add deletion protection for CA (#5932) (#11551)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5932.txt

@@ -0,0 +1,6 @@
+```release-note:enhancement
+privateca: add `deletion_protection` for CertificateAuthority.
+```
+```release-note:note
+`google_privateca_certificate_authority` resources now cannot be destroyed unless `deletion_protection = false` is set in state for the resource.
+```

google/data_source_certificate_authority_test.go

@@ -39,6 +39,7 @@ resource "google_privateca_certificate_authority" "default" {
   certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
   location = "%{pool_location}"
   type = "SUBORDINATE"
+  deletion_protection = false
   config {
     subject_config {
       subject {

google/resource_privateca_certificate_authority.go

@@ -596,6 +596,11 @@ CertificateAuthority's certificate.`,
 A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine
 fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".`,
 			},
+			"deletion_protection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -782,6 +787,12 @@ func resourcePrivatecaCertificateAuthorityRead(d *schema.ResourceData, meta inte
 		return nil
 	}
 
+	// Explicitly set virtual fields to default values if unset
+	if _, ok := d.GetOkExists("deletion_protection"); !ok {
+		if err := d.Set("deletion_protection", true); err != nil {
+			return fmt.Errorf("Error setting deletion_protection: %s", err)
+		}
+	}
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error reading CertificateAuthority: %s", err)
 	}
@@ -912,6 +923,10 @@ func resourcePrivatecaCertificateAuthorityDelete(d *schema.ResourceData, meta in
 	}
 
 	var obj map[string]interface{}
+	if d.Get("deletion_protection").(bool) {
+		return fmt.Errorf("cannot destroy CertificateAuthority without setting deletion_protection=false and running `terraform apply`")
+	}
+
 	if d.Get("state").(string) == "ENABLED" {
 		disableUrl, err := replaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:disable")
 		if err != nil {
@@ -974,6 +989,10 @@ func resourcePrivatecaCertificateAuthorityImport(d *schema.ResourceData, meta in
 	}
 	d.SetId(id)
 
+	// Explicitly set virtual fields to default values on import
+	if err := d.Set("deletion_protection", true); err != nil {
+		return nil, fmt.Errorf("Error setting deletion_protection: %s", err)
+	}
 	if err := d.Set("ignore_active_certificates_on_deletion", false); err != nil {
 		return nil, err
 	}

google/resource_privateca_certificate_authority_generated_test.go

@@ -27,9 +27,10 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicExam
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"pool_name":     BootstrapSharedCaPoolInLocation(t, "us-central1"),
-		"pool_location": "us-central1",
-		"random_suffix": randString(t, 10),
+		"pool_name":           BootstrapSharedCaPoolInLocation(t, "us-central1"),
+		"pool_location":       "us-central1",
+		"deletion_protection": false,
+		"random_suffix":       randString(t, 10),
 	}
 
 	vcrTest(t, resource.TestCase{
@@ -44,7 +45,7 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicExam
 				ResourceName:            "google_privateca_certificate_authority.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool", "deletion_protection"},
 			},
 		},
 	})
@@ -58,6 +59,7 @@ resource "google_privateca_certificate_authority" "default" {
   pool = "%{pool_name}"
   certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
   location = "%{pool_location}"
+  deletion_protection = "%{deletion_protection}"
   config {
     subject_config {
       subject {
@@ -106,9 +108,10 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordina
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"pool_name":     BootstrapSharedCaPoolInLocation(t, "us-central1"),
-		"pool_location": "us-central1",
-		"random_suffix": randString(t, 10),
+		"pool_name":           BootstrapSharedCaPoolInLocation(t, "us-central1"),
+		"pool_location":       "us-central1",
+		"deletion_protection": false,
+		"random_suffix":       randString(t, 10),
 	}
 
 	vcrTest(t, resource.TestCase{
@@ -123,7 +126,7 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordina
 				ResourceName:            "google_privateca_certificate_authority.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool", "deletion_protection"},
 			},
 		},
 	})
@@ -137,6 +140,7 @@ resource "google_privateca_certificate_authority" "default" {
   pool = "%{pool_name}"
   certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
   location = "%{pool_location}"
+  deletion_protection = "%{deletion_protection}"
   config {
     subject_config {
       subject {

google/resource_privateca_certificate_authority_test.go

@@ -28,7 +28,7 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityUpdate(t
 				ResourceName:            "google_privateca_certificate_authority.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool", "deletion_protection"},
 			},
 			{
 				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityEnd(context),
@@ -37,7 +37,7 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityUpdate(t
 				ResourceName:            "google_privateca_certificate_authority.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool", "deletion_protection"},
 			},
 			{
 				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityStart(context),
@@ -46,7 +46,7 @@ func TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityUpdate(t
 				ResourceName:            "google_privateca_certificate_authority.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool"},
+				ImportStateVerifyIgnore: []string{"ignore_active_certificates_on_deletion", "location", "certificate_authority_id", "pool", "deletion_protection"},
 			},
 		},
 	})
@@ -60,6 +60,7 @@ resource "google_privateca_certificate_authority" "default" {
 	pool = "%{pool_name}"
 	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
 	location = "%{pool_location}"
+	deletion_protection = false
 	config {
 		subject_config {
 		subject {
@@ -112,6 +113,7 @@ resource "google_privateca_certificate_authority" "default" {
 	pool = "%{pool_name}"
 	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
 	location = "%{pool_location}"
+	deletion_protection = false
 	config {
 		subject_config {
 		subject {

google/resource_privateca_certificate_generated_test.go

@@ -57,6 +57,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   location = "us-central1"
   pool = "%{pool}"
   ignore_active_certificates_on_deletion = true
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -241,6 +242,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   pool = "%{pool}"
   certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -319,6 +321,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   pool = "%{pool}"
   certificate_authority_id = "tf-test-my-certificate-authority%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -398,6 +401,7 @@ resource "google_privateca_certificate_authority" "authority" {
   pool = "%{pool}"
   certificate_authority_id = "tf-test-my-authority%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {

google/resource_privateca_certificate_test.go

@@ -60,6 +60,7 @@ resource "google_privateca_certificate_authority" "default" {
 	pool = "%{pool_name}"
 	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
 	location = "%{pool_location}"
+	deletion_protection = false
 	config {
 		subject_config {
 			subject {
@@ -137,6 +138,7 @@ resource "google_privateca_certificate_authority" "default" {
 	pool = "%{pool_name}"
 	certificate_authority_id = "tf-test-my-certificate-authority-%{random_suffix}"
 	location = "%{pool_location}"
+	deletion_protection = false
 	config {
 		subject_config {
 			subject {

website/docs/r/privateca_certificate.html.markdown

@@ -39,6 +39,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   location = "us-central1"
   pool = ""
   ignore_active_certificates_on_deletion = true
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -196,6 +197,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   pool = ""
   certificate_authority_id = "my-certificate-authority"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -247,6 +249,7 @@ resource "google_privateca_certificate_authority" "test-ca" {
   pool = ""
   certificate_authority_id = "my-certificate-authority"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {
@@ -299,6 +302,7 @@ resource "google_privateca_certificate_authority" "authority" {
   pool = ""
   certificate_authority_id = "my-authority"
   location = "us-central1"
+  deletion_protection = false
   config {
     subject_config {
       subject {

website/docs/r/privateca_certificate_authority.html.markdown

@@ -32,6 +32,10 @@ To get more information about CertificateAuthority, see:
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/certificate-authority-service)
 
+~> **Warning:** On newer versions of the provider, you must explicitly set `deletion_protection=false`
+(and run `terraform apply` to write the field to state) in order to destroy a CertificateAuthority.
+It is recommended to not set this field (or set it to true) until you're ready to destroy.
+
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=privateca_certificate_authority_basic&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
@@ -47,6 +51,7 @@ resource "google_privateca_certificate_authority" "default" {
   pool = "ca-pool"
   certificate_authority_id = "my-certificate-authority"
   location = "us-central1"
+  deletion_protection = "true"
   config {
     subject_config {
       subject {
@@ -104,6 +109,7 @@ resource "google_privateca_certificate_authority" "default" {
   pool = "ca-pool"
   certificate_authority_id = "my-certificate-authority"
   location = "us-central1"
+  deletion_protection = "true"
   config {
     subject_config {
       subject {
@@ -179,6 +185,7 @@ resource "google_privateca_certificate_authority" "default" {
   pool = "ca-pool"
   certificate_authority_id = "my-certificate-authority"
   location = "us-central1"
+  deletion_protection = "true"
   key_spec {
     cloud_kms_key_version = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key/cryptoKeyVersions/1"
   }
@@ -545,6 +552,9 @@ The following arguments are supported:
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
+* `deletion_protection` - (Optional) Whether or not to allow Terraform to destroy the CertificateAuthority. Unless this field is set to false
+in Terraform state, a `terraform destroy` or `terraform apply` that would delete the instance will fail.
+
 
 ## Attributes Reference