Fix an issue which cause failure when updating a sub-CA (#12495) (#8872)

[upstream:172e79f94b241da6b7aac980bbbe189d53722836]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/12495.txt

@@ -0,0 +1,3 @@
+```release-note: bug
+privateca: fixed an issue which causes error when updating labels for activated sub-CA
+```

google-beta/services/privateca/resource_privateca_certificate_authority.go

@@ -1217,6 +1217,21 @@ func resourcePrivatecaCertificateAuthorityUpdate(d *schema.ResourceData, meta in
 		}
 	}
 
+	// `subordinateConfig.certificateAuthority` is not directly passed
+	// to the backend when activating a sub-CA. Instead, it is used to sign CA cert
+	// and activate the sub-CA at client side. See b/332548736 for details.
+	// Drop this field to avoid both `subordinateConfig.certificateAuthority`
+	// and `subordinateConfig.pemIssuerChain` to be passed to the backend.
+	if _, ok := obj["subordinateConfig"]; ok {
+		subConfig := obj["subordinateConfig"].(map[string]interface{})
+		// There could be case which a sub-CA was activated via `subordinateConfig.certificateAuthority`
+		// directly by older version of providers.
+		// For backward compatibility, delete `certificateAuthority` only if `pemIssuerChain` is presented.
+		if _, ok := subConfig["pemIssuerChain"]; ok {
+			delete(subConfig, "certificateAuthority")
+		}
+	}
+
 	// err == nil indicates that the billing_project value was found
 	if bp, err := tpgresource.GetBillingProject(d, config); err == nil {
 		billingProject = bp

google-beta/services/privateca/resource_privateca_certificate_authority_test.go

@@ -128,9 +128,10 @@ func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssu
 
 	random_suffix := acctest.RandString(t, 10)
 	context := map[string]interface{}{
-		"root_location": "us-central1",
-		"sub_location":  "australia-southeast1",
-		"random_suffix": random_suffix,
+		"root_location":     "us-central1",
+		"sub_location":      "australia-southeast1",
+		"random_suffix":     random_suffix,
+		"first_label_value": "bar",
 	}
 
 	resourceName := "google_privateca_certificate_authority.sub-1"
@@ -176,6 +177,47 @@ func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssu
 	})
 }
 
+func TestAccPrivatecaCertificateAuthority_subordinateCaCanUpdateLabel(t *testing.T) {
+	t.Parallel()
+	acctest.SkipIfVcr(t)
+
+	random_suffix := acctest.RandString(t, 10)
+	context1 := map[string]interface{}{
+		"root_location":     "us-central1",
+		"sub_location":      "australia-southeast1",
+		"random_suffix":     random_suffix,
+		"first_label_value": "bar-1",
+	}
+
+	context2 := map[string]interface{}{
+		"root_location":     "us-central1",
+		"sub_location":      "australia-southeast1",
+		"random_suffix":     random_suffix,
+		"first_label_value": "bar-2",
+	}
+
+	resourceName := "google_privateca_certificate_authority.sub-1"
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context1),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "labels.first_label", context1["first_label_value"].(string)),
+				),
+			},
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context2),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "labels.first_label", context2["first_label_value"].(string)),
+				),
+			},
+		},
+	})
+}
+
 func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privateca_certificate_authority" "default" {
@@ -470,6 +512,10 @@ resource "google_privateca_certificate_authority" "sub-1" {
 	}
 	type = "SUBORDINATE"
 
+	labels = {
+		first_label = "%{first_label_value}"
+	}
+
 	// Disable CA deletion related safe checks for easier cleanup.
 	deletion_protection                    = false
 	skip_grace_period                      = true