fixed permission issues when activating a sub-CA in a different region (#10354) (#17783)

[upstream:8ee3e3e2e9c42bd901178cc409bed2960a691b43]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/10354.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+privateca: fixed permission issues when activating a sub-CA in a different region
+```

google/services/privateca/privateca_ca_utils.go

@@ -230,12 +230,14 @@ func activateSubCAWithFirstPartyIssuer(config *transport_tpg.Config, d *schema.R
 		return fmt.Errorf("Error creating Certificate: %s", err)
 	}
 	signedCACert := res["pemCertificate"]
+	signerCertChain := res["pemCertificateChain"]
 
 	// 4. activate sub CA with the signed CA cert.
 	activateObj := make(map[string]interface{})
 	activateObj["pemCaCertificate"] = signedCACert
 	activateObj["subordinateConfig"] = make(map[string]interface{})
-	activateObj["subordinateConfig"].(map[string]interface{})["certificateAuthority"] = issuer
+	activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"] = make(map[string]interface{})
+	activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"].(map[string]interface{})["pemCertificates"] = signerCertChain
 
 	activateUrl, err := tpgresource.ReplaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:activate")
 	if err != nil {

google/services/privateca/resource_privateca_certificate_authority.go

@@ -709,6 +709,7 @@ and usability purposes only. The resource name is in the format
 						},
 						"pem_issuer_chain": {
 							Type:     schema.TypeList,
+							Computed: true,
 							Optional: true,
 							Description: `Contains the PEM certificate chain for the issuers of this CertificateAuthority,
 but not pem certificate for this CA itself.`,
@@ -1538,7 +1539,7 @@ func flattenPrivatecaCertificateAuthoritySubordinateConfig(v interface{}, d *sch
 	return []interface{}{transformed}
 }
 func flattenPrivatecaCertificateAuthoritySubordinateConfigCertificateAuthority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
-	return v
+	return d.Get("subordinate_config.0.certificate_authority")
 }
 
 func flattenPrivatecaCertificateAuthoritySubordinateConfigPemIssuerChain(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {

google/services/privateca/resource_privateca_certificate_authority_test.go

@@ -122,6 +122,33 @@ func TestAccPrivatecaCertificateAuthority_rootCaManageDesiredState(t *testing.T)
 	})
 }
 
+func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssuerOnCreation(t *testing.T) {
+	t.Parallel()
+	acctest.SkipIfVcr(t)
+
+	random_suffix := acctest.RandString(t, 10)
+	context := map[string]interface{}{
+		"root_location": "us-central1",
+		"sub_location":  "australia-southeast1",
+		"random_suffix": random_suffix,
+	}
+
+	resourceName := "google_privateca_certificate_authority.sub-1"
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "state", "ENABLED"),
+				),
+			},
+		},
+	})
+}
+
 func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_privateca_certificate_authority" "default" {
@@ -287,3 +314,139 @@ resource "google_privateca_certificate_authority" "default" {
 }
 `, context)
 }
+
+// testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer provides a config
+// which contains
+// * A CaPool for root CA
+// * A root CA
+// * A CaPool for sub CA
+// * A subordinate CA which should be activated by the above root CA
+func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_privateca_ca_pool" "root-pool" {
+	name     = "root-pool-%{random_suffix}"
+	location = "%{root_location}"
+	tier     = "ENTERPRISE"
+	publishing_options {
+	  publish_ca_cert = true
+	  publish_crl     = true
+	}
+}
+
+resource "google_privateca_certificate_authority" "root-1" {
+	pool = google_privateca_ca_pool.root-pool.name 
+	certificate_authority_id = "tf-test-my-certificate-authority-root-%{random_suffix}"
+	location = "%{root_location}"
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+
+	// Disable CA deletion related safe checks for easier cleanup.
+	deletion_protection                    = false
+	skip_grace_period                      = true
+	ignore_active_certificates_on_deletion = true
+}
+
+resource "google_privateca_ca_pool" "sub-pool" {
+	name     = "sub-pool-%{random_suffix}"
+	location = "%{sub_location}"
+	tier     = "ENTERPRISE"
+	publishing_options {
+	  publish_ca_cert = true
+	  publish_crl     = true
+	}
+}
+
+resource "google_privateca_certificate_authority" "sub-1" {
+	pool = google_privateca_ca_pool.sub-pool.name 
+	certificate_authority_id = "tf-test-my-certificate-authority-sub-%{random_suffix}"
+	location = "%{sub_location}"
+	subordinate_config {
+		certificate_authority = google_privateca_certificate_authority.root-1.name
+	}
+	config {
+		subject_config {
+		subject {
+			organization = "HashiCorp"
+			common_name = "my-certificate-authority"
+		}
+		subject_alt_name {
+			dns_names = ["hashicorp.com"]
+		}
+		}
+		x509_config {
+		ca_options {
+			is_ca = true
+			max_issuer_path_length = 10
+		}
+		key_usage {
+			base_key_usage {
+			digital_signature = true
+			content_commitment = true
+			key_encipherment = false
+			data_encipherment = true
+			key_agreement = true
+			cert_sign = true
+			crl_sign = true
+			decipher_only = true
+			}
+			extended_key_usage {
+			server_auth = true
+			client_auth = false
+			email_protection = true
+			code_signing = true
+			time_stamping = true
+			}
+		}
+		}
+	}
+	lifetime = "86400s"
+	key_spec {
+		algorithm = "RSA_PKCS1_4096_SHA256"
+	}
+	type = "SUBORDINATE"
+
+	// Disable CA deletion related safe checks for easier cleanup.
+	deletion_protection                    = false
+	skip_grace_period                      = true
+	ignore_active_certificates_on_deletion = true
+}
+`, context)
+}