Support sub-CA to be activated into staged state (#12162) (#8560)

modular-magician · web-flow · commit c8b1d12596c6 · 2024-10-30T10:15:13.000-07:00
[upstream:3cca7aa245ba4e600cbe9f1cb23b316fb5361845]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12162.txt b/.changelog/12162.txt
@@ -0,0 +1,3 @@
+```release-note: enhancement
+privateca: added support for sub-CA to be activated into STAGED state
+```
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority.go b/google-beta/services/privateca/resource_privateca_certificate_authority.go
@@ -39,9 +39,6 @@ func resourcePrivateCaCACustomDiff(_ context.Context, diff *schema.ResourceDiff,
 		_, new := diff.GetChange("desired_state")
 
 		if tpgresource.IsNewResource(diff) {
-			if diff.Get("type").(string) == "SUBORDINATE" {
-				return fmt.Errorf("`desired_state` can not be specified when creating a SUBORDINATE CA")
-			}
 			if new.(string) != "STAGED" && new.(string) != "ENABLED" {
 				return fmt.Errorf("`desired_state` can only be set to `STAGED` or `ENABLED` when creating a new CA")
 			}
@@ -1004,7 +1001,6 @@ func resourcePrivatecaCertificateAuthorityCreate(d *schema.ResourceData, meta in
 
 	// Enable the CA if `desired_state` is unspecified or specified as `ENABLED`.
 	if p, ok := d.GetOk("desired_state"); !ok || p.(string) == "ENABLED" {
-		// Skip enablement on SUBORDINATE CA for backward compatible.
 		if staged {
 			if err := enableCA(config, d, project, billingProject, userAgent); err != nil {
 				return fmt.Errorf("Error enabling CertificateAuthority: %v", err)
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority_test.go b/google-beta/services/privateca/resource_privateca_certificate_authority_test.go
@@ -149,6 +149,33 @@ func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssu
 	})
 }
 
+func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssuerOnCreationInStagedState(t *testing.T) {
+	t.Parallel()
+	acctest.SkipIfVcr(t)
+
+	random_suffix := acctest.RandString(t, 10)
+	context := map[string]interface{}{
+		"root_location": "us-central1",
+		"sub_location":  "australia-southeast1",
+		"random_suffix": random_suffix,
+	}
+
+	resourceName := "google_privateca_certificate_authority.sub-1"
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateStagedWithFirstPartyIssuer(context),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "state", "STAGED"),
+				),
+			},
+		},
+	})
+}
+
 func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privateca_certificate_authority" "default" {
@@ -450,3 +477,140 @@ resource "google_privateca_certificate_authority" "sub-1" {
 }
 `, context)
 }
+
+// testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateStagedWithFirstPartyIssuer provides a config
+// which contains
+// * A CaPool for root CA
+// * A root CA
+// * A CaPool for sub CA
+// * A subordinate CA which should be activated by the above root CA
+func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateStagedWithFirstPartyIssuer(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privateca_ca_pool" "root-pool" {
+	name     = "root-pool-%{random_suffix}"
+	location = "%{root_location}"
+	tier     = "ENTERPRISE"
+	publishing_options {
+	  publish_ca_cert = true
+	  publish_crl     = true
+	}
+}
+
+resource "google_privateca_certificate_authority" "root-1" {
+	pool = google_privateca_ca_pool.root-pool.name 
+	certificate_authority_id = "tf-test-my-certificate-authority-root-%{random_suffix}"
+	location = "%{root_location}"
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+
+	// Disable CA deletion related safe checks for easier cleanup.
+	deletion_protection                    = false
+	skip_grace_period                      = true
+	ignore_active_certificates_on_deletion = true
+}
+
+resource "google_privateca_ca_pool" "sub-pool" {
+	name     = "sub-pool-%{random_suffix}"
+	location = "%{sub_location}"
+	tier     = "ENTERPRISE"
+	publishing_options {
+	  publish_ca_cert = true
+	  publish_crl     = true
+	}
+}
+
+resource "google_privateca_certificate_authority" "sub-1" {
+	pool = google_privateca_ca_pool.sub-pool.name 
+	certificate_authority_id = "tf-test-my-certificate-authority-sub-%{random_suffix}"
+	location = "%{sub_location}"
+	desired_state = "STAGED"
+	subordinate_config {
+		certificate_authority = google_privateca_certificate_authority.root-1.name
+	}
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+	type = "SUBORDINATE"
+
+	// Disable CA deletion related safe checks for easier cleanup.
+	deletion_protection                    = false
+	skip_grace_period                      = true
+	ignore_active_certificates_on_deletion = true
+}
+`, context)
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note: enhancement
	`2`	`+privateca: added support for sub-CA to be activated into STAGED state`
	`3`	+```