

Revert "fixed permission issues when activating a sub-CA in a different region (#10354) (#17783)"

This reverts commit fa17f2d.
shuyama1 committed Apr 5, 2024
1 parent fa17f2d commit 1c1d44a
Showing 4 changed files with 2 additions and 171 deletions.
3 changes: 0 additions & 3 deletions .changelog/10354.txt

This file was deleted.

4 changes: 1 addition & 3 deletions google/services/privateca/privateca_ca_utils.go
Expand Up @@ -230,14 +230,12 @@ func activateSubCAWithFirstPartyIssuer(config *transport_tpg.Config, d *schema.R
return fmt.Errorf("Error creating Certificate: %s", err)
}
signedCACert := res["pemCertificate"]
signerCertChain := res["pemCertificateChain"]

// 4. activate sub CA with the signed CA cert.
activateObj := make(map[string]interface{})
activateObj["pemCaCertificate"] = signedCACert
activateObj["subordinateConfig"] = make(map[string]interface{})
activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"] = make(map[string]interface{})
activateObj["subordinateConfig"].(map[string]interface{})["pemIssuerChain"].(map[string]interface{})["pemCertificates"] = signerCertChain
activateObj["subordinateConfig"].(map[string]interface{})["certificateAuthority"] = issuer

activateUrl, err := tpgresource.ReplaceVars(d, config, "{{PrivatecaBasePath}}projects/{{project}}/locations/{{location}}/caPools/{{pool}}/certificateAuthorities/{{certificate_authority_id}}:activate")
if err != nil {
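Review bot: The restored activation request identifies the issuer by resource reference (`activateObj["subordinateConfig"].(map[string]interface{})["certificateAuthority"] = issuer`) rather than by the signed PEM chain, which, going by the title of the reverted commit, is the path that produced permission errors when the sub-CA lives in a different region from its root, yet the new side of the hunk carries no comment recording that trade-off. Markers are lost on this rendering, so which of the `pemIssuerChain`/`certificateAuthority` lines survive is inferred from the 3-deletion/1-addition count; note that if `signerCertChain := res["pemCertificateChain"]` stays while its only use is dropped, the file will not compile because of the unused variable. A short why-comment above the `activateObj` construction, e.g. `// NOTE: activation references the issuing CA by resource name; see #10354 for the cross-region permission issue this path can hit.`, would make the constraint visible to the next reader. Separately, `return fmt.Errorf("Error creating Certificate: %s", err)` would serve callers better as `%w` so the underlying API error survives `errors.Is`/`errors.As`. activateSubCAWithFirstPartyIssuer starts and ends outside the hunk.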
Expand Up @@ -709,7 +709,6 @@ and usability purposes only. The resource name is in the format
},
"pem_issuer_chain": {
Type: schema.TypeList,
Computed: true,
Optional: true,
Description: `Contains the PEM certificate chain for the issuers of this CertificateAuthority,
but not pem certificate for this CA itself.`,
Expand Down Expand Up @@ -1539,7 +1538,7 @@ func flattenPrivatecaCertificateAuthoritySubordinateConfig(v interface{}, d *sch
return []interface{}{transformed}
}
func flattenPrivatecaCertificateAuthoritySubordinateConfigCertificateAuthority(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return d.Get("subordinate_config.0.certificate_authority")
return v
}

func flattenPrivatecaCertificateAuthoritySubordinateConfigPemIssuerChain(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
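Review bot: `flattenPrivatecaCertificateAuthoritySubordinateConfigCertificateAuthority` now returns the API value `v` for `subordinate_config.0.certificate_authority` instead of the configured value, so if the service echoes the issuer in a different form than the practitioner wrote (for instance a fully qualified resource name), every plan will show a spurious diff on that field; this is worth confirming against the actual API response before relying on it. The same concern applies to the first hunk of this section, where dropping `Computed: true` from `pem_issuer_chain` means any server-populated chain now surfaces as drift when the user set only `certificate_authority`. If `return v` is intended, a one-line comment on it stating that the API returns the value exactly as configured would record the assumption; otherwise a `DiffSuppressFunc` on the schema field is the minimal alternative. The file name for this section is not shown on the page, and the function's `d`/`config` parameters are now unused, which is acceptable for a generated signature.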
Expand Up @@ -122,33 +122,6 @@ func TestAccPrivatecaCertificateAuthority_rootCaManageDesiredState(t *testing.T)
})
}

func TestAccPrivatecaCertificateAuthority_subordinateCaActivatedByFirstPartyIssuerOnCreation(t *testing.T) {
t.Parallel()
acctest.SkipIfVcr(t)

random_suffix := acctest.RandString(t, 10)
context := map[string]interface{}{
"root_location": "us-central1",
"sub_location": "australia-southeast1",
"random_suffix": random_suffix,
}

resourceName := "google_privateca_certificate_authority.sub-1"
acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckPrivatecaCertificateAuthorityDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "state", "ENABLED"),
),
},
},
})
}

func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthorityBasicRoot(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_privateca_certificate_authority" "default" {
Expand Down Expand Up @@ -314,139 +287,3 @@ resource "google_privateca_certificate_authority" "default" {
}
`, context)
}

// testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer provides a config
// which contains
// * A CaPool for root CA
// * A root CA
// * A CaPool for sub CA
// * A subordinate CA which should be activated by the above root CA
func testAccPrivatecaCertificateAuthority_privatecaCertificateAuthoritySubordinateWithFirstPartyIssuer(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_privateca_ca_pool" "root-pool" {
name = "root-pool-%{random_suffix}"
location = "%{root_location}"
tier = "ENTERPRISE"
publishing_options {
publish_ca_cert = true
publish_crl = true
}
}
resource "google_privateca_certificate_authority" "root-1" {
pool = google_privateca_ca_pool.root-pool.name
certificate_authority_id = "tf-test-my-certificate-authority-root-%{random_suffix}"
location = "%{root_location}"
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
resource "google_privateca_ca_pool" "sub-pool" {
name = "sub-pool-%{random_suffix}"
location = "%{sub_location}"
tier = "ENTERPRISE"
publishing_options {
publish_ca_cert = true
publish_crl = true
}
}
resource "google_privateca_certificate_authority" "sub-1" {
pool = google_privateca_ca_pool.sub-pool.name
certificate_authority_id = "tf-test-my-certificate-authority-sub-%{random_suffix}"
location = "%{sub_location}"
subordinate_config {
certificate_authority = google_privateca_certificate_authority.root-1.name
}
config {
subject_config {
subject {
organization = "HashiCorp"
common_name = "my-certificate-authority"
}
subject_alt_name {
dns_names = ["hashicorp.com"]
}
}
x509_config {
ca_options {
is_ca = true
max_issuer_path_length = 10
}
key_usage {
base_key_usage {
digital_signature = true
content_commitment = true
key_encipherment = false
data_encipherment = true
key_agreement = true
cert_sign = true
crl_sign = true
decipher_only = true
}
extended_key_usage {
server_auth = true
client_auth = false
email_protection = true
code_signing = true
time_stamping = true
}
}
}
}
lifetime = "86400s"
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
type = "SUBORDINATE"
// Disable CA deletion related safe checks for easier cleanup.
deletion_protection = false
skip_grace_period = true
ignore_active_certificates_on_deletion = true
}
`, context)
}
