hashicorp · modular-magician · Apr 16, 2025 · Apr 16, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+privateca: added the `backdate_duration` field to the `google_privateca_ca_pool` resource to add support for backdating the `not_before_time` of certificates
+```
@@ -153,6 +153,15 @@ service-level min RSA modulus size will continue to apply.`,
 								},
 							},
 						},
+						"backdate_duration": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Description: `The duration to backdate all certificates issued from this CaPool. If not set, the
+certificates will be issued with a not_before_time of the issuance time (i.e. the current
+time). If set, the certificates will be issued with a not_before_time of the issuance
+time minus the backdate_duration. The not_after_time will be adjusted to preserve the
+requested lifetime. The backdate_duration must be less than or equal to 48 hours.`,
+						},
 						"baseline_values": {
 							Type:     schema.TypeList,
 							Optional: true,
@@ -976,6 +985,8 @@ func flattenPrivatecaCaPoolIssuancePolicy(v interface{}, d *schema.ResourceData,
 	transformed := make(map[string]interface{})
 	transformed["allowed_key_types"] =
 		flattenPrivatecaCaPoolIssuancePolicyAllowedKeyTypes(original["allowedKeyTypes"], d, config)
+	transformed["backdate_duration"] =
+		flattenPrivatecaCaPoolIssuancePolicyBackdateDuration(original["backdateDuration"], d, config)
 	transformed["maximum_lifetime"] =
 		flattenPrivatecaCaPoolIssuancePolicyMaximumLifetime(original["maximumLifetime"], d, config)
 	transformed["allowed_issuance_modes"] =
@@ -1045,6 +1056,10 @@ func flattenPrivatecaCaPoolIssuancePolicyAllowedKeyTypesEllipticCurveSignatureAl
 	return v
 }
 
+func flattenPrivatecaCaPoolIssuancePolicyBackdateDuration(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenPrivatecaCaPoolIssuancePolicyMaximumLifetime(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1235,6 +1250,13 @@ func expandPrivatecaCaPoolIssuancePolicy(v interface{}, d tpgresource.TerraformR
 		transformed["allowedKeyTypes"] = transformedAllowedKeyTypes
 	}
 
+	transformedBackdateDuration, err := expandPrivatecaCaPoolIssuancePolicyBackdateDuration(original["backdate_duration"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedBackdateDuration); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["backdateDuration"] = transformedBackdateDuration
+	}
+
 	transformedMaximumLifetime, err := expandPrivatecaCaPoolIssuancePolicyMaximumLifetime(original["maximum_lifetime"], d, config)
 	if err != nil {
 		return nil, err
@@ -1352,6 +1374,10 @@ func expandPrivatecaCaPoolIssuancePolicyAllowedKeyTypesEllipticCurveSignatureAlg
 	return v, nil
 }
 
+func expandPrivatecaCaPoolIssuancePolicyBackdateDuration(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandPrivatecaCaPoolIssuancePolicyMaximumLifetime(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

@@ -12,6 +12,7 @@ fields:
   - field: 'issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm'
   - field: 'issuance_policy.allowed_key_types.rsa.max_modulus_size'
   - field: 'issuance_policy.allowed_key_types.rsa.min_modulus_size'
+  - field: 'issuance_policy.backdate_duration'
   - field: 'issuance_policy.baseline_values.additional_extensions.critical'
   - field: 'issuance_policy.baseline_values.additional_extensions.object_id.object_id_path'
   - field: 'issuance_policy.baseline_values.additional_extensions.value'

@@ -123,6 +123,7 @@ resource "google_privateca_ca_pool" "default" {
         max_modulus_size = 10
       }
     }
+    backdate_duration = "3600s"
     maximum_lifetime = "50000s"
     allowed_issuance_modes {
       allow_csr_based_issuance = true

@@ -82,6 +82,7 @@ resource "google_privateca_ca_pool" "default" {
         max_modulus_size = 10
       }
     }
+    backdate_duration = "3600s"
     maximum_lifetime = "50000s"
     allowed_issuance_modes {
       allow_csr_based_issuance = true
@@ -203,6 +204,14 @@ The following arguments are supported:
   Otherwise, any key may be used.
   Structure is [documented below](#nested_issuance_policy_allowed_key_types).
 
+* `backdate_duration` -
+  (Optional)
+  The duration to backdate all certificates issued from this CaPool. If not set, the
+  certificates will be issued with a not_before_time of the issuance time (i.e. the current
+  time). If set, the certificates will be issued with a not_before_time of the issuance
+  time minus the backdate_duration. The not_after_time will be adjusted to preserve the
+  requested lifetime. The backdate_duration must be less than or equal to 48 hours.
+
 * `maximum_lifetime` -
   (Optional)
   The maximum lifetime allowed for issued Certificates. Note that if the issuing CertificateAuthority