diff --git a/privateca_capool_all_fields/backing_file.tf b/privateca_capool_all_fields/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/privateca_capool_all_fields/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
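Review bot: `name_suffix = "${random_pet.suffix.id}"` wraps a single reference in an interpolation-only string, which Terraform 0.12+ flags as a deprecated form; the direct reference `name_suffix = random_pet.suffix.id` is the idiomatic spelling. The file also pulls in the `random` and `google` providers without a `required_providers` block or version constraints, so a Cloud Shell user running `terraform init` gets whatever provider versions are current, and the `us-central1` region/zone are hard-coded rather than surfaced as variables. The same scaffolding is repeated verbatim in the backing_file.tf hunks for privateca_capool_basic, privateca_certificate_authority_basic and privateca_certificate_authority_cmek; the same remark applies to each.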
diff --git a/privateca_capool_all_fields/main.tf b/privateca_capool_all_fields/main.tf
new file mode 100644
index 00000000..0de05fca
--- /dev/null
+++ b/privateca_capool_all_fields/main.tf
@@ -0,0 +1,77 @@
+resource "google_privateca_ca_pool" "default" {
+ name = "my-pool-${local.name_suffix}"
+ location = "us-central1"
+ tier = "ENTERPRISE"
+ publishing_options {
+ publish_ca_cert = false
+ publish_crl = true
+ }
+ labels = {
+ foo = "bar"
+ }
+ issuance_policy {
+ allowed_key_types {
+ elliptic_curve {
+ signature_algorithm = "ECDSA_P256"
+ }
+ }
+ allowed_key_types {
+ rsa {
+ min_modulus_size = 5
+ max_modulus_size = 10
+ }
+ }
+ maximum_lifetime = "50000s"
+ allowed_issuance_modes {
+ allow_csr_based_issuance = true
+ allow_config_based_issuance = true
+ }
+ identity_constraints {
+ allow_subject_passthrough = true
+ allow_subject_alt_names_passthrough = true
+ cel_expression {
+ expression = "subject_alt_names.all(san, san.type == DNS || san.type == EMAIL )"
+ title = "My title"
+ }
+ }
+ baseline_values {
+ aia_ocsp_servers = ["example.com"]
+ additional_extensions {
+ critical = true
+ value = "asdf"
+ object_id {
+ object_id_path = [123, 899]
+ }
+ }
+ policy_ids {
+ object_id_path = [123, 888]
+ }
+ policy_ids {
+ object_id_path = [456, 120]
+ }
+ ca_options {
+ is_ca = true
+ max_issuer_path_length = 10
+ }
+ key_usage {
+ base_key_usage {
+ digital_signature = true
+ content_commitment = true
+ key_encipherment = false
+ data_encipherment = true
+ key_agreement = true
+ cert_sign = false
+ crl_sign = true
+ decipher_only = true
+ }
+ extended_key_usage {
+ server_auth = true
+ client_auth = false
+ email_protection = true
+ code_signing = true
+ time_stamping = true
+ }
+ }
+ }
+ }
+}
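Review bot: `baseline_values { ca_options { is_ca = true ... } }` puts a CA:TRUE basic-constraints value into the pool's baseline, and baseline values are applied to every certificate issued from the pool, so as written every end-entity certificate this pool issues would carry CA:TRUE with a path length of 10. That is presumably intentional for an "all fields" API-coverage example, but the file is shipped as a copy-paste tutorial, so a comment on that line such as `# baseline_values are merged into every issued certificate; is_ca = true here would make every leaf a CA` (or `is_ca = false`) would prevent the template from being reused as-is. In the same spirit, `min_modulus_size = 5` / `max_modulus_size = 10` under `rsa {}` are, if these fields are in bits as the API documents, values no real deployment should copy; a comment or realistic values (e.g. 2048–4096) would make the example self-explanatory. `publish_ca_cert = false` alongside `publish_crl = true` is a valid but unusual pairing and could use a one-line comment explaining the choice.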
diff --git a/privateca_capool_all_fields/motd b/privateca_capool_all_fields/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/privateca_capool_all_fields/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/privateca_capool_all_fields/tutorial.md b/privateca_capool_all_fields/tutorial.md
new file mode 100644
index 00000000..ebb62fcc
--- /dev/null
+++ b/privateca_capool_all_fields/tutorial.md
@@ -0,0 +1,79 @@
+# Privateca Capool All Fields - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/privateca_capool_basic/backing_file.tf b/privateca_capool_basic/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/privateca_capool_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/privateca_capool_basic/main.tf b/privateca_capool_basic/main.tf
new file mode 100644
index 00000000..4d58d998
--- /dev/null
+++ b/privateca_capool_basic/main.tf
@@ -0,0 +1,12 @@
+resource "google_privateca_ca_pool" "default" {
+ name = "my-pool-${local.name_suffix}"
+ location = "us-central1"
+ tier = "ENTERPRISE"
+ publishing_options {
+ publish_ca_cert = true
+ publish_crl = true
+ }
+ labels = {
+ foo = "bar"
+ }
+}
diff --git a/privateca_capool_basic/motd b/privateca_capool_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/privateca_capool_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/privateca_capool_basic/tutorial.md b/privateca_capool_basic/tutorial.md
new file mode 100644
index 00000000..fa980dca
--- /dev/null
+++ b/privateca_capool_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Privateca Capool Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/privateca_certificate_authority_basic/backing_file.tf b/privateca_certificate_authority_basic/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/privateca_certificate_authority_basic/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/privateca_certificate_authority_basic/main.tf b/privateca_certificate_authority_basic/main.tf
new file mode 100644
index 00000000..0860ef05
--- /dev/null
+++ b/privateca_certificate_authority_basic/main.tf
@@ -0,0 +1,47 @@
+resource "google_privateca_certificate_authority" "default" {
+ // This example assumes this pool already exists.
+ // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+ pool = ""
+ certificate_authority_id = "my-certificate-authority-${local.name_suffix}"
+ location = "us-central1"
+ config {
+ subject_config {
+ subject {
+ organization = "HashiCorp"
+ common_name = "my-certificate-authority"
+ }
+ subject_alt_name {
+ dns_names = ["hashicorp.com"]
+ }
+ }
+ x509_config {
+ ca_options {
+ is_ca = true
+ max_issuer_path_length = 10
+ }
+ key_usage {
+ base_key_usage {
+ digital_signature = true
+ content_commitment = true
+ key_encipherment = false
+ data_encipherment = true
+ key_agreement = true
+ cert_sign = true
+ crl_sign = true
+ decipher_only = true
+ }
+ extended_key_usage {
+ server_auth = true
+ client_auth = false
+ email_protection = true
+ code_signing = true
+ time_stamping = true
+ }
+ }
+ }
+ }
+ lifetime = "86400s"
+ key_spec {
+ algorithm = "RSA_PKCS1_4096_SHA256"
+ }
+}
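Review bot: `pool = ""` means this example cannot be applied as shipped, yet the accompanying tutorial.md walks the reader through `terraform apply`; the comment explains the test-harness reason, but a tutorial copy should either create a `google_privateca_ca_pool` and reference it, or expose the pool name as a variable with the comment moved onto it. The `base_key_usage` / `extended_key_usage` blocks enable almost every usage bit (`data_encipherment`, `decipher_only`, `server_auth`, `code_signing`, `time_stamping`, ...) on a CA certificate; a CA needs `cert_sign` and `crl_sign`, as the privateca_certificate_authority_cmek example itself notes, and a "basic" example is the one most likely to be copied, so trimming to those two (or adding `# these extra usages are for API coverage only`) would keep the template least-privilege. `lifetime = "86400s"` gives the CA a one-day validity, which is fine for a test but worth a comment so readers do not assume it is a sensible production value.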
diff --git a/privateca_certificate_authority_basic/motd b/privateca_certificate_authority_basic/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/privateca_certificate_authority_basic/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/privateca_certificate_authority_basic/tutorial.md b/privateca_certificate_authority_basic/tutorial.md
new file mode 100644
index 00000000..5eb43340
--- /dev/null
+++ b/privateca_certificate_authority_basic/tutorial.md
@@ -0,0 +1,79 @@
+# Privateca Certificate Authority Basic - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/privateca_certificate_authority_cmek/backing_file.tf b/privateca_certificate_authority_cmek/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/privateca_certificate_authority_cmek/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+ name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+ length = 2
+}
+
+provider "google" {
+ region = "us-central1"
+ zone = "us-central1-c"
+}
diff --git a/privateca_certificate_authority_cmek/main.tf b/privateca_certificate_authority_cmek/main.tf
new file mode 100644
index 00000000..f997011d
--- /dev/null
+++ b/privateca_certificate_authority_cmek/main.tf
@@ -0,0 +1,62 @@
+resource "google_project_service_identity" "privateca_sa" {
+ service = "privateca.googleapis.com"
+}
+
+resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" {
+ crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key-${local.name_suffix}"
+ role = "roles/cloudkms.signerVerifier"
+
+ members = [
+ "serviceAccount:${google_project_service_identity.privateca_sa.email}",
+ ]
+}
+
+resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" {
+ crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key-${local.name_suffix}"
+ role = "roles/viewer"
+ members = [
+ "serviceAccount:${google_project_service_identity.privateca_sa.email}",
+ ]
+}
+
+resource "google_privateca_certificate_authority" "default" {
+ // This example assumes this pool already exists.
+ // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+ pool = ""
+ certificate_authority_id = "my-certificate-authority-${local.name_suffix}"
+ location = "us-central1"
+ key_spec {
+ cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key-${local.name_suffix}/cryptoKeyVersions/1"
+ }
+
+ config {
+ subject_config {
+ subject {
+ organization = "Example, Org."
+ common_name = "Example Authority"
+ }
+ }
+ x509_config {
+ ca_options {
+ # is_ca *MUST* be true for certificate authorities
+ is_ca = true
+ max_issuer_path_length = 10
+ }
+ key_usage {
+ base_key_usage {
+ # cert_sign and crl_sign *MUST* be true for certificate authorities
+ cert_sign = true
+ crl_sign = true
+ }
+ extended_key_usage {
+ server_auth = false
+ }
+ }
+ }
+ }
+
+ depends_on = [
+ google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier,
+ google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer,
+ ]
+}
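Review bot: `google_kms_crypto_key_iam_binding` is authoritative for the role it manages, so `privateca_sa_keyuser_signerverifier` and `privateca_sa_keyuser_viewer` will remove any other members that already hold `roles/cloudkms.signerVerifier` or `roles/viewer` on the pre-existing key in `keys-project`; for an example that points at a key it does not own, `google_kms_crypto_key_iam_member` (non-authoritative) is the safer resource and needs only `member = "serviceAccount:${google_project_service_identity.privateca_sa.email}"` in place of the `members` list. `roles/viewer` is a basic role; if the service only needs to read key metadata, the narrower predefined `roles/cloudkms.viewer` is worth considering — confirm against the CA Service CMEK documentation, which may specifically call for `roles/viewer`. `google_project_service_identity` has historically been available only in the `google-beta` provider; if that is still the case for the pinned provider, the resource needs `provider = google-beta`, which the backing_file.tf in this directory does not configure. `pool = ""` has the same cannot-apply-as-shipped problem noted on privateca_certificate_authority_basic/main.tf.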
diff --git a/privateca_certificate_authority_cmek/motd b/privateca_certificate_authority_cmek/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/privateca_certificate_authority_cmek/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/privateca_certificate_authority_cmek/tutorial.md b/privateca_certificate_authority_cmek/tutorial.md
new file mode 100644
index 00000000..1b2e68ab
--- /dev/null
+++ b/privateca_certificate_authority_cmek/tutorial.md
@@ -0,0 +1,79 @@
+# Privateca Certificate Authority Cmek - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```