
* .algorithm("RSA_PKCS1_4096_SHA256")
* .build())
* .deletionProtection(false)
* .ignoreActiveCertificatesOnDeletion(true)
* .skipGracePeriod(true)
* .build());
* var caPoolBinding = new CaPoolIamBinding("caPoolBinding", CaPoolIamBindingArgs.builder()
* .caPool(caPool.id())
* .role("roles/privateca.certificateRequester")
* .members(String.format("serviceAccount:service-%[email protected]", project.applyValue(getProjectResult -> getProjectResult.number())))
* .build());
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Sleep("wait120Seconds", SleepArgs.builder()
* .createDuration("120s")
* .build(), CustomResourceOptions.builder()
* .dependsOn(caPoolBinding)
* .build());
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* var default_ = new Instance("default", InstanceArgs.builder()
* .instanceId("my-instance")
* .location("us-central1")
* .privateConfig(InstancePrivateConfigArgs.builder()
* .isPrivate(true)
* .caPool(caPool.id())
* .build())
* .build(), CustomResourceOptions.builder()
* .dependsOn(
* rootCa,
* wait120Seconds)
* .build());
* // Connect SSM private instance with L4 proxy ILB.
* var network = new Network("network", NetworkArgs.builder()
* .name("my-network")
* .autoCreateSubnetworks(false)
* .build());
* var subnet = new Subnetwork("subnet", SubnetworkArgs.builder()
* .name("my-subnet")
* .region("us-central1")
* .network(network.id())
* .ipCidrRange("10.0.1.0/24")
* .privateIpGoogleAccess(true)
* .build());
* var pscNeg = new RegionNetworkEndpointGroup("pscNeg", RegionNetworkEndpointGroupArgs.builder()
* .name("my-neg")
* .region("us-central1")
* .networkEndpointType("PRIVATE_SERVICE_CONNECT")
* .pscTargetService(default_.privateConfig().applyValue(privateConfig -> privateConfig.httpServiceAttachment()))
* .network(network.id())
* .subnetwork(subnet.id())
* .build());
* var backendService = new RegionBackendService("backendService", RegionBackendServiceArgs.builder()
* .name("my-backend-service")
* .region("us-central1")
* .protocol("TCP")
* .loadBalancingScheme("INTERNAL_MANAGED")
* .backends(RegionBackendServiceBackendArgs.builder()
* .group(pscNeg.id())
* .balancingMode("UTILIZATION")
* .capacityScaler(1)
* .build())
* .build());
* var proxySubnet = new Subnetwork("proxySubnet", SubnetworkArgs.builder()
* .name("my-proxy-subnet")
* .region("us-central1")
* .network(network.id())
* .ipCidrRange("10.0.2.0/24")
* .purpose("REGIONAL_MANAGED_PROXY")
* .role("ACTIVE")
* .build());
* var targetProxy = new RegionTargetTcpProxy("targetProxy", RegionTargetTcpProxyArgs.builder()
* .name("my-target-proxy")
* .region("us-central1")
* .backendService(backendService.id())
* .build());
* var fwRuleTargetProxy = new ForwardingRule("fwRuleTargetProxy", ForwardingRuleArgs.builder()
* .name("fw-rule-target-proxy")
* .region("us-central1")
* .loadBalancingScheme("INTERNAL_MANAGED")
* .ipProtocol("TCP")
* .portRange("443")
* .target(targetProxy.id())
* .network(network.id())
* .subnetwork(subnet.id())
* .networkTier("PREMIUM")
* .build(), CustomResourceOptions.builder()
* .dependsOn(proxySubnet)
* .build());
* var privateZone = new ManagedZone("privateZone", ManagedZoneArgs.builder()
* .name("my-dns-zone")
* .dnsName("p.sourcemanager.dev.")
* .visibility("private")
* .privateVisibilityConfig(ManagedZonePrivateVisibilityConfigArgs.builder()
* .networks(ManagedZonePrivateVisibilityConfigNetworkArgs.builder()
* .networkUrl(network.id())
* .build())
* .build())
* .build());
* var ssmInstanceHtmlRecord = new RecordSet("ssmInstanceHtmlRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].html())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleTargetProxy.ipAddress())
* .build());
* var ssmInstanceApiRecord = new RecordSet("ssmInstanceApiRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].api())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleTargetProxy.ipAddress())
* .build());
* var ssmInstanceGitRecord = new RecordSet("ssmInstanceGitRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].gitHttp())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleTargetProxy.ipAddress())
* .build());
* }
* }
* ```
* ```yaml
* resources:
* caPool:
* type: gcp:certificateauthority:CaPool
* name: ca_pool
* properties:
* name: ca-pool
* location: us-central1
* tier: ENTERPRISE
* publishingOptions:
* publishCaCert: true
* publishCrl: true
* rootCa:
* type: gcp:certificateauthority:Authority
* name: root_ca
* properties:
* pool: ${caPool.name}
* certificateAuthorityId: root-ca
* location: us-central1
* config:
* subjectConfig:
* subject:
* organization: google
* commonName: my-certificate-authority
* x509Config:
* caOptions:
* isCa: true
* keyUsage:
* baseKeyUsage:
* certSign: true
* crlSign: true
* extendedKeyUsage:
* serverAuth: true
* keySpec:
* algorithm: RSA_PKCS1_4096_SHA256
* deletionProtection: false
* ignoreActiveCertificatesOnDeletion: true
* skipGracePeriod: true
* caPoolBinding:
* type: gcp:certificateauthority:CaPoolIamBinding
* name: ca_pool_binding
* properties:
* caPool: ${caPool.id}
* role: roles/privateca.certificateRequester
* members:
* - serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com
* # See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* default:
* type: gcp:securesourcemanager:Instance
* properties:
* instanceId: my-instance
* location: us-central1
* privateConfig:
* isPrivate: true
* caPool: ${caPool.id}
* options:
* dependson:
* - ${rootCa}
* - ${wait120Seconds}
* # ca pool IAM permissions can take time to propagate
* wait120Seconds:
* type: time:sleep
* name: wait_120_seconds
* properties:
* createDuration: 120s
* options:
* dependson:
* - ${caPoolBinding}
* # Connect SSM private instance with L4 proxy ILB.
* network:
* type: gcp:compute:Network
* properties:
* name: my-network
* autoCreateSubnetworks: false
* subnet:
* type: gcp:compute:Subnetwork
* properties:
* name: my-subnet
* region: us-central1
* network: ${network.id}
* ipCidrRange: 10.0.1.0/24
* privateIpGoogleAccess: true
* pscNeg:
* type: gcp:compute:RegionNetworkEndpointGroup
* name: psc_neg
* properties:
* name: my-neg
* region: us-central1
* networkEndpointType: PRIVATE_SERVICE_CONNECT
* pscTargetService: ${default.privateConfig.httpServiceAttachment}
* network: ${network.id}
* subnetwork: ${subnet.id}
* backendService:
* type: gcp:compute:RegionBackendService
* name: backend_service
* properties:
* name: my-backend-service
* region: us-central1
* protocol: TCP
* loadBalancingScheme: INTERNAL_MANAGED
* backends:
* - group: ${pscNeg.id}
* balancingMode: UTILIZATION
* capacityScaler: 1
* proxySubnet:
* type: gcp:compute:Subnetwork
* name: proxy_subnet
* properties:
* name: my-proxy-subnet
* region: us-central1
* network: ${network.id}
* ipCidrRange: 10.0.2.0/24
* purpose: REGIONAL_MANAGED_PROXY
* role: ACTIVE
* targetProxy:
* type: gcp:compute:RegionTargetTcpProxy
* name: target_proxy
* properties:
* name: my-target-proxy
* region: us-central1
* backendService: ${backendService.id}
* fwRuleTargetProxy:
* type: gcp:compute:ForwardingRule
* name: fw_rule_target_proxy
* properties:
* name: fw-rule-target-proxy
* region: us-central1
* loadBalancingScheme: INTERNAL_MANAGED
* ipProtocol: TCP
* portRange: '443'
* target: ${targetProxy.id}
* network: ${network.id}
* subnetwork: ${subnet.id}
* networkTier: PREMIUM
* options:
* dependson:
* - ${proxySubnet}
* privateZone:
* type: gcp:dns:ManagedZone
* name: private_zone
* properties:
* name: my-dns-zone
* dnsName: p.sourcemanager.dev.
* visibility: private
* privateVisibilityConfig:
* networks:
* - networkUrl: ${network.id}
* ssmInstanceHtmlRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_html_record
* properties:
* name: ${default.hostConfigs[0].html}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleTargetProxy.ipAddress}
* ssmInstanceApiRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_api_record
* properties:
* name: ${default.hostConfigs[0].api}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleTargetProxy.ipAddress}
* ssmInstanceGitRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_git_record
* properties:
* name: ${default.hostConfigs[0].gitHttp}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleTargetProxy.ipAddress}
* variables:
* project:
* fn::invoke:
* Function: gcp:organizations:getProject
* Arguments: {}
* ```
*
* ### Secure Source Manager Instance Private Psc Endpoint
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as time from "@pulumi/time";
* const project = gcp.organizations.getProject({});
* const caPool = new gcp.certificateauthority.CaPool("ca_pool", {
* name: "ca-pool",
* location: "us-central1",
* tier: "ENTERPRISE",
* publishingOptions: {
* publishCaCert: true,
* publishCrl: true,
* },
* });
* const rootCa = new gcp.certificateauthority.Authority("root_ca", {
* pool: caPool.name,
* certificateAuthorityId: "root-ca",
* location: "us-central1",
* config: {
* subjectConfig: {
* subject: {
* organization: "google",
* commonName: "my-certificate-authority",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* deletionProtection: false,
* ignoreActiveCertificatesOnDeletion: true,
* skipGracePeriod: true,
* });
* const caPoolBinding = new gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding", {
* caPool: caPool.id,
* role: "roles/privateca.certificateRequester",
* members: [project.then(project => `serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com`)],
* });
* // ca pool IAM permissions can take time to propagate
* const wait120Seconds = new time.index.Sleep("wait_120_seconds", {createDuration: "120s"}, {
* dependsOn: [caPoolBinding],
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* const _default = new gcp.securesourcemanager.Instance("default", {
* instanceId: "my-instance",
* location: "us-central1",
* privateConfig: {
* isPrivate: true,
* caPool: caPool.id,
* },
* }, {
* dependsOn: [
* rootCa,
* wait120Seconds,
* ],
* });
* // Connect SSM private instance with endpoint.
* const network = new gcp.compute.Network("network", {
* name: "my-network",
* autoCreateSubnetworks: false,
* });
* const subnet = new gcp.compute.Subnetwork("subnet", {
* name: "my-subnet",
* region: "us-central1",
* network: network.id,
* ipCidrRange: "10.0.60.0/24",
* privateIpGoogleAccess: true,
* });
* const address = new gcp.compute.Address("address", {
* name: "my-address",
* region: "us-central1",
* address: "10.0.60.100",
* addressType: "INTERNAL",
* subnetwork: subnet.id,
* });
* const fwRuleServiceAttachment = new gcp.compute.ForwardingRule("fw_rule_service_attachment", {
* name: "fw-rule-service-attachment",
* region: "us-central1",
* loadBalancingScheme: "",
* ipAddress: address.id,
* network: network.id,
* target: _default.privateConfig.apply(privateConfig => privateConfig?.httpServiceAttachment),
* });
* const privateZone = new gcp.dns.ManagedZone("private_zone", {
* name: "my-dns-zone",
* dnsName: "p.sourcemanager.dev.",
* visibility: "private",
* privateVisibilityConfig: {
* networks: [{
* networkUrl: network.id,
* }],
* },
* });
* const ssmInstanceHtmlRecord = new gcp.dns.RecordSet("ssm_instance_html_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].html}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* const ssmInstanceApiRecord = new gcp.dns.RecordSet("ssm_instance_api_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].api}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* const ssmInstanceGitRecord = new gcp.dns.RecordSet("ssm_instance_git_record", {
* name: _default.hostConfigs.apply(hostConfigs => `${hostConfigs[0].gitHttp}.`),
* type: "A",
* ttl: 300,
* managedZone: privateZone.name,
* rrdatas: [fwRuleServiceAttachment.ipAddress],
* });
* ```
* ```python
* import pulumi
* import pulumi_gcp as gcp
* import pulumi_time as time
* project = gcp.organizations.get_project()
* ca_pool = gcp.certificateauthority.CaPool("ca_pool",
* name="ca-pool",
* location="us-central1",
* tier="ENTERPRISE",
* publishing_options={
* "publish_ca_cert": True,
* "publish_crl": True,
* })
* root_ca = gcp.certificateauthority.Authority("root_ca",
* pool=ca_pool.name,
* certificate_authority_id="root-ca",
* location="us-central1",
* config={
* "subject_config": {
* "subject": {
* "organization": "google",
* "common_name": "my-certificate-authority",
* },
* },
* "x509_config": {
* "ca_options": {
* "is_ca": True,
* },
* "key_usage": {
* "base_key_usage": {
* "cert_sign": True,
* "crl_sign": True,
* },
* "extended_key_usage": {
* "server_auth": True,
* },
* },
* },
* },
* key_spec={
* "algorithm": "RSA_PKCS1_4096_SHA256",
* },
* deletion_protection=False,
* ignore_active_certificates_on_deletion=True,
* skip_grace_period=True)
* ca_pool_binding = gcp.certificateauthority.CaPoolIamBinding("ca_pool_binding",
* ca_pool=ca_pool.id,
* role="roles/privateca.certificateRequester",
* members=[f"serviceAccount:service-{project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"])
* # ca pool IAM permissions can take time to propagate
* wait120_seconds = time.index.Sleep("wait_120_seconds", create_duration=120s,
* opts = pulumi.ResourceOptions(depends_on=[ca_pool_binding]))
* # See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* default = gcp.securesourcemanager.Instance("default",
* instance_id="my-instance",
* location="us-central1",
* private_config={
* "is_private": True,
* "ca_pool": ca_pool.id,
* },
* opts = pulumi.ResourceOptions(depends_on=[
* root_ca,
* wait120_seconds,
* ]))
* # Connect SSM private instance with endpoint.
* network = gcp.compute.Network("network",
* name="my-network",
* auto_create_subnetworks=False)
* subnet = gcp.compute.Subnetwork("subnet",
* name="my-subnet",
* region="us-central1",
* network=network.id,
* ip_cidr_range="10.0.60.0/24",
* private_ip_google_access=True)
* address = gcp.compute.Address("address",
* name="my-address",
* region="us-central1",
* address="10.0.60.100",
* address_type="INTERNAL",
* subnetwork=subnet.id)
* fw_rule_service_attachment = gcp.compute.ForwardingRule("fw_rule_service_attachment",
* name="fw-rule-service-attachment",
* region="us-central1",
* load_balancing_scheme="",
* ip_address=address.id,
* network=network.id,
* target=default.private_config.http_service_attachment)
* private_zone = gcp.dns.ManagedZone("private_zone",
* name="my-dns-zone",
* dns_name="p.sourcemanager.dev.",
* visibility="private",
* private_visibility_config={
* "networks": [{
* "network_url": network.id,
* }],
* })
* ssm_instance_html_record = gcp.dns.RecordSet("ssm_instance_html_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].html}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_service_attachment.ip_address])
* ssm_instance_api_record = gcp.dns.RecordSet("ssm_instance_api_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].api}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_service_attachment.ip_address])
* ssm_instance_git_record = gcp.dns.RecordSet("ssm_instance_git_record",
* name=default.host_configs.apply(lambda host_configs: f"{host_configs[0].git_http}."),
* type="A",
* ttl=300,
* managed_zone=private_zone.name,
* rrdatas=[fw_rule_service_attachment.ip_address])
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Gcp = Pulumi.Gcp;
* using Time = Pulumi.Time;
* return await Deployment.RunAsync(() =>
* {
* var project = Gcp.Organizations.GetProject.Invoke();
* var caPool = new Gcp.CertificateAuthority.CaPool("ca_pool", new()
* {
* Name = "ca-pool",
* Location = "us-central1",
* Tier = "ENTERPRISE",
* PublishingOptions = new Gcp.CertificateAuthority.Inputs.CaPoolPublishingOptionsArgs
* {
* PublishCaCert = true,
* PublishCrl = true,
* },
* });
* var rootCa = new Gcp.CertificateAuthority.Authority("root_ca", new()
* {
* Pool = caPool.Name,
* CertificateAuthorityId = "root-ca",
* Location = "us-central1",
* Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigArgs
* {
* SubjectConfig = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigArgs
* {
* Subject = new Gcp.CertificateAuthority.Inputs.AuthorityConfigSubjectConfigSubjectArgs
* {
* Organization = "google",
* CommonName = "my-certificate-authority",
* },
* },
* X509Config = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigArgs
* {
* CaOptions = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigCaOptionsArgs
* {
* IsCa = true,
* },
* KeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageArgs
* {
* BaseKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs
* {
* CertSign = true,
* CrlSign = true,
* },
* ExtendedKeyUsage = new Gcp.CertificateAuthority.Inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs
* {
* ServerAuth = true,
* },
* },
* },
* },
* KeySpec = new Gcp.CertificateAuthority.Inputs.AuthorityKeySpecArgs
* {
* Algorithm = "RSA_PKCS1_4096_SHA256",
* },
* DeletionProtection = false,
* IgnoreActiveCertificatesOnDeletion = true,
* SkipGracePeriod = true,
* });
* var caPoolBinding = new Gcp.CertificateAuthority.CaPoolIamBinding("ca_pool_binding", new()
* {
* CaPool = caPool.Id,
* Role = "roles/privateca.certificateRequester",
* Members = new[]
* {
* $"serviceAccount:service-{project.Apply(getProjectResult => getProjectResult.Number)}@gcp-sa-sourcemanager.iam.gserviceaccount.com",
* },
* });
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Time.Index.Sleep("wait_120_seconds", new()
* {
* CreateDuration = "120s",
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* caPoolBinding,
* },
* });
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* var @default = new Gcp.SecureSourceManager.Instance("default", new()
* {
* InstanceId = "my-instance",
* Location = "us-central1",
* PrivateConfig = new Gcp.SecureSourceManager.Inputs.InstancePrivateConfigArgs
* {
* IsPrivate = true,
* CaPool = caPool.Id,
* },
* }, new CustomResourceOptions
* {
* DependsOn =
* {
* rootCa,
* wait120Seconds,
* },
* });
* // Connect SSM private instance with endpoint.
* var network = new Gcp.Compute.Network("network", new()
* {
* Name = "my-network",
* AutoCreateSubnetworks = false,
* });
* var subnet = new Gcp.Compute.Subnetwork("subnet", new()
* {
* Name = "my-subnet",
* Region = "us-central1",
* Network = network.Id,
* IpCidrRange = "10.0.60.0/24",
* PrivateIpGoogleAccess = true,
* });
* var address = new Gcp.Compute.Address("address", new()
* {
* Name = "my-address",
* Region = "us-central1",
* IPAddress = "10.0.60.100",
* AddressType = "INTERNAL",
* Subnetwork = subnet.Id,
* });
* var fwRuleServiceAttachment = new Gcp.Compute.ForwardingRule("fw_rule_service_attachment", new()
* {
* Name = "fw-rule-service-attachment",
* Region = "us-central1",
* LoadBalancingScheme = "",
* IpAddress = address.Id,
* Network = network.Id,
* Target = @default.PrivateConfig.Apply(privateConfig => privateConfig?.HttpServiceAttachment),
* });
* var privateZone = new Gcp.Dns.ManagedZone("private_zone", new()
* {
* Name = "my-dns-zone",
* DnsName = "p.sourcemanager.dev.",
* Visibility = "private",
* PrivateVisibilityConfig = new Gcp.Dns.Inputs.ManagedZonePrivateVisibilityConfigArgs
* {
* Networks = new[]
* {
* new Gcp.Dns.Inputs.ManagedZonePrivateVisibilityConfigNetworkArgs
* {
* NetworkUrl = network.Id,
* },
* },
* },
* });
* var ssmInstanceHtmlRecord = new Gcp.Dns.RecordSet("ssm_instance_html_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].Html}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleServiceAttachment.IpAddress,
* },
* });
* var ssmInstanceApiRecord = new Gcp.Dns.RecordSet("ssm_instance_api_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].Api}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleServiceAttachment.IpAddress,
* },
* });
* var ssmInstanceGitRecord = new Gcp.Dns.RecordSet("ssm_instance_git_record", new()
* {
* Name = @default.HostConfigs.Apply(hostConfigs => $"{hostConfigs[0].GitHttp}."),
* Type = "A",
* Ttl = 300,
* ManagedZone = privateZone.Name,
* Rrdatas = new[]
* {
* fwRuleServiceAttachment.IpAddress,
* },
* });
* });
* ```
* ```go
* package main
* import (
* "fmt"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/certificateauthority"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/dns"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
* "github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/securesourcemanager"
* "github.com/pulumi/pulumi-time/sdk/go/time"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* project, err := organizations.LookupProject(ctx, nil, nil)
* if err != nil {
* return err
* }
* caPool, err := certificateauthority.NewCaPool(ctx, "ca_pool", &certificateauthority.CaPoolArgs{
* Name: pulumi.String("ca-pool"),
* Location: pulumi.String("us-central1"),
* Tier: pulumi.String("ENTERPRISE"),
* PublishingOptions: &certificateauthority.CaPoolPublishingOptionsArgs{
* PublishCaCert: pulumi.Bool(true),
* PublishCrl: pulumi.Bool(true),
* },
* })
* if err != nil {
* return err
* }
* rootCa, err := certificateauthority.NewAuthority(ctx, "root_ca", &certificateauthority.AuthorityArgs{
* Pool: caPool.Name,
* CertificateAuthorityId: pulumi.String("root-ca"),
* Location: pulumi.String("us-central1"),
* Config: &certificateauthority.AuthorityConfigArgs{
* SubjectConfig: &certificateauthority.AuthorityConfigSubjectConfigArgs{
* Subject: &certificateauthority.AuthorityConfigSubjectConfigSubjectArgs{
* Organization: pulumi.String("google"),
* CommonName: pulumi.String("my-certificate-authority"),
* },
* },
* X509Config: &certificateauthority.AuthorityConfigX509ConfigArgs{
* CaOptions: &certificateauthority.AuthorityConfigX509ConfigCaOptionsArgs{
* IsCa: pulumi.Bool(true),
* },
* KeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageArgs{
* BaseKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs{
* CertSign: pulumi.Bool(true),
* CrlSign: pulumi.Bool(true),
* },
* ExtendedKeyUsage: &certificateauthority.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs{
* ServerAuth: pulumi.Bool(true),
* },
* },
* },
* },
* KeySpec: &certificateauthority.AuthorityKeySpecArgs{
* Algorithm: pulumi.String("RSA_PKCS1_4096_SHA256"),
* },
* DeletionProtection: pulumi.Bool(false),
* IgnoreActiveCertificatesOnDeletion: pulumi.Bool(true),
* SkipGracePeriod: pulumi.Bool(true),
* })
* if err != nil {
* return err
* }
* caPoolBinding, err := certificateauthority.NewCaPoolIamBinding(ctx, "ca_pool_binding", &certificateauthority.CaPoolIamBindingArgs{
* CaPool: caPool.ID(),
* Role: pulumi.String("roles/privateca.certificateRequester"),
* Members: pulumi.StringArray{
* pulumi.Sprintf("serviceAccount:service-%[email protected]", project.Number),
* },
* })
* if err != nil {
* return err
* }
* // ca pool IAM permissions can take time to propagate
* wait120Seconds, err := time.NewSleep(ctx, "wait_120_seconds", &time.SleepArgs{
* CreateDuration: "120s",
* }, pulumi.DependsOn([]pulumi.Resource{
* caPoolBinding,
* }))
* if err != nil {
* return err
* }
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* _, err = securesourcemanager.NewInstance(ctx, "default", &securesourcemanager.InstanceArgs{
* InstanceId: pulumi.String("my-instance"),
* Location: pulumi.String("us-central1"),
* PrivateConfig: &securesourcemanager.InstancePrivateConfigArgs{
* IsPrivate: pulumi.Bool(true),
* CaPool: caPool.ID(),
* },
* }, pulumi.DependsOn([]pulumi.Resource{
* rootCa,
* wait120Seconds,
* }))
* if err != nil {
* return err
* }
* // Connect SSM private instance with endpoint.
* network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
* Name: pulumi.String("my-network"),
* AutoCreateSubnetworks: pulumi.Bool(false),
* })
* if err != nil {
* return err
* }
* subnet, err := compute.NewSubnetwork(ctx, "subnet", &compute.SubnetworkArgs{
* Name: pulumi.String("my-subnet"),
* Region: pulumi.String("us-central1"),
* Network: network.ID(),
* IpCidrRange: pulumi.String("10.0.60.0/24"),
* PrivateIpGoogleAccess: pulumi.Bool(true),
* })
* if err != nil {
* return err
* }
* address, err := compute.NewAddress(ctx, "address", &compute.AddressArgs{
* Name: pulumi.String("my-address"),
* Region: pulumi.String("us-central1"),
* Address: pulumi.String("10.0.60.100"),
* AddressType: pulumi.String("INTERNAL"),
* Subnetwork: subnet.ID(),
* })
* if err != nil {
* return err
* }
* fwRuleServiceAttachment, err := compute.NewForwardingRule(ctx, "fw_rule_service_attachment", &compute.ForwardingRuleArgs{
* Name: pulumi.String("fw-rule-service-attachment"),
* Region: pulumi.String("us-central1"),
* LoadBalancingScheme: pulumi.String(""),
* IpAddress: address.ID(),
* Network: network.ID(),
* Target: pulumi.String(_default.PrivateConfig.ApplyT(func(privateConfig securesourcemanager.InstancePrivateConfig) (*string, error) {
* return &privateConfig.HttpServiceAttachment, nil
* }).(pulumi.StringPtrOutput)),
* })
* if err != nil {
* return err
* }
* privateZone, err := dns.NewManagedZone(ctx, "private_zone", &dns.ManagedZoneArgs{
* Name: pulumi.String("my-dns-zone"),
* DnsName: pulumi.String("p.sourcemanager.dev."),
* Visibility: pulumi.String("private"),
* PrivateVisibilityConfig: &dns.ManagedZonePrivateVisibilityConfigArgs{
* Networks: dns.ManagedZonePrivateVisibilityConfigNetworkArray{
* &dns.ManagedZonePrivateVisibilityConfigNetworkArgs{
* NetworkUrl: network.ID(),
* },
* },
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_html_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].Html), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleServiceAttachment.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_api_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].Api), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleServiceAttachment.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* _, err = dns.NewRecordSet(ctx, "ssm_instance_git_record", &dns.RecordSetArgs{
* Name: _default.HostConfigs.ApplyT(func(hostConfigs []securesourcemanager.InstanceHostConfig) (string, error) {
* return fmt.Sprintf("%v.", hostConfigs[0].GitHttp), nil
* }).(pulumi.StringOutput),
* Type: pulumi.String("A"),
* Ttl: pulumi.Int(300),
* ManagedZone: privateZone.Name,
* Rrdatas: pulumi.StringArray{
* fwRuleServiceAttachment.IpAddress,
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.gcp.organizations.OrganizationsFunctions;
* import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
* import com.pulumi.gcp.certificateauthority.CaPool;
* import com.pulumi.gcp.certificateauthority.CaPoolArgs;
* import com.pulumi.gcp.certificateauthority.inputs.CaPoolPublishingOptionsArgs;
* import com.pulumi.gcp.certificateauthority.Authority;
* import com.pulumi.gcp.certificateauthority.AuthorityArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigSubjectConfigSubjectArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigCaOptionsArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs;
* import com.pulumi.gcp.certificateauthority.inputs.AuthorityKeySpecArgs;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBinding;
* import com.pulumi.gcp.certificateauthority.CaPoolIamBindingArgs;
* import com.pulumi.time.sleep;
* import com.pulumi.time.SleepArgs;
* import com.pulumi.gcp.securesourcemanager.Instance;
* import com.pulumi.gcp.securesourcemanager.InstanceArgs;
* import com.pulumi.gcp.securesourcemanager.inputs.InstancePrivateConfigArgs;
* import com.pulumi.gcp.compute.Network;
* import com.pulumi.gcp.compute.NetworkArgs;
* import com.pulumi.gcp.compute.Subnetwork;
* import com.pulumi.gcp.compute.SubnetworkArgs;
* import com.pulumi.gcp.compute.Address;
* import com.pulumi.gcp.compute.AddressArgs;
* import com.pulumi.gcp.compute.ForwardingRule;
* import com.pulumi.gcp.compute.ForwardingRuleArgs;
* import com.pulumi.gcp.dns.ManagedZone;
* import com.pulumi.gcp.dns.ManagedZoneArgs;
* import com.pulumi.gcp.dns.inputs.ManagedZonePrivateVisibilityConfigArgs;
* import com.pulumi.gcp.dns.RecordSet;
* import com.pulumi.gcp.dns.RecordSetArgs;
* import com.pulumi.resources.CustomResourceOptions;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* final var project = OrganizationsFunctions.getProject();
* var caPool = new CaPool("caPool", CaPoolArgs.builder()
* .name("ca-pool")
* .location("us-central1")
* .tier("ENTERPRISE")
* .publishingOptions(CaPoolPublishingOptionsArgs.builder()
* .publishCaCert(true)
* .publishCrl(true)
* .build())
* .build());
* var rootCa = new Authority("rootCa", AuthorityArgs.builder()
* .pool(caPool.name())
* .certificateAuthorityId("root-ca")
* .location("us-central1")
* .config(AuthorityConfigArgs.builder()
* .subjectConfig(AuthorityConfigSubjectConfigArgs.builder()
* .subject(AuthorityConfigSubjectConfigSubjectArgs.builder()
* .organization("google")
* .commonName("my-certificate-authority")
* .build())
* .build())
* .x509Config(AuthorityConfigX509ConfigArgs.builder()
* .caOptions(AuthorityConfigX509ConfigCaOptionsArgs.builder()
* .isCa(true)
* .build())
* .keyUsage(AuthorityConfigX509ConfigKeyUsageArgs.builder()
* .baseKeyUsage(AuthorityConfigX509ConfigKeyUsageBaseKeyUsageArgs.builder()
* .certSign(true)
* .crlSign(true)
* .build())
* .extendedKeyUsage(AuthorityConfigX509ConfigKeyUsageExtendedKeyUsageArgs.builder()
* .serverAuth(true)
* .build())
* .build())
* .build())
* .build())
* .keySpec(AuthorityKeySpecArgs.builder()
* .algorithm("RSA_PKCS1_4096_SHA256")
* .build())
* .deletionProtection(false)
* .ignoreActiveCertificatesOnDeletion(true)
* .skipGracePeriod(true)
* .build());
* var caPoolBinding = new CaPoolIamBinding("caPoolBinding", CaPoolIamBindingArgs.builder()
* .caPool(caPool.id())
* .role("roles/privateca.certificateRequester")
* .members(String.format("serviceAccount:service-%[email protected]", project.applyValue(getProjectResult -> getProjectResult.number())))
* .build());
* // ca pool IAM permissions can take time to propagate
* var wait120Seconds = new Sleep("wait120Seconds", SleepArgs.builder()
* .createDuration("120s")
* .build(), CustomResourceOptions.builder()
* .dependsOn(caPoolBinding)
* .build());
* // See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* var default_ = new Instance("default", InstanceArgs.builder()
* .instanceId("my-instance")
* .location("us-central1")
* .privateConfig(InstancePrivateConfigArgs.builder()
* .isPrivate(true)
* .caPool(caPool.id())
* .build())
* .build(), CustomResourceOptions.builder()
* .dependsOn(
* rootCa,
* wait120Seconds)
* .build());
* // Connect SSM private instance with endpoint.
* var network = new Network("network", NetworkArgs.builder()
* .name("my-network")
* .autoCreateSubnetworks(false)
* .build());
* var subnet = new Subnetwork("subnet", SubnetworkArgs.builder()
* .name("my-subnet")
* .region("us-central1")
* .network(network.id())
* .ipCidrRange("10.0.60.0/24")
* .privateIpGoogleAccess(true)
* .build());
* var address = new Address("address", AddressArgs.builder()
* .name("my-address")
* .region("us-central1")
* .address("10.0.60.100")
* .addressType("INTERNAL")
* .subnetwork(subnet.id())
* .build());
* var fwRuleServiceAttachment = new ForwardingRule("fwRuleServiceAttachment", ForwardingRuleArgs.builder()
* .name("fw-rule-service-attachment")
* .region("us-central1")
* .loadBalancingScheme("")
* .ipAddress(address.id())
* .network(network.id())
* .target(default_.privateConfig().applyValue(privateConfig -> privateConfig.httpServiceAttachment()))
* .build());
* var privateZone = new ManagedZone("privateZone", ManagedZoneArgs.builder()
* .name("my-dns-zone")
* .dnsName("p.sourcemanager.dev.")
* .visibility("private")
* .privateVisibilityConfig(ManagedZonePrivateVisibilityConfigArgs.builder()
* .networks(ManagedZonePrivateVisibilityConfigNetworkArgs.builder()
* .networkUrl(network.id())
* .build())
* .build())
* .build());
* var ssmInstanceHtmlRecord = new RecordSet("ssmInstanceHtmlRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].html())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleServiceAttachment.ipAddress())
* .build());
* var ssmInstanceApiRecord = new RecordSet("ssmInstanceApiRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].api())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleServiceAttachment.ipAddress())
* .build());
* var ssmInstanceGitRecord = new RecordSet("ssmInstanceGitRecord", RecordSetArgs.builder()
* .name(default_.hostConfigs().applyValue(hostConfigs -> String.format("%s.", hostConfigs[0].gitHttp())))
* .type("A")
* .ttl(300)
* .managedZone(privateZone.name())
* .rrdatas(fwRuleServiceAttachment.ipAddress())
* .build());
* }
* }
* ```
* ```yaml
* resources:
* caPool:
* type: gcp:certificateauthority:CaPool
* name: ca_pool
* properties:
* name: ca-pool
* location: us-central1
* tier: ENTERPRISE
* publishingOptions:
* publishCaCert: true
* publishCrl: true
* rootCa:
* type: gcp:certificateauthority:Authority
* name: root_ca
* properties:
* pool: ${caPool.name}
* certificateAuthorityId: root-ca
* location: us-central1
* config:
* subjectConfig:
* subject:
* organization: google
* commonName: my-certificate-authority
* x509Config:
* caOptions:
* isCa: true
* keyUsage:
* baseKeyUsage:
* certSign: true
* crlSign: true
* extendedKeyUsage:
* serverAuth: true
* keySpec:
* algorithm: RSA_PKCS1_4096_SHA256
* deletionProtection: false
* ignoreActiveCertificatesOnDeletion: true
* skipGracePeriod: true
* caPoolBinding:
* type: gcp:certificateauthority:CaPoolIamBinding
* name: ca_pool_binding
* properties:
* caPool: ${caPool.id}
* role: roles/privateca.certificateRequester
* members:
* - serviceAccount:service-${project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com
* # See https://cloud.google.com/secure-source-manager/docs/create-private-service-connect-instance#root-ca-api
* default:
* type: gcp:securesourcemanager:Instance
* properties:
* instanceId: my-instance
* location: us-central1
* privateConfig:
* isPrivate: true
* caPool: ${caPool.id}
* options:
* dependson:
* - ${rootCa}
* - ${wait120Seconds}
* # ca pool IAM permissions can take time to propagate
* wait120Seconds:
* type: time:sleep
* name: wait_120_seconds
* properties:
* createDuration: 120s
* options:
* dependson:
* - ${caPoolBinding}
* # Connect SSM private instance with endpoint.
* network:
* type: gcp:compute:Network
* properties:
* name: my-network
* autoCreateSubnetworks: false
* subnet:
* type: gcp:compute:Subnetwork
* properties:
* name: my-subnet
* region: us-central1
* network: ${network.id}
* ipCidrRange: 10.0.60.0/24
* privateIpGoogleAccess: true
* address:
* type: gcp:compute:Address
* properties:
* name: my-address
* region: us-central1
* address: 10.0.60.100
* addressType: INTERNAL
* subnetwork: ${subnet.id}
* fwRuleServiceAttachment:
* type: gcp:compute:ForwardingRule
* name: fw_rule_service_attachment
* properties:
* name: fw-rule-service-attachment
* region: us-central1
* loadBalancingScheme:
* ipAddress: ${address.id}
* network: ${network.id}
* target: ${default.privateConfig.httpServiceAttachment}
* privateZone:
* type: gcp:dns:ManagedZone
* name: private_zone
* properties:
* name: my-dns-zone
* dnsName: p.sourcemanager.dev.
* visibility: private
* privateVisibilityConfig:
* networks:
* - networkUrl: ${network.id}
* ssmInstanceHtmlRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_html_record
* properties:
* name: ${default.hostConfigs[0].html}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleServiceAttachment.ipAddress}
* ssmInstanceApiRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_api_record
* properties:
* name: ${default.hostConfigs[0].api}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleServiceAttachment.ipAddress}
* ssmInstanceGitRecord:
* type: gcp:dns:RecordSet
* name: ssm_instance_git_record
* properties:
* name: ${default.hostConfigs[0].gitHttp}.
* type: A
* ttl: 300
* managedZone: ${privateZone.name}
* rrdatas:
* - ${fwRuleServiceAttachment.ipAddress}
* variables:
* project:
* fn::invoke:
* Function: gcp:organizations:getProject
* Arguments: {}
* ```
*
* ## Import
* Instance can be imported using any of these accepted formats:
* * `projects/{{project}}/locations/{{location}}/instances/{{instance_id}}`
* * `{{project}}/{{location}}/{{instance_id}}`
* * `{{location}}/{{instance_id}}`
* * `{{instance_id}}`
* When using the `pulumi import` command, Instance can be imported using one of the formats above. For example:
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default projects/{{project}}/locations/{{location}}/instances/{{instance_id}}
* ```
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{project}}/{{location}}/{{instance_id}}
* ```
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{location}}/{{instance_id}}
* ```
* ```sh
* $ pulumi import gcp:securesourcemanager/instance:Instance default {{instance_id}}
* ```
* @property instanceId The name for the Instance.
* - - -
* @property kmsKey Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
* @property labels Labels as key value pairs.
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effective_labels` for all of the labels present on the resource.
* @property location The location for the Instance.
* @property privateConfig Private settings for private instance.
* Structure is documented below.
* @property project The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
* */*/*/*/
*/
public data class InstanceArgs(
public val instanceId: Output? = null,
public val kmsKey: Output? = null,
public val labels: Output>? = null,
public val location: Output? = null,
public val privateConfig: Output? = null,
public val project: Output? = null,
) : ConvertibleToJava {
override fun toJava(): com.pulumi.gcp.securesourcemanager.InstanceArgs =
com.pulumi.gcp.securesourcemanager.InstanceArgs.builder()
.instanceId(instanceId?.applyValue({ args0 -> args0 }))
.kmsKey(kmsKey?.applyValue({ args0 -> args0 }))
.labels(labels?.applyValue({ args0 -> args0.map({ args0 -> args0.key.to(args0.value) }).toMap() }))
.location(location?.applyValue({ args0 -> args0 }))
.privateConfig(privateConfig?.applyValue({ args0 -> args0.let({ args0 -> args0.toJava() }) }))
.project(project?.applyValue({ args0 -> args0 })).build()
}
/**
* Builder for [InstanceArgs].
*/
@PulumiTagMarker
public class InstanceArgsBuilder internal constructor() {
private var instanceId: Output? = null
private var kmsKey: Output? = null
private var labels: Output>? = null
private var location: Output? = null
private var privateConfig: Output? = null
private var project: Output? = null
/**
* @param value The name for the Instance.
* - - -
*/
@JvmName("logrdoffnatanakh")
public suspend fun instanceId(`value`: Output) {
this.instanceId = value
}
/**
* @param value Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
* */*/*/*/
*/
@JvmName("qwvkrvafatueukyj")
public suspend fun kmsKey(`value`: Output) {
this.kmsKey = value
}
/**
* @param value Labels as key value pairs.
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effective_labels` for all of the labels present on the resource.
*/
@JvmName("xwnovfhctdigwnbo")
public suspend fun labels(`value`: Output>) {
this.labels = value
}
/**
* @param value The location for the Instance.
*/
@JvmName("disrntrqegnnfjyh")
public suspend fun location(`value`: Output) {
this.location = value
}
/**
* @param value Private settings for private instance.
* Structure is documented below.
*/
@JvmName("mkifsnqbnxsnvhqo")
public suspend fun privateConfig(`value`: Output) {
this.privateConfig = value
}
/**
* @param value The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
*/
@JvmName("whrggwpaayrimcvr")
public suspend fun project(`value`: Output) {
this.project = value
}
/**
* @param value The name for the Instance.
* - - -
*/
@JvmName("bhjwlogcbnbvgnau")
public suspend fun instanceId(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.instanceId = mapped
}
/**
* @param value Customer-managed encryption key name, in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
* */*/*/*/
*/
@JvmName("snakeywoeahybgol")
public suspend fun kmsKey(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.kmsKey = mapped
}
/**
* @param value Labels as key value pairs.
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effective_labels` for all of the labels present on the resource.
*/
@JvmName("ryifjijfgfrgropj")
public suspend fun labels(`value`: Map?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.labels = mapped
}
/**
* @param values Labels as key value pairs.
* **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
* Please refer to the field `effective_labels` for all of the labels present on the resource.
*/
@JvmName("llyusxlovfylpdvr")
public fun labels(vararg values: Pair) {
val toBeMapped = values.toMap()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.labels = mapped
}
/**
* @param value The location for the Instance.
*/
@JvmName("vyakppntfugvutve")
public suspend fun location(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.location = mapped
}
/**
* @param value Private settings for private instance.
* Structure is documented below.
*/
@JvmName("llwgtcghflmjpnqj")
public suspend fun privateConfig(`value`: InstancePrivateConfigArgs?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.privateConfig = mapped
}
/**
* @param argument Private settings for private instance.
* Structure is documented below.
*/
@JvmName("fsdiyqqsmrgdulcd")
public suspend fun privateConfig(argument: suspend InstancePrivateConfigArgsBuilder.() -> Unit) {
val toBeMapped = InstancePrivateConfigArgsBuilder().applySuspend { argument() }.build()
val mapped = of(toBeMapped)
this.privateConfig = mapped
}
/**
* @param value The ID of the project in which the resource belongs.
* If it is not provided, the provider project is used.
*/
@JvmName("gbfqlivhrgxxtdft")
public suspend fun project(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.project = mapped
}
internal fun build(): InstanceArgs = InstanceArgs(
instanceId = instanceId,
kmsKey = kmsKey,
labels = labels,
location = location,
privateConfig = privateConfig,
project = project,
)
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy