zz_certificateauthority_types.go

// SPDX-FileCopyrightText: 2024 The Crossplane Authors <https://crossplane.io>
//
// SPDX-License-Identifier: Apache-2.0

// Code generated by upjet. DO NOT EDIT.

package v1beta1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"

	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
)

type AccessUrlsInitParameters struct {
}

type AccessUrlsObservation struct {

	// (Output)
	// The URL where this CertificateAuthority's CA certificate is published. This will only be
	// set for CAs that have been activated.
	CACertificateAccessURL *string `json:"caCertificateAccessUrl,omitempty" tf:"ca_certificate_access_url,omitempty"`

	// (Output)
	// The URL where this CertificateAuthority's CRLs are published. This will only be set for
	// CAs that have been activated.
	CrlAccessUrls []*string `json:"crlAccessUrls,omitempty" tf:"crl_access_urls,omitempty"`
}

type AccessUrlsParameters struct {
}

type CertificateAuthorityConfigInitParameters struct {

	// Specifies some of the values in a certificate that are related to the subject.
	// Structure is documented below.
	SubjectConfig []ConfigSubjectConfigInitParameters `json:"subjectConfig,omitempty" tf:"subject_config,omitempty"`

	// Describes how some of the technical X.509 fields in a certificate should be populated.
	// Structure is documented below.
	X509Config []ConfigX509ConfigInitParameters `json:"x509Config,omitempty" tf:"x509_config,omitempty"`
}

type CertificateAuthorityConfigObservation struct {

	// Specifies some of the values in a certificate that are related to the subject.
	// Structure is documented below.
	SubjectConfig []ConfigSubjectConfigObservation `json:"subjectConfig,omitempty" tf:"subject_config,omitempty"`

	// Describes how some of the technical X.509 fields in a certificate should be populated.
	// Structure is documented below.
	X509Config []ConfigX509ConfigObservation `json:"x509Config,omitempty" tf:"x509_config,omitempty"`
}

type CertificateAuthorityConfigParameters struct {

	// Specifies some of the values in a certificate that are related to the subject.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	SubjectConfig []ConfigSubjectConfigParameters `json:"subjectConfig" tf:"subject_config,omitempty"`

	// Describes how some of the technical X.509 fields in a certificate should be populated.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	X509Config []ConfigX509ConfigParameters `json:"x509Config" tf:"x509_config,omitempty"`
}

type CertificateAuthorityInitParameters struct {

	// The config used to create a self-signed X.509 certificate or CSR.
	// Structure is documented below.
	Config []CertificateAuthorityConfigInitParameters `json:"config,omitempty" tf:"config,omitempty"`

	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`

	// Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.
	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`

	// The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
	// such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
	// (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named
	// my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be
	// created.
	GcsBucket *string `json:"gcsBucket,omitempty" tf:"gcs_bucket,omitempty"`

	// This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
	// Use with care. Defaults to false.
	IgnoreActiveCertificatesOnDeletion *bool `json:"ignoreActiveCertificatesOnDeletion,omitempty" tf:"ignore_active_certificates_on_deletion,omitempty"`

	// Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
	// is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
	// certificate. Otherwise, it is used to sign a CSR.
	// Structure is documented below.
	KeySpec []KeySpecInitParameters `json:"keySpec,omitempty" tf:"key_spec,omitempty"`

	// Labels with user-defined metadata.
	// An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
	// "1.3kg", "count": "3" }.
	// +mapType=granular
	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`

	// The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
	// "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
	// fractional digits, terminated by 's'. Example: "3.5s".
	Lifetime *string `json:"lifetime,omitempty" tf:"lifetime,omitempty"`

	// The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
	PemCACertificate *string `json:"pemCaCertificate,omitempty" tf:"pem_ca_certificate,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`

	// If this flag is set, the Certificate Authority will be deleted as soon as
	// possible without a 30-day grace period where undeletion would have been
	// allowed. If you proceed, there will be no way to recover this CA.
	// Use with care. Defaults to false.
	SkipGracePeriod *bool `json:"skipGracePeriod,omitempty" tf:"skip_grace_period,omitempty"`

	// If this is a subordinate CertificateAuthority, this field will be set
	// with the subordinate configuration, which describes its issuers.
	// Structure is documented below.
	SubordinateConfig []SubordinateConfigInitParameters `json:"subordinateConfig,omitempty" tf:"subordinate_config,omitempty"`

	// The Type of this CertificateAuthority.
	// ~> Note: For SUBORDINATE Certificate Authorities, they need to
	// be activated before they can issue certificates.
	// Default value is SELF_SIGNED.
	// Possible values are: SELF_SIGNED, SUBORDINATE.
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}

type CertificateAuthorityObservation struct {

	// URLs for accessing content published by this CA, such as the CA certificate and CRLs.
	// Structure is documented below.
	AccessUrls []AccessUrlsObservation `json:"accessUrls,omitempty" tf:"access_urls,omitempty"`

	// The config used to create a self-signed X.509 certificate or CSR.
	// Structure is documented below.
	Config []CertificateAuthorityConfigObservation `json:"config,omitempty" tf:"config,omitempty"`

	// The time at which this CertificateAuthority was created.
	// A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
	// fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`

	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`

	// Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.
	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`

	// +mapType=granular
	EffectiveLabels map[string]*string `json:"effectiveLabels,omitempty" tf:"effective_labels,omitempty"`

	// The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
	// such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
	// (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named
	// my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be
	// created.
	GcsBucket *string `json:"gcsBucket,omitempty" tf:"gcs_bucket,omitempty"`

	// an identifier for the resource with format projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
	// Use with care. Defaults to false.
	IgnoreActiveCertificatesOnDeletion *bool `json:"ignoreActiveCertificatesOnDeletion,omitempty" tf:"ignore_active_certificates_on_deletion,omitempty"`

	// Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
	// is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
	// certificate. Otherwise, it is used to sign a CSR.
	// Structure is documented below.
	KeySpec []KeySpecObservation `json:"keySpec,omitempty" tf:"key_spec,omitempty"`

	// Labels with user-defined metadata.
	// An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
	// "1.3kg", "count": "3" }.
	// +mapType=granular
	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`

	// The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
	// "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
	// fractional digits, terminated by 's'. Example: "3.5s".
	Lifetime *string `json:"lifetime,omitempty" tf:"lifetime,omitempty"`

	// Location of the CertificateAuthority. A full list of valid locations can be found by
	// running gcloud privateca locations list.
	Location *string `json:"location,omitempty" tf:"location,omitempty"`

	// The resource name for this CertificateAuthority in the format
	// projects//locations//certificateAuthorities/*.
	Name *string `json:"name,omitempty" tf:"name,omitempty"`

	// The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
	PemCACertificate *string `json:"pemCaCertificate,omitempty" tf:"pem_ca_certificate,omitempty"`

	// This CertificateAuthority's certificate chain, including the current
	// CertificateAuthority's certificate. Ordered such that the root issuer is the final
	// element (consistent with RFC 5246). For a self-signed CA, this will only list the current
	// CertificateAuthority's certificate.
	PemCACertificates []*string `json:"pemCaCertificates,omitempty" tf:"pem_ca_certificates,omitempty"`

	// The name of the CaPool this Certificate Authority belongs to.
	Pool *string `json:"pool,omitempty" tf:"pool,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`

	// If this flag is set, the Certificate Authority will be deleted as soon as
	// possible without a 30-day grace period where undeletion would have been
	// allowed. If you proceed, there will be no way to recover this CA.
	// Use with care. Defaults to false.
	SkipGracePeriod *bool `json:"skipGracePeriod,omitempty" tf:"skip_grace_period,omitempty"`

	// The State for this CertificateAuthority.
	State *string `json:"state,omitempty" tf:"state,omitempty"`

	// If this is a subordinate CertificateAuthority, this field will be set
	// with the subordinate configuration, which describes its issuers.
	// Structure is documented below.
	SubordinateConfig []SubordinateConfigObservation `json:"subordinateConfig,omitempty" tf:"subordinate_config,omitempty"`

	// The combination of labels configured directly on the resource
	// and default labels configured on the provider.
	// +mapType=granular
	TerraformLabels map[string]*string `json:"terraformLabels,omitempty" tf:"terraform_labels,omitempty"`

	// The Type of this CertificateAuthority.
	// ~> Note: For SUBORDINATE Certificate Authorities, they need to
	// be activated before they can issue certificates.
	// Default value is SELF_SIGNED.
	// Possible values are: SELF_SIGNED, SUBORDINATE.
	Type *string `json:"type,omitempty" tf:"type,omitempty"`

	// The time at which this CertificateAuthority was updated.
	// A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
	// fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
	UpdateTime *string `json:"updateTime,omitempty" tf:"update_time,omitempty"`
}

type CertificateAuthorityParameters struct {

	// The config used to create a self-signed X.509 certificate or CSR.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	Config []CertificateAuthorityConfigParameters `json:"config,omitempty" tf:"config,omitempty"`

	// +kubebuilder:validation:Optional
	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`

	// Desired state of the CertificateAuthority. Set this field to STAGED to create a STAGED root CA.
	// +kubebuilder:validation:Optional
	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`

	// The name of a Cloud Storage bucket where this CertificateAuthority will publish content,
	// such as the CA certificate and CRLs. This must be a bucket name, without any prefixes
	// (such as gs://) or suffixes (such as .googleapis.com). For example, to use a bucket named
	// my-bucket, you would simply specify my-bucket. If not specified, a managed bucket will be
	// created.
	// +kubebuilder:validation:Optional
	GcsBucket *string `json:"gcsBucket,omitempty" tf:"gcs_bucket,omitempty"`

	// This field allows the CA to be deleted even if the CA has active certs. Active certs include both unrevoked and unexpired certs.
	// Use with care. Defaults to false.
	// +kubebuilder:validation:Optional
	IgnoreActiveCertificatesOnDeletion *bool `json:"ignoreActiveCertificatesOnDeletion,omitempty" tf:"ignore_active_certificates_on_deletion,omitempty"`

	// Used when issuing certificates for this CertificateAuthority. If this CertificateAuthority
	// is a self-signed CertificateAuthority, this key is also used to sign the self-signed CA
	// certificate. Otherwise, it is used to sign a CSR.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	KeySpec []KeySpecParameters `json:"keySpec,omitempty" tf:"key_spec,omitempty"`

	// Labels with user-defined metadata.
	// An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass":
	// "1.3kg", "count": "3" }.
	// +kubebuilder:validation:Optional
	// +mapType=granular
	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`

	// The desired lifetime of the CA certificate. Used to create the "notBeforeTime" and
	// "notAfterTime" fields inside an X.509 certificate. A duration in seconds with up to nine
	// fractional digits, terminated by 's'. Example: "3.5s".
	// +kubebuilder:validation:Optional
	Lifetime *string `json:"lifetime,omitempty" tf:"lifetime,omitempty"`

	// Location of the CertificateAuthority. A full list of valid locations can be found by
	// running gcloud privateca locations list.
	// +kubebuilder:validation:Required
	Location *string `json:"location" tf:"location,omitempty"`

	// The signed CA certificate issued from the subordinated CA's CSR. This is needed when activating the subordiante CA with a third party issuer.
	// +kubebuilder:validation:Optional
	PemCACertificate *string `json:"pemCaCertificate,omitempty" tf:"pem_ca_certificate,omitempty"`

	// The name of the CaPool this Certificate Authority belongs to.
	// +crossplane:generate:reference:type=CAPool
	// +kubebuilder:validation:Optional
	Pool *string `json:"pool,omitempty" tf:"pool,omitempty"`

	// Reference to a CAPool to populate pool.
	// +kubebuilder:validation:Optional
	PoolRef *v1.Reference `json:"poolRef,omitempty" tf:"-"`

	// Selector for a CAPool to populate pool.
	// +kubebuilder:validation:Optional
	PoolSelector *v1.Selector `json:"poolSelector,omitempty" tf:"-"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	// +kubebuilder:validation:Optional
	Project *string `json:"project,omitempty" tf:"project,omitempty"`

	// If this flag is set, the Certificate Authority will be deleted as soon as
	// possible without a 30-day grace period where undeletion would have been
	// allowed. If you proceed, there will be no way to recover this CA.
	// Use with care. Defaults to false.
	// +kubebuilder:validation:Optional
	SkipGracePeriod *bool `json:"skipGracePeriod,omitempty" tf:"skip_grace_period,omitempty"`

	// If this is a subordinate CertificateAuthority, this field will be set
	// with the subordinate configuration, which describes its issuers.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	SubordinateConfig []SubordinateConfigParameters `json:"subordinateConfig,omitempty" tf:"subordinate_config,omitempty"`

	// The Type of this CertificateAuthority.
	// ~> Note: For SUBORDINATE Certificate Authorities, they need to
	// be activated before they can issue certificates.
	// Default value is SELF_SIGNED.
	// Possible values are: SELF_SIGNED, SUBORDINATE.
	// +kubebuilder:validation:Optional
	Type *string `json:"type,omitempty" tf:"type,omitempty"`
}

type ConfigSubjectConfigInitParameters struct {

	// Contains distinguished name fields such as the location and organization.
	// Structure is documented below.
	Subject []ConfigSubjectConfigSubjectInitParameters `json:"subject,omitempty" tf:"subject,omitempty"`

	// The subject alternative name fields.
	// Structure is documented below.
	SubjectAltName []ConfigSubjectConfigSubjectAltNameInitParameters `json:"subjectAltName,omitempty" tf:"subject_alt_name,omitempty"`
}

type ConfigSubjectConfigObservation struct {

	// Contains distinguished name fields such as the location and organization.
	// Structure is documented below.
	Subject []ConfigSubjectConfigSubjectObservation `json:"subject,omitempty" tf:"subject,omitempty"`

	// The subject alternative name fields.
	// Structure is documented below.
	SubjectAltName []ConfigSubjectConfigSubjectAltNameObservation `json:"subjectAltName,omitempty" tf:"subject_alt_name,omitempty"`
}

type ConfigSubjectConfigParameters struct {

	// Contains distinguished name fields such as the location and organization.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	Subject []ConfigSubjectConfigSubjectParameters `json:"subject" tf:"subject,omitempty"`

	// The subject alternative name fields.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	SubjectAltName []ConfigSubjectConfigSubjectAltNameParameters `json:"subjectAltName,omitempty" tf:"subject_alt_name,omitempty"`
}

type ConfigSubjectConfigSubjectAltNameInitParameters struct {

	// Contains only valid, fully-qualified host names.
	DNSNames []*string `json:"dnsNames,omitempty" tf:"dns_names,omitempty"`

	// Contains only valid RFC 2822 E-mail addresses.
	EmailAddresses []*string `json:"emailAddresses,omitempty" tf:"email_addresses,omitempty"`

	// Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
	IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"`

	// Contains only valid RFC 3986 URIs.
	Uris []*string `json:"uris,omitempty" tf:"uris,omitempty"`
}

type ConfigSubjectConfigSubjectAltNameObservation struct {

	// Contains only valid, fully-qualified host names.
	DNSNames []*string `json:"dnsNames,omitempty" tf:"dns_names,omitempty"`

	// Contains only valid RFC 2822 E-mail addresses.
	EmailAddresses []*string `json:"emailAddresses,omitempty" tf:"email_addresses,omitempty"`

	// Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
	IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"`

	// Contains only valid RFC 3986 URIs.
	Uris []*string `json:"uris,omitempty" tf:"uris,omitempty"`
}

type ConfigSubjectConfigSubjectAltNameParameters struct {

	// Contains only valid, fully-qualified host names.
	// +kubebuilder:validation:Optional
	DNSNames []*string `json:"dnsNames,omitempty" tf:"dns_names,omitempty"`

	// Contains only valid RFC 2822 E-mail addresses.
	// +kubebuilder:validation:Optional
	EmailAddresses []*string `json:"emailAddresses,omitempty" tf:"email_addresses,omitempty"`

	// Contains only valid 32-bit IPv4 addresses or RFC 4291 IPv6 addresses.
	// +kubebuilder:validation:Optional
	IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"`

	// Contains only valid RFC 3986 URIs.
	// +kubebuilder:validation:Optional
	Uris []*string `json:"uris,omitempty" tf:"uris,omitempty"`
}

type ConfigSubjectConfigSubjectInitParameters struct {

	// The common name of the distinguished name.
	CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"`

	// The country code of the subject.
	CountryCode *string `json:"countryCode,omitempty" tf:"country_code,omitempty"`

	// The locality or city of the subject.
	Locality *string `json:"locality,omitempty" tf:"locality,omitempty"`

	// The organization of the subject.
	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`

	// The organizational unit of the subject.
	OrganizationalUnit *string `json:"organizationalUnit,omitempty" tf:"organizational_unit,omitempty"`

	// The postal code of the subject.
	PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"`

	// The province, territory, or regional state of the subject.
	Province *string `json:"province,omitempty" tf:"province,omitempty"`

	// The street address of the subject.
	StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"`
}

type ConfigSubjectConfigSubjectObservation struct {

	// The common name of the distinguished name.
	CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"`

	// The country code of the subject.
	CountryCode *string `json:"countryCode,omitempty" tf:"country_code,omitempty"`

	// The locality or city of the subject.
	Locality *string `json:"locality,omitempty" tf:"locality,omitempty"`

	// The organization of the subject.
	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`

	// The organizational unit of the subject.
	OrganizationalUnit *string `json:"organizationalUnit,omitempty" tf:"organizational_unit,omitempty"`

	// The postal code of the subject.
	PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"`

	// The province, territory, or regional state of the subject.
	Province *string `json:"province,omitempty" tf:"province,omitempty"`

	// The street address of the subject.
	StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"`
}

type ConfigSubjectConfigSubjectParameters struct {

	// The common name of the distinguished name.
	// +kubebuilder:validation:Optional
	CommonName *string `json:"commonName" tf:"common_name,omitempty"`

	// The country code of the subject.
	// +kubebuilder:validation:Optional
	CountryCode *string `json:"countryCode,omitempty" tf:"country_code,omitempty"`

	// The locality or city of the subject.
	// +kubebuilder:validation:Optional
	Locality *string `json:"locality,omitempty" tf:"locality,omitempty"`

	// The organization of the subject.
	// +kubebuilder:validation:Optional
	Organization *string `json:"organization" tf:"organization,omitempty"`

	// The organizational unit of the subject.
	// +kubebuilder:validation:Optional
	OrganizationalUnit *string `json:"organizationalUnit,omitempty" tf:"organizational_unit,omitempty"`

	// The postal code of the subject.
	// +kubebuilder:validation:Optional
	PostalCode *string `json:"postalCode,omitempty" tf:"postal_code,omitempty"`

	// The province, territory, or regional state of the subject.
	// +kubebuilder:validation:Optional
	Province *string `json:"province,omitempty" tf:"province,omitempty"`

	// The street address of the subject.
	// +kubebuilder:validation:Optional
	StreetAddress *string `json:"streetAddress,omitempty" tf:"street_address,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsInitParameters struct {

	// Indicates whether or not the name constraints are marked critical.
	Critical *bool `json:"critical,omitempty" tf:"critical,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	ObjectID []ConfigX509ConfigAdditionalExtensionsObjectIDInitParameters `json:"objectId,omitempty" tf:"object_id,omitempty"`

	// The value of this X.509 extension. A base64-encoded string.
	Value *string `json:"value,omitempty" tf:"value,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsObjectIDInitParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsObjectIDObservation struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsObjectIDParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// +kubebuilder:validation:Optional
	ObjectIDPath []*float64 `json:"objectIdPath" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsObservation struct {

	// Indicates whether or not the name constraints are marked critical.
	Critical *bool `json:"critical,omitempty" tf:"critical,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	ObjectID []ConfigX509ConfigAdditionalExtensionsObjectIDObservation `json:"objectId,omitempty" tf:"object_id,omitempty"`

	// The value of this X.509 extension. A base64-encoded string.
	Value *string `json:"value,omitempty" tf:"value,omitempty"`
}

type ConfigX509ConfigAdditionalExtensionsParameters struct {

	// Indicates whether or not the name constraints are marked critical.
	// +kubebuilder:validation:Optional
	Critical *bool `json:"critical" tf:"critical,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	ObjectID []ConfigX509ConfigAdditionalExtensionsObjectIDParameters `json:"objectId" tf:"object_id,omitempty"`

	// The value of this X.509 extension. A base64-encoded string.
	// +kubebuilder:validation:Optional
	Value *string `json:"value" tf:"value,omitempty"`
}

type ConfigX509ConfigCAOptionsInitParameters struct {

	// When true, the "CA" in Basic Constraints extension will be set to true.
	IsCA *bool `json:"isCa,omitempty" tf:"is_ca,omitempty"`

	// Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
	// subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
	// requires setting zero_max_issuer_path_length = true.
	MaxIssuerPathLength *float64 `json:"maxIssuerPathLength,omitempty" tf:"max_issuer_path_length,omitempty"`

	// When true, the "CA" in Basic Constraints extension will be set to false.
	// If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
	NonCA *bool `json:"nonCa,omitempty" tf:"non_ca,omitempty"`

	// When true, the "path length constraint" in Basic Constraints extension will be set to 0.
	// If both max_issuer_path_length and zero_max_issuer_path_length are unset,
	// the max path length will be omitted from the CA certificate.
	ZeroMaxIssuerPathLength *bool `json:"zeroMaxIssuerPathLength,omitempty" tf:"zero_max_issuer_path_length,omitempty"`
}

type ConfigX509ConfigCAOptionsObservation struct {

	// When true, the "CA" in Basic Constraints extension will be set to true.
	IsCA *bool `json:"isCa,omitempty" tf:"is_ca,omitempty"`

	// Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
	// subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
	// requires setting zero_max_issuer_path_length = true.
	MaxIssuerPathLength *float64 `json:"maxIssuerPathLength,omitempty" tf:"max_issuer_path_length,omitempty"`

	// When true, the "CA" in Basic Constraints extension will be set to false.
	// If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
	NonCA *bool `json:"nonCa,omitempty" tf:"non_ca,omitempty"`

	// When true, the "path length constraint" in Basic Constraints extension will be set to 0.
	// If both max_issuer_path_length and zero_max_issuer_path_length are unset,
	// the max path length will be omitted from the CA certificate.
	ZeroMaxIssuerPathLength *bool `json:"zeroMaxIssuerPathLength,omitempty" tf:"zero_max_issuer_path_length,omitempty"`
}

type ConfigX509ConfigCAOptionsParameters struct {

	// When true, the "CA" in Basic Constraints extension will be set to true.
	// +kubebuilder:validation:Optional
	IsCA *bool `json:"isCa" tf:"is_ca,omitempty"`

	// Refers to the "path length constraint" in Basic Constraints extension. For a CA certificate, this value describes the depth of
	// subordinate CA certificates that are allowed. If this value is less than 0, the request will fail. Setting the value to 0
	// requires setting zero_max_issuer_path_length = true.
	// +kubebuilder:validation:Optional
	MaxIssuerPathLength *float64 `json:"maxIssuerPathLength,omitempty" tf:"max_issuer_path_length,omitempty"`

	// When true, the "CA" in Basic Constraints extension will be set to false.
	// If both is_ca and non_ca are unset, the extension will be omitted from the CA certificate.
	// +kubebuilder:validation:Optional
	NonCA *bool `json:"nonCa,omitempty" tf:"non_ca,omitempty"`

	// When true, the "path length constraint" in Basic Constraints extension will be set to 0.
	// If both max_issuer_path_length and zero_max_issuer_path_length are unset,
	// the max path length will be omitted from the CA certificate.
	// +kubebuilder:validation:Optional
	ZeroMaxIssuerPathLength *bool `json:"zeroMaxIssuerPathLength,omitempty" tf:"zero_max_issuer_path_length,omitempty"`
}

type ConfigX509ConfigInitParameters struct {

	// Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
	// Structure is documented below.
	AdditionalExtensions []ConfigX509ConfigAdditionalExtensionsInitParameters `json:"additionalExtensions,omitempty" tf:"additional_extensions,omitempty"`

	// Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the
	// "Authority Information Access" extension in the certificate.
	AiaOcspServers []*string `json:"aiaOcspServers,omitempty" tf:"aia_ocsp_servers,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	CAOptions []ConfigX509ConfigCAOptionsInitParameters `json:"caOptions,omitempty" tf:"ca_options,omitempty"`

	// Indicates the intended use for keys that correspond to a certificate.
	// Structure is documented below.
	KeyUsage []ConfigX509ConfigKeyUsageInitParameters `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`

	// Describes the X.509 name constraints extension.
	// Structure is documented below.
	NameConstraints []ConfigX509ConfigNameConstraintsInitParameters `json:"nameConstraints,omitempty" tf:"name_constraints,omitempty"`

	// Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
	// Structure is documented below.
	PolicyIds []ConfigX509ConfigPolicyIdsInitParameters `json:"policyIds,omitempty" tf:"policy_ids,omitempty"`
}

type ConfigX509ConfigKeyUsageBaseKeyUsageInitParameters struct {

	// The key may be used to sign certificates.
	CertSign *bool `json:"certSign,omitempty" tf:"cert_sign,omitempty"`

	// The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
	ContentCommitment *bool `json:"contentCommitment,omitempty" tf:"content_commitment,omitempty"`

	// The key may be used sign certificate revocation lists.
	CrlSign *bool `json:"crlSign,omitempty" tf:"crl_sign,omitempty"`

	// The key may be used to encipher data.
	DataEncipherment *bool `json:"dataEncipherment,omitempty" tf:"data_encipherment,omitempty"`

	// The key may be used to decipher only.
	DecipherOnly *bool `json:"decipherOnly,omitempty" tf:"decipher_only,omitempty"`

	// The key may be used for digital signatures.
	DigitalSignature *bool `json:"digitalSignature,omitempty" tf:"digital_signature,omitempty"`

	// The key may be used to encipher only.
	EncipherOnly *bool `json:"encipherOnly,omitempty" tf:"encipher_only,omitempty"`

	// The key may be used in a key agreement protocol.
	KeyAgreement *bool `json:"keyAgreement,omitempty" tf:"key_agreement,omitempty"`

	// The key may be used to encipher other keys.
	KeyEncipherment *bool `json:"keyEncipherment,omitempty" tf:"key_encipherment,omitempty"`
}

type ConfigX509ConfigKeyUsageBaseKeyUsageObservation struct {

	// The key may be used to sign certificates.
	CertSign *bool `json:"certSign,omitempty" tf:"cert_sign,omitempty"`

	// The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
	ContentCommitment *bool `json:"contentCommitment,omitempty" tf:"content_commitment,omitempty"`

	// The key may be used sign certificate revocation lists.
	CrlSign *bool `json:"crlSign,omitempty" tf:"crl_sign,omitempty"`

	// The key may be used to encipher data.
	DataEncipherment *bool `json:"dataEncipherment,omitempty" tf:"data_encipherment,omitempty"`

	// The key may be used to decipher only.
	DecipherOnly *bool `json:"decipherOnly,omitempty" tf:"decipher_only,omitempty"`

	// The key may be used for digital signatures.
	DigitalSignature *bool `json:"digitalSignature,omitempty" tf:"digital_signature,omitempty"`

	// The key may be used to encipher only.
	EncipherOnly *bool `json:"encipherOnly,omitempty" tf:"encipher_only,omitempty"`

	// The key may be used in a key agreement protocol.
	KeyAgreement *bool `json:"keyAgreement,omitempty" tf:"key_agreement,omitempty"`

	// The key may be used to encipher other keys.
	KeyEncipherment *bool `json:"keyEncipherment,omitempty" tf:"key_encipherment,omitempty"`
}

type ConfigX509ConfigKeyUsageBaseKeyUsageParameters struct {

	// The key may be used to sign certificates.
	// +kubebuilder:validation:Optional
	CertSign *bool `json:"certSign,omitempty" tf:"cert_sign,omitempty"`

	// The key may be used for cryptographic commitments. Note that this may also be referred to as "non-repudiation".
	// +kubebuilder:validation:Optional
	ContentCommitment *bool `json:"contentCommitment,omitempty" tf:"content_commitment,omitempty"`

	// The key may be used sign certificate revocation lists.
	// +kubebuilder:validation:Optional
	CrlSign *bool `json:"crlSign,omitempty" tf:"crl_sign,omitempty"`

	// The key may be used to encipher data.
	// +kubebuilder:validation:Optional
	DataEncipherment *bool `json:"dataEncipherment,omitempty" tf:"data_encipherment,omitempty"`

	// The key may be used to decipher only.
	// +kubebuilder:validation:Optional
	DecipherOnly *bool `json:"decipherOnly,omitempty" tf:"decipher_only,omitempty"`

	// The key may be used for digital signatures.
	// +kubebuilder:validation:Optional
	DigitalSignature *bool `json:"digitalSignature,omitempty" tf:"digital_signature,omitempty"`

	// The key may be used to encipher only.
	// +kubebuilder:validation:Optional
	EncipherOnly *bool `json:"encipherOnly,omitempty" tf:"encipher_only,omitempty"`

	// The key may be used in a key agreement protocol.
	// +kubebuilder:validation:Optional
	KeyAgreement *bool `json:"keyAgreement,omitempty" tf:"key_agreement,omitempty"`

	// The key may be used to encipher other keys.
	// +kubebuilder:validation:Optional
	KeyEncipherment *bool `json:"keyEncipherment,omitempty" tf:"key_encipherment,omitempty"`
}

type ConfigX509ConfigKeyUsageExtendedKeyUsageInitParameters struct {

	// Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
	ClientAuth *bool `json:"clientAuth,omitempty" tf:"client_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
	CodeSigning *bool `json:"codeSigning,omitempty" tf:"code_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
	EmailProtection *bool `json:"emailProtection,omitempty" tf:"email_protection,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
	OcspSigning *bool `json:"ocspSigning,omitempty" tf:"ocsp_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
	ServerAuth *bool `json:"serverAuth,omitempty" tf:"server_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
	TimeStamping *bool `json:"timeStamping,omitempty" tf:"time_stamping,omitempty"`
}

type ConfigX509ConfigKeyUsageExtendedKeyUsageObservation struct {

	// Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
	ClientAuth *bool `json:"clientAuth,omitempty" tf:"client_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
	CodeSigning *bool `json:"codeSigning,omitempty" tf:"code_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
	EmailProtection *bool `json:"emailProtection,omitempty" tf:"email_protection,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
	OcspSigning *bool `json:"ocspSigning,omitempty" tf:"ocsp_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
	ServerAuth *bool `json:"serverAuth,omitempty" tf:"server_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
	TimeStamping *bool `json:"timeStamping,omitempty" tf:"time_stamping,omitempty"`
}

type ConfigX509ConfigKeyUsageExtendedKeyUsageParameters struct {

	// Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially described as "TLS WWW client authentication", though regularly used for non-WWW TLS.
	// +kubebuilder:validation:Optional
	ClientAuth *bool `json:"clientAuth,omitempty" tf:"client_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially described as "Signing of downloadable executable code client authentication".
	// +kubebuilder:validation:Optional
	CodeSigning *bool `json:"codeSigning,omitempty" tf:"code_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially described as "Email protection".
	// +kubebuilder:validation:Optional
	EmailProtection *bool `json:"emailProtection,omitempty" tf:"email_protection,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially described as "Signing OCSP responses".
	// +kubebuilder:validation:Optional
	OcspSigning *bool `json:"ocspSigning,omitempty" tf:"ocsp_signing,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially described as "TLS WWW server authentication", though regularly used for non-WWW TLS.
	// +kubebuilder:validation:Optional
	ServerAuth *bool `json:"serverAuth,omitempty" tf:"server_auth,omitempty"`

	// Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially described as "Binding the hash of an object to a time".
	// +kubebuilder:validation:Optional
	TimeStamping *bool `json:"timeStamping,omitempty" tf:"time_stamping,omitempty"`
}

type ConfigX509ConfigKeyUsageInitParameters struct {

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	BaseKeyUsage []ConfigX509ConfigKeyUsageBaseKeyUsageInitParameters `json:"baseKeyUsage,omitempty" tf:"base_key_usage,omitempty"`

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	ExtendedKeyUsage []ConfigX509ConfigKeyUsageExtendedKeyUsageInitParameters `json:"extendedKeyUsage,omitempty" tf:"extended_key_usage,omitempty"`

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// Structure is documented below.
	UnknownExtendedKeyUsages []ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesInitParameters `json:"unknownExtendedKeyUsages,omitempty" tf:"unknown_extended_key_usages,omitempty"`
}

type ConfigX509ConfigKeyUsageObservation struct {

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	BaseKeyUsage []ConfigX509ConfigKeyUsageBaseKeyUsageObservation `json:"baseKeyUsage,omitempty" tf:"base_key_usage,omitempty"`

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	ExtendedKeyUsage []ConfigX509ConfigKeyUsageExtendedKeyUsageObservation `json:"extendedKeyUsage,omitempty" tf:"extended_key_usage,omitempty"`

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// Structure is documented below.
	UnknownExtendedKeyUsages []ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesObservation `json:"unknownExtendedKeyUsages,omitempty" tf:"unknown_extended_key_usages,omitempty"`
}

type ConfigX509ConfigKeyUsageParameters struct {

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	BaseKeyUsage []ConfigX509ConfigKeyUsageBaseKeyUsageParameters `json:"baseKeyUsage" tf:"base_key_usage,omitempty"`

	// Describes high-level ways in which a key may be used.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	ExtendedKeyUsage []ConfigX509ConfigKeyUsageExtendedKeyUsageParameters `json:"extendedKeyUsage" tf:"extended_key_usage,omitempty"`

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	UnknownExtendedKeyUsages []ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesParameters `json:"unknownExtendedKeyUsages,omitempty" tf:"unknown_extended_key_usages,omitempty"`
}

type ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesInitParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesObservation struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigKeyUsageUnknownExtendedKeyUsagesParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// +kubebuilder:validation:Optional
	ObjectIDPath []*float64 `json:"objectIdPath" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigNameConstraintsInitParameters struct {

	// Indicates whether or not the name constraints are marked critical.
	Critical *bool `json:"critical,omitempty" tf:"critical,omitempty"`

	// Contains excluded DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	ExcludedDNSNames []*string `json:"excludedDnsNames,omitempty" tf:"excluded_dns_names,omitempty"`

	// Contains the excluded email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	ExcludedEmailAddresses []*string `json:"excludedEmailAddresses,omitempty" tf:"excluded_email_addresses,omitempty"`

	// Contains the excluded IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	ExcludedIPRanges []*string `json:"excludedIpRanges,omitempty" tf:"excluded_ip_ranges,omitempty"`

	// Contains the excluded URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	ExcludedUris []*string `json:"excludedUris,omitempty" tf:"excluded_uris,omitempty"`

	// Contains permitted DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	PermittedDNSNames []*string `json:"permittedDnsNames,omitempty" tf:"permitted_dns_names,omitempty"`

	// Contains the permitted email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	PermittedEmailAddresses []*string `json:"permittedEmailAddresses,omitempty" tf:"permitted_email_addresses,omitempty"`

	// Contains the permitted IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	PermittedIPRanges []*string `json:"permittedIpRanges,omitempty" tf:"permitted_ip_ranges,omitempty"`

	// Contains the permitted URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	PermittedUris []*string `json:"permittedUris,omitempty" tf:"permitted_uris,omitempty"`
}

type ConfigX509ConfigNameConstraintsObservation struct {

	// Indicates whether or not the name constraints are marked critical.
	Critical *bool `json:"critical,omitempty" tf:"critical,omitempty"`

	// Contains excluded DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	ExcludedDNSNames []*string `json:"excludedDnsNames,omitempty" tf:"excluded_dns_names,omitempty"`

	// Contains the excluded email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	ExcludedEmailAddresses []*string `json:"excludedEmailAddresses,omitempty" tf:"excluded_email_addresses,omitempty"`

	// Contains the excluded IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	ExcludedIPRanges []*string `json:"excludedIpRanges,omitempty" tf:"excluded_ip_ranges,omitempty"`

	// Contains the excluded URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	ExcludedUris []*string `json:"excludedUris,omitempty" tf:"excluded_uris,omitempty"`

	// Contains permitted DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	PermittedDNSNames []*string `json:"permittedDnsNames,omitempty" tf:"permitted_dns_names,omitempty"`

	// Contains the permitted email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	PermittedEmailAddresses []*string `json:"permittedEmailAddresses,omitempty" tf:"permitted_email_addresses,omitempty"`

	// Contains the permitted IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	PermittedIPRanges []*string `json:"permittedIpRanges,omitempty" tf:"permitted_ip_ranges,omitempty"`

	// Contains the permitted URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	PermittedUris []*string `json:"permittedUris,omitempty" tf:"permitted_uris,omitempty"`
}

type ConfigX509ConfigNameConstraintsParameters struct {

	// Indicates whether or not the name constraints are marked critical.
	// +kubebuilder:validation:Optional
	Critical *bool `json:"critical" tf:"critical,omitempty"`

	// Contains excluded DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	// +kubebuilder:validation:Optional
	ExcludedDNSNames []*string `json:"excludedDnsNames,omitempty" tf:"excluded_dns_names,omitempty"`

	// Contains the excluded email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	// +kubebuilder:validation:Optional
	ExcludedEmailAddresses []*string `json:"excludedEmailAddresses,omitempty" tf:"excluded_email_addresses,omitempty"`

	// Contains the excluded IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	// +kubebuilder:validation:Optional
	ExcludedIPRanges []*string `json:"excludedIpRanges,omitempty" tf:"excluded_ip_ranges,omitempty"`

	// Contains the excluded URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	// +kubebuilder:validation:Optional
	ExcludedUris []*string `json:"excludedUris,omitempty" tf:"excluded_uris,omitempty"`

	// Contains permitted DNS names. Any DNS name that can be
	// constructed by simply adding zero or more labels to
	// the left-hand side of the name satisfies the name constraint.
	// For example, example.com, www.example.com, www.sub.example.com
	// would satisfy example.com while example1.com does not.
	// +kubebuilder:validation:Optional
	PermittedDNSNames []*string `json:"permittedDnsNames,omitempty" tf:"permitted_dns_names,omitempty"`

	// Contains the permitted email addresses. The value can be a particular
	// email address, a hostname to indicate all email addresses on that host or
	// a domain with a leading period (e.g. .example.com) to indicate
	// all email addresses in that domain.
	// +kubebuilder:validation:Optional
	PermittedEmailAddresses []*string `json:"permittedEmailAddresses,omitempty" tf:"permitted_email_addresses,omitempty"`

	// Contains the permitted IP ranges. For IPv4 addresses, the ranges
	// are expressed using CIDR notation as specified in RFC 4632.
	// For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
	// addresses.
	// +kubebuilder:validation:Optional
	PermittedIPRanges []*string `json:"permittedIpRanges,omitempty" tf:"permitted_ip_ranges,omitempty"`

	// Contains the permitted URIs that apply to the host part of the name.
	// The value can be a hostname or a domain with a
	// leading period (like .example.com)
	// +kubebuilder:validation:Optional
	PermittedUris []*string `json:"permittedUris,omitempty" tf:"permitted_uris,omitempty"`
}

type ConfigX509ConfigObservation struct {

	// Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
	// Structure is documented below.
	AdditionalExtensions []ConfigX509ConfigAdditionalExtensionsObservation `json:"additionalExtensions,omitempty" tf:"additional_extensions,omitempty"`

	// Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the
	// "Authority Information Access" extension in the certificate.
	AiaOcspServers []*string `json:"aiaOcspServers,omitempty" tf:"aia_ocsp_servers,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	CAOptions []ConfigX509ConfigCAOptionsObservation `json:"caOptions,omitempty" tf:"ca_options,omitempty"`

	// Indicates the intended use for keys that correspond to a certificate.
	// Structure is documented below.
	KeyUsage []ConfigX509ConfigKeyUsageObservation `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`

	// Describes the X.509 name constraints extension.
	// Structure is documented below.
	NameConstraints []ConfigX509ConfigNameConstraintsObservation `json:"nameConstraints,omitempty" tf:"name_constraints,omitempty"`

	// Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
	// Structure is documented below.
	PolicyIds []ConfigX509ConfigPolicyIdsObservation `json:"policyIds,omitempty" tf:"policy_ids,omitempty"`
}

type ConfigX509ConfigParameters struct {

	// Specifies an X.509 extension, which may be used in different parts of X.509 objects like certificates, CSRs, and CRLs.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	AdditionalExtensions []ConfigX509ConfigAdditionalExtensionsParameters `json:"additionalExtensions,omitempty" tf:"additional_extensions,omitempty"`

	// Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the
	// "Authority Information Access" extension in the certificate.
	// +kubebuilder:validation:Optional
	AiaOcspServers []*string `json:"aiaOcspServers,omitempty" tf:"aia_ocsp_servers,omitempty"`

	// Describes values that are relevant in a CA certificate.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	CAOptions []ConfigX509ConfigCAOptionsParameters `json:"caOptions" tf:"ca_options,omitempty"`

	// Indicates the intended use for keys that correspond to a certificate.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	KeyUsage []ConfigX509ConfigKeyUsageParameters `json:"keyUsage" tf:"key_usage,omitempty"`

	// Describes the X.509 name constraints extension.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	NameConstraints []ConfigX509ConfigNameConstraintsParameters `json:"nameConstraints,omitempty" tf:"name_constraints,omitempty"`

	// Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	PolicyIds []ConfigX509ConfigPolicyIdsParameters `json:"policyIds,omitempty" tf:"policy_ids,omitempty"`
}

type ConfigX509ConfigPolicyIdsInitParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigPolicyIdsObservation struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	ObjectIDPath []*float64 `json:"objectIdPath,omitempty" tf:"object_id_path,omitempty"`
}

type ConfigX509ConfigPolicyIdsParameters struct {

	// An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
	// +kubebuilder:validation:Optional
	ObjectIDPath []*float64 `json:"objectIdPath" tf:"object_id_path,omitempty"`
}

type KeySpecInitParameters struct {

	// The algorithm to use for creating a managed Cloud KMS key for a for a simplified
	// experience. All managed keys will be have their ProtectionLevel as HSM.
	// Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.
	Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"`

	// The resource name for an existing Cloud KMS CryptoKeyVersion in the format
	// projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
	CloudKMSKeyVersion *string `json:"cloudKmsKeyVersion,omitempty" tf:"cloud_kms_key_version,omitempty"`
}

type KeySpecObservation struct {

	// The algorithm to use for creating a managed Cloud KMS key for a for a simplified
	// experience. All managed keys will be have their ProtectionLevel as HSM.
	// Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.
	Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"`

	// The resource name for an existing Cloud KMS CryptoKeyVersion in the format
	// projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
	CloudKMSKeyVersion *string `json:"cloudKmsKeyVersion,omitempty" tf:"cloud_kms_key_version,omitempty"`
}

type KeySpecParameters struct {

	// The algorithm to use for creating a managed Cloud KMS key for a for a simplified
	// experience. All managed keys will be have their ProtectionLevel as HSM.
	// Possible values are: SIGN_HASH_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256, EC_P256_SHA256, EC_P384_SHA384.
	// +kubebuilder:validation:Optional
	Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"`

	// The resource name for an existing Cloud KMS CryptoKeyVersion in the format
	// projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
	// +kubebuilder:validation:Optional
	CloudKMSKeyVersion *string `json:"cloudKmsKeyVersion,omitempty" tf:"cloud_kms_key_version,omitempty"`
}

type PemIssuerChainInitParameters struct {

	// Expected to be in leaf-to-root order according to RFC 5246.
	PemCertificates []*string `json:"pemCertificates,omitempty" tf:"pem_certificates,omitempty"`
}

type PemIssuerChainObservation struct {

	// Expected to be in leaf-to-root order according to RFC 5246.
	PemCertificates []*string `json:"pemCertificates,omitempty" tf:"pem_certificates,omitempty"`
}

type PemIssuerChainParameters struct {

	// Expected to be in leaf-to-root order according to RFC 5246.
	// +kubebuilder:validation:Optional
	PemCertificates []*string `json:"pemCertificates,omitempty" tf:"pem_certificates,omitempty"`
}

type SubordinateConfigInitParameters struct {

	// This can refer to a CertificateAuthority that was used to create a
	// subordinate CertificateAuthority. This field is used for information
	// and usability purposes only. The resource name is in the format
	// projects/*/locations/*/caPools/*/certificateAuthorities/*.
	// +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/privateca/v1beta1.CertificateAuthority
	// +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",true)
	CertificateAuthority *string `json:"certificateAuthority,omitempty" tf:"certificate_authority,omitempty"`

	// Reference to a CertificateAuthority in privateca to populate certificateAuthority.
	// +kubebuilder:validation:Optional
	CertificateAuthorityRef *v1.Reference `json:"certificateAuthorityRef,omitempty" tf:"-"`

	// Selector for a CertificateAuthority in privateca to populate certificateAuthority.
	// +kubebuilder:validation:Optional
	CertificateAuthoritySelector *v1.Selector `json:"certificateAuthoritySelector,omitempty" tf:"-"`

	// Contains the PEM certificate chain for the issuers of this CertificateAuthority,
	// but not pem certificate for this CA itself.
	// Structure is documented below.
	PemIssuerChain []PemIssuerChainInitParameters `json:"pemIssuerChain,omitempty" tf:"pem_issuer_chain,omitempty"`
}

type SubordinateConfigObservation struct {

	// This can refer to a CertificateAuthority that was used to create a
	// subordinate CertificateAuthority. This field is used for information
	// and usability purposes only. The resource name is in the format
	// projects/*/locations/*/caPools/*/certificateAuthorities/*.
	CertificateAuthority *string `json:"certificateAuthority,omitempty" tf:"certificate_authority,omitempty"`

	// Contains the PEM certificate chain for the issuers of this CertificateAuthority,
	// but not pem certificate for this CA itself.
	// Structure is documented below.
	PemIssuerChain []PemIssuerChainObservation `json:"pemIssuerChain,omitempty" tf:"pem_issuer_chain,omitempty"`
}

type SubordinateConfigParameters struct {

	// This can refer to a CertificateAuthority that was used to create a
	// subordinate CertificateAuthority. This field is used for information
	// and usability purposes only. The resource name is in the format
	// projects/*/locations/*/caPools/*/certificateAuthorities/*.
	// +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/privateca/v1beta1.CertificateAuthority
	// +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",true)
	// +kubebuilder:validation:Optional
	CertificateAuthority *string `json:"certificateAuthority,omitempty" tf:"certificate_authority,omitempty"`

	// Reference to a CertificateAuthority in privateca to populate certificateAuthority.
	// +kubebuilder:validation:Optional
	CertificateAuthorityRef *v1.Reference `json:"certificateAuthorityRef,omitempty" tf:"-"`

	// Selector for a CertificateAuthority in privateca to populate certificateAuthority.
	// +kubebuilder:validation:Optional
	CertificateAuthoritySelector *v1.Selector `json:"certificateAuthoritySelector,omitempty" tf:"-"`

	// Contains the PEM certificate chain for the issuers of this CertificateAuthority,
	// but not pem certificate for this CA itself.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	PemIssuerChain []PemIssuerChainParameters `json:"pemIssuerChain,omitempty" tf:"pem_issuer_chain,omitempty"`
}

// CertificateAuthoritySpec defines the desired state of CertificateAuthority
type CertificateAuthoritySpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     CertificateAuthorityParameters `json:"forProvider"`
	// THIS IS A BETA FIELD. It will be honored
	// unless the Management Policies feature flag is disabled.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider CertificateAuthorityInitParameters `json:"initProvider,omitempty"`
}

// CertificateAuthorityStatus defines the observed state of CertificateAuthority.
type CertificateAuthorityStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        CertificateAuthorityObservation `json:"atProvider,omitempty"`
}

// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:storageversion

// CertificateAuthority is the Schema for the CertificateAuthoritys API. A CertificateAuthority represents an individual Certificate Authority.
// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status"
// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name"
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,gcp}
type CertificateAuthority struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.config) || (has(self.initProvider) && has(self.initProvider.config))",message="spec.forProvider.config is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.keySpec) || (has(self.initProvider) && has(self.initProvider.keySpec))",message="spec.forProvider.keySpec is a required parameter"
	Spec   CertificateAuthoritySpec   `json:"spec"`
	Status CertificateAuthorityStatus `json:"status,omitempty"`
}

// +kubebuilder:object:root=true

// CertificateAuthorityList contains a list of CertificateAuthoritys
type CertificateAuthorityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []CertificateAuthority `json:"items"`
}

// Repository type metadata.
var (
	CertificateAuthority_Kind             = "CertificateAuthority"
	CertificateAuthority_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: CertificateAuthority_Kind}.String()
	CertificateAuthority_KindAPIVersion   = CertificateAuthority_Kind + "." + CRDGroupVersion.String()
	CertificateAuthority_GroupVersionKind = CRDGroupVersion.WithKind(CertificateAuthority_Kind)
)

func init() {
	SchemeBuilder.Register(&CertificateAuthority{}, &CertificateAuthorityList{})
}