Feat add cas custom cdp aia support (#12452) (#9221)

modular-magician · web-flow · commit cd33ad747fe1 · 2025-02-03T16:41:10.000-08:00
[upstream:47cf9528aec3da430af249968b438905b44c14b4]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12452.txt b/.changelog/12452.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: added `userDefinedAccessUrls` fields to `CertificateAuthority` resource to add support for custom CDP AIA URLs
+```
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority.go b/google-beta/services/privateca/resource_privateca_certificate_authority.go
@@ -757,6 +757,33 @@ but not pem certificate for this CA itself.`,
 be activated before they can issue certificates. Default value: "SELF_SIGNED" Possible values: ["SELF_SIGNED", "SUBORDINATE"]`,
 				Default: "SELF_SIGNED",
 			},
+			"user_defined_access_urls": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Description: `Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs,
+that can be specified by users.`,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"aia_issuing_certificate_urls": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `A list of URLs where this CertificateAuthority's CA certificate is published that is specified by users.`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"crl_access_urls": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `A list of URLs where this CertificateAuthority's CRLs are published that is specified by users.`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
 			"access_urls": {
 				Type:        schema.TypeList,
 				Computed:    true,
@@ -902,6 +929,12 @@ func resourcePrivatecaCertificateAuthorityCreate(d *schema.ResourceData, meta in
 	} else if v, ok := d.GetOkExists("gcs_bucket"); !tpgresource.IsEmptyValue(reflect.ValueOf(gcsBucketProp)) && (ok || !reflect.DeepEqual(v, gcsBucketProp)) {
 		obj["gcsBucket"] = gcsBucketProp
 	}
+	userDefinedAccessUrlsProp, err := expandPrivatecaCertificateAuthorityUserDefinedAccessUrls(d.Get("user_defined_access_urls"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("user_defined_access_urls"); !tpgresource.IsEmptyValue(reflect.ValueOf(userDefinedAccessUrlsProp)) && (ok || !reflect.DeepEqual(v, userDefinedAccessUrlsProp)) {
+		obj["userDefinedAccessUrls"] = userDefinedAccessUrlsProp
+	}
 	labelsProp, err := expandPrivatecaCertificateAuthorityEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -1112,6 +1145,9 @@ func resourcePrivatecaCertificateAuthorityRead(d *schema.ResourceData, meta inte
 	if err := d.Set("labels", flattenPrivatecaCertificateAuthorityLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading CertificateAuthority: %s", err)
 	}
+	if err := d.Set("user_defined_access_urls", flattenPrivatecaCertificateAuthorityUserDefinedAccessUrls(res["userDefinedAccessUrls"], d, config)); err != nil {
+		return fmt.Errorf("Error reading CertificateAuthority: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenPrivatecaCertificateAuthorityTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading CertificateAuthority: %s", err)
 	}
@@ -1144,6 +1180,12 @@ func resourcePrivatecaCertificateAuthorityUpdate(d *schema.ResourceData, meta in
 	} else if v, ok := d.GetOkExists("subordinate_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, subordinateConfigProp)) {
 		obj["subordinateConfig"] = subordinateConfigProp
 	}
+	userDefinedAccessUrlsProp, err := expandPrivatecaCertificateAuthorityUserDefinedAccessUrls(d.Get("user_defined_access_urls"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("user_defined_access_urls"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, userDefinedAccessUrlsProp)) {
+		obj["userDefinedAccessUrls"] = userDefinedAccessUrlsProp
+	}
 	labelsProp, err := expandPrivatecaCertificateAuthorityEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -1164,6 +1206,10 @@ func resourcePrivatecaCertificateAuthorityUpdate(d *schema.ResourceData, meta in
 		updateMask = append(updateMask, "subordinateConfig")
 	}
 
+	if d.HasChange("user_defined_access_urls") {
+		updateMask = append(updateMask, "userDefinedAccessUrls")
+	}
+
 	if d.HasChange("effective_labels") {
 		updateMask = append(updateMask, "labels")
 	}
@@ -1675,6 +1721,29 @@ func flattenPrivatecaCertificateAuthorityLabels(v interface{}, d *schema.Resourc
 	return transformed
 }
 
+func flattenPrivatecaCertificateAuthorityUserDefinedAccessUrls(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["aia_issuing_certificate_urls"] =
+		flattenPrivatecaCertificateAuthorityUserDefinedAccessUrlsAiaIssuingCertificateUrls(original["aiaIssuingCertificateUrls"], d, config)
+	transformed["crl_access_urls"] =
+		flattenPrivatecaCertificateAuthorityUserDefinedAccessUrlsCrlAccessUrls(original["crlAccessUrls"], d, config)
+	return []interface{}{transformed}
+}
+func flattenPrivatecaCertificateAuthorityUserDefinedAccessUrlsAiaIssuingCertificateUrls(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenPrivatecaCertificateAuthorityUserDefinedAccessUrlsCrlAccessUrls(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenPrivatecaCertificateAuthorityTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -2084,6 +2153,40 @@ func expandPrivatecaCertificateAuthorityGcsBucket(v interface{}, d tpgresource.T
 	return v, nil
 }
 
+func expandPrivatecaCertificateAuthorityUserDefinedAccessUrls(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedAiaIssuingCertificateUrls, err := expandPrivatecaCertificateAuthorityUserDefinedAccessUrlsAiaIssuingCertificateUrls(original["aia_issuing_certificate_urls"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAiaIssuingCertificateUrls); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["aiaIssuingCertificateUrls"] = transformedAiaIssuingCertificateUrls
+	}
+
+	transformedCrlAccessUrls, err := expandPrivatecaCertificateAuthorityUserDefinedAccessUrlsCrlAccessUrls(original["crl_access_urls"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedCrlAccessUrls); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["crlAccessUrls"] = transformedCrlAccessUrls
+	}
+
+	return transformed, nil
+}
+
+func expandPrivatecaCertificateAuthorityUserDefinedAccessUrlsAiaIssuingCertificateUrls(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandPrivatecaCertificateAuthorityUserDefinedAccessUrlsCrlAccessUrls(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandPrivatecaCertificateAuthorityEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority_generated_meta.yaml b/google-beta/services/privateca/resource_privateca_certificate_authority_generated_meta.yaml
@@ -89,3 +89,5 @@ fields:
     provider_only: true
   - field: 'type'
   - field: 'update_time'
+  - field: 'user_defined_access_urls.aia_issuing_certificate_urls'
+  - field: 'user_defined_access_urls.crl_access_urls'
diff --git a/google-beta/services/privateca/resource_privateca_certificate_authority_generated_test.go b/google-beta/services/privateca/resource_privateca_certificate_authority_generated_test.go
@@ -213,6 +213,79 @@ resource "google_privateca_certificate_authority" "default" {
 `, context)
 }
 
+func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicWithCustomCdpAiaUrlsExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"deletion_protection": false,
+		"pool_location":       "us-central1",
+		"pool_name":           acctest.BootstrapSharedCaPoolInLocation(t, "us-central1"),
+		"random_suffix":       acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicWithCustomCdpAiaUrlsExample(context),
+			},
+			{
+				ResourceName:            "google_privateca_certificate_authority.default",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"certificate_authority_id", "deletion_protection", "ignore_active_certificates_on_deletion", "labels", "location", "pem_ca_certificate", "pool", "skip_grace_period", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicWithCustomCdpAiaUrlsExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privateca_certificate_authority" "default" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+  pool = "%{pool_name}"
+  certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
+  location = "%{pool_location}"
+  deletion_protection = %{deletion_protection}
+  config {
+    subject_config {
+      subject {
+        organization = "ACME"
+        common_name = "my-certificate-authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+        }
+      }
+    }
+  }
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+  user_defined_access_urls {
+    aia_issuing_certificate_urls = ["http://example.com/ca.crt", "http://example.com/anotherca.crt"]
+    crl_access_urls = ["http://example.com/crl1.crt", "http://example.com/crl2.crt"]
+  }
+}
+`, context)
+}
+
 func testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {
diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown
@@ -284,6 +284,56 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=privateca_certificate_authority_basic_with_custom_cdp_aia_urls&open_in_editor=main.tf" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Privateca Certificate Authority Basic With Custom Cdp Aia Urls
+
+
+```hcl
+resource "google_privateca_certificate_authority" "default" {
+  // This example assumes this pool already exists.
+  // Pools cannot be deleted in normal test circumstances, so we depend on static pools
+  pool = "ca-pool"
+  certificate_authority_id = "my-certificate-authority"
+  location = "us-central1"
+  deletion_protection = true
+  config {
+    subject_config {
+      subject {
+        organization = "ACME"
+        common_name = "my-certificate-authority"
+      }
+    }
+    x509_config {
+      ca_options {
+        # is_ca *MUST* be true for certificate authorities
+        is_ca = true
+      }
+      key_usage {
+        base_key_usage {
+          # cert_sign and crl_sign *MUST* be true for certificate authorities
+          cert_sign = true
+          crl_sign = true
+        }
+        extended_key_usage {
+        }
+      }
+    }
+  }
+  # valid for 10 years
+  lifetime = "${10 * 365 * 24 * 3600}s"
+  key_spec {
+    algorithm = "RSA_PKCS1_4096_SHA256"
+  }
+  user_defined_access_urls {
+    aia_issuing_certificate_urls = ["http://example.com/ca.crt", "http://example.com/anotherca.crt"]
+    crl_access_urls = ["http://example.com/crl1.crt", "http://example.com/crl2.crt"]
+  }
+}
+```
 
 ## Argument Reference
 
@@ -709,6 +759,12 @@ The following arguments are supported:
   **Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
   Please refer to the field `effective_labels` for all of the labels present on the resource.
 
+* `user_defined_access_urls` -
+  (Optional)
+  Custom URLs for accessing content published by this CA, such as the CA certificate and CRLs,
+  that can be specified by users.
+  Structure is [documented below](#nested_user_defined_access_urls).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
@@ -743,6 +799,16 @@ Possible values: ENABLED, DISABLED, STAGED.
   (Optional)
   Expected to be in leaf-to-root order according to RFC 5246.
 
+<a name="nested_user_defined_access_urls"></a>The `user_defined_access_urls` block supports:
+
+* `aia_issuing_certificate_urls` -
+  (Optional)
+  A list of URLs where this CertificateAuthority's CA certificate is published that is specified by users.
+
+* `crl_access_urls` -
+  (Optional)
+  A list of URLs where this CertificateAuthority's CRLs are published that is specified by users.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+privateca: added `userDefinedAccessUrls` fields to `CertificateAuthority` resource to add support for custom CDP AIA URLs
	`3`	+```