Misc improvements for Certificate Authority

[drebes]

If this PR is for Terraform, I acknowledge that I have:

• Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
• Generated Terraform, and ran make test and make lint to ensure it passes unit and linter tests.
• Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
• Ran relevant acceptance tests (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
• Read the Release Notes Guide before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

google_privateca_certificate_authority_iam_policy

google_privateca_certificate_authority_iam_binding

google_privateca_certificate_authority_iam_member

This PR brings multiple UX improvements over the recently merged but unreleased #4382. As such it would be nice if google_privateca_certificate_authority release waits to be released with these changes:

1. Fix update.
2. Mark multiple immutable fields as ForceNew.
3. Small documentation improvements.
4. Support for Customer-Managed Encryption Keys (CMEK).
5. Adds a warning to the docs that CAs created during preview/terraform-provider-google-beta will be deleted before GA and should not be used in production (this note is already present in gcloud and the Console and was highlighted internally by the product team)
6. Support for specifying reusableConfigs using the short form (in which case the Google-managed reusableConfig project is used.
7. Adds a virtual attribute disable_on_delete that should be enabled to allow a CA to be deleted (same rationale of force_destroy on google_storage_bucket), and also only disable is the CA is in the enabled state.
8. Adds support for SUBORDINATE CAs (activation should still be done manually via Console or gcloud, however).
9. Adds IAM resources.

[modular-magician]

Hello! I am a robot who works on Magic Modules PRs.

I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review.

Thanks for your contribution! A human will be with you soon.

@c2thorn, please review this PR or find an appropriate assignee.

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 3 files changed, 238 insertions(+), 12 deletions(-))
Terraform Beta: Diff ( 9 files changed, 918 insertions(+), 90 deletions(-))
TF OiCS: Diff ( 6 files changed, 146 insertions(+))

[modular-magician]

I have triggered VCR tests based on this PR's diffs. See the results here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=167597"

[modular-magician]

Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are.

Diff report:

Terraform GA: Diff ( 3 files changed, 238 insertions(+), 12 deletions(-))
Terraform Beta: Diff ( 8 files changed, 917 insertions(+), 89 deletions(-))
TF OiCS: Diff ( 6 files changed, 146 insertions(+))

[modular-magician]

I have triggered VCR tests based on this PR's diffs. See the results here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=167598"

[modular-magician]

I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccPrivatecaCertificateAuthorityIamBindingGenerated|TestAccPrivatecaCertificateAuthorityIamMemberGenerated|TestAccPrivatecaCertificateAuthorityIamPolicyGenerated|TestAccActiveDirectoryDomainTrust_activeDirectoryDomainTrustBasicExample|TestAccCloudRunService_cloudRunServiceMultipleEnvironmentVariablesExample|TestAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityCmekExample You can view the result here: "https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=167599"

[c2thorn]

Just to verify: this needs to be set to a fixed project number?

[drebes]

Good point. The API takes both a project number or project ID (the corresponding project ID for that project number is privateca-data), however the read call will always answer with the project number. So the point of passing the project number directly (instead of project ID) was to avoid a permadiff. But now that we have this custom encoder and the corresponding diff suppress function, we could pass the project ID itself since the diff suppress would only look into the suffix (the reusable config itself) when the user specifies only the short form. Would you prefer to have the project ID on the create call to make this more legible?

[c2thorn]

Got it, I've seen that behavior in other APIs as well. I think it is fine as is, especially when the comment above clarifies the Google-managed project part. Thanks for explaining.

[c2thorn]

Thanks for the follow up on this @drebes. Aside from one question, this looks good to me. I'll get this merged in so both changes get released at the same time.