How to Import an Google Private CA Certificate Authority into Terraform
terraback gcp import --method bulk. Terraback writes the matching google_privateca_certificate_authority resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the full path projects/{project}/locations/{location}/caPools/{pool}/certificateAuthorities/{certificate_authority_id} (the short forms {project}/{location}/{pool}/{certificate_authority_id} and {location}/{pool}/{certificate_authority_id} are also accepted).Import Google Private CA Certificate Authority with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the Google Certificate Authority Service resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Google Private CA Certificate Authority to managed Terraform.
Scan your Google Cloud account
terraback scan all gcp --project my-gcp-projectGenerate import blocks and import into state
terraback gcp import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = google_privateca_certificate_authority.root
id = "projects/my-project/locations/us-central1/caPools/prod-pool/certificateAuthorities/root-ca"
}Example google_privateca_certificate_authority configuration
Here is a realistic Google Private CA Certificate Authority block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "google_privateca_certificate_authority" "root" {
certificate_authority_id = "root-ca"
location = "us-central1"
pool = "prod-pool"
config {
subject_config {
subject {
organization = "Example Inc"
common_name = "example-root"
}
}
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = true
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
lifetime = "315360000s"
deletion_protection = true
}Gotchas when importing a Google Private CA Certificate Authority
- The CA lives inside a google_privateca_ca_pool; the pool must already exist (or be imported) because it is part of the CA identity in the import path.
- deletion_protection defaults to true; set it to false and apply before Terraform can delete the CA, and note CAs must be disabled before deletion.
- config, key_spec, and the subject are immutable; changing them forces a destroy and recreate, so transcribe the existing values exactly.
- A newly imported CA may be in STAGED or DISABLED state; desired_state controls enablement and Enterprise-tier CAs are billed while they exist.
Doing it manually with terraform import
The native approach is to write the google_privateca_certificate_authority block by hand, then run terraform import google_privateca_certificate_authority.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other Google Cloud resources
Import your whole Google Cloud account in minutes
Terraback scans 80+ Google Cloud resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.